Seedworm: Iran-Linked Hackers Breached Korean Electronics Maker in Global Spying Campaign
ID: 09345c67-3244-5cfc-bb92-7e2462ec5ddd
STIX ID: report--09345c67-3244-5cfc-bb92-7e2462ec5ddd
Feed Name: security.com
This report documents an early-2026 espionage campaign by the Iran-linked APT Seedworm that compromised at least nine organizations across multiple sectors and continents. The actor used Node.js-orchestrated PowerShell implants and DLL sideloading of legitimately signed binaries (Fortemedia and SentinelOne) to run ChromElevator and other tools for credential theft, privilege escalation, SOCKS5 tunnelling, and data exfiltration via public file-transfer services. The document includes file hashes, IPs, domains, and recommended mitigations.
