MuddyWater uses Chaos ransomware as decoy in attacks

Summary
– MuddyWater hackers disguised a cyber-espionage operation as a Chaos ransomware attack, using Microsoft Teams social engineering to gain initial access.
– The attack included credential theft, persistence, remote access, data exfiltration, and extortion, but Rapid7 believes the primary goal was espionage, not financial gain.
– Rapid7 attributes the incident to MuddyWater with moderate confidence, based on infrastructure overlap and a specific code-signing certificate linked to the group.
– The intrusion began with Teams chats, screen-sharing, credential harvesting via phishing or local text files, and deployment of AnyDesk and custom backdoor malware.
– MuddyWater has previously used ransomware to mask operations, including a 2025 Qilin ransomware attack against an Israeli organization.
Iranian state-sponsored hackers linked to the MuddyWater group have been observed posing as a Chaos ransomware operation, using Microsoft Teams social engineering as the initial entry point to steal credentials, maintain access, and exfiltrate data. While the attack included credential theft, persistence mechanisms, remote access tools, data exfiltration, extortion emails, and even a listing on the Chaos leak portal, the underlying infrastructure and techniques point squarely back to MuddyWater.
Researchers at Rapid7 assess that the ransomware component was likely a decoy designed to obscure the true objective: cyber-espionage. The ransomware branding was not a bid for financial gain but a way to complicate attribution. “The strategy highlights the convergence between state-sponsored intrusion activity and criminal tradecraft, where a big ‘tell’ lies in the techniques that were deployed, and those that weren’t,” Rapid7 noted.
Rapid7 expresses moderate confidence in attributing the incident to MuddyWater, also known as Static Kitten, Mango Sandstorm, and Seedworm. This conclusion is based on overlapping infrastructure, a specific code-signing certificate previously used by the group to sign Stagecomp and Darkcomp malware, and consistent operational tradecraft.
MuddyWater is an Iranian state-sponsored cyber-espionage group linked to the Ministry of Intelligence and Security (MOIS). The group is known for long-term network intrusions that align with Iranian strategic interests. Chaos, by contrast, is a ransomware-as-a-service (RaaS) operation that emerged in 2025, known for big-game hunting, double extortion, and social engineering campaigns primarily targeting U.S. organizations.
The attack chain began with Microsoft Teams social engineering. Attackers initiated chats with employees, established screen-sharing sessions, harvested credentials, manipulated multi-factor authentication (MFA) settings, and in some cases deployed AnyDesk for remote access. Credential theft occurred either through phishing pages mimicking Microsoft Quick Assist or by tricking victims into typing passwords into local text files.
Once accounts were compromised, the attackers authenticated to internal systems, including a domain controller, and established persistence using RDP, DWAgent, and AnyDesk. They then deployed a malware loader (ms_upd.exe) to drop a custom backdoor (Game.exe) disguised as a Microsoft WebView2 application. This backdoor includes anti-analysis and anti-VM checks and supports 12 commands, including PowerShell and CMD execution, file upload and deletion, and persistent shell access.
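The chain described above, turned into a hunt over process-creation telemetry, as an added example that is not code from the article or from Rapid7. It assumes a Sysmon-like event shape (image, parent, signer, description) and three assumptions the article does not state outright: that the loader launches the backdoor as a child process, that anything presenting itself as WebView2 should carry a Microsoft signature, and that the two remote-access tools named in the article (AnyDesk, DWAgent) are not sanctioned in the environment. The sample events, paths and the "Contoso" signer are constructed.

```python
"""Hunt for a MuddyWater/Chaos-style chain in process-creation events.

Added example; event format and sample telemetry are constructed, and the
rules encode assumptions described in the lead-in rather than Rapid7's IOCs.
"""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Tools the article names as persistence / remote access (assumed unsanctioned here).
REMOTE_ACCESS_TOOLS = {"anydesk.exe", "dwagent.exe"}
# File names the article attributes to the loader and the backdoor.
NAMED_ARTIFACTS = {"ms_upd.exe": "loader", "game.exe": "backdoor"}
# Assumption: a binary claiming to be WebView2 should be Microsoft-signed.
WEBVIEW2 = re.compile(r"webview2", re.IGNORECASE)
MICROSOFT_SIGNER = re.compile(r"^microsoft\b", re.IGNORECASE)

# Constructed telemetry, not real logs. "Contoso Ltd" stands in for an unknown signer.
SAMPLE_EVENTS = [
    {"host": "WS01", "user": r"corp\jdoe", "image": r"C:\Program Files\Microsoft Teams\ms-teams.exe",
     "parent": r"C:\Windows\explorer.exe", "signer": "Microsoft Corporation", "description": "Microsoft Teams"},
    {"host": "WS01", "user": r"corp\jdoe", "image": r"C:\Users\jdoe\AppData\Local\Temp\AnyDesk.exe",
     "parent": r"C:\Windows\explorer.exe", "signer": "Example Vendor (constructed)", "description": "AnyDesk"},
    {"host": "WS01", "user": r"corp\jdoe", "image": r"C:\Users\jdoe\Downloads\ms_upd.exe",
     "parent": r"C:\Windows\explorer.exe", "signer": "Contoso Ltd (constructed)", "description": ""},
    {"host": "WS01", "user": r"corp\jdoe", "image": r"C:\Users\jdoe\AppData\Local\WebView2\Game.exe",
     "parent": r"C:\Users\jdoe\Downloads\ms_upd.exe", "signer": "Contoso Ltd (constructed)",
     "description": "Microsoft Edge WebView2"},
    {"host": "WS02", "user": r"corp\asmith",
     "image": r"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\msedgewebview2.exe",
     "parent": r"C:\Program Files\Microsoft Teams\ms-teams.exe", "signer": "Microsoft Corporation",
     "description": "Microsoft Edge WebView2"},
    {"host": "DC01", "user": r"corp\svc-backup", "image": r"C:\Program Files\DWAgent\dwagent.exe",
     "parent": r"C:\Windows\System32\services.exe", "signer": "Example Vendor (constructed)", "description": "DWAgent"},
]


def basename(path):
    """Lower-cased file name of a Windows path (case-insensitive matching)."""
    return PureWindowsPath(path).name.lower()


def check_event(ev):
    """Return the list of rule names an event trips (empty for benign)."""
    hits = []
    img, parent = basename(ev["image"]), basename(ev["parent"])
    if img in REMOTE_ACCESS_TOOLS:
        hits.append("remote_access_tool")
    if img in NAMED_ARTIFACTS:
        hits.append(f"named_artifact:{NAMED_ARTIFACTS[img]}")
    # Masquerade check: WebView2 in name or description, but signer is not Microsoft.
    claims_webview2 = WEBVIEW2.search(ev.get("description", "")) or WEBVIEW2.search(img)
    if claims_webview2 and not MICROSOFT_SIGNER.match(ev.get("signer", "")):
        hits.append("webview2_masquerade")
    # Assumed parent/child relationship between the loader and what it drops.
    if parent == "ms_upd.exe":
        hits.append("spawned_by_loader")
    return hits


def hunt(events):
    """Flatten rule hits into findings: one dict per (event, rule)."""
    findings = []
    for ev in events:
        for rule in check_event(ev):
            findings.append({"host": ev["host"], "user": ev["user"], "rule": rule, "image": ev["image"]})
    return findings


def triage(findings):
    """Per host: remote-access tool plus an implant indicator reads as the full chain."""
    per_host = defaultdict(set)
    for f in findings:
        per_host[f["host"]].add(f["rule"])
    verdict = {}
    for host, rules in per_host.items():
        has_rat = "remote_access_tool" in rules
        has_implant = any(r.startswith("named_artifact") or r in ("webview2_masquerade", "spawned_by_loader")
                          for r in rules)
        verdict[host] = "likely-intrusion-chain" if has_rat and has_implant else "review"
    return verdict


if __name__ == "__main__":
    found = hunt(SAMPLE_EVENTS)
    for f in found:
        print(f"{f['host']:5} {f['rule']:24} {f['image']}")
    print(triage(found))
```

The benign msedgewebview2.exe on WS02 does not fire because it is Microsoft-signed, which is the point of keying the masquerade rule on the signer rather than the name alone; on a real estate, substitute an allow-list of sanctioned remote-access tools and feed events from your EDR or Sysmon EventID 1 export.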
Rapid7 notes that MuddyWater has previously used ransomware to mask espionage operations. In late 2025, the group deployed Qilin ransomware against an Israeli organization. Researchers suggest the group may have switched to Chaos branding after that earlier attack was publicly attributed to MOIS operatives.
(Source: BleepingComputer)
