Seedworm Expands Operations with Stealth-Focused Espionage Campaign
ID: 05514010-aed9-52d2-8a91-29381b7b1b16
STIX ID: report--05514010-aed9-52d2-8a91-29381b7b1b16
Feed Name: ThreatMon
ThreatMon researchers identified a stealthy espionage campaign attributed to the Iran-aligned Seedworm group (also tracked as MuddyWater and Static Kitten), targeting organizations across manufacturing, finance, government, aviation, and education. The attackers prioritized operational security, abusing legitimate tooling wherever possible: they used signed third-party executables for DLL sideloading, executed payloads through Node.js rather than PowerShell to avoid PowerShell-focused monitoring, harvested credentials (registry hives, browser-stored credentials, Kerberos delegation abuse, and fake Windows prompts), and exfiltrated stolen files to public file-sharing services with curl.exe.
