CyberSecurityNews

Hackers Use Microsoft Teams to Steal Credentials and Manipulate MFA


Iranian APT group MuddyWater deployed Chaos ransomware as a “false flag” in a sophisticated hybrid espionage campaign targeting Western organizations, bypassing encryption in favor of data theft and long-term persistence.

In early 2026, Rapid7 incident responders were called into what initially appeared to be a routine Chaos ransomware intrusion, but forensic analysis quickly revealed something far more calculated beneath the surface.

The attack, though bearing all the visual hallmarks of a financially motivated extortion campaign, was assessed with moderate confidence to be a state-sponsored operation linked to MuddyWater (also tracked as Mango Sandstorm, Seedworm, and Static Kitten), an Iranian Advanced Persistent Threat (APT) group affiliated with the Ministry of Intelligence and Security (MOIS).

Rather than encrypting files for ransom, the threat actor focused exclusively on credential harvesting, data exfiltration, and long-term persistence: hallmarks of intelligence-gathering, not cybercrime.

According to the Rapid7 report, the campaign represents a deliberate “false flag” strategy: operators adopted the Chaos ransomware-as-a-service (RaaS) brand to project a criminal identity while conducting covert espionage operations against organizations in the United States and the MENA region.

Microsoft Teams as the Attack Vector

The intrusion began with unsolicited external chat requests sent to employees via Microsoft Teams. Once contact was established, the threat actor initiated interactive screen-sharing sessions, leveraging direct visibility into user desktops to execute discovery commands including ipconfig /all, whoami, and net start.

Victims were then explicitly instructed to type their credentials into locally created text files named credentials.txt and cred.txt and to add attacker-controlled devices to their MFA configurations.

This technique mirrors a broader trend of Teams-based social engineering that has surged in 2026. Microsoft Defender Research documented a large-scale credential theft campaign in March 2026 that similarly exploited Teams’ trusted environment to bypass traditional security controls.

Mandiant researchers independently confirmed, as recently as April 2026, that hackers impersonating Microsoft Teams help-desk workers were tricking victims into installing data-stealing malware.

Following the credential compromise, the threat actor authenticated to internal systems, including Domain Controllers, using the harvested accounts and deployed the remote management tool DWAgent alongside AnyDesk to establish persistent access.

Subsequently, a custom downloader, ms_upd.exe, was delivered via curl from the C2 infrastructure at 172.86.126[.]208:443.

The downloader collected host information, generated a unique client identifier, and registered the victim with the C2 domain moonzonet[.]com before retrieving a three-component payload: a legitimate WebView2Loader.dll, an encrypted configuration file (visualwincomp.txt), and the primary backdoor, Game.exe.

Game.exe is a custom Remote Access Trojan (RAT) that masquerades as a legitimate Microsoft WebView2 application, trojanizing the official WebView2APISample project.

The RAT implements 12 core capabilities, including arbitrary command execution via hidden cmd.exe or encoded PowerShell sessions, chunked file uploads, interactive shell establishment, and file deletion, all reported back to the C2 server uploadfiler[.]com on port 443.

It also features sandbox detection, virtual machine detection via CPU analysis, and AES-256-GCM encrypted configuration storage, though its inconsistent use of obfuscation, leaving critical strings like RAT commands and JSON registration formats in plaintext, suggests an unseasoned developer.

The technical pivot that broke the false flag open was a code-signing certificate issued under the name “Donald Gay” by Microsoft ID Verified CS AOC CA 02, with thumbprint B674578D4BDB24CD58BF2DC884EAA658B7AA250C.

This certificate is a known shared resource within MuddyWater’s toolkit — directly tied by multiple threat intelligence vendors to “Operation Olalampo,” a 2026 campaign targeting U.S. and MENA organizations.

Additional technical artifacts reinforced attribution. "The C2 domain moonzonet[.]com was linked to MuddyWater activity in early 2026 during a wave targeting Israeli and Western organizations," reads the Rapid7 report.

The group’s signature use of pythonw.exe to inject code into suspended processes was also observed as a consistent hallmark of their deployment chain.

Furthermore, the interactive Teams-based MFA harvesting technique aligns closely with the “IT Support” persona MuddyWater has refined throughout 2026, consistent with previously documented social engineering patterns exploiting enterprise communication platforms.

Chaos ransomware emerged in early 2025 as a successor to the disrupted BlackSuit infrastructure and is believed to be composed of former BlackSuit and Royal members.

It is known for double- and triple-extortion tactics, threatening data publication, DDoS attacks, and even contacting victims’ customers, and its data-leak site employs a distinctive “blind” countdown timer that withholds victims’ identities until negotiations expire.

As of late March 2026, the group had claimed 36 victims, predominantly in U.S. construction, manufacturing, and business services sectors.

MuddyWater’s adoption of this criminal brand is not accidental. In late 2025, the group was linked to similar activity involving the Qilin RaaS ecosystem in an operation targeting an Israeli organization.

By wrapping espionage activity in a ransomware narrative, the group shifts defender focus toward immediate-impact triage and away from identifying the persistent access channels (DWAgent, AnyDesk, and the Game.exe RAT) that represent the true objective.

Mitigations

Security teams should treat the following behaviors as high-priority threat indicators:

  • Unsolicited Microsoft Teams external chat requests followed by screen-sharing requests, particularly from accounts impersonating IT support.
  • Credential files (credentials.txt, cred.txt) created in user-accessible directories, indicating interactive social engineering sessions.
  • Deployment of dual remote access tools (DWAgent + AnyDesk) alongside lateral movement via RDP — a pattern inconsistent with legitimate IT operations.
  • MFA configuration changes originating from unusual sessions or devices not associated with the affected user.
  • Outbound connections to moonzonet[.]com, uploadfiler[.]com, or adm-pulse[.]com, which served as C2 and phishing infrastructure in this campaign.
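The indicators above can be turned into a simple hunting routine. The following is an added example, not code from the Rapid7 report or from this article; it assumes a hypothetical normalized event schema (`file_create`, `dns_query`, `process_start`, `mfa_method_added` dictionaries with the field names shown) that you would map onto your own EDR or SIEM export. The domains, file names, tool names, and certificate thumbprint come from the article; the sample events are constructed.

```python
"""Added example: score endpoint and identity events against the campaign
indicators listed in the article. Event schema is hypothetical (constructed
for this example); adapt the field names to your EDR/SIEM export."""
from collections import defaultdict

# Indicators taken from the article (matched in live form, printed defanged).
C2_DOMAINS = {"moonzonet.com", "uploadfiler.com", "adm-pulse.com"}
CRED_FILE_NAMES = {"credentials.txt", "cred.txt"}
REMOTE_TOOLS = {"dwagent", "anydesk"}          # both together is the signal
MUDDYWATER_CERT_THUMBPRINT = "B674578D4BDB24CD58BF2DC884EAA658B7AA250C"


def defang(domain):
    """Render a domain safely for reports and tickets."""
    return domain.replace(".", "[.]")


def basename(path):
    """Last path component, tolerant of Windows and POSIX separators."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze(events):
    """Return {host: [finding, ...]} for hosts with at least one indicator."""
    findings = defaultdict(list)
    tools_seen = defaultdict(set)   # host -> remote tools launched on it

    for e in events:
        host, kind = e["host"], e["type"]

        # Interactive social-engineering session: victim typing creds to a file.
        if kind == "file_create" and basename(e["path"]) in CRED_FILE_NAMES:
            findings[host].append(f"credential text file created: {e['path']}")

        # Known C2 / phishing infrastructure from the campaign.
        elif kind == "dns_query" and e["query"].lower().rstrip(".") in C2_DOMAINS:
            findings[host].append(f"DNS lookup of campaign C2 domain {defang(e['query'])}")

        elif kind == "process_start":
            img = basename(e["image"])
            for tool in REMOTE_TOOLS:
                if tool in img:
                    tools_seen[host].add(tool)
            # Certificate thumbprint is compared case-insensitively.
            if e.get("signer_thumbprint", "").upper() == MUDDYWATER_CERT_THUMBPRINT:
                findings[host].append(f"binary signed with MuddyWater-linked certificate: {img}")

        # MFA method added from a device the user has never enrolled.
        elif kind == "mfa_method_added" and e["from_device"] not in e["enrolled_devices"]:
            findings[host].append(
                f"MFA method added for {e['user']} from unenrolled device {e['from_device']}")

    # A single remote tool is common in IT; the DWAgent + AnyDesk pair is the indicator.
    for host, tools in tools_seen.items():
        if tools >= REMOTE_TOOLS:
            findings[host].append("dual remote access tools present: DWAgent and AnyDesk")

    return dict(findings)


# Constructed sample events: WS-017 mirrors the intrusion chain, WS-042 is benign.
SAMPLE_EVENTS = [
    {"type": "process_start", "host": "WS-017", "image": r"C:\Windows\System32\ipconfig.exe"},
    {"type": "file_create", "host": "WS-017", "path": r"C:\Users\jdoe\Desktop\credentials.txt"},
    {"type": "mfa_method_added", "host": "WS-017", "user": "jdoe",
     "from_device": "dev-unknown-91", "enrolled_devices": ["jdoe-phone"]},
    {"type": "process_start", "host": "WS-017", "image": r"C:\Program Files\DWAgent\runtime\dwagent.exe"},
    {"type": "process_start", "host": "WS-017", "image": r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe"},
    {"type": "dns_query", "host": "WS-017", "query": "moonzonet.com"},
    {"type": "process_start", "host": "WS-017", "image": r"C:\Users\jdoe\AppData\Local\Temp\Game.exe",
     "signer_thumbprint": "b674578d4bdb24cd58bf2dc884eaa658b7aa250c"},
    {"type": "process_start", "host": "WS-042", "image": r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe"},
    {"type": "file_create", "host": "WS-042", "path": r"C:\Users\asmith\Documents\notes.txt"},
    {"type": "dns_query", "host": "WS-042", "query": "login.microsoftonline.com"},
]

if __name__ == "__main__":
    for host, items in analyze(SAMPLE_EVENTS).items():
        print(host)
        for item in items:
            print("  -", item)
```

Running the block reports five findings on WS-017 and none on WS-042, where AnyDesk alone and an ordinary text file are not enough to fire. The thumbprint match is the highest-confidence signal here; the credential-file and MFA checks are noisier but cheap, and are worth correlating with Teams external-chat audit records where your tenant exposes them.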
