MuddyWater Hackers Use Chaos Ransomware as Decoy in Cyber-Espionage Campaign
The Iranian-backed **MuddyWater** group has been observed using **Chaos** ransomware as a decoy to mask their cyber-espionage activities. Researchers at **Rapid7** uncovered the operation, which leveraged social engineering via **Microsoft Teams** to gain initial access and maintain persistence within targeted networks.

**MuddyWater**, an Iranian state-sponsored threat actor, has been observed disguising their operations as a **Chaos** ransomware attack. The group relied on **Microsoft Teams** social engineering to gain initial access and establish persistence within compromised systems.
### Decoy Ransomware
While the attack involved credential theft, persistence, remote access, data exfiltration, extortion emails, and even a listing on the **Chaos** leak site, investigators determined that the infrastructure and techniques employed were consistent with previous **MuddyWater** campaigns.
**Rapid7** researchers believe that the ransomware component was strategically deployed to obfuscate the true objective: cyber-espionage, and to complicate attribution efforts.
"The strategy highlights the convergence between state-sponsored intrusion activity and criminal tradecraft, where a big 'tell' lies in the techniques that were deployed - and those that weren't. This strategy suggests the primary goal was not financial gain," [explains Rapid7](https://www.rapid7.com/blog/post/tr-muddying-tracks-state-sponsored-shadow-behind-chaos-ransomware/).
Despite the deceptive facade, **Rapid7** expresses moderate confidence in attributing the incident to **MuddyWater**, a threat group also known as Static Kitten, Mango Sandstorm, and Seedworm. This attribution is based on overlapping infrastructure, a specific code-signing certificate previously used by the group to sign Stagecomp and Darkcomp malware, and shared operational tactics, techniques, and procedures (TTPs).
**MuddyWater** is known for conducting long-term network intrusion campaigns, often aligning with the objectives of Iran's Ministry of Intelligence and Security (MOIS).
**Chaos** is a ransomware-as-a-service (RaaS) operation that emerged in 2025, known for its big-game hunting tactics, double-extortion methods, and social engineering campaigns primarily targeting organizations in the United States.
### Attack Progression
The intrusion examined by **Rapid7** began with social engineering via **Microsoft Teams**. Attackers initiated chats with employees, established screen-sharing sessions, harvested credentials, manipulated multi-factor authentication (MFA) settings, and, in some cases, deployed **AnyDesk** for remote access.
Credential theft occurred either through phishing pages disguised as **Microsoft** Quick Assist or by tricking victims into entering their passwords into local text files.
After compromising accounts, the attackers authenticated to internal systems, including a domain controller, and established persistence using RDP, DWAgent, and **AnyDesk**.
Next, they deployed a malware loader (ms_upd.exe) to drop a custom backdoor (Game.exe), disguised as a **Microsoft WebView2** application. This malware featured anti-analysis and anti-VM checks and supported 12 commands, including **PowerShell** and CMD command execution, file upload and deletion, and persistent shell access.
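A defender-side hunt over process-creation telemetry for the chain just described (loader, backdoor posing as WebView2, remote-access tools), as an added example that is not part of the article or of Rapid7's report. The indicator names come from the page; the JSON event layout, the Signer/Description field names, the remote-tool binary names and the sample events are assumptions constructed here.

```python
"""Hunt for the Attack Progression TTPs in newline-delimited JSON process events.
Indicator names (ms_upd.exe, Game.exe posing as WebView2, AnyDesk, DWAgent) come
from the page; the Sysmon-like event shape and field names are constructed."""
import json
from typing import Iterable

# Loader and backdoor file names reported on the page.
KNOWN_BAD_IMAGES = {"ms_upd.exe", "game.exe"}
# Remote-access tools used for persistence (binary names are an assumption).
REMOTE_TOOLS = {"anydesk.exe", "dwagent.exe"}
# A binary describing itself as WebView2 without a Microsoft signer is a masquerade.
WEBVIEW2_MARKER = "webview2"
TRUSTED_SIGNER = "microsoft"


def classify(event: dict) -> list[str]:
    """Return the names of every rule the event trips (empty list = no finding)."""
    image = event.get("Image", "").replace("\\", "/").rsplit("/", 1)[-1].lower()
    desc = event.get("Description", "").lower()
    signer = event.get("Signer", "").lower()
    hits = []
    if image in KNOWN_BAD_IMAGES:
        hits.append("known_loader_or_backdoor")
    if WEBVIEW2_MARKER in desc and TRUSTED_SIGNER not in signer:
        hits.append("webview2_masquerade")
    if image in REMOTE_TOOLS:
        hits.append("remote_access_tool")
    return hits


def hunt(lines: Iterable[str]) -> list[tuple[str, list[str]]]:
    """Run classify() over each JSON line; keep (image path, rules) for matches."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        event = json.loads(line)
        hits = classify(event)
        if hits:
            findings.append((event["Image"], hits))
    return findings


# Constructed sample events: loader, masquerading backdoor, remote tool, two benign.
SAMPLE_LOG = r"""
{"Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\ms_upd.exe", "Description": "Update", "Signer": ""}
{"Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\Game.exe", "Description": "Microsoft Edge WebView2", "Signer": "Example Signer Ltd"}
{"Image": "C:\\Program Files (x86)\\AnyDesk\\AnyDesk.exe", "Description": "AnyDesk", "Signer": "AnyDesk Software GmbH"}
{"Image": "C:\\Program Files (x86)\\Microsoft\\EdgeWebView\\Application\\msedgewebview2.exe", "Description": "Microsoft Edge WebView2", "Signer": "Microsoft Corporation"}
{"Image": "C:\\Windows\\System32\\notepad.exe", "Description": "Notepad", "Signer": "Microsoft Windows"}
"""
```

Running `hunt(SAMPLE_LOG.splitlines())` flags the first three events and leaves the genuine WebView2 runtime and Notepad alone; in production the signer check should rely on verified Authenticode results rather than a self-reported string.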

**Rapid7** notes that **MuddyWater** has a history of using ransomware to mask cyber-espionage operations. In late 2025, the threat actor deployed **Qilin** ransomware in an attack against an Israeli organization.
The researchers suggest that the threat group might have shifted to a different ransomware "brand" following the attribution of that late 2025 attack to MOIS operatives.