Ministry of Justice: MuddyWater Uses Microsoft Teams to Steal Credentials in False Flag Ransomware Attack

Iranian State-Backed Hackers Masquerade as Ransomware Group in False Flag Attack

In early 2026, cybersecurity firm Rapid7 uncovered a sophisticated ransomware attack attributed to MuddyWater, an Iranian state-sponsored hacking group also known as Mango Sandstorm, Seedworm, and Static Kitten. The operation, however, was a false flag, designed to mimic the tactics of the Chaos ransomware-as-a-service (RaaS) group while serving Iranian strategic objectives.

The attack began with high-touch social engineering via Microsoft Teams, where threat actors used interactive screen-sharing to harvest credentials and bypass multi-factor authentication (MFA). Unlike typical ransomware campaigns, the group forwent file encryption, instead focusing on data exfiltration and long-term persistence through remote management tools like DWAgent and AnyDesk.

MuddyWater’s shift toward off-the-shelf cybercrime tools, including CastleRAT and Tsundokere, has been documented by multiple security firms and complicates attribution. This tactic aligns with past behavior: in 2020, the group deployed Thanos ransomware via the PowGoop loader in attacks on Israeli organizations, and in 2023, it collaborated with DEV-1084 (linked to the DarkBit persona) to conduct destructive attacks under the guise of ransomware. By October 2025, MuddyWater was observed using Qilin ransomware against an Israeli government hospital, further blurring the line between state-sponsored and criminal activity.

The Chaos RaaS group, which emerged in early 2025, employs a double extortion model, combining data theft with threats of DDoS attacks and customer/competitor leaks to pressure victims. As of March 2026, Chaos had claimed 36 victims, primarily in the U.S., targeting sectors like construction, manufacturing, and business services. The group’s tactics include vishing via Teams, impersonating IT support to trick victims into installing Microsoft Quick Assist or other remote access tools.

In the attack analyzed by Rapid7, MuddyWater initiated external Teams chat requests, luring employees into screen-sharing sessions. Once inside, the threat actors conducted reconnaissance, accessed VPN configurations, and deployed AnyDesk for persistence. They also used RDP to download a malicious executable (ms_upd.exe) from a command-and-control (C2) server, triggering a multi-stage infection chain that delivered a custom remote access trojan (RAT) disguised as a Microsoft WebView2 application.

The malware, game.exe (Darkcomp), connected to a C2 server every 60 seconds, enabling command execution, file operations, and PowerShell script deployment. The attack’s link to MuddyWater was confirmed through a code-signing certificate attributed to "Donald Gay", previously used to sign other malware, including the CastleLoader downloader (Fakeset).
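Two of the behaviours described above are cheap to hunt for in endpoint and network telemetry: remote management tools (AnyDesk, DWAgent, Quick Assist) appearing outside a sanctioned install path, and a host checking in with one destination on a fixed 60-second cadence. The script below is an added example, not code from Rapid7 or the article; it runs over constructed JSON-lines telemetry embedded in the block. The binary names in REMOTE_TOOLS, the approved install root, the host names and the 203.0.113.x / 198.51.100.x addresses are assumptions; only ms_upd.exe, game.exe and the 60-second interval come from the report.

```python
import json
import statistics
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Filenames taken from the report: the staged executable and the Darkcomp RAT.
REPORTED_IOC_NAMES = {"ms_upd.exe", "game.exe"}
# Remote management tools named in the report; the binary names are assumptions.
REMOTE_TOOLS = {"anydesk.exe", "dwagent.exe", "quickassist.exe"}
# Assumed sanctioned install root; a remote tool anywhere else (Downloads, Temp) is suspect.
APPROVED_ROOT = "c:\\program files\\"

# Constructed process-creation telemetry (JSON lines); not real data.
PROCESS_EVENTS = r"""
{"ts":"2026-01-14T09:02:11Z","host":"ws-17","user":"a.doe","parent":"msedge.exe","image":"C:\\Users\\a.doe\\Downloads\\AnyDesk.exe"}
{"ts":"2026-01-14T09:05:40Z","host":"ws-17","user":"a.doe","parent":"explorer.exe","image":"C:\\Windows\\System32\\cmd.exe"}
{"ts":"2026-01-14T09:07:02Z","host":"ws-17","user":"a.doe","parent":"cmd.exe","image":"C:\\Users\\a.doe\\AppData\\Local\\Temp\\ms_upd.exe"}
{"ts":"2026-01-14T10:00:00Z","host":"ws-22","user":"SYSTEM","parent":"services.exe","image":"C:\\Program Files\\AnyDesk\\AnyDesk.exe"}
"""


def parse_jsonl(text):
    """Parse JSON lines and convert the ISO timestamp to an aware datetime."""
    out = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        out.append(rec)
    return out


def find_suspicious_processes(events):
    """Flag reported IOC filenames and remote tools launched outside the approved root."""
    hits = []
    for e in events:
        path = e["image"]
        name = path.rsplit("\\", 1)[-1].lower()
        if name in REPORTED_IOC_NAMES:
            hits.append((e["host"], name, "filename matches reported IOC"))
        elif name in REMOTE_TOOLS and not path.lower().startswith(APPROVED_ROOT):
            hits.append((e["host"], name, "remote management tool outside approved install path"))
    return hits


def _constructed_connections():
    """Constructed outbound-connection records: one beaconing host, one normal host."""
    base = datetime(2026, 1, 14, 9, 8, 0, tzinfo=timezone.utc)
    events = []
    # ws-17 checks in with the C2 every 60 seconds with small jitter, as the report describes.
    for i, jitter in enumerate([0, 1, -1, 0, 2, 0, -1, 1]):
        events.append({"ts": base + timedelta(seconds=60 * i + jitter),
                       "host": "ws-17", "dst": "203.0.113.45:443"})
    # ws-22 talks to an update server at irregular, human-driven intervals.
    for off in [0, 37, 410, 455, 1800, 1844]:
        events.append({"ts": base + timedelta(seconds=off),
                       "host": "ws-22", "dst": "198.51.100.7:443"})
    return events


def find_beacons(conns, period=60.0, tolerance=5.0, min_conns=6):
    """Flag (host, dst) pairs whose inter-connection gaps cluster tightly around `period`."""
    by_pair = defaultdict(list)
    for c in conns:
        by_pair[(c["host"], c["dst"])].append(c["ts"])
    hits = []
    for (host, dst), stamps in by_pair.items():
        if len(stamps) < min_conns:
            continue
        stamps.sort()
        deltas = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        med = statistics.median(deltas)
        spread = statistics.pstdev(deltas)  # low spread = machine-driven cadence
        if abs(med - period) <= tolerance and spread <= tolerance:
            hits.append({"host": host, "dst": dst, "count": len(stamps), "median_interval": med})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_processes(parse_jsonl(PROCESS_EVENTS)):
        print("process:", hit)
    for hit in find_beacons(_constructed_connections()):
        print("beacon:", hit)
```

The process check deliberately does not flag the AnyDesk copy under Program Files run by SYSTEM, since that is what a sanctioned, centrally deployed install looks like; the interesting signal is a user-profile copy launched from a browser during or right after an external Teams session. The beacon check keys on low variance of the gaps rather than an exact 60-second match, so it still fires when the implant adds jitter, and it needs a minimum number of connections so a handful of coincidental requests do not trip it.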

The incident underscores the growing convergence of state-sponsored and cybercriminal tactics, with threat actors leveraging RaaS frameworks to obscure attribution and delay defensive responses. The absence of file encryption despite Chaos ransomware artifacts suggests the ransomware component was used primarily for obfuscation, not financial gain.

Meanwhile, Iranian-linked cyber operations continue to escalate. Security firm Hunt.io revealed an Omani government breach, where attackers exfiltrated 26,000 Ministry of Justice records, judicial case data, and registry hives from an open directory on a UAE-based VPS. Pro-Iran hacktivist group Handala Hack also claimed attacks on U.S. Navy personnel and the Port of Fujairah, leaking 11,000 sensitive documents, including shipping records and customs data, potentially enabling physical targeting by Iranian forces.

Check Point Research noted that these campaigns reflect a shift from intelligence gathering to kinetic impact, with cyber operations now directly supporting military objectives. The pattern suggests that periods of relative quiet in physical conflicts are followed by intensified cyber activity, marking the most serious escalation to date.

Source: https://thehackernews.com/2026/05/muddywater-uses-microsoft-teams-to.html

Ministry of Energy of I.R.IRAN - وزارت نیرو cybersecurity rating report: https://www.rankiteo.com/company/iran-energy-ministry

"id": "IRA1778078883",
"linkid": "iran-energy-ministry",
"type": "Cyber Attack",
"date": "1/2026",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'industry': ['government',
                                     'healthcare',
                                     'construction',
                                     'manufacturing',
                                     'business services'],
                        'location': ['Israel', 'U.S.', 'Oman', 'UAE'],
                        'type': ['government',
                                 'healthcare',
                                 'construction',
                                 'manufacturing',
                                 'business services']}],
 'attack_vector': ['social engineering',
                   'Microsoft Teams',
                   'interactive screen-sharing',
                   'remote access tools (AnyDesk, DWAgent)',
                   'RDP',
                   'malicious executables'],
 'data_breach': {'data_exfiltration': True,
                 'number_of_records_exposed': ['26,000 (Omani Ministry of '
                                               'Justice)',
                                               '11,000 (Port of Fujairah, U.S. '
                                               'Navy)'],
                 'personally_identifiable_information': True,
                 'sensitivity_of_data': 'high',
                 'type_of_data_compromised': ['judicial case data',
                                              'registry hives',
                                              'sensitive documents',
                                              'shipping records',
                                              'customs data',
                                              'personnel records']},
 'date_detected': '2026-01',
 'date_publicly_disclosed': '2026-03',
 'description': 'In early 2026, cybersecurity firm Rapid7 uncovered a '
                'sophisticated ransomware attack attributed to MuddyWater, an '
                'Iranian state-sponsored hacking group. The operation was a '
                'false flag, designed to mimic the tactics of the Chaos '
                'ransomware-as-a-service (RaaS) group while serving Iranian '
                'strategic objectives. The attack involved high-touch social '
                'engineering via Microsoft Teams, interactive screen-sharing '
                'to harvest credentials, and bypassing MFA. The group focused '
                'on data exfiltration and long-term persistence rather than '
                'file encryption.',
 'impact': {'data_compromised': True,
            'identity_theft_risk': True,
            'operational_impact': ['reconnaissance',
                                   'persistence establishment',
                                   'data exfiltration'],
            'systems_affected': ['VPN configurations',
                                 'remote access tools',
                                 'command-and-control servers']},
 'initial_access_broker': {'backdoors_established': ['AnyDesk',
                                                     'DWAgent',
                                                     'RAT (game.exe/Darkcomp)'],
                           'entry_point': ['Microsoft Teams', 'vishing']},
 'investigation_status': 'ongoing',
 'lessons_learned': 'The incident underscores the growing convergence of '
                    'state-sponsored and cybercriminal tactics, with threat '
                    'actors leveraging RaaS frameworks to obscure attribution '
                    'and delay defensive responses. The absence of file '
                    'encryption despite ransomware artifacts suggests the '
                    'ransomware component was used primarily for obfuscation, '
                    'not financial gain.',
 'motivation': ['strategic objectives',
                'data exfiltration',
                'long-term persistence',
                'obfuscation of attribution'],
 'post_incident_analysis': {'root_causes': ['high-touch social engineering',
                                            'MFA bypass',
                                            'abuse of remote access tools',
                                            'use of off-the-shelf cybercrime '
                                            'tools']},
 'ransomware': {'data_exfiltration': True,
                'ransomware_strain': ['Chaos RaaS', 'Qilin', 'Thanos']},
 'references': [{'source': 'Rapid7'},
                {'source': 'Hunt.io'},
                {'source': 'Check Point Research'}],
 'response': {'third_party_assistance': 'Rapid7'},
 'threat_actor': 'MuddyWater (Mango Sandstorm, Seedworm, Static Kitten)',
 'title': 'Iranian State-Backed Hackers Masquerade as Ransomware Group in '
          'False Flag Attack',
 'type': ['ransomware', 'false flag', 'state-sponsored'],
 'vulnerability_exploited': ['MFA bypass',
                             'credential harvesting',
                             'remote management tool abuse']}