
Seedworm APT Abuses Signed Fortemedia and SentinelOne Binaries for DLL Sideloading

ID: c83f6cca-07ea-5c3d-9949-51b53590d21c

STIX ID: report--c83f6cca-07ea-5c3d-9949-51b53590d21c

Feed Name: cybersecurityNews.com

Threat Score: 90/100

Date Published: 2026-05-27

Date Updated: 2026-05-27

Author: Tushar Subhra Dutta

...
...

Symantec reports an early‑2026 espionage campaign attributed to Iran‑linked Seedworm that compromised at least nine organizations across multiple industries and continents. The attackers abused legitimate signed executables (fmapp.exe and sentinelmemoryscanner.exe) for DLL sideloading in order to load ChromElevator and credential theft tools, used an embedded Node.js runtime to orchestrate their actions, established persistence via startup registry entries, and exfiltrated data through a public file-transfer service. The report provides IoCs (hashes, IPs, domains, URLs) and mitigation guidance.
