
MuddyWater Uses Microsoft Teams to Steal Credentials in False Flag Ransomware Attack

The Iranian state-sponsored hacking group known as MuddyWater (aka Mango Sandstorm, Seedworm, and Static Kitten) has been attributed to a ransomware attack in what has been described as a "false flag" operation.

The attack, observed by Rapid7 in early 2026, has been found to leverage social engineering techniques via Microsoft Teams to initiate the infection sequence. Although the incident initially appeared to be consistent with a ransomware-as-a-service (RaaS) group operating under the Chaos brand, evidence points to it being a targeted state-backed attack that masquerades as opportunistic extortion.

"The campaign was characterized by a high-touch social engineering phase conducted via Microsoft Teams, where the attackers used interactive screen-sharing to harvest credentials and manipulate multi-factor authentication (MFA)," Rapid7 said in a report shared with The Hacker News.

"Once inside, the group bypassed traditional ransomware workflows, forgoing file encryption in favor of data exfiltration and long-term persistence via remote administration tools like DWAgent."

The findings indicate that MuddyWater is attempting to muddy attribution efforts by increasingly relying on off-the-shelf tools available in the cybercrime underground to conduct its attacks. This shift has also been documented by Ctrl-Alt-Intel, Broadcom, Check Point, and JUMPSEC in recent months, highlighting the adversary's use of CastleRAT and Tsundere.

That said, this isn't the first time MuddyWater has conducted ransomware attacks. In September 2020, the threat actor was attributed to a campaign targeting prominent Israeli organizations with a loader called PowGoop that deployed a variant of Thanos ransomware with destructive capabilities.

Then, in 2023, Microsoft disclosed that the hacking group teamed up with DEV-1084, a threat actor known to use the DarkBit persona, to conduct destructive attacks under the pretext of deploying ransomware. As recently as October 2025, the attackers are believed to have used the Qilin ransomware to target an Israeli government hospital.

"In this case, the emerging picture was that the attackers were likely Iranian-affiliated operators working through the cyber criminal ecosystem, using a criminal ransomware brand and techniques associated with the broader extortion market, while serving a strategic Iranian objective," Check Point noted back in March.


"The use of Qilin, and participation in its affiliate program, likely serves not only as a layer of cover and plausible deniability, but also as a significant operational enabler, especially as earlier attacks appear to have heightened security measures and monitoring by Israeli authorities."

Chaos is a RaaS group that emerged in early 2025. Known for its double extortion model, the threat actor has advertised its affiliate program on cybercrime forums, like RAMP and RehubCom.

Attacks mounted by the e-crime gang leverage a combination of mail flooding and vishing using Teams, often by impersonating IT support personnel, to trick victims into installing remote access tools like Microsoft Quick Assist, and then abuse that foothold to burrow deeper into the victim's environment and deploy ransomware.

"The group has also demonstrated triple extortion by threatening distributed denial-of-service (DDoS) attacks against the victim's infrastructure," Rapid7 said. "These capabilities are reportedly offered to affiliates as part of bundled services, representing a notable feature of its RaaS model. Additionally, Chaos has been observed leveraging elements of quadruple extortion, including threats to contact customers or competitors to increase pressure on victims."

As of late March 2026, Chaos has claimed 36 victims on its data leak site, most of which are located in the U.S. Construction, manufacturing, and business services are among the prominent sectors targeted by the group.

In the intrusion analyzed by Rapid7, the threat actor is said to have initiated external chat requests via Teams to engage with employees and obtain initial access through screen-sharing sessions, followed by using compromised user accounts to conduct reconnaissance, establish persistence using tools like DWAgent and AnyDesk, move laterally, and exfiltrate data. The victim was then contacted via email for ransom negotiations.

"While connected, the TA [threat actor] executed basic discovery commands, accessed files related to the victim's VPN configuration, and instructed users to enter their credentials into locally created text files," Rapid7 explained. "In at least one instance, the TA also deployed a remote administration tool (AnyDesk) to further facilitate access."


The threat actor has also been observed using RDP to download an executable ("ms_upd.exe") from an external server ("172.86.126[.]208") using the curl utility. Upon execution, the binary kicks off a multi-stage infection chain that delivers additional malicious components.

A brief description of the malware families is below –

  • ms_upd.exe (aka Stagecomp), which collects system information and reaches out to a command-and-control (C2) server to drop next-stage payloads (game.exe, WebView2Loader.dll, and visualwincomp.txt).
  • game.exe (aka Darkcomp), which is a bespoke remote access trojan (RAT) that masquerades as a legitimate Microsoft WebView2 application. It is a trojanized version of the official Microsoft WebView2APISample project.
  • WebView2Loader.dll, a legitimate DLL downloaded by ms_upd.exe. It is required by Microsoft Edge WebView2 to embed web content in Windows applications.
  • visualwincomp.txt, an encrypted configuration used by the RAT to obtain the C2 information.

The RAT connects to the C2 server and enters an infinite loop to poll for new commands every 60 seconds, allowing it to run commands or PowerShell scripts, perform file operations, and spawn an interactive cmd.exe shell or PowerShell.
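A fixed 60-second polling interval like the one described above leaves a network-side signature that defenders can look for. As an added example that is not part of Rapid7's report, the following Python script computes the gaps between successive connections for each host/destination pair in a connection log and flags pairs whose gaps cluster tightly around 60 seconds; the log format, hostname and IP addresses are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample connection log (not from the report): workstation ws17 reaches a
# constructed C2 address (203.0.113.10) on a ~60 s timer, mixed with irregular web traffic.
SAMPLE_LOG = """\
2026-03-02T09:00:00Z host=ws17 dst=203.0.113.10:443 proto=tcp
2026-03-02T09:00:05Z host=ws17 dst=93.184.216.34:443 proto=tcp
2026-03-02T09:01:00Z host=ws17 dst=203.0.113.10:443 proto=tcp
2026-03-02T09:01:59Z host=ws17 dst=203.0.113.10:443 proto=tcp
2026-03-02T09:02:31Z host=ws17 dst=93.184.216.34:443 proto=tcp
2026-03-02T09:03:01Z host=ws17 dst=203.0.113.10:443 proto=tcp
2026-03-02T09:04:00Z host=ws17 dst=203.0.113.10:443 proto=tcp
2026-03-02T09:04:45Z host=ws17 dst=93.184.216.34:443 proto=tcp
2026-03-02T09:05:00Z host=ws17 dst=203.0.113.10:443 proto=tcp
"""
LINE_RE = re.compile(r"^(\S+) host=(\S+) dst=(\S+):\d+ ")

def parse_connections(log):
    """Group connection timestamps by (host, destination IP)."""
    series = defaultdict(list)
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the constructed format
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        series[(m.group(2), m.group(3))].append(ts)
    return series

def find_beacons(log, period=60.0, tolerance=0.1, min_events=5):
    """Flag (host, dst) pairs whose gaps between connections cluster around
    `period` seconds with low jitter, the signature of a fixed-interval poll."""
    hits = []
    for (host, dst), stamps in parse_connections(log).items():
        if len(stamps) < min_events:
            continue  # too few events to judge periodicity
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg, jitter = mean(gaps), pstdev(gaps)
        if abs(avg - period) <= period * tolerance and jitter <= period * tolerance:
            hits.append({"host": host, "dst": dst, "events": len(stamps),
                         "mean_gap_s": round(avg, 1), "jitter_s": round(jitter, 1)})
    return hits

if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(hit)  # one hit: ws17 -> 203.0.113.10, mean gap 60.0 s, jitter 1.1 s
```

Real implants often add random sleep jitter, so in production the tolerance and minimum event count should be tuned against baseline traffic rather than left at these values.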

The campaign's links to MuddyWater stem from the use of a code-signing certificate attributed to "Donald Gay" to sign "ms_upd.exe." The certificate has previously been used by the threat cluster to sign its malware, including a CastleLoader downloader called Fakeset.

These findings underscore the growing convergence of state-sponsored intrusion activity and cybercriminal tradecraft to obscure attribution and delay an appropriate defensive response.

"The use of a RaaS framework in this context may allow the actor to blur distinctions between state-sponsored activity and financially motivated cybercrime, thereby complicating attribution," Rapid7 said. "Additionally, the inclusion of extortion and negotiation elements may serve to focus defensive efforts on immediate impact, likely delaying the identification of underlying persistence mechanisms established via remote access tools such as DWAgent or AnyDesk."

"Notably, the apparent absence of file encryption, despite the presence of Chaos ransomware artifacts, represents a deviation from typical ransomware behavior. This inconsistency may indicate that the ransomware component functioned primarily as a facilitating or obfuscation mechanism, rather than as the primary objective of the intrusion."


The development comes as Hunt.io revealed details of an Iranian-nexus operation targeting Omani government institutions to exfiltrate more than 26,000 Ministry of Justice user records, judicial case data, committee decisions, and SAM and SYSTEM registry hives.

"An open directory on 172.86.76[.]127, a RouterHosting VPS in the United Arab Emirates, surfaced an active intrusion campaign against the Omani government, with the toolkit, C2 code, session logs, and exfiltrated data all sitting in plain sight," the company said. "The primary target was the Ministry of Justice and Legal Affairs (mjla.gov[.]om)."

The discovery also coincides with continued activity from pro-Iran-aligned hacktivist groups, such as Handala Hack, which has claimed to have published details on nearly 400 U.S. Navy personnel in the Persian Gulf and carried out an attack on the Port of Fujairah in the United Arab Emirates, enabling it to gain access to its internal systems and leak about 11,000 sensitive documents related to invoices, shipping records, and customs paperwork.

"A month ago, we documented a broad escalation in Iranian-linked cyber operations — surveillance via hacked cameras, the leak of thousands of highly sensitive documents from Israel's former Navy Chief of Staff, and a measurable rise in attack volume across the region. We said then that further escalation was likely," Sergey Shykevich, group manager at Check Point Research, told The Hacker News.

"The claimed attack on the Port of Fujairah is that escalation, if confirmed. What's changed is the nature of the threat: this is no longer about intelligence gathering or public embarrassment. Stolen port infrastructure data was allegedly used to enable physical missile targeting."

"The cyber and kinetic domains are now explicitly linked. This campaign is not slowing down. Every quiet period on the physical front has historically been followed by intensified cyber activity — and what we're seeing now is the most serious manifestation of that pattern to date."
