Fyself News
Identity
MuddyWater uses Microsoft Teams to steal credentials in false flag ransomware attack

May 6, 2026

An Iranian state-backed hacking group known as MuddyWater (also tracked as Mango Sandstorm, Seedworm, and Static Kitten) is believed to be behind a ransomware attack that researchers have characterized as a “false flag operation.”

This attack, observed by Rapid7 in early 2026, was found to utilize social engineering techniques via Microsoft Teams to initiate the infection sequence. Although this incident initially appeared to be consistent with a ransomware-as-a-service (RaaS) group operating under the Chaos brand, evidence indicates it was a targeted state-sponsored attack disguised as opportunistic extortion.

“This campaign featured a high-touch social engineering phase conducted via Microsoft Teams, where the attackers leveraged interactive screen sharing to collect credentials and manipulate multi-factor authentication (MFA),” Rapid7 said in a report shared with The Hacker News.

“Once inside, the group bypassed traditional ransomware workflows and ignored file encryption in favor of data extraction and long-term storage via remote management tools such as DWAgent.”

The findings indicate that MuddyWater is attempting to hinder attribution of its attacks by relying more heavily on off-the-shelf tools available in the cybercrime underground. This shift has also been documented by Ctrl-Alt-Intel, Broadcom, Check Point, and JUMPSEC in recent months, highlighting the group’s use of CastleRAT and Tsundere.

That said, this is not the first time MuddyWater has carried out a ransomware attack. In September 2020, the group was implicated in a campaign targeting prominent organizations in Israel that used a loader called PowGoop to deploy a variant of the Thanos ransomware with destructive capabilities.

Then, in 2023, Microsoft revealed that the group collaborated with another threat actor, tracked as DEV-1084 and known for using the DarkBit persona, to carry out destructive attacks under the pretext of deploying ransomware. As recently as October 2025, the attackers are believed to have used Qilin ransomware to target Israeli government hospitals.

“In this case, the overall picture that emerged was that the attackers were likely Iranian-linked operators operating through the cybercrime ecosystem, using criminal ransomware brands and techniques associated with the broader extortion market, while achieving Iran’s strategic objectives,” Check Point noted in March.

“The use of Qilin and its participation in related programs is likely to serve not only as a layer of cover and plausible deniability, but also as a meaningful operational enabler, especially as previous attacks appear to have increased security measures and oversight by Israeli authorities.”

Chaos is a RaaS group that emerged in early 2025. Known for its double extortion model, the group promotes affiliate programs on cybercrime forums such as RAMP and RehubCom.

Attacks by the cybercrime group typically impersonate IT support staff, combine email flooding with Teams-based vishing to trick victims into installing remote access tools such as Microsoft Quick Assist, and use that foothold to penetrate deeper into the victim’s environment and deploy ransomware.

“The group has also demonstrated triple extortion by threatening distributed denial of service (DDoS) attacks against victims’ infrastructure,” Rapid7 said. “These features are reportedly offered to affiliates as part of a bundled service and represent a notable feature of the RaaS model. Additionally, Chaos has been observed to utilize quadruple extortion elements, including threats to contact customers and competitors to increase pressure on victims.”

As of late March 2026, Chaos has announced 36 victims on its data breach site. Most of them are located in the United States. Construction, manufacturing and business services are some of the prominent sectors targeted by the group.

In the breach analyzed by Rapid7, the attackers are said to have initiated external chat requests via Teams, engaged employees, and gained initial access through screen sharing sessions. They then used the compromised user accounts to conduct reconnaissance, deployed tools such as DWAgent and AnyDesk to establish persistence, moved laterally, and stole data. The victim was later contacted via email to negotiate the ransom.

“While connecting, the TA [threat actor] instructed the users to run basic detection commands, access files related to the victim’s VPN configuration, and enter credentials into a locally created text file. In at least one instance, the TA also deployed a remote management tool (AnyDesk) to further facilitate access,” Rapid7 explained.

The threat actors have also been observed using an RDP session to download an executable file (‘ms_upd.exe’) from an external server (172.86.126[.]208) with the curl utility and then run it. Once executed, the binary begins a multi-step infection chain that drops further malicious components.

A brief description of the malware components follows.

  • ms_upd.exe (also known as Stagecomp): collects system information, connects to a command and control (C2) server, and drops the next-stage payload (game.exe, WebView2Loader.dll, and Visualwincomp.txt).
  • game.exe (also known as Darkcomp): a custom-built remote access trojan (RAT) that masquerades as a legitimate Microsoft WebView2 application. It is a trojanized version of the official Microsoft WebView2APISample project.
  • WebView2Loader.dll: a legitimate DLL downloaded by ms_upd.exe. Microsoft Edge WebView2 is required for embedding web content in Windows applications.
  • Visualwincomp.txt: the encrypted configuration used by the RAT to retrieve C2 information.

The RAT connects to the C2 server and enters an infinite loop, polling for new commands every 60 seconds. This allows the RAT to run commands or PowerShell scripts, perform file operations, and launch an interactive cmd.exe shell or PowerShell.
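A RAT that polls its C2 server on a fixed 60-second cycle, as described above, leaves a regular rhythm in proxy or firewall logs that ordinary browsing does not. The following Python script is an added example, not code from Rapid7 or from the article, and works on constructed sample log lines in a simplified `timestamp src dst` format (assumed, not any vendor’s real format). It flags host-to-destination pairs whose inter-connection gaps cluster tightly around one value, which is the generic check behind most beaconing detections rather than anything specific to this malware family.

```python
"""Flag fixed-interval beaconing between an internal host and an external
address in connection logs. Added example; the log lines are constructed."""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample: one host polling 203.0.113.50 every ~60 s (a beacon),
# one host talking to 198.51.100.9 at irregular, browsing-like intervals.
SAMPLE_LOG = """\
2026-03-02T09:00:00Z 10.0.0.15 203.0.113.50
2026-03-02T09:01:00Z 10.0.0.15 203.0.113.50
2026-03-02T09:02:01Z 10.0.0.15 203.0.113.50
2026-03-02T09:03:00Z 10.0.0.15 203.0.113.50
2026-03-02T09:04:01Z 10.0.0.15 203.0.113.50
2026-03-02T09:05:00Z 10.0.0.15 203.0.113.50
2026-03-02T09:00:07Z 10.0.0.22 198.51.100.9
2026-03-02T09:00:09Z 10.0.0.22 198.51.100.9
2026-03-02T09:02:40Z 10.0.0.22 198.51.100.9
2026-03-02T09:03:02Z 10.0.0.22 198.51.100.9
2026-03-02T09:15:55Z 10.0.0.22 198.51.100.9
2026-03-02T09:15:58Z 10.0.0.22 198.51.100.9
"""


def parse_log(text):
    """Return {(src, dst): [datetime, ...]} from 'timestamp src dst' lines."""
    events = defaultdict(list)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip blank or malformed lines
        ts, src, dst = parts
        # fromisoformat() only accepts a trailing 'Z' on Python 3.11+
        events[(src, dst)].append(datetime.fromisoformat(ts.replace("Z", "+00:00")))
    return events


def find_beacons(text, min_events=5, max_jitter=0.15):
    """Return src/dst pairs whose connection gaps are nearly constant.

    jitter = mean(|gap - median_gap|) / median_gap. A RAT polling every
    60 s scores close to 0; interactive browsing scores far above 1.
    """
    hits = []
    for (src, dst), times in parse_log(text).items():
        times.sort()
        if len(times) < min_events:
            continue  # too few samples to judge periodicity
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        med = median(gaps)
        if med <= 0:
            continue  # duplicate timestamps, nothing to measure
        jitter = sum(abs(g - med) for g in gaps) / len(gaps) / med
        if jitter <= max_jitter:
            hits.append({
                "src": src,
                "dst": dst,
                "interval_s": round(med),
                "events": len(times),
                "jitter": round(jitter, 3),
            })
    return hits


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(f"possible beacon: {hit['src']} -> {hit['dst']} every "
              f"~{hit['interval_s']}s ({hit['events']} events, jitter {hit['jitter']})")
```

The jitter threshold and minimum event count are tuning knobs: malware that adds random sleep around its base interval raises the jitter, so a real deployment would widen `max_jitter` and look at longer windows, then enrich any hit with the destination’s reputation and the process that opened the connection before treating it as an alert.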

The campaign’s link to MuddyWater stems from the use of a code signing certificate purportedly belonging to ‘Donald Gay’ to sign ‘ms_upd.exe’. This certificate was previously used by the threat cluster to sign malware, including a CastleLoader downloader called Fakeset.

These findings highlight the growing overlap between state-sponsored intrusions and cybercrime tradecraft, which obscures attribution and delays appropriate defensive responses.

“Using a RaaS framework in this context could allow attackers to blur the distinction between state-sponsored activity and financially motivated cybercrime, thereby complicating attribution,” Rapid7 said. “Furthermore, the inclusion of extortion and negotiation elements can focus defense efforts on immediate effects and delay the identification of the underlying persistence mechanisms established via remote access tools such as DWAgent and AnyDesk.”

“In particular, the apparent absence of file encryption despite the presence of Chaos ransomware artifacts represents a departure from typical ransomware behavior. This discrepancy may indicate that the ransomware components were primarily acting as a facilitation or obfuscation mechanism, rather than as the primary purpose of the intrusion.”

This development comes as Hunt.io revealed details of an Iran-linked operation targeting Omani government agencies that exposed over 26,000 Ministry of Justice user records, court data, commission decisions, and SAM and SYSTEM registry hives.

“Open directory on 172.86.76[.]127, a RouterHosting VPS in the United Arab Emirates, has surfaced an active infiltration campaign against the Omani government, with toolkits, C2 code, session logs, and exfiltrated data all in plain view. The primary target was the Department of Justice (mjla.gov[.]ah),” the company said.

The discovery also coincides with continued activity by pro-Iranian hacktivist groups such as Handara Haq, which released details of about 400 U.S. Navy personnel in the Persian Gulf and claimed to have carried out the attack on the United Arab Emirates’ port of Fujairah, gaining access to internal systems and leaking about 11,000 classified documents related to invoices, shipping records and customs documents.

“A month ago, we documented a widespread escalation in Iran-related cyber operations, including hacked camera surveillance, the leak of thousands of top secret documents from Israel’s former military chief of staff, and a visible increase in the volume of attacks across the region. At the time, we said further escalation was likely,” Sergey Shykevich, group manager at Check Point Research, told The Hacker News.

“The alleged attack on the port of Fujairah, if confirmed, is an escalation of that. What has changed is the nature of the threat. It is no longer about intelligence gathering and public embarrassment. Stolen port infrastructure data was allegedly used to enable physical missile targeting.”

“The cyber and kinetic realms are now clearly intertwined. This campaign is not slowing down. Historically, periods of quiet on the physical side have been followed by escalations in cyber activity, and what we are seeing now is the most severe manifestation of that pattern to date.”
© 2026 news.fyself.