A sprawling espionage campaign linked to the Iranian state has been uncovered, revealing a significant evolution in the tradecraft of one of Tehran’s most persistent threat actors. The group, known as Seedworm (also tracked as MuddyWater), spent the first quarter of 2026 infiltrating at least nine organizations across four continents, including a high-stakes, week-long intrusion into a major South Korean electronics manufacturer.
From industrial manufacturing in Southeast Asia to financial services in Latin America, the campaign demonstrates that “Tehran’s intelligence requirements have broadened” far beyond its traditional regional focus.
The hallmark of this 2026 offensive is Seedworm’s move toward “quieter, more disciplined operations”. The group relied heavily on DLL sideloading, a technique in which a trusted, legitimately signed executable is made to load a malicious DLL, so the malicious code runs under the cover of that trusted program.
Specifically, the attackers abused validly signed binaries from Fortemedia (fmapp.exe) and, most pointedly, the security firm SentinelOne (sentinelmemoryscanner.exe). According to the Threat Hunter Team: “The use of a security-product binary is a deliberate choice intended both to defeat path or signature-based detection and to confuse triage”.
By hijacking these trusted processes, the attackers successfully sideloaded ChromElevator, a post-exploitation tool designed to “covertly steal and exfiltrate data such as passwords, cookies, and payment card data from Chromium-based browsers”.
While Seedworm has long been a “prolific user of PowerShell,” this campaign marked a tactical shift in how that code was delivered. Instead of human operators typing commands, the activity was driven by a Node.js-based loader.
In the breach of the South Korean electronics giant, researchers noted that node.exe appeared as an ancestor to malicious processes, suggesting that “…a Node.js script was already running on the host at the time and that it, rather than a human operator, was driving the activity”.
This automation allowed the group to perform rapid reconnaissance, screenshot capture, and “SAM hive theft” to harvest credentials for lateral movement across the network.
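As an added illustration of how a defender might hunt for the two behaviours described above (an abused signed binary such as fmapp.exe or sentinelmemoryscanner.exe loading a DLL from an unexpected directory, and powershell.exe with node.exe among its ancestors), the following Python, which is not from the original report, runs simple detection logic over constructed Sysmon-style events. The event shape, the expected install directories, and the node.exe > cmd.exe > powershell.exe chain are assumptions made for the example.

```python
import ntpath

# Simplified, constructed Sysmon-style records: process_create carries pid/ppid/image/
# cmdline, image_load carries pid/loaded. Install directories below are assumptions.
SIDELOAD_HOSTS = {"fmapp.exe": r"c:\program files\fortemedia",
                  "sentinelmemoryscanner.exe": r"c:\program files\sentinelone"}
WINDOWS_DIR = r"c:\windows"  # system DLLs loaded from here are expected, not suspicious


def ancestor_images(pid, procs):
    """Yield image file names of pid's parent, grandparent, ... (cycle-safe)."""
    seen = set()
    cur = procs.get(pid, {}).get("ppid")
    while cur in procs and cur not in seen:
        seen.add(cur)
        yield ntpath.basename(procs[cur]["image"]).lower()
        cur = procs[cur]["ppid"]


def detect(events):
    """Return alerts for (a) a known sideload host loading a DLL from outside its
    install directory and the Windows directory, (b) powershell.exe under node.exe."""
    procs = {e["pid"]: e for e in events if e["type"] == "process_create"}
    alerts = []
    for e in events:
        if e["type"] == "image_load" and e["pid"] in procs:
            host = ntpath.basename(procs[e["pid"]]["image"]).lower()
            dll = e["loaded"].lower()
            expected = SIDELOAD_HOSTS.get(host)
            if expected and dll.endswith(".dll") and not (
                dll.startswith(expected) or dll.startswith(WINDOWS_DIR)
            ):
                alerts.append(("sideload", host, e["loaded"]))
        elif e["type"] == "process_create":
            if ntpath.basename(e["image"]).lower() == "powershell.exe" and \
                    "node.exe" in ancestor_images(e["pid"], procs):
                alerts.append(("node_ancestor", e["pid"], e["cmdline"]))
    return alerts


# Constructed sample telemetry; the DLL name is a placeholder, not a real indicator.
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"type": "process_create", "pid": 200, "ppid": 100, "image": r"C:\Users\u\AppData\Local\Temp\node.exe", "cmdline": "node.exe loader.js"},
    {"type": "process_create", "pid": 300, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c run.bat"},
    {"type": "process_create", "pid": 400, "ppid": 300, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "cmdline": "powershell.exe -File collect.ps1"},
    {"type": "process_create", "pid": 500, "ppid": 200, "image": r"C:\Users\u\AppData\Local\Temp\sentinelmemoryscanner.exe", "cmdline": "sentinelmemoryscanner.exe"},
    {"type": "image_load", "pid": 500, "loaded": r"C:\Windows\System32\kernel32.dll"},
    {"type": "image_load", "pid": 500, "loaded": r"C:\Users\u\AppData\Local\Temp\placeholder_sideloaded.dll"},
    {"type": "process_create", "pid": 600, "ppid": 100, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "cmdline": "powershell.exe -File admin.ps1"},
]
```

Running `detect(SAMPLE_EVENTS)` yields one node_ancestor alert for pid 400 and one sideload alert for the placeholder DLL; the explorer-spawned PowerShell and the kernel32.dll load produce nothing.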
To further evade network-based detection, Seedworm avoided building bespoke command-and-control (C2) channels. Instead, the group “staged stolen data through sendit[.]sh, a public file-transfer service”.
This reflects a growing trend where state-aligned actors blend their malicious traffic with “consumer cloud services to evade network-based detection”. By using these common services, exfiltration traffic is much more likely to survive perimeter inspection and look like standard business activity.
For organizations in high-tech manufacturing, government, and professional services, the threat from Tehran is more global, automated, and stealthy than ever before.