VYPR
breach · Published May 6, 2026 · Updated May 17, 2026 · 3 sources

MuddyWater APT Masquerades as Chaos Ransomware in Espionage Campaign

The Iranian state-sponsored group MuddyWater is conducting cyber-espionage operations under the guise of a Chaos ransomware attack, using social engineering and false-flag tactics to mask their true objectives.

The Iranian state-sponsored threat actor known as MuddyWater has been identified conducting a cyber-espionage campaign that masquerades as a ransomware attack. Researchers at Rapid7 observed the group, also tracked as Static Kitten, Mango Sandstorm, and Seedworm, using the branding of the Chaos ransomware-as-a-service (RaaS) operation to obscure its real objective: long-term network intrusion and data exfiltration (BleepingComputer, SecurityWeek).

The attack sequence began with high-touch social engineering over Microsoft Teams. The attackers opened chats with employees, often impersonating IT support, and set up screen-sharing sessions to harvest credentials and alter multi-factor authentication (MFA) settings (The Hacker News). In some cases victims were tricked into typing passwords into local text files, or were directed to phishing pages disguised as Microsoft Quick Assist (BleepingComputer). Once initial access was secured, the threat actors deployed remote management tools, including AnyDesk and DWAgent, to establish persistent access and move laterally through the environment (SecurityWeek).

A key component of the operation is a custom backdoor named "Game.exe", disguised as a Microsoft WebView2 application (BleepingComputer). The malware, which researchers link to the group's "Darkcomp" toolset, has anti-analysis and anti-VM capabilities and supports 12 distinct commands, including file manipulation and persistent shell access (BleepingComputer, SecurityWeek). Notably, although the attackers went through the motions of extortion, including emailing employees and posting an entry on the Chaos ransomware leak portal, they never deployed file-encrypting ransomware (SecurityWeek).

Rapid7 researchers assess the Chaos branding to be a "false flag" intended to complicate attribution and to steer defenders toward the immediate financial extortion rather than the underlying espionage activity (SecurityWeek). The attribution to MuddyWater rests on significant infrastructure overlap, the reuse of a code-signing certificate previously linked to the group's Stagecomp and Darkcomp malware, and operational tradecraft consistent with Iran's Ministry of Intelligence and Security (MOIS) (BleepingComputer, SecurityWeek).

This is not the first time MuddyWater has used ransomware as cover. The group has previously been linked to the use of Thanos, DarkBit, and Qilin ransomware in campaigns against Israeli organizations and other strategic targets (The Hacker News). By leveraging off-the-shelf criminal tooling and RaaS branding, MuddyWater keeps its operations deniable and lets them blend in with ordinary criminal activity in security monitoring (The Hacker News).

The convergence of state-sponsored espionage and criminal tradecraft reflects a broader trend of advanced persistent threats (APTs) adopting e-crime tactics to mask their strategic objectives. As these actors integrate further into the cybercriminal ecosystem, organizations need to stay vigilant against social engineering, particularly unsolicited "IT support" contact over collaboration tools, and prioritize detection of persistent remote access tools: in an intrusion like this one, the RMM tooling left behind, not the ransom note, is the real indicator of the deeper compromise (BleepingComputer, The Hacker News).
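The intrusion chain described above (AnyDesk and DWAgent dropped after a Quick Assist style "support" session) and the closing recommendation both reduce to one detection question: is a remote-access tool running on this host that the organization never sanctioned, and did it arrive as a persistent install from a user-driven process rather than from the deployment system? The Python triage routine below is an added example, not code from the article or from Rapid7. It runs over a handful of constructed Sysmon Event ID 1 style process-creation records; the binary names, install-flag strings, sanctioned-tool allowlist and scoring thresholds are assumptions chosen for illustration and should be replaced with the environment's own software inventory.

```python
"""Triage process-creation telemetry for unsanctioned remote-access tools.

Added example, not from the original article or from Rapid7. Events are
constructed Sysmon Event ID 1 style records; binary names, flags, allowlist
and scoring thresholds are assumptions for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Remote management / remote assistance executables to watch for (assumed names).
RMM_BINARIES = {
    "anydesk.exe": "AnyDesk",
    "dwagent.exe": "DWAgent",
    "quickassist.exe": "Quick Assist",
}
# Assumption: the helpdesk may use Quick Assist; no third-party RMM is sanctioned.
APPROVED_RMM = {"Quick Assist"}
# Assumption: legitimate installs come only from the deployment agent or MSI.
APPROVED_INSTALLER_PARENTS = {"ccmexec.exe", "msiexec.exe"}
# Command-line fragments that request an unattended, persistent install (assumed).
INSTALL_FLAGS = ("--install", "--start-with-win", "--silent", "/silent")
# Parents that indicate a person (or a remote "helper") started the tool interactively.
USER_DRIVEN_PARENTS = {"msedge.exe", "chrome.exe", "explorer.exe", "quickassist.exe", "powershell.exe"}
STANDARD_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\")


@dataclass
class Finding:
    host: str
    user: str
    tool: str
    image: str
    score: int
    reasons: list[str] = field(default_factory=list)

    @property
    def severity(self) -> str:
        return "high" if self.score >= 3 else "medium" if self.score >= 2 else "low"


def _basename(windows_path: str) -> str:
    """Last component of a Windows path, lower-cased; avoids os.path so it works on any host OS."""
    return windows_path.rsplit("\\", 1)[-1].lower()


def analyse_event(ev: dict) -> Finding | None:
    """Return a Finding if the event is a remote-access tool launch, else None."""
    tool = RMM_BINARIES.get(_basename(ev["Image"]))
    if tool is None:
        return None
    parent = _basename(ev.get("ParentImage", ""))
    cmd = ev.get("CommandLine", "").lower()
    score, reasons = 0, []
    if tool not in APPROVED_RMM:
        score += 2
        reasons.append(f"{tool} is not a sanctioned remote-access tool")
    if any(flag in cmd for flag in INSTALL_FLAGS) and parent not in APPROVED_INSTALLER_PARENTS:
        score += 2
        reasons.append(f"persistent install requested by {parent or 'unknown parent'}, not the deployment system")
    if parent in USER_DRIVEN_PARENTS:
        score += 1
        reasons.append(f"launched from user-driven parent {parent}")
    if not ev["Image"].lower().startswith(STANDARD_DIRS):
        score += 1
        reasons.append("binary running outside Program Files")
    return Finding(ev["Computer"], ev.get("User", ""), tool, ev["Image"], score, reasons)


def triage(events: list[dict]) -> list[Finding]:
    """Score every event and return the findings, highest risk first."""
    return sorted((f for f in map(analyse_event, events) if f), key=lambda f: -f.score)


# Constructed sample telemetry (not real logs): an AnyDesk install launched from a
# browser download during a "support" session, a DWAgent service already running,
# one sanctioned Quick Assist launch and one unrelated process.
SAMPLE_EVENTS = [
    {"Computer": "WS-0417", "User": "CORP\\jdoe",
     "Image": "C:\\Users\\jdoe\\Downloads\\AnyDesk.exe",
     "ParentImage": "C:\\Program Files\\Microsoft\\Edge\\Application\\msedge.exe",
     "CommandLine": 'AnyDesk.exe --install "C:\\Program Files (x86)\\AnyDesk" --start-with-win --silent'},
    {"Computer": "WS-0417", "User": "NT AUTHORITY\\SYSTEM",
     "Image": "C:\\Program Files\\DWAgent\\native\\dwagent.exe",
     "ParentImage": "C:\\Windows\\System32\\services.exe",
     "CommandLine": '"C:\\Program Files\\DWAgent\\native\\dwagent.exe" -service'},
    {"Computer": "WS-0302", "User": "CORP\\asmith",
     "Image": "C:\\Program Files\\WindowsApps\\MicrosoftCorporationII.QuickAssist_2.0.0.0_x64__8wekyb3d8bbwe\\QuickAssist.exe",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "QuickAssist.exe"},
    {"Computer": "WS-0302", "User": "NT AUTHORITY\\SYSTEM",
     "Image": "C:\\Windows\\System32\\svchost.exe",
     "ParentImage": "C:\\Windows\\System32\\services.exe",
     "CommandLine": "svchost.exe -k netsvcs"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.host} {f.user}: {f.tool} ({f.image})")
        for r in f.reasons:
            print("   -", r)
```

On the constructed sample the AnyDesk event scores highest because every signal fires at once: an unsanctioned tool, a silent install with a start-with-Windows flag, a browser as parent, and a binary in the user's Downloads folder. The already-installed DWAgent service scores lower per event, which is why this kind of rule belongs alongside a periodic service and autorun inventory; a long-running RMM service that nobody approved is the persistence the article warns about, even when no individual process launch looks dramatic.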

Synthesized by Vypr AI