Date: 05/14/2026
Severity: High
Summary
In Q1 2026, an Iran-linked espionage campaign targeted at least nine organizations across four continents, affecting sectors such as manufacturing, education, finance, government, and professional services. The attackers used DLL sideloading with legitimately signed Fortemedia (fmapp.exe) and SentinelOne (sentinelmemoryscanner.exe) binaries to disguise malicious activity as trusted software. A node.exe-based implant chain deployed PowerShell scripts for reconnaissance, screenshot capture, SAM hive theft, privilege escalation, and SOCKS5 reverse-proxy tunnelling.

One major incident involved attackers remaining inside the network of a South Korean electronics manufacturer for nearly a week in February 2026. Additional victims included Middle Eastern government agencies and an international airport, Southeast Asian manufacturers, a Latin American financial-services provider, and educational institutions across multiple countries.
Indicators of Compromise (IOC) List
Domains/URLs:
timetrakr.cloud
sendit.sh
http://179.43.177.220:8080/nm.ps1
http://179.43.177.220:8080/a.dat
http://179.43.177.220:8080/a.exe
http://ipinfo.io/json
https://svc.wompworthy.com

IP Addresses:
179.43.177.220
178.128.233.36
172.67.156.47
104.21.48.205
37.187.78.41
34.117.59.81

Hashes (SHA-256):
e25892603c42e34bd7ba0d8ea73be600d898cadc290e3417a82c04d6281b743b
d587959841a763669279ad831b8f0379f6a7b037dffc19deab5d41f37f8b5ffc
b21c802775df0c0d82c8cfde299084abc624898b10258db641b820172a0ba29a
c6182fd01b14d84723e3c9d11bc0e16b34de6607ccb8334fc9bb97c1b44f0cde
128b58a2a2f1df66c474094aacb7e50189025fbf45d7cd8e0834e93a8fbed667
0c9b911935a3705b0ad569446804d80026feb6db3884aeb240b6c76e9b8cf139
74ab3838ebed7054b2254bf7d334c80c8b2cfec4a97d1706723f8ea55f11061f
3ee7dab4ae4f6d4f16dfabb6f38faef370411a9fc00ff035844e54703b99600a
bee79c3302b1a7afc0952842d14eff83a604ef00bfdae525176c16c80b2045f7
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query 1 (domain/URL indicators):
domainname like "http://179.43.177.220:8080/nm.ps1" or url like "http://179.43.177.220:8080/nm.ps1" or siteurl like "http://179.43.177.220:8080/nm.ps1"
or domainname like "sendit.sh" or url like "sendit.sh" or siteurl like "sendit.sh"
or domainname like "http://179.43.177.220:8080/a.dat" or url like "http://179.43.177.220:8080/a.dat" or siteurl like "http://179.43.177.220:8080/a.dat"
or domainname like "https://svc.wompworthy.com" or url like "https://svc.wompworthy.com" or siteurl like "https://svc.wompworthy.com"
or domainname like "timetrakr.cloud" or url like "timetrakr.cloud" or siteurl like "timetrakr.cloud"
or domainname like "http://179.43.177.220:8080/a.exe" or url like "http://179.43.177.220:8080/a.exe" or siteurl like "http://179.43.177.220:8080/a.exe"
or domainname like "http://ipinfo.io/json" or url like "http://ipinfo.io/json" or siteurl like "http://ipinfo.io/json"

Detection Query 2 (IP address indicators):
dstipaddress IN ("34.117.59.81","179.43.177.220","178.128.233.36","172.67.156.47","104.21.48.205","37.187.78.41")
or srcipaddress IN ("34.117.59.81","179.43.177.220","178.128.233.36","172.67.156.47","104.21.48.205","37.187.78.41")

Detection Query 3 (file hash indicators):
sha256hash IN ("e25892603c42e34bd7ba0d8ea73be600d898cadc290e3417a82c04d6281b743b","d587959841a763669279ad831b8f0379f6a7b037dffc19deab5d41f37f8b5ffc","b21c802775df0c0d82c8cfde299084abc624898b10258db641b820172a0ba29a","c6182fd01b14d84723e3c9d11bc0e16b34de6607ccb8334fc9bb97c1b44f0cde","128b58a2a2f1df66c474094aacb7e50189025fbf45d7cd8e0834e93a8fbed667","0c9b911935a3705b0ad569446804d80026feb6db3884aeb240b6c76e9b8cf139","74ab3838ebed7054b2254bf7d334c80c8b2cfec4a97d1706723f8ea55f11061f","3ee7dab4ae4f6d4f16dfabb6f38faef370411a9fc00ff035844e54703b99600a","bee79c3302b1a7afc0952842d14eff83a604ef00bfdae525176c16c80b2045f7")
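The three queries above are a domain/URL match, an IP match and a hash match. The following Python script is an added example, not Gurucul's code or part of the advisory: it applies the same matching logic to log events expressed as dicts keyed by the field names the queries use (domainname, url, siteurl, srcipaddress, dstipaddress, sha256hash). It assumes that the query language's "like" behaves as a case-insensitive substring match and that IP and hash comparisons are exact; the sample events at the bottom are constructed for illustration.

```python
"""Apply the advisory's three detection queries to log events (added example).

Assumptions (not stated by the advisory): 'like' is treated as a
case-insensitive substring match; IN is an exact match; event field names
follow the queries (domainname, url, siteurl, srcipaddress, dstipaddress,
sha256hash).
"""
from typing import Dict, List

# Indicators copied from the advisory's IOC list / detection queries.
IOC_URLS = {
    "timetrakr.cloud",
    "sendit.sh",
    "http://179.43.177.220:8080/nm.ps1",
    "http://179.43.177.220:8080/a.dat",
    "http://179.43.177.220:8080/a.exe",
    "http://ipinfo.io/json",
    "https://svc.wompworthy.com",
}
IOC_IPS = {
    "179.43.177.220", "178.128.233.36", "172.67.156.47",
    "104.21.48.205", "37.187.78.41", "34.117.59.81",
}
IOC_HASHES = {
    "e25892603c42e34bd7ba0d8ea73be600d898cadc290e3417a82c04d6281b743b",
    "d587959841a763669279ad831b8f0379f6a7b037dffc19deab5d41f37f8b5ffc",
    "b21c802775df0c0d82c8cfde299084abc624898b10258db641b820172a0ba29a",
    "c6182fd01b14d84723e3c9d11bc0e16b34de6607ccb8334fc9bb97c1b44f0cde",
    "128b58a2a2f1df66c474094aacb7e50189025fbf45d7cd8e0834e93a8fbed667",
    "0c9b911935a3705b0ad569446804d80026feb6db3884aeb240b6c76e9b8cf139",
    "74ab3838ebed7054b2254bf7d334c80c8b2cfec4a97d1706723f8ea55f11061f",
    "3ee7dab4ae4f6d4f16dfabb6f38faef370411a9fc00ff035844e54703b99600a",
    "bee79c3302b1a7afc0952842d14eff83a604ef00bfdae525176c16c80b2045f7",
}

URL_FIELDS = ("domainname", "url", "siteurl")   # Query 1 fields
IP_FIELDS = ("dstipaddress", "srcipaddress")     # Query 2 fields


def match_event(event: Dict[str, str]) -> List[str]:
    """Return one 'Qn:field:indicator' string per indicator hit, in a stable order."""
    hits: List[str] = []
    # Query 1: 'like' on domainname/url/siteurl -> case-insensitive substring.
    for field in URL_FIELDS:
        value = (event.get(field) or "").lower()
        if not value:
            continue
        for ioc in sorted(IOC_URLS):
            if ioc in value:
                hits.append(f"Q1:{field}:{ioc}")
    # Query 2: exact match of either endpoint against the IP list.
    for field in IP_FIELDS:
        value = event.get(field)
        if value in IOC_IPS:
            hits.append(f"Q2:{field}:{value}")
    # Query 3: exact SHA-256 match; hashes are normalised to lowercase first.
    digest = (event.get("sha256hash") or "").lower()
    if digest in IOC_HASHES:
        hits.append(f"Q3:sha256hash:{digest}")
    return hits


def scan(events: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Map event id -> hits for every event that matched at least one query."""
    results: Dict[str, List[str]] = {}
    for event in events:
        hits = match_event(event)
        if hits:
            results[event["id"]] = hits
    return results


# Constructed sample events (not taken from the advisory or any real incident).
SAMPLE_EVENTS = [
    # Download of the staging script from the listed host: hits Query 1 and 2.
    {"id": "ev1", "url": "http://179.43.177.220:8080/NM.PS1",
     "dstipaddress": "179.43.177.220"},
    # File event whose hash is on the list, reported in uppercase: hits Query 3.
    {"id": "ev2",
     "sha256hash": "E25892603C42E34BD7BA0D8EA73BE600D898CADC290E3417A82C04D6281B743B"},
    # Lookup of the public geolocation service from the list: hits Query 1 and 2.
    {"id": "ev3", "url": "http://ipinfo.io/json", "dstipaddress": "34.117.59.81"},
    # Benign event: no indicator matches.
    {"id": "ev4", "url": "https://example.com/", "dstipaddress": "192.0.2.10",
     "sha256hash": "00" * 32},
]

if __name__ == "__main__":
    for event_id, hits in scan(SAMPLE_EVENTS).items():
        print(event_id, hits)
```

Two practical notes when turning these queries into alerts: the ipinfo.io indicator is a widely used public geolocation service that legitimate software also calls, so a Query 1 hit on it alone is weak evidence and should be correlated with the other indicators (the 179.43.177.220 downloads, the listed hashes, or process ancestry involving node.exe or the sideloaded fmapp.exe / sentinelmemoryscanner.exe binaries) before escalation; and IP addresses on shared hosting or CDN infrastructure can rotate, so verify current ownership before blocking at the perimeter.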
Reference:
https://www.security.com/threat-intelligence/iran-seedworm-electronics