
Unmasking MuddyWater’s Deception: State-Sponsored Hackers Exploit Microsoft Teams in ‘False Flag’ Ransomware Scheme


State-Sponsored Deception: MuddyWater’s Evolving Tactics

The Iranian state-sponsored hacking group known as MuddyWater (also tracked as Mango Sandstorm, Seedworm, and Static Kitten) has been linked to a series of ‘false flag’ ransomware attacks. Observed by cybersecurity firm Rapid7 in early 2026, these operations use social engineering over Microsoft Teams to gain initial access, blurring the line between state-backed espionage and opportunistic cybercrime.

Initial assessments pointed to Chaos, an established ransomware-as-a-service (RaaS) group, but deeper analysis revealed a targeted, state-sponsored intrusion dressed up as ordinary extortion. The misdirection is deliberate: it complicates attribution and makes it harder for defenders to identify who is actually behind the breach.

The Microsoft Teams Deception: A New Frontier for Credential Theft

Rapid7’s investigation describes a ‘high-touch’ social engineering phase in which the attackers engage victims directly through Microsoft Teams. This interactive approach relies on screen-sharing sessions, during which the operators harvest credentials and manipulate the victim’s multi-factor authentication (MFA) flow while they watch.

Once inside the target network, MuddyWater departs from the conventional ransomware playbook. Rather than encrypting files for ransom, the group prioritizes data exfiltration and long-term persistence through remote management tools such as DWAgent. This reflects its real objective: intelligence gathering and strategic disruption rather than financial gain.

Muddying the Waters: A History of Attribution Evasion

The combination of off-the-shelf tooling and a ‘false flag’ narrative is a deliberate attempt by MuddyWater to obscure its tracks. Other security researchers, including Ctrl-Alt-Intel, Broadcom, Check Point, and JUMPSEC, have documented the same pattern, noting the adversary’s adoption of tools such as CastleRAT and Tsundere.

This is not MuddyWater’s first foray into ransomware. In September 2020, the group targeted Israeli organizations with the PowGoop loader, deploying a destructive variant of Thanos ransomware. In 2023, Microsoft revealed MuddyWater’s collaboration with DEV-1084 (the DarkBit persona) in destructive attacks disguised as ransomware deployments. More recently, in October 2025, the group was suspected of using Qilin ransomware against an Israeli government hospital.

Check Point elaborated on this strategy, noting, “The emerging picture was that the attackers were likely Iranian-affiliated operators working through the cyber criminal ecosystem, using a criminal ransomware brand and methods associated with the broader extortion market, while serving a strategic Iranian objective.” The adoption of RaaS affiliate programs like Qilin’s provides both plausible deniability and operational advantages, especially as targets enhance their security measures.

Chaos RaaS: The Unwitting Accomplice?

Chaos, a RaaS group that emerged in early 2025, is known for an aggressive double-extortion model and has advertised its affiliate program on prominent cybercrime forums. Its typical attack vector combines mail flooding with ‘vishing’ over Teams: affiliates impersonate IT support and talk the victim into launching remote access tools such as Microsoft Quick Assist, which ships with Windows. That initial foothold is then used to deepen access and deploy ransomware.

Beyond double extortion, Chaos has also practiced triple extortion (threatening DDoS attacks) and quadruple extortion (threatening to contact the victim’s customers or competitors). These capabilities, offered to affiliates as bundled services, illustrate the maturity of the RaaS ecosystem whose brand MuddyWater is borrowing.

As of late March 2026, Chaos had claimed 36 victims, predominantly in the U.S., across sectors like construction, manufacturing, and business services.

Anatomy of a MuddyWater Intrusion

Rapid7’s analysis of a specific intrusion revealed MuddyWater’s meticulous approach:

  • Initial Access: External chat requests via Teams engaged employees, leading to screen-sharing sessions for initial access.
  • Reconnaissance & Persistence: Compromised user accounts were used for reconnaissance, followed by establishing persistence with tools like DWAgent and AnyDesk.
  • Lateral Movement & Exfiltration: The group moved laterally within the network and exfiltrated data.
  • Ransom Negotiation (False Flag): The victim was then contacted via email for ransom negotiations, reinforcing the ransomware facade.

During these sessions, the threat actor ran basic discovery commands, accessed VPN configuration files, and even instructed users to type their credentials into local text files. The operators also deployed AnyDesk for additional remote access and, from an RDP session, downloaded an executable (“ms_upd.exe”) from an external server, which initiated a multi-stage infection chain.
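The chain above, and the Chaos vector described earlier (Teams vishing followed by a remote access tool), share a detectable shape: an external Teams contact, then an unsanctioned remote management tool or an executable download on the same user’s machine shortly afterwards. The following is an added example of that correlation logic; it is not code from the article, Rapid7, or any vendor. The event schema (`source`, `op`, `user`, `image`, `url`) is a constructed, simplified JSON-style format, not the real Microsoft 365 audit or EDR schema, and the sample telemetry, the `ALLOWED_EXE_HOSTS` entry, and the 203.0.113.10 address (RFC 5737 documentation range) are all made up for the demonstration.

```python
"""Correlate external Teams contact with follow-on RMM installs / executable downloads.

Added example, not from the article or from Rapid7. The event fields below are a
constructed, simplified schema; map real Teams audit, EDR and proxy telemetry onto
them before use.
"""
from datetime import datetime, timedelta

# Remote access tools named on this page (DWAgent, AnyDesk, Quick Assist), matched by
# image basename prefix so renamed installers such as dwagent_x86.exe still match.
RMM_IMAGES = {"dwagent", "dwagsvc", "anydesk", "quickassist"}

# Hosts from which executable downloads are expected (assumption: your own
# software-distribution infrastructure).
ALLOWED_EXE_HOSTS = {"updates.corp.example"}

# An RMM install or .exe download this long after an external Teams contact is treated
# as part of the same social-engineering session.
WINDOW = timedelta(hours=24)

# Constructed sample telemetry. jdoe's sequence mirrors the intrusion on this page;
# asmith is a benign, IT-sanctioned AnyDesk launch with no preceding external contact.
SAMPLE_EVENTS = [
    {"ts": "2026-03-10T09:02:00", "source": "teams_audit", "op": "ChatCreated",
     "user": "jdoe", "external": True, "peer_domain": "outlook.com"},
    {"ts": "2026-03-10T09:40:00", "source": "edr", "op": "ProcessCreate", "user": "jdoe",
     "host": "WS01", "image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\dwagent_x86.exe"},
    {"ts": "2026-03-10T10:05:00", "source": "edr", "op": "ProcessCreate", "user": "jdoe",
     "host": "WS01", "image": "C:\\Users\\jdoe\\Downloads\\AnyDesk.exe"},
    {"ts": "2026-03-10T11:30:00", "source": "proxy", "op": "Download", "user": "jdoe",
     "host": "WS01", "url": "http://203.0.113.10/ms_upd.exe"},
    {"ts": "2026-03-11T14:00:00", "source": "edr", "op": "ProcessCreate", "user": "asmith",
     "host": "WS02", "image": "C:\\Program Files (x86)\\AnyDesk\\AnyDesk.exe"},
    {"ts": "2026-03-12T08:00:00", "source": "teams_audit", "op": "ChatCreated",
     "user": "asmith", "external": False, "peer_domain": "corp.example"},
]


def _parse(ts: str) -> datetime:
    return datetime.fromisoformat(ts)


def _image_name(path: str) -> str:
    """Lower-cased basename without extension; accepts Windows or POSIX separators."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return name.rsplit(".", 1)[0]


def _is_rmm(event: dict) -> bool:
    if event.get("op") != "ProcessCreate":
        return False
    base = _image_name(event["image"])
    return any(base.startswith(tool) for tool in RMM_IMAGES)


def _is_unexpected_exe_download(event: dict) -> bool:
    if event.get("op") != "Download":
        return False
    url = event["url"].lower()
    if not url.endswith(".exe"):
        return False
    host = url.split("//", 1)[-1].split("/", 1)[0]
    return host not in ALLOWED_EXE_HOSTS


def correlate(events: list[dict]) -> list[dict]:
    """Return one alert per suspicious event that follows an external Teams contact by
    the same user within WINDOW. Events are sorted first so out-of-order logs work."""
    ordered = sorted(events, key=lambda e: _parse(e["ts"]))
    last_external_contact: dict[str, datetime] = {}
    alerts = []
    for ev in ordered:
        t = _parse(ev["ts"])
        user = ev["user"]
        if ev["source"] == "teams_audit" and ev.get("external"):
            last_external_contact[user] = t  # anchor for this user's window
            continue
        anchor = last_external_contact.get(user)
        if anchor is None or t - anchor > WINDOW:
            continue  # no recent external contact for this user: not part of the chain
        minutes = int((t - anchor).total_seconds() // 60)
        if _is_rmm(ev):
            alerts.append({"user": user, "rule": "rmm_after_external_teams_contact",
                           "evidence": ev["image"], "minutes_after_contact": minutes})
        elif _is_unexpected_exe_download(ev):
            alerts.append({"user": user, "rule": "exe_download_after_external_teams_contact",
                           "evidence": ev["url"], "minutes_after_contact": minutes})
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Run against the sample, the logic raises three alerts for jdoe (DWAgent, AnyDesk, then the ms_upd.exe download) and none for asmith, whose AnyDesk launch had no external Teams contact in the preceding 24 hours. The point of anchoring on the external contact rather than on the tool alone is precision: AnyDesk and Quick Assist are common in legitimate helpdesk use, so the Teams event is what turns a noisy signal into an alert worth paging on.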

The Enduring Threat

MuddyWater’s adoption of ‘false flag’ ransomware operations via Microsoft Teams marks a notable evolution in state-sponsored intrusion tradecraft. By mimicking cybercriminal groups, the actor complicates attribution and evades the defensive posture organizations reserve for nation-state threats. Practical countermeasures follow directly from the intrusion described above: restrict external Teams access to approved domains, train staff to treat unsolicited IT-support chats and screen-sharing requests as suspicious, use phishing-resistant MFA that cannot be talked through during a screen share, and alert on installs of remote management tools such as DWAgent and AnyDesk that IT did not sanction. A tested incident response plan remains essential for when those controls fail.

