Iran-Linked Hackers Posed as Ransomware Group in Spy Campaign

Summary
– An Iranian state-linked APT group (MuddyWater) posed as a Chaos ransomware affiliate to conduct espionage and gain access under plausible deniability, according to Rapid7.
– The 2026 intrusion began with social engineering via Microsoft Teams, leading to credential theft, MFA manipulation, and use of remote access tools like DWAgent and AnyDesk.
– After exfiltrating data, the attacker initiated ransom negotiations but did not deploy a ransomware payload, unlike typical financially motivated Chaos affiliates.
– Rapid7 linked the operation to MuddyWater through shared infrastructure, including a code-signing certificate, C2 domain, and use of pythonw.exe for code injection.
– The report warns investigators to look beyond ransomware indicators, as the hybrid model uses extortion to obscure state-sponsored persistence and intelligence goals.
A state-linked Iranian threat actor masqueraded as a ransomware affiliate to cloak espionage operations in plausible criminality, according to a new analysis from Rapid7. The cybersecurity firm’s report, released on May 6, details how the group known as MuddyWater (also tracked as Seedworm, Static Kitten, and Mango Sandstorm) exploited the Chaos ransomware brand as a cover for intelligence gathering.
The intrusion, which occurred in early 2026 at an unnamed organization, began with a simple but effective tactic: social engineering via Microsoft Teams screen sharing. Rapid7 described how the attacker, operating through a compromised user’s account, conducted initial reconnaissance, harvested credentials, and manipulated multi-factor authentication (MFA) before pivoting to legitimate accounts for deeper access. “From there, the TA established persistence using remote access tools such as DWAgent and AnyDesk, before deploying additional payloads and further control of the environment,” the report explains. After exfiltrating data, the actor contacted the victim by email, claiming theft and initiating ransom talks.
Several red flags point to state sponsorship rather than typical cybercrime. Although the threat actor claimed successful data exfiltration, the Chaos group operates a “blind” countdown timer on its data leak site, meaning no victim details could be viewed. The actor also claimed to have left a note containing “access credentials” for a secure chat in the victim’s desktop directory, but Rapid7 could not find it. Despite these inconsistencies, the stolen data was later published on the leak site. Crucially, however, no ransomware payload was actually deployed, a departure from what a financially motivated Chaos affiliate would do.
Rapid7 identified multiple technical links to MuddyWater’s previous infrastructure, including a code-signing certificate issued to “Donald Gay,” the domain moonzonet[.]com used for command-and-control, and the use of pythonw.exe to inject code into suspended processes. The group also relied on interactive Microsoft Teams sessions to harvest MFA tokens and credentials.
This is not MuddyWater’s first attempt at impersonating a ransomware operation. In late 2025, the group was tied to activity involving the Qilin RaaS ecosystem in an attack on an Israeli organization. By switching to Chaos, the report suggests, the actor may be trying to further reduce attribution risk. “The use of a RaaS framework in this context may enable the actor to blur distinctions between state-sponsored activity and financially motivated cybercrime, thereby complicating attribution,” Rapid7 said. The inclusion of extortion and negotiation elements, the firm added, could also serve to “focus defensive efforts on immediate impact, likely delaying the identification of underlying persistence mechanisms established via remote access tools such as DWAgent or AnyDesk.”
For investigators, the takeaway is clear: look “beyond overt ransomware indicators” and examine the full intrusion lifecycle. As the report concludes, “This activity is best understood as a hybrid intrusion model, in which ransomware is leveraged not as an end goal but as a mechanism for concealment, coercion, and operational flexibility within a broader intelligence-driven campaign.”
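As an added example (not code from Rapid7's report or from Infosecurity Magazine), the script below turns the report's overlaps into hunting logic a responder could run over Sysmon-style telemetry: pythonw.exe creating a remote thread in a process it spawned itself, DNS resolution of moonzonet[.]com, an image signed by the "Donald Gay" certificate, and execution of the remote-access tools that carried persistence. The events are constructed for this example and follow Sysmon's field names; the DWAgent/AnyDesk binary names, the sample paths, the DLL name and the AnyDesk command line are assumptions, not details taken from the report.

```python
"""Hunt Sysmon-like events for the MuddyWater tradecraft Rapid7 describes.
All events below are constructed for this example, not captured from the incident."""

import ntpath

C2_DOMAINS = {"moonzonet.com"}      # C2 domain named in the Rapid7 report
SIGNER_SUBJECTS = {"donald gay"}     # code-signing certificate subject named in the report
# Binary names for the remote-access tools the report names. The file names
# are an assumption for this example; check the tool's own installer on a real host.
RAT_IMAGES = {"anydesk.exe", "dwagent.exe", "dwagsvc.exe"}


def _base(path):
    """Lower-cased file name from a Windows path (works on any OS)."""
    return ntpath.basename(path).lower()


def hunt(events):
    """Return a list of (rule, detail) findings for a sequence of Sysmon-like dicts.

    Each dict carries 'EventID' plus the fields Sysmon emits for that event type
    (Image, ParentImage, ProcessId, SourceImage, TargetImage, QueryName, Signature...).
    Events must be in chronological order so a process creation precedes injection into it.
    """
    findings = []
    spawned_by = {}  # PID -> parent image name, from EventID 1
    for ev in events:
        eid = ev.get("EventID")
        if eid == 1:  # process creation
            spawned_by[ev["ProcessId"]] = _base(ev.get("ParentImage", ""))
            img = _base(ev.get("Image", ""))
            if img in RAT_IMAGES:
                findings.append(("rat_execution", f"{img} {ev.get('CommandLine', '')}".strip()))
        elif eid == 8:  # CreateRemoteThread
            if _base(ev.get("SourceImage", "")) == "pythonw.exe":
                tgt = _base(ev.get("TargetImage", ""))
                # pythonw.exe injecting into a process it spawned is the suspended-process
                # injection pattern the report ties to MuddyWater; any other remote thread
                # from pythonw.exe is still worth a look, so it gets a weaker rule name.
                own_child = spawned_by.get(ev.get("TargetProcessId")) == "pythonw.exe"
                rule = "pythonw_inject_own_child" if own_child else "pythonw_remote_thread"
                findings.append((rule, f"pythonw.exe -> {tgt}"))
        elif eid == 22:  # DNS query
            q = ev.get("QueryName", "").lower().rstrip(".")
            if q in C2_DOMAINS or any(q.endswith("." + d) for d in C2_DOMAINS):
                findings.append(("c2_dns", f"{_base(ev.get('Image', ''))} resolved {q}"))
        elif eid == 7:  # image load, carries Authenticode signer subject
            if ev.get("Signature", "").lower() in SIGNER_SUBJECTS:
                findings.append(("known_signer",
                                 f"{_base(ev.get('ImageLoaded', ''))} signed by {ev['Signature']}"))
    return findings


# Constructed sample telemetry: a benign service start, the pythonw.exe injection
# chain, a C2 lookup, a "Donald Gay"-signed DLL, a benign lookup, and two RAT launches.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 800, "Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe", "CommandLine": "svchost.exe -k netsvcs"},
    {"EventID": 1, "ProcessId": 4120, "Image": r"C:\Python311\pythonw.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "pythonw.exe update.py"},
    {"EventID": 1, "ProcessId": 5200, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Python311\pythonw.exe", "CommandLine": "notepad.exe"},
    {"EventID": 8, "SourceProcessId": 4120, "SourceImage": r"C:\Python311\pythonw.exe",
     "TargetProcessId": 5200, "TargetImage": r"C:\Windows\System32\notepad.exe"},
    {"EventID": 22, "Image": r"C:\Python311\pythonw.exe", "QueryName": "moonzonet.com"},
    {"EventID": 7, "Image": r"C:\Python311\pythonw.exe", "ImageLoaded": r"C:\Users\Public\loader.dll",
     "Signature": "Donald Gay", "SignatureStatus": "Valid"},
    {"EventID": 22, "Image": r"C:\Windows\System32\svchost.exe", "QueryName": "login.microsoftonline.com"},
    {"EventID": 1, "ProcessId": 6010, "Image": r"C:\Users\user\Downloads\AnyDesk.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "AnyDesk.exe --install"},
    {"EventID": 1, "ProcessId": 6044, "Image": r"C:\Program Files\DWAgent\dwagent.exe",
     "ParentImage": r"C:\Windows\System32\services.exe", "CommandLine": "dwagent.exe"},
]

if __name__ == "__main__":
    for rule, detail in hunt(SAMPLE_EVENTS):
        print(f"{rule:28} {detail}")
```

The benign svchost.exe and login.microsoftonline.com events produce no findings; the point of ordering the events is that the injection rule can only name the target's parent if the EventID 1 for that PID was seen first, which is also how a real hunt over exported Sysmon logs should be sorted.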
(Source: Infosecurity Magazine)
