MuddyWater hackers use Chaos ransomware as a decoy in attacks
MuddyWater Iranian hackers use Chaos ransomware as cover for cyber-espionage via Teams social engineering.
Summary
MuddyWater, an Iranian state-sponsored group, disguised a cyber-espionage operation as a Chaos ransomware attack to complicate attribution and conceal their true objectives. The attackers used Microsoft Teams social engineering to harvest credentials, bypass MFA, and establish persistence through RDP, DWAgent, and AnyDesk, ultimately deploying a custom backdoor (Game.exe) for data exfiltration and extortion. Rapid7 attributes the campaign to MuddyWater based on infrastructure overlap, code-signing certificates, and operational tradecraft consistent with previous MOIS-aligned intrusions.
Full text
MuddyWater hackers use Chaos ransomware as a decoy in attacks By Bill Toulas May 6, 2026 09:02 AM 0 The MuddyWater Iranian hackers disguised their operations as a Chaos ransomware attack, relying on Microsoft Teams social engineering to gain access and establish persistence. Although the attack involved credential theft, persistence, remote access, data exfiltration, extortion emails, and an entry on the Chaos leak portal, the attackers used infrastructure and techniques associated with the MuddyWater attacks. Rapid7 researchers believe that the ransomware component was likely used to conceal the actual cyber-espionage operation and to complicate attribution. “The strategy highlights the convergence between state-sponsored intrusion activity and criminal tradecraft, where a big “tell” lies in the techniques that were deployed - and those that weren’t. This strategy suggests the primary goal was not financial gain,” explains Rapid7. Despite the facade, Rapid7 has moderate confidence in attributing the incident to MuddyWater, a threat group also known as Static Kitten, Mango Sandstorm, and Seedworm. The conclusion is based on infrastructure overlap, a specific code-signing certificate that the state-sponsored group used to sign Stagecomp and Darkcomp malware attributed to the threat actor, and various operational tradecraft. MuddyWater is an Iranian state-sponsored cyber-espionage group, notorious for long-term network intrusion campaigns that align with the country's Ministry of Intelligence and Security (MOIS). The Chaos is a ransomware-as-a-service (RaaS) operation that emerged in 2025 and is known for big-game hunting attacks, double-extortion tactics, and social engineering campaigns mostly targeting organizations in the United States. Attack progression The intrusion Rapid7 examined started through Microsoft Teams social engineering, where the attackers initiated chats with employees, established screen-sharing sessions, harvested credentials, manipulated multi-factor authentication (MFA) settings, and, in some cases, deployed AnyDesk for remote access. Credential theft occurred either via phishing pages masquerading as Microsoft Quick Assist or by tricking victims into typing their passwords into local text files. After compromising accounts, the attackers authenticated to internal systems, including a domain controller, and established persistence using RDP, DWAgent, and AnyDesk. Next, they leveraged a malware loader (ms_upd.exe) to drop a custom backdoor (Game.exe), disguised as a Microsoft WebView2 application. The malware features anti-analysis and anti-VM checks, and supports 12 commands, including PowerShell and CMD command execution, file upload and deletion, and persistent shell access. Overview of the attackSource: Rapid7 Rapid7 notes that MuddyWater has used ransomware in the past to mask its cyber-espionage operations. In late 2025, the threat actor deployed Qilin ransomware in an attack against an Israeli organization. The researchers suggest that the threat group might have pivoted to a different ransomware branding following the attribution of that late 2025 to MOIS operatives. 99% of What Mythos Found Is Still Unpatched. AI chained four zero-days into one exploit that bypassed both renderer and OS sandboxes. A wave of new exploits is coming.At the Autonomous Validation Summit (May 12 & 14), see how autonomous, context-rich validation finds what's exploitable, proves controls hold, and closes the remediation loop. Claim Your Spot Related Articles: New GopherWhisper APT group abuses Outlook, Slack, Discord for commsKarakurt extortion gang ‘cold case’ negotiator gets 8.5 years in prisonVimeo data breach exposes personal information of 119,000 peopleVideo service Vimeo confirms Anodot breach exposed user dataCheckmarx confirms LAPSUS$ hackers leaked its stolen GitHub data
Indicators of Compromise
- malware — Game.exe
- malware — ms_upd.exe
- malware — Stagecomp
- malware — Darkcomp
- malware — Chaos
- malware — Qilin