Iranian APT MuddyWater Deployed Chaos Ransomware as a False Flag to Disguise State-Sponsored Espionage

Overview

An intrusion that initially appeared to be a routine Chaos ransomware attack has been assessed with moderate confidence by Rapid7 researchers as a state-sponsored operation linked to MuddyWater, an Iranian Advanced Persistent Threat group affiliated with Iran’s Ministry of Intelligence and Security. The May 6, 2026 report, titled “Muddying the Tracks: The State-Sponsored Shadow Behind Chaos Ransomware,” found that despite ransomware branding and extortion demands, no files were ever encrypted — pointing to espionage and long-term access as the true objectives.

What We Know

The campaign, observed in early 2026, began with social engineering conducted through Microsoft Teams. According to Rapid7, attackers “initiated one-on-one chats with users from a controlled account,” then established screen-sharing sessions to conduct initial discovery, harvest credentials, and manipulate multi-factor authentication settings. Victims were also directed to type credentials into locally created text files, and phishing pages impersonating Microsoft Quick Assist were used to supplement credential theft, as reported by BleepingComputer.

Once inside, the attackers deployed DWAgent and AnyDesk for persistent remote access, and leveraged RDP to download additional executables. A custom malware loader — ms_upd.exe, internally called Stagecomp — was used to install a bespoke remote access trojan (RAT) named Game.exe (also called Darkcomp), which masqueraded as a Microsoft WebView2 application and supported 12 commands including PowerShell and CMD execution, file upload and deletion, and persistent shell access. The RAT polled its command-and-control infrastructure every 60 seconds and incorporated anti-analysis techniques including virtual machine detection and sandbox evasion, according to Rapid7.

Despite extortion emails and the victim’s purported listing on the Chaos ransomware leak site, Rapid7’s forensic analysis found “the absence of encryption despite Chaos ransomware artifacts suggests the primary goal was not financial gain.” The attackers instead focused on data exfiltration and sustained access — tradecraft consistent with MuddyWater’s long-standing intelligence-gathering profile.

Attribution

Rapid7’s attribution rests primarily on a code-signing certificate bearing the identity “Donald Gay” (Thumbprint: B674578D4BDB24CD58BF2DC884EAA658B7AA250C), which is historically linked to MuddyWater’s Operation Olalampo, along with overlapping command-and-control infrastructure including the domain moonzonet[.]com. The group, also tracked as Static Kitten, Mango Sandstorm, and Seedworm, has been publicly linked by the United States government to Iran’s Ministry of Intelligence and Security.

Rapid7 stated the attack reflects “the convergence between state-sponsored intrusion activity and criminal tradecraft, where a big ‘tell’ lies in the techniques that were deployed — and those that weren’t,” as reported by BleepingComputer. Researcher Christiaan Beek noted: “If an operation looks like ransomware, defenders may initially treat it as financially motivated cybercrime rather than a state-linked operation,” according to Cybersecurity Dive.

SecurityWeek characterized the campaign as a “hybrid intrusion model, in which ransomware is leveraged not as an end goal but as a mechanism for concealment,” adding that “the inclusion of extortion and negotiation elements could serve to focus defensive efforts on immediate impact” rather than the underlying espionage.

Targets and Scale

The Chaos ransomware-as-a-service operation, which emerged in early 2025 after a law enforcement takedown of the BlackSuit group known as Operation Checkmate, had claimed 36 victims as of late March 2026, with ransom demands reaching $300,000, according to Rapid7. Targets are primarily U.S. organizations in construction, manufacturing, and business services, though Cybersecurity Dive and The Hacker News report that specific attacks also occurred in Jordan and Australia.

This is not MuddyWater’s first use of ransomware as operational cover. BleepingComputer notes the group previously deployed Thanos ransomware in September 2020 and Qilin ransomware in October 2025 against an Israeli organization.

What We Don’t Know

Rapid7’s attribution carries only moderate confidence, meaning alternative explanations — such as a criminal actor reusing MuddyWater infrastructure — have not been fully ruled out. The full list of organizations targeted in the early 2026 campaign has not been disclosed, and it is unclear how many of the 36 Chaos-claimed victims involve the state-sponsored operator versus genuinely criminal Chaos affiliates operating independently.

The specific nature of the data exfiltrated, and whether the operation represents pre-positioning for future disruptive attacks or solely intelligence collection, also remains unknown.

Analysis

The MuddyWater-Chaos campaign illustrates a maturing tactic in nation-state cyber operations: borrowing the infrastructure and branding of cybercriminal groups to degrade attribution confidence and redirect incident response. Defenders who treat an intrusion as ransomware will focus on recovering encrypted files and negotiating a decryption key — activities that do nothing to address the underlying persistent access and data exfiltration.

The technique also exploits the structural overlap between criminal and state-sponsored tooling that has grown over the past several years. As criminal RaaS markets have lowered the barrier to sophisticated malware, state actors have found it increasingly practical to operate under their cover — gaining plausible deniability at the cost of some operational control.