VYPR
breach · Published May 6, 2026 · Updated May 18, 2026 · 1 source

Iran-Linked MuddyWater Posed as Chaos Ransomware Affiliate in False-Flag Espionage Campaign

Rapid7 has uncovered an intrusion by Iran-linked APT MuddyWater that impersonated a Chaos ransomware affiliate to mask geopolitical espionage, using social engineering and remote access tools without deploying a ransomware payload.

Rapid7 has revealed that the Iran-linked advanced persistent threat (APT) group known as MuddyWater (also tracked as Seedworm, Static Kitten, and Mango Sandstorm) conducted a false-flag espionage campaign by posing as an affiliate of the Chaos ransomware operation. The findings, published on May 6 in a report titled *Muddying the Tracks: The State-Sponsored Shadow Behind Chaos Ransomware*, detail an intrusion at an unnamed organization that began in early 2026. The attackers leveraged social engineering via Microsoft Teams screen sharing to gain initial access, then moved laterally to harvest credentials, manipulate multi-factor authentication (MFA), and establish persistence using remote access tools such as DWAgent and AnyDesk.

According to Rapid7, the threat actor operated interactively through compromised user accounts to conduct initial discovery and credential harvesting, including MFA manipulation. They quickly transitioned to using legitimate accounts for internal access, then deployed additional payloads to maintain control of the environment. After exfiltrating data, the attackers contacted the victim via email, claiming data theft and initiating ransom negotiations—a hallmark of ransomware operations. However, unlike typical financially motivated Chaos affiliates, the group never deployed a ransomware payload, a key anomaly that raised red flags.

The investigation uncovered several technical links tying the activity to MuddyWater's known infrastructure. Rapid7 identified a code-signing certificate under the name "Donald Gay" used to validate malware samples, the command-and-control (C2) domain moonzonet[.]com, and the use of pythonw.exe to inject code into suspended processes. The attackers also relied on interactive Microsoft Teams sessions to harvest MFA credentials and maintain persistence. These indicators align with previous MuddyWater campaigns, including a late 2025 operation where the group impersonated the Qilin ransomware-as-a-service (RaaS) ecosystem in an attack targeting an Israeli organization.
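As an added illustration of how a defender might hunt for the indicators named above, the following script is example code written for this page; it is not Rapid7's tooling and does not come from the report. It scans a constructed set of Sysmon-style event records for the "Donald Gay" signer, the moonzonet[.]com domain, pythonw.exe interacting with other processes, and the DWAgent / AnyDesk remote access tools. The event IDs and field names are loosely modelled on Sysmon (1 process create, 7 image load, 8 CreateRemoteThread, 22 DNS query) but simplified, the DWAgent binary names are assumptions, and every record in the sample is constructed.

```python
"""Hunt constructed, Sysmon-style event records for the indicators summarised
above. Field names, event IDs and the sample records are constructed for this
example; the DWAgent binary names are assumptions."""
from __future__ import annotations
from typing import Iterable

# Indicators as given in the summary. The domain is stored defanged and only
# refanged inside the matcher so the live form never appears in this file.
SIGNER_IOC = "Donald Gay"
C2_DOMAIN_IOC = "moonzonet[.]com"
RAT_IMAGES = {"anydesk.exe", "dwagent.exe", "dwagsvc.exe"}  # dwagent names assumed
INJECTOR_IMAGE = "pythonw.exe"


def refang(domain: str) -> str:
    return domain.replace("[.]", ".").lower()


def basename(path: str) -> str:
    """Lower-cased final component of a Windows path ('' if path is empty)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def hunt(events: Iterable[dict]) -> list[dict]:
    """Return one finding per (event, indicator) pair that fires."""
    c2 = refang(C2_DOMAIN_IOC)
    findings = []
    for ev in events:
        eid = ev.get("event_id")
        hits = []
        # Image-load events carry the signer; match the report's certificate name.
        if eid == 7 and ev.get("signer", "").strip().lower() == SIGNER_IOC.lower():
            hits.append("signer:donald-gay")
        # DNS lookups of the C2 domain or any of its subdomains.
        if eid == 22:
            q = ev.get("query", "").lower().rstrip(".")
            if q == c2 or q.endswith("." + c2):
                hits.append("dns:c2-domain")
        # Remote access tools starting, and child processes of pythonw.exe
        # (a process started suspended by the injector shows up here).
        if eid == 1:
            if basename(ev.get("image", "")) in RAT_IMAGES:
                hits.append("rat:remote-access-tool")
            if basename(ev.get("parent_image", "")) == INJECTOR_IMAGE:
                hits.append("inject:pythonw-child")
        # pythonw.exe creating a thread in another process.
        if eid == 8 and basename(ev.get("source_image", "")) == INJECTOR_IMAGE:
            hits.append("inject:pythonw-remote-thread")
        for h in hits:
            findings.append({"record": ev.get("record"), "host": ev.get("host"), "indicator": h})
    return findings


def hosts_to_triage_first(findings: list[dict], min_families: int = 2) -> set[str]:
    """Hosts where at least `min_families` distinct indicator families fired.
    A single family (e.g. only a RAT install) may be benign admin activity;
    several together on one host are a much stronger signal."""
    families: dict[str, set[str]] = {}
    for f in findings:
        families.setdefault(f["host"], set()).add(f["indicator"].split(":", 1)[0])
    return {host for host, fams in families.items() if len(fams) >= min_families}


# Constructed sample: two hosts, a mix of benign and indicator-bearing records.
SAMPLE_EVENTS = [
    {"record": 1, "host": "WS-01", "event_id": 1,
     "image": r"C:\Windows\System32\svchost.exe", "parent_image": r"C:\Windows\System32\services.exe"},
    {"record": 2, "host": "WS-01", "event_id": 22, "query": "moonzonet.com"},
    {"record": 3, "host": "WS-01", "event_id": 7,
     "image": r"C:\Users\Public\update.dll", "signer": "Donald Gay"},
    {"record": 4, "host": "WS-01", "event_id": 1,
     "image": r"C:\Program Files\AnyDesk\AnyDesk.exe", "parent_image": r"C:\Windows\explorer.exe"},
    {"record": 5, "host": "WS-02", "event_id": 8,
     "source_image": r"C:\Python311\pythonw.exe", "target_image": r"C:\Windows\System32\notepad.exe"},
    {"record": 6, "host": "WS-02", "event_id": 1,
     "image": r"C:\Windows\System32\notepad.exe", "parent_image": r"C:\Python311\pythonw.exe"},
    {"record": 7, "host": "WS-02", "event_id": 22, "query": "update.microsoft.com"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f['host']} record {f['record']}: {f['indicator']}")
    print("triage first:", sorted(hosts_to_triage_first(hunt(SAMPLE_EVENTS))))
```

The triage helper reflects the report's point that defenders fixate on the loud ransomware-style artefacts: a lone AnyDesk install or a single odd DNS query is easy to dismiss, whereas the same host showing a C2 lookup, a suspicious signer and a remote access tool together deserves the full-lifecycle review Rapid7 recommends.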

The false-flag approach provides MuddyWater with plausible deniability, blurring the lines between state-sponsored espionage and financially motivated cybercrime. Rapid7 noted that the use of a RaaS framework may enable the actor to complicate attribution, as defenders often focus on immediate ransomware impacts rather than underlying persistence mechanisms. The inclusion of extortion and negotiation elements further distracts from the group's true objective: intelligence gathering and prepositioning for future operations.

Rapid7 emphasized that the Chaos ransomware group operates a "blind" countdown timer on its data leak site (DLS), meaning no victim details could be viewed by the attackers—yet the threat actor claimed successful data exfiltration and published stolen data on the DLS. The actor also claimed to have placed a ransom note in the victim's desktop directory containing access credentials for a secure chat, but Rapid7 was unable to locate it. Despite these inconsistencies, the leaked data was assessed as legitimate, indicating the attackers had indeed exfiltrated sensitive information.

The report concludes that investigators must look beyond overt ransomware indicators and study the full intrusion lifecycle to uncover state-sponsored activity. "Ultimately, this activity is best understood as a hybrid intrusion model, in which ransomware is leveraged not as an end goal but as a mechanism for concealment, coercion, and operational flexibility within a broader intelligence-driven campaign," Rapid7 stated. The findings underscore the growing trend of APT groups adopting ransomware tactics to mask espionage, a development that challenges traditional threat attribution and incident response strategies.

Synthesized by Vypr AI