Iranian hackers Seedworm attacked electronics manufacturer in South Korea

Main points

  • Iranian hackers from the MuddyWater group infiltrated the network of a major South Korean electronics manufacturer, remaining unnoticed for a week.
  • The attack was part of a larger operation that included government agencies, an airport in the Middle East, industrial plants in Southeast Asia, financial institutions in Latin America, and educational institutions.

Iranian group MuddyWater hacked South Korean giant / Collage 24 Channel/Unsplash

In February 2026, cybersecurity experts documented a massive espionage campaign that affected nine organizations on four continents. The most high-profile case was the intrusion into the network of a leading South Korean electronics manufacturer, where the attackers remained undetected for a week.

How did Iranian hackers manage to infiltrate the network unnoticed?

The Iranian hacking group MuddyWater, also known as Seedworm, Static Kitten, and Temp Zagros, has carried out a widespread cyberespionage campaign targeting high-tech sectors around the world. According to Bleeping Computer, the attackers spent an entire week inside the network of a “major South Korean electronics manufacturer” between February 20 and 27, 2026, although no report says whether it was Samsung or some other company.

This attack was part of a larger operation that targeted government agencies, an international airport in the Middle East, industrial enterprises in Southeast Asia, financial institutions in Latin America, and educational institutions in various countries.

Experts from cybersecurity company Symantec believe that the Seedworm group is closely linked to the Iranian Ministry of Intelligence and Security. The main goals of the attackers were the theft of industrial and intellectual property, state espionage, and gaining access to customer lists. Each of the targets could have possessed materials of intelligence value to Tehran.


The methods used by hackers indicate a significant increase in their professional skills.

The attackers sequentially dropped pairs of files consisting of a legitimate, signed third-party executable file and a malicious DLL designed to be loaded by that file,
– Symantec researchers commented.

This technique, known as DLL sideloading, allowed attackers to disguise malicious activity as legitimate software.

In particular, hackers used the Fortemedia fmapp.exe utility and the SentinelOne antivirus protection component sentinelmemoryscanner.exe.

Using a security product binary is a conscious choice, aimed both at bypassing detection by paths or signatures and at confusing analysis,
– added Symantec.

The malicious libraries contained the ChromElevator tool, designed to steal passwords, cookies, and payment card data from Chromium-based browsers.

How was the attack carried out?

  • The attack process on the South Korean company began with domain and host reconnaissance, after which the hackers used WMI tools to check for the presence of antivirus software.
  • To establish persistence, they modified the Windows registry so that the malicious code was relaunched every time the user logged in.
  • Communication with the command server occurred automatically every 90 seconds.

Credentials were stolen using fake Windows password prompts and tools that read the SAM, SECURITY, and SYSTEM registry hives. In addition, the hackers used specialized software to elevate privileges and intercept Kerberos tickets without knowing the administrator passwords.

A distinctive feature of this campaign was the use of Node.js for coordination instead of calling PowerShell directly, which made the attack quieter and harder to detect. To exfiltrate the stolen data, the attackers used the public file sharing service sendit.sh, which let the exfiltration traffic blend in with ordinary user traffic to cloud services.
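The 90-second check-in interval mentioned above is itself a detection opportunity: a host that contacts the same destination at a near-constant period stands out statistically even when the destination looks harmless. The script below is an added example, not part of the article or of any Symantec tooling; the proxy log lines, client and destination addresses are constructed.

```python
"""Spot fixed-interval beaconing in proxy logs (added detection example).
The article describes check-ins every 90 seconds; a constant period is
visible in inter-request gaps. The log below is constructed, not real traffic."""
from collections import defaultdict
from datetime import datetime
from statistics import median, pstdev

# Constructed proxy records: "timestamp client destination"
SAMPLE_LOG = """\
2026-02-21T09:00:00 10.1.4.22 203.0.113.10
2026-02-21T09:00:05 10.1.4.22 www.example.com
2026-02-21T09:01:31 10.1.4.22 203.0.113.10
2026-02-21T09:01:41 10.1.4.22 www.example.com
2026-02-21T09:03:00 10.1.4.22 203.0.113.10
2026-02-21T09:03:12 10.1.4.22 www.example.com
2026-02-21T09:04:30 10.1.4.22 203.0.113.10
2026-02-21T09:06:00 10.1.4.22 203.0.113.10
2026-02-21T09:07:30 10.1.4.22 203.0.113.10
2026-02-21T09:10:07 10.1.4.22 www.example.com
"""

def parse(log: str):
    """Group request timestamps by (client, destination)."""
    series = defaultdict(list)
    for line in log.splitlines():
        ts, client, dest = line.split()
        series[(client, dest)].append(datetime.fromisoformat(ts))
    return series

def find_beacons(log: str, min_hits: int = 5, max_jitter: float = 0.1):
    """Return {(client, dest): period_seconds} for near-constant intervals.

    max_jitter is the allowed standard deviation relative to the median gap;
    min_hits stops the rule firing on a handful of coincidental requests.
    """
    beacons = {}
    for key, times in parse(log).items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        period = median(gaps)
        if period > 0 and pstdev(gaps) / period <= max_jitter:
            beacons[key] = period
    return beacons

if __name__ == "__main__":
    for (client, dest), period in find_beacons(SAMPLE_LOG).items():
        print(f"{client} -> {dest}: check-in every {period:.0f}s")
```

Software update checks and monitoring agents also beacon on fixed schedules, so the destination list this produces needs a pass against known-good services before anyone is paged.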

What conclusions do the researchers draw?

According to analysts, the widening geographic spread of the attacks and the use of more sophisticated tools indicate that Iran's intelligence needs have grown, and that the Seedworm group in particular has moved to “more disciplined and covert operations.”

The activity in early 2026 took place against a backdrop of tensions surrounding Iran's nuclear program and regional conflicts.

You may also be interested in learning: who are Seedworm, what are they known for, and how do they work?

The Seedworm hacking group, also known as APT34, OilRig, or Helix Kitten, is considered one of the most prominent Iranian cyber espionage groups. Cybersecurity experts have linked it to Iranian state structures, including the intelligence services and the Islamic Revolutionary Guard Corps.

The group has been actively monitored since around 2014, although individual operations may have been conducted earlier. Seedworm specializes primarily in cyberespionage, data theft, corporate network intrusion, and long-term covert access to systems.

Seedworm's primary targets were government agencies, energy companies, telecommunications operators, defense companies, banks, and infrastructure organizations in the Middle East, the United States, and Europe. Attacks were particularly frequent against Saudi Arabia, the United Arab Emirates, Israel, and American organizations.

Cybersecurity experts have repeatedly reported that the group actively uses phishing emails, fake login pages, credential theft, and malware to infiltrate victims' networks, writes CSIS.

Seedworm is known for tailoring its tools to specific purposes. In various campaigns, the group has used backdoors, PowerShell scripts, malicious Microsoft Office documents, and fake VPN pages. Attacks have often been built around social engineering – getting company employees to hand over passwords or open infected files themselves. Cybersecurity researchers believe that the group’s main goals are espionage, intelligence gathering, and geopolitical influence.

Iran and hackers: how the country of the ayatollahs terrorizes the whole world

Iranian hacking activity in general began to increase sharply after 2010, as analyzed by Channel 24. One of the key moments was the Stuxnet attack on Iranian nuclear facilities. This operation, which is attributed to the US and Israel, was a turning point for Tehran's cyber strategy. After that, Iran began to invest heavily in its own cyber units, build a network of affiliated groups, and expand its digital capabilities.

Today, Iran is considered one of the most active states in the field of cyberwarfare. Iranian groups regularly attack government systems, industrial infrastructure, energy facilities, water supply and telecommunications. In recent years, special attention has been paid to critical infrastructure. For example, CSIS analysts described attacks by Iranian-linked hackers on American water supply systems and industrial PLC controllers.

Main groups

In addition to Seedworm, a number of other groups have been linked to Tehran, including Charming Kitten, MuddyWater, CyberAv3ngers, and Infy. Some of them are engaged in espionage, others in destructive operations, and some operate under the guise of “hacktivists” to hide the state's footprint. Analysts believe that Iran is actively using the proxy group model – formally independent hackers who actually work in the interests of the state.

Hacker targets

Iran's main goals in cyberspace are political pressure, espionage, response to sanctions, fighting Israel and the United States, and a show of force. Through cyberattacks, Tehran gets a relatively cheap way to influence rivals without direct military escalation. In addition, hacking operations allow for the collection of strategic information and economic damage.

Which South Korean companies could be targeted by Iran?

The Symantec report does not identify a specific company in South Korea that was affected. However, we do have a clue: it is an electronics manufacturer that analysts call “major,” Channel 24 noted. Given this, we can make some assumptions, as South Korea is now one of the world's centers for the production of chips, displays, smartphones, and home appliances.

  • The country's largest electronics manufacturer is Samsung Electronics. The company manufactures smartphones, televisions, displays, DRAM and NAND memory, processors, sensors, and home appliances. Samsung is also one of the largest semiconductor manufacturers in the world.
  • Another giant is LG Electronics. The company specializes in TVs, OLED displays, home appliances, automotive electronics, and air conditioning systems. LG is also active in the display technology industry through LG Display.
  • A key memory and AI chip maker is SK Hynix. The company is one of the world's largest makers of DRAM and HBM memory, which is used in NVIDIA's AI systems and servers. SK Hynix has grown rapidly in recent years thanks to the boom in the AI industry.