Iran's MuddyWater, the state-sponsored hacking group tied to the Ministry of Intelligence and Security, spent the first quarter of 2026 impersonating a financially motivated ransomware gang. The operation never encrypted a single file. It was always about access, and it ran long enough to hit a U.S. bank, an airport, multiple nonprofits, and a software supplier serving the defense and aerospace sectors with operations in Israel.
Researchers at Rapid7 pulled the threads on what looked like a routine Chaos ransomware intrusion and found a nation-state underneath.
The Ransomware That Wasn't
The attack had every visual hallmark of a financially motivated extortion campaign. Victims received ransom notes bearing the Chaos ransomware branding. There were extortion demands. The group maintained a leak site with 36 claimed victims and a consistent operational tempo that mimicked a professional criminal outfit.
But Rapid7 noticed something off: no encryption had actually occurred. The operation combined credential theft, data exfiltration, and extortion theater, without the encryption step that defines ransomware. Investigators assess with moderate confidence that the intrusion is linked to MuddyWater (also tracked as Mango Sandstorm, Seedworm, and Static Kitten), an Iranian APT operating under MOIS direction.
The assessment wasn't guesswork. Attribution rested on two concrete artifacts: a code-signing certificate issued to "Donald Gay" and used to sign a dropper named ms_upd.exe (the same certificate was previously tied to MuddyWater activity, including the Fakeset/CastleLoader downloader), and the C2 domain moonzonet[.]com, which had already been linked to MuddyWater during a late-2025 wave of operations against Israeli and Western targets.
Microsoft Teams as an Attack Vector
The initial access phase was sophisticated. Attackers sent unsolicited external chat requests to employees via Microsoft Teams, initiating contact under the guise of IT support or urgent security notifications. Once a target accepted the chat, operators requested screen-sharing sessions.
From there, the attack moved fast. With direct line-of-sight to victim desktops, operators ran discovery commands (ipconfig /all, whoami, net start) while the employee watched. The screen-sharing pretext let attackers manipulate the MFA enrollment flow in real time, either walking victims through approving fraudulent authentication requests or enrolling attacker-controlled devices.
This technique sidesteps the technical complexity of phishing infrastructure. There's no malicious link to detect, no payload to block. The employee is socially engineered into handing over access interactively, in a session that looks indistinguishable from legitimate IT support.
Targets and Victim Profile
As of late March 2026, the operation had claimed 36 victims. The confirmed target profile includes:
- A U.S. bank
- A U.S. airport
- Multiple nonprofits
- A software supplier to the defense and aerospace sectors with active operations in Israel
The U.S.-Canada focus, combined with the defense/aerospace supplier and the Israel link, fits cleanly with MuddyWater's documented mandate. MOIS uses the group primarily for intelligence collection, and the supply chains and vendors that support Western military infrastructure are a high-value target set for that collection.
Why Ransomware Branding
The choice to operate under the Chaos ransomware banner was deliberate. Financially motivated ransomware groups generate enormous volume: dozens of incidents per week, across every sector and jurisdiction. Attributing any individual intrusion to a nation-state rather than a criminal gang requires piecing together technical artifacts that most incident responders don't have time to hunt for.
By adopting ransomware aesthetics, MuddyWater pushed its operations into that noise. An intrusion that looks like Chaos is investigated as a criminal matter. Response is focused on restoration and ransom negotiation, not long-term access or intelligence collection. The espionage objective gets obscured while defenders look at the wrong threat model.
Rapid7's report makes explicit what the group was trying to achieve: this "does not represent a strategic shift toward ransomware operations, but rather an evolution in deception and misdirection techniques designed to complicate attribution and response."
What Defenders Should Watch
MuddyWater's operational security in this campaign was strong enough to sustain the false flag for months. A few indicators to monitor:
- External Microsoft Teams chat requests from unknown tenants requesting screen sharing should trigger immediate escalation; legitimate IT support does not initiate sessions this way
- The domain moonzonet[.]com and the code-signing certificate tied to "Donald Gay" are confirmed indicators of compromise
- Extortion without encryption is a red flag for misclassification; incident response teams should assess whether a "ransomware" intrusion actually deployed any encryptor before treating it as a criminal matter
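As an added illustration (not code from Rapid7's report or from this article), the following Python matches telemetry against the indicators named above: the refanged C2 domain, the "Donald Gay" signer on ms_upd.exe, and the ipconfig /all / whoami / net start discovery burst run during a screen-share session. The log shapes, field names and sample events are constructed assumptions, not a real product format.

```python
import re
# Indicators named on this page (Rapid7 attribution artifacts).
IOC_DOMAIN = "moonzonet[.]com"   # published defanged; refanged before matching
IOC_SIGNER = "Donald Gay"        # subject of the code-signing certificate
IOC_DROPPER = "ms_upd.exe"       # dropper signed with that certificate
DISCOVERY_CMDS = {"ipconfig /all", "whoami", "net start"}

def refang(domain):
    """Convert a defanged indicator (example[.]com) into a matchable hostname."""
    return domain.replace("[.]", ".").lower()

def match_dns(lines):
    """Return DNS log lines (assumed shape '... query=<name> ...') hitting the C2 domain or a subdomain."""
    c2 = refang(IOC_DOMAIN)
    hits = []
    for line in lines:
        m = re.search(r"query=(\S+)", line)
        name = m.group(1).lower().rstrip(".") if m else ""
        if name == c2 or name.endswith("." + c2):
            hits.append(line)
    return hits

def match_signed_binaries(events):
    """events: dicts with 'file' and 'signer' (assumed shape); flag the known signer or dropper name."""
    return [e for e in events
            if e.get("signer") == IOC_SIGNER
            or e.get("file", "").lower().endswith(IOC_DROPPER)]

def discovery_burst(proc_events, host, window_s=300):
    """True if all three discovery commands ran on `host` within window_s seconds (tuples assumed)."""
    first_seen = {}
    for ts, h, cmd in proc_events:
        key = " ".join(cmd.lower().split())   # normalise whitespace in the command line
        if h == host and key in DISCOVERY_CMDS:
            first_seen.setdefault(key, ts)
    if len(first_seen) < len(DISCOVERY_CMDS):
        return False
    return max(first_seen.values()) - min(first_seen.values()) <= window_s

# Constructed sample telemetry (not real logs).
DNS_SAMPLE = [
    "2026-03-12T10:01:02Z host=ws17 query=update.moonzonet.com type=A",
    "2026-03-12T10:01:05Z host=ws17 query=login.microsoftonline.com type=A",
]
SIGNED_SAMPLE = [
    {"file": r"C:\Users\jdoe\Downloads\ms_upd.exe", "signer": "Donald Gay"},
    {"file": r"C:\Windows\System32\notepad.exe", "signer": "Microsoft Windows"},
]
PROC_SAMPLE = [(1000, "ws17", "ipconfig /all"), (1030, "ws17", "whoami"),
               (1090, "ws17", "net  start"), (1100, "ws22", "whoami")]
```

A hit on any one of these is a trigger to check whether the case is being triaged as ordinary ransomware when no encryptor has actually run.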
The Rapid7 research is publicly available and includes full technical artifacts. Organizations in the defense supply chain, financial sector, and critical infrastructure should review it immediately.
Sources:
- Rapid7, Muddying the Tracks: The State-Sponsored Shadow Behind Chaos Ransomware
- The Hacker News, MuddyWater Uses Microsoft Teams to Steal Credentials in False Flag Ransomware Attack
- SecurityWeek, Iranian APT Intrusion Masquerades as Chaos Ransomware Attack
- BleepingComputer, MuddyWater Hackers Use Chaos Ransomware as a Decoy in Attacks
- The Record, Iranian Government Hackers Using Chaos Ransomware as Cover