The Iranian state-sponsored hacking group known as MuddyWater (aka Mango Sandstorm, Seedworm, and Static Kitten) has been attributed to a ransomware attack in what has been described as a “false flag” operation.
The attack, observed by Rapid7 in early 2026, has been found to leverage social engineering techniques via Microsoft Teams to initiate the infection sequence. Although the incident initially appeared to be consistent with a ransomware-as-a-service (RaaS) group operating under the Chaos brand, evidence points to it being a targeted state-backed attack that masquerades as opportunistic extortion.
“The campaign was characterized by a high-touch social engineering phase conducted via Microsoft Teams, where the attackers utilized interactive screen-sharing to harvest credentials and manipulate multi-factor authentication (MFA),” Rapid7 said in a report shared with The Hacker News.
“Once inside, the group bypassed traditional ransomware workflows, forgoing file encryption in favor of data exfiltration and long-term persistence via remote management tools like DWAgent.”
The findings indicate that MuddyWater is attempting to muddy attribution efforts by increasingly relying on off-the-shelf tools available in the cybercrime underground to conduct its attacks. This shift has also been documented by Ctrl-Alt-Intel, Broadcom, Check Point, and JUMPSEC in recent months, highlighting the adversary’s use of CastleRAT and Tsundere.
With that said, this is not the first time MuddyWater has conducted ransomware attacks. In September 2020, the threat actor was attributed to a campaign targeting prominent Israeli organizations with a loader called PowGoop that deployed a variant of Thanos ransomware with destructive capabilities.
Then, in 2023, Microsoft disclosed that the hacking group teamed up with DEV-1084, a threat actor known to use the DarkBit persona, to conduct destructive attacks under the pretext of deploying ransomware. As recently as October 2025, the attackers are believed to have used the Qilin ransomware to target an Israeli government hospital.
“In this case, the emerging picture was that the attackers were likely Iranian-affiliated operators working through the cyber criminal ecosystem, using a criminal ransomware brand and methods associated with the broader extortion market, while serving a strategic Iranian objective,” Check Point noted back in March.
“The use of Qilin, and participation in its affiliate program, likely serves not only as a layer of cover and plausible deniability, but also as a meaningful operational enabler, especially as earlier attacks appear to have heightened security measures and monitoring by Israeli authorities.”
Chaos is a RaaS group that emerged in early 2025. Known for its double extortion model, the threat actor has advertised its affiliate program on cybercrime forums, like RAMP and RehubCom.
Attacks mounted by the e-crime gang leverage a combination of mail flooding and vishing using Teams, often by impersonating IT support personnel, to trick victims into installing remote access tools like Microsoft Quick Assist, and then abuse that foothold to burrow deeper into the victim’s environment and deploy ransomware.
“The group has also demonstrated triple extortion by threatening distributed denial-of-service (DDoS) attacks against the victim’s infrastructure,” Rapid7 said. “These capabilities are reportedly offered to affiliates as part of bundled services, representing a notable feature of its RaaS model. Additionally, Chaos has been observed leveraging elements of quadruple extortion, including threats to contact customers or competitors to increase pressure on victims.”
As of late March 2026, Chaos has claimed 36 victims on its data leak site, most of which are located in the U.S. Construction, manufacturing, and business services are some of the prominent sectors targeted by the group.
In the intrusion analyzed by Rapid7, the threat actor is said to have initiated external chat requests via Teams to engage with employees and obtain initial access through screen-sharing sessions, followed by using compromised user accounts to conduct reconnaissance, establish persistence using tools like DWAgent and AnyDesk, move laterally, and exfiltrate data. The victim was then contacted via email for ransom negotiations.
“While connected, the TA [threat actor] executed basic discovery commands, accessed files related to the victim’s VPN configuration, and instructed users to enter their credentials into locally created text files,” Rapid7 explained. “In at least one instance, the TA also deployed a remote management tool (AnyDesk) to further facilitate access.”
The threat actor has also been observed using RDP to download an executable (“ms_upd.exe”) from an external server (“172.86.126[.]208”) using the curl utility. Upon execution, the binary kicks off a multi-stage infection chain that delivers more malicious components.
A brief description of the malware families is below –
- ms_upd.exe (aka Stagecomp), which collects system information and reaches out to a command-and-control (C2) server to drop next-stage payloads (game.exe, WebView2Loader.dll, and visualwincomp.txt).
- game.exe (aka Darkcomp), which is a bespoke remote access trojan (RAT) that masquerades as a legitimate Microsoft WebView2 application. It’s a trojanized version of the official Microsoft WebView2APISample project.
- WebView2Loader.dll, a legitimate DLL downloaded by ms_upd.exe. It’s required by Microsoft Edge WebView2 to embed web content in Windows applications.
- visualwincomp.txt, an encrypted configuration used by the RAT to obtain the C2 information.
The RAT connects to the C2 server and enters an infinite loop to poll for new commands every 60 seconds, allowing it to run commands or PowerShell scripts, perform file operations, and spawn an interactive cmd.exe shell or PowerShell.
The campaign’s links to MuddyWater stem from the use of a code-signing certificate attributed to “Donald Gay” to sign “ms_upd.exe.” The certificate has been previously put to use by the threat cluster to sign its malware, including a CastleLoader downloader called Fakeset.
These findings underscore the growing convergence of state-sponsored intrusion activity and cybercriminal tradecraft to obscure attribution and delay appropriate defensive response.
“The use of a RaaS framework in this context may enable the actor to blur distinctions between state-sponsored activity and financially motivated cybercrime, thereby complicating attribution,” Rapid7 said. “Furthermore, the inclusion of extortion and negotiation elements could serve to focus defensive efforts on immediate impact, likely delaying the identification of underlying persistence mechanisms established via remote access tools such as DWAgent or AnyDesk.”
“Notably, the apparent absence of file encryption, despite the presence of Chaos ransomware artifacts, represents a deviation from typical ransomware behavior.
Uncovering a Complex Cyber Intrusion Targeting Omani Government Institutions
Recent findings suggest that a ransomware component may have served as a tool for facilitating or obscuring rather than being the primary objective of a cyber intrusion.
The revelations surfaced as Hunt.io disclosed details of an operation linked to Iran that aimed at exfiltrating over 26,000 Ministry of Justice user records, judicial case data, committee decisions, and SAM and SYSTEM registry hives from Omani government institutions.
Notably, an open directory on 172.86.76[.]127, a RouterHosting VPS located in the United Arab Emirates, exposed an ongoing intrusion campaign against the Omani government. The toolkit, C2 code, session logs, and exfiltrated data were all conspicuously present, with the Ministry of Justice and Legal Affairs (mjla.gov[.]om) identified as the primary target.
Simultaneously, there has been a surge in activities from hacktivist groups aligned with Iran, including Handala Hack, which purportedly disclosed information on close to 400 U.S. Navy personnel in the Persian Gulf. Furthermore, the group claimed responsibility for an attack on the Port of Fujairah in the UAE, leading to a breach of internal systems and leakage of approximately 11,000 sensitive documents.
Sergey Shykevich, a group manager at Check Point Research, highlighted a concerning escalation in Iranian-linked cyber operations, involving surveillance through compromised cameras, the leak of sensitive documents from Israel’s former Military Chief of Staff, and a rise in attack frequency across the region.
Shykevich emphasized the interconnectedness of cyber and kinetic domains, citing the alleged use of stolen port infrastructure data for physical missile targeting in the Port of Fujairah incident. The evolving nature of the threat indicates a shift from intelligence gathering to potential physical harm.
As the cyber landscape continues to evolve, the interconnectedness of cyber and physical threats poses significant challenges. The current wave of cyber activities underscores the need for heightened vigilance and proactive measures to safeguard critical infrastructure and sensitive data.
