{
	"id": "98879895-b84a-48e2-895a-ed6147a04a4f",
	"created_at": "2026-04-06T00:18:19.333612Z",
	"updated_at": "2026-04-10T03:37:49.821786Z",
	"deleted_at": null,
	"sha1_hash": "23d1107a99c7ba2b55de80cda5c229ef8ec2eeed",
	"title": "Seedworm: Group Compromises Government Agencies, Oil \u0026 Gas, NGOs, Telecoms, and IT Firms",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 47592,
	"plain_text": "Seedworm: Group Compromises Government Agencies, Oil \u0026 Gas,\r\nNGOs, Telecoms, and IT Firms\r\nArchived: 2026-04-05 23:08:14 UTC\r\nSymantec researchers have uncovered extensive insights into a cyber espionage group behind a recent series of\r\ncyber attacks designed to gather intelligence on targets spread primarily across the Middle East as well as in\r\nEurope and North America.\r\nThe group, which we call Seedworm (aka MuddyWater), has been operating since at least 2017, with its most\r\nrecent activity observed in December 2018.\r\nAnalysts in our DeepSight Managed Adversary and Threat Intelligence (MATI) team have found a new backdoor,\r\nBackdoor.Powemuddy, new variants of Seedworm’s Powermud backdoor (aka POWERSTATS), a GitHub\r\nrepository used by the group to store their scripts, as well as several post-compromise tools the group uses to\r\nexploit victims once they have established a foothold in their network.\r\nTracking an Attack’s Footprints\r\nIn September 2018, we found evidence of Seedworm and the espionage group APT28 (aka Swallowtail, Fancy\r\nBear) on a computer within the Brazil-based embassy of an oil-producing nation. Seeing two active groups\r\npiqued our interest and, as we began pulling on that one string, we found more clues that led us to uncover new\r\ninformation about Seedworm.\r\nWe not only found the initial entry point, but we were able to follow Seedworm’s subsequent activity after the\r\ninitial infection due to the vast telemetry Symantec has access to via its Global Intelligence Network. Because of\r\nthis unique visibility, our analysts were able to trace what actions Seedworm took after they got into a\r\nnetwork. 
We found new variants of the Powermud backdoor, a new backdoor (Backdoor.Powemuddy), and\r\ncustom tools for stealing passwords, creating reverse shells, privilege escalation, and the use of the native\r\nWindows cabinet creation tool, makecab.exe, probably for compressing stolen data to be uploaded. DeepSight\r\nMATI customers can leverage these unique insights to combat emerging cyber threats.\r\nSeedworm’s motivations are much like many cyber espionage groups that we observe—they seek to acquire\r\nactionable information about the targeted organizations and individuals. They accomplish this with a preference\r\nfor speed and agility over operational security, which ultimately led to our identification of their key operational\r\ninfrastructure.\r\nTactics and Tools\r\nSeedworm likely functions as a cyber espionage group to secure actionable intelligence that could benefit their\r\nsponsor’s interests. During the operations, the group used tools consistent with those leveraged during past\r\nhttps://symantec-blogs.broadcom.com/blogs/threat-intelligence/seedworm-espionage-group\r\nPage 1 of 4\n\nintrusions including Powermud, a custom tool used by the Seedworm group, and customized PowerShell,\r\nLaZagne, and Crackmapexec scripts.\r\nThe Seedworm group controls its Powermud backdoor from behind a proxy network to hide the ultimate\r\ncommand-and-control (C\u0026C) location. The Seedworm group is the only group known to use the Powermud\r\nbackdoor.\r\nAfter compromising a system, typically by installing Powermud or Powemuddy, Seedworm first runs a tool that\r\nsteals passwords saved in users’ web browsers and email, demonstrating that access to the victim's email, social\r\nmedia, and chat accounts is one of their likely goals. Seedworm then uses open-source tools such as LaZagne and\r\nCrackmapexec to obtain Windows authorization credentials. 
Seedworm uses off-the-shelf, unmodified versions of\r\nthese tools as well as custom-compiled variants which we have determined are only used by this group.\r\nShifting Tactics\r\nSince its existence first came to light, we’ve seen Seedworm modify the way it operates. Since early 2017, they\r\nhave continually updated their Powermud backdoor and other tools to avoid detection and to thwart security\r\nresearchers analyzing the tools. They’ve also used GitHub to store malware and a handful of publicly available\r\ntools, which they then customize to carry out their work.\r\nWe have identified multiple online accounts that are likely associated with actors behind the Seedworm\r\noperations. The first finding was a public Github repository containing scripts that very closely match those\r\nobserved in Seedworm operations. An additional link was then made to a persona on Twitter with similar profile\r\ndata. This Twitter account follows numerous security researchers, including those who have written about the\r\ngroup in the past as well as developers who write the open-source tools they use.\r\nThese accounts are likely controlled by the Seedworm group. The Github repository contains a PowerShell script\r\nthat has been run on victim hosts in activity attributed to Seedworm; there are also numerous Crackmapexec\r\nPowerShell commands that match victim host activity.\r\nChoosing to rely on publicly available tools allows Seedworm to quickly update their operations by using code\r\nwritten by others and applying only small customizations. 
And they appear to adopt some of the most effective\r\nand capable tools, several of which—for these reasons—are also used by red team organizations.\r\nTargets and Timeline\r\nWe analyzed data on 131 victims that were compromised by Seedworm’s Powermud backdoor from late\r\nSeptember to mid-November 2018.\r\nObserved Seedworm victims were located primarily in Pakistan and Turkey, but also in Russia, Saudi Arabia,\r\nAfghanistan, Jordan, and elsewhere. Additionally, the group compromised organizations in Europe and North\r\nAmerica that have ties to the Middle East.\r\nDuring our analysis of Powermud victims, we were able to identify the probable industry sector for\r\n80 of the 131 unique victims. The telecommunications and IT services sectors were the main targets. Entities in\r\nthese sectors are often \"enabling victims\" as telecommunications providers or IT services agencies and vendors\r\ncould provide Seedworm actors with further victims to compromise. Successfully compromising victims in these\r\ntwo industries provides additional clues about the sophistication and skills of the Seedworm group.\r\nThe next most common group of victims was in the oil and gas sector. All 11 victims in this group belong to one\r\nRussian firm that is active in the Middle East. Only one of these 11 victims was physically located in Russia; the\r\nrest were spread out across North America, the Middle East, Africa, and Asia.\r\nUniversities and embassies were the next most common targets. The universities were in the Middle East and the\r\nembassies were primarily based in Europe representing Middle East countries. 
Two major non-governmental\r\norganizations (NGOs) were also compromised; we identified seven victims who worked within these global public\r\nhealth organizations.\r\nSymantec has notified the appropriate public and private sector partners regarding Seedworm’s latest targets, tools,\r\nand techniques.\r\nProtection\r\nThe following protections are in place to protect customers against Seedworm attacks:\r\nFile-based protection\r\nBackdoor.Powemuddy\r\nNetwork-based protection\r\nSystem Infected: W97M.Downloader Activity 44\r\nWeb Attack: Malicious Shell Script Download 4\r\nSystem Infected: Trojan.Backdoor Activity 243\r\nIndicators of Compromise\r\nThe following indicators are specific to Seedworm:\r\nNetwork\r\n104.237.233.60 IP used for reverse shell C\u0026C\r\n78.129.222.56 Powemuddy/Powermud delivery IP\r\n78.129.139.148 Powemuddy C\u0026C\r\n31.171.154.67 Powemuddy C\u0026C\r\n46.99.148.96 former Powemuddy C\u0026C\r\n79.106.224.203 Powemuddy C\u0026C\r\n185.34.16.82 Powemuddy C\u0026C\r\nFile names\r\nSource: https://symantec-blogs.broadcom.com/blogs/threat-intelligence/seedworm-espionage-group",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://symantec-blogs.broadcom.com/blogs/threat-intelligence/seedworm-espionage-group"
	],
	"report_names": [
		"seedworm-espionage-group"
	],
	"threat_actors": [
		{
			"id": "02e1c2df-8abd-49b1-91d1-61bc733cf96b",
			"created_at": "2022-10-25T15:50:23.308924Z",
			"updated_at": "2026-04-10T02:00:05.298591Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"MuddyWater",
				"Earth Vetala",
				"Static Kitten",
				"Seedworm",
				"TEMP.Zagros",
				"Mango Sandstorm",
				"TA450"
			],
			"source_name": "MITRE:MuddyWater",
			"tools": [
				"STARWHALE",
				"POWERSTATS",
				"Out1",
				"PowerSploit",
				"Small Sieve",
				"Mori",
				"Mimikatz",
				"LaZagne",
				"PowGoop",
				"CrackMapExec",
				"ConnectWise",
				"SHARPSTATS",
				"RemoteUtilities",
				"Koadic"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2ed8d590-defa-4873-b2de-b75c9b30931e",
			"created_at": "2023-01-06T13:46:38.730137Z",
			"updated_at": "2026-04-10T02:00:03.08136Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"TEMP.Zagros",
				"Seedworm",
				"COBALT ULSTER",
				"G0069",
				"ATK51",
				"Mango Sandstorm",
				"TA450",
				"Static Kitten",
				"Boggy Serpens",
				"Earth Vetala"
			],
			"source_name": "MISPGALAXY:MuddyWater",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "156b3bc5-14b7-48e1-b19d-23aa17492621",
			"created_at": "2025-08-07T02:03:24.793494Z",
			"updated_at": "2026-04-10T02:00:03.634641Z",
			"deleted_at": null,
			"main_name": "COBALT ULSTER",
			"aliases": [
				"Boggy Serpens ",
				"ENT-11 ",
				"Earth Vetala ",
				"ITG17 ",
				"MERCURY ",
				"Mango Sandstorm ",
				"MuddyWater ",
				"STAC 1171 ",
				"Seedworm ",
				"Static Kitten ",
				"TA450 ",
				"TEMP.Zagros ",
				"UNC3313 ",
				"Yellow Nix "
			],
			"source_name": "Secureworks:COBALT ULSTER",
			"tools": [
				"CrackMapExec",
				"Empire",
				"FORELORD",
				"Koadic",
				"LaZagne",
				"Metasploit",
				"Mimikatz",
				"Plink",
				"PowerStats"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3c430d71-ab2b-4588-820a-42dd6cfc39fb",
			"created_at": "2022-10-25T16:07:23.880522Z",
			"updated_at": "2026-04-10T02:00:04.775749Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"ATK 51",
				"Boggy Serpens",
				"Cobalt Ulster",
				"G0069",
				"ITG17",
				"Mango Sandstorm",
				"MuddyWater",
				"Operation BlackWater",
				"Operation Earth Vetala",
				"Operation Quicksand",
				"Seedworm",
				"Static Kitten",
				"T-APT-14",
				"TA450",
				"TEMP.Zagros",
				"Yellow Nix"
			],
			"source_name": "ETDA:MuddyWater",
			"tools": [
				"Agentemis",
				"BugSleep",
				"CLOUDSTATS",
				"ChromeCookiesView",
				"Cobalt Strike",
				"CobaltStrike",
				"CrackMapExec",
				"DCHSpy",
				"DELPHSTATS",
				"EmPyre",
				"EmpireProject",
				"FruityC2",
				"Koadic",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"MZCookiesView",
				"Meterpreter",
				"Mimikatz",
				"MuddyC2Go",
				"MuddyRot",
				"Mudwater",
				"POWERSTATS",
				"PRB-Backdoor",
				"PhonyC2",
				"PowGoop",
				"PowerShell Empire",
				"PowerSploit",
				"Powermud",
				"QUADAGENT",
				"SHARPSTATS",
				"SSF",
				"Secure Socket Funneling",
				"Shootback",
				"Smbmap",
				"Valyria",
				"chrome-passwords",
				"cobeacon",
				"prb_backdoor"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab",
			"created_at": "2022-10-25T16:07:24.212584Z",
			"updated_at": "2026-04-10T02:00:04.900038Z",
			"deleted_at": null,
			"main_name": "Sofacy",
			"aliases": [
				"APT 28",
				"ATK 5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"G0007",
				"Grey-Cloud",
				"Grizzly Steppe",
				"Group 74",
				"GruesomeLarch",
				"ITG05",
				"Iron Twilight",
				"Operation DealersChoice",
				"Operation Dear Joohn",
				"Operation Komplex",
				"Operation Pawn Storm",
				"Operation RoundPress",
				"Operation Russian Doll",
				"Operation Steal-It",
				"Pawn Storm",
				"SIG40",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"Strontium",
				"T-APT-12",
				"TA422",
				"TAG-0700",
				"TAG-110",
				"TG-4127",
				"Tsar Team",
				"UAC-0028",
				"UAC-0063"
			],
			"source_name": "ETDA:Sofacy",
			"tools": [
				"ADVSTORESHELL",
				"AZZY",
				"Backdoor.SofacyX",
				"CHERRYSPY",
				"CORESHELL",
				"Carberp",
				"Computrace",
				"DealersChoice",
				"Delphacy",
				"Downdelph",
				"Downrage",
				"Drovorub",
				"EVILTOSS",
				"Foozer",
				"GAMEFISH",
				"GooseEgg",
				"Graphite",
				"HATVIBE",
				"HIDEDRV",
				"Headlace",
				"Impacket",
				"JHUHUGIT",
				"JKEYSKW",
				"Koadic",
				"Komplex",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LoJack",
				"LoJax",
				"MASEPIE",
				"Mimikatz",
				"NETUI",
				"Nimcy",
				"OCEANMAP",
				"OLDBAIT",
				"PocoDown",
				"PocoDownloader",
				"Popr-d30",
				"ProcDump",
				"PythocyDbg",
				"SMBExec",
				"SOURFACE",
				"SPLM",
				"STEELHOOK",
				"Sasfis",
				"Sedkit",
				"Sednit",
				"Sedreco",
				"Seduploader",
				"Shunnael",
				"SkinnyBoy",
				"Sofacy",
				"SofacyCarberp",
				"SpiderLabs Responder",
				"Trojan.Shunnael",
				"Trojan.Sofacy",
				"USB Stealer",
				"USBStealer",
				"VPNFilter",
				"Win32/USBStealer",
				"WinIDS",
				"Winexe",
				"X-Agent",
				"X-Tunnel",
				"XAPS",
				"XTunnel",
				"Xagent",
				"Zebrocy",
				"Zekapab",
				"carberplike",
				"certutil",
				"certutil.exe",
				"fysbis",
				"webhp"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434699,
	"ts_updated_at": 1775792269,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/23d1107a99c7ba2b55de80cda5c229ef8ec2eeed.pdf",
		"text": "https://archive.orkl.eu/23d1107a99c7ba2b55de80cda5c229ef8ec2eeed.txt",
		"img": "https://archive.orkl.eu/23d1107a99c7ba2b55de80cda5c229ef8ec2eeed.jpg"
	}
}