Iranian Spies Are Pretending to Be Ransomware Operators — Inside MuddyWater's Chaos False Flag
An Iranian state-sponsored APT spent early 2026 conducting espionage while wearing the Chaos ransomware brand as a costume. Rapid7 pulled back the curtain. The Microsoft Teams screen-sharing tradecraft and the missing encryption phase are why your IR triage protocols need updating this quarter.
BOSTON, MA — Rapid7 disclosed on May 6, 2026 that MuddyWater — an Iranian state-sponsored advanced persistent threat group affiliated with Iran's Ministry of Intelligence and Security (MOIS) — has been conducting a false flag espionage operation since early 2026, masquerading as the Chaos ransomware-as-a-service group. The intrusion pattern Rapid7 documented involves Microsoft Teams screen-sharing social engineering, credential theft, and data exfiltration — but never deploys file-encrypting ransomware. The attackers nonetheless published apparent victim data on the Chaos ransomware leak site to maintain the cover. Rapid7's Christiaan Beek, the firm's Vice President of Cyber Intelligence, framed the tell: "the mismatch between the Chaos branding and the intrusion behavior" — the operation "lacked a typical encryption phase and showed stronger signs of access, credential theft, persistence, and intelligence collection." Technical indicators including a code-signing certificate and C2 infrastructure (notably the moonzonet[.] domain) tie the operation to MuddyWater.
The Microsoft Teams social engineering chain — tradecraft worth memorizing
Rapid7's reconstruction of the attack chain is the operationally instructive part of the disclosure. The MuddyWater operators send external chat requests to employees inside the target organization through Microsoft Teams. Once a user engages, a screen-sharing session becomes the initial-access vector: posing as IT support, the operator instructs the user to type credentials into a locally created text file, and those credentials are captured from the shared screen. The operators then use them to act as the user. The MFA bypass is a matter of timing rather than technique: the legitimate user has already completed the MFA challenge in the active session, so the operator inherits an authenticated session instead of facing a fresh prompt. From there, MuddyWater establishes persistence with DWAgent and AnyDesk, two remote management tools that legitimate IT teams use and that EDR products often allow by default. Lateral movement uses the compromised legitimate accounts. Code injection runs through pythonw.exe against suspended processes. Exfiltration moves via Rclone to Wasabi Technologies cloud storage.
None of those individual elements is exotic: Microsoft Teams external chat, screen-sharing, credentials typed into a text file, remote management tools used for persistence. What makes the chain effective is the social engineering frame: the attacker presents as a trusted IT or vendor support persona inside a corporate collaboration tool the user already trusts. The MFA bypass is not a cryptographic break; it is the operator riding a legitimate authenticated session. The pattern echoes the extortion tradecraft defenders saw in the Cushman & Wakefield ShinyHunters disclosure, except that where ShinyHunters monetizes through extortion, MuddyWater's payoff is state-directed intelligence collection.
Why the 'looks like ransomware' triage default is now a liability
Beek's editorial framing in the Rapid7 disclosure is the line CISOs and IR leads should circulate this week: if an operation looks like ransomware, defenders may initially treat it as financially motivated cybercrime rather than a state-linked operation. The inclusion of extortion and negotiation elements, Rapid7 notes, could serve to focus defensive efforts on immediate impact, likely delaying the identification of underlying persistence mechanisms. The operational consequence is that incident classification drives notification timelines, regulatory disclosures, stakeholder communications, and remediation scope. If the initial classification is wrong, every downstream track runs on the wrong assumptions.
The broader Iranian pattern matters too. The 2024 joint advisory from CISA, the FBI, and DC3 warned that Iranian state-sponsored actors, specifically the group tracked as Pioneer Kitten, collaborate with ransomware affiliates, and that the Iranian operators conceal their state affiliation from those affiliates while keeping the stolen data for espionage. Check Point's Sergey Shykevich, group manager at Check Point Research, told The Hacker News that Iranian use of cybercrime tools provides "considerably more operational flexibility and access to extensive toolkits without the need for internal development investment" and makes "attribution considerably more difficult, adding another layer of complexity for defenders." Iran-affiliated operators are also documented using Qilin's affiliate program as a layer of cover. The false flag pattern is operational, not exotic. It intersects with the defense sector attack surface documented in the Schemata DoD case: same audience, same asymmetric strategic value to adversaries.
Other MuddyWater 2026 activity that supports the attribution
Beyond the Chaos false flag case, MuddyWater has been targeting US and Canadian organizations since early February 2026 across multiple victim profiles: a US bank, a US airport, multiple nonprofits, and a software supplier to defense and aerospace customers (with Israel operations). The toolset is broad. Dindoor is a new backdoor relying on the Deno runtime and signed with a certificate issued to "Amy Cherne." Fakeset is a Python backdoor observed at the US airport and nonprofit networks. Darkcomp is a custom RAT (executable name Game.exe) with command execution, file manipulation, and persistent shell capabilities. The targeting, taken together, fits the Iranian intelligence collection profile — strategic-value organizations in adversary, allied, and neutral states.
Adjacent Iranian-nexus activity reported by Hunt.io confirms the broader pattern. Iranian operators targeted Omani government institutions and exfiltrated 26,000-plus Ministry of Justice user records, judicial case data, committee decisions, and SAM and SYSTEM registry hives. C2 infrastructure ran on a RouterHosting VPS in the UAE. The targeting and infrastructure choices — Western and Middle Eastern victims, regional hosting infrastructure, civilian government and defense-adjacent targets — match the Iranian operational signature. The 2026 escalation in tradecraft sophistication, including the false flag pattern, is the part defenders should mark on their threat model.
The CyberSignal Analysis
Signal 01 — Intrusion classification matters more than ever, and 'looks like ransomware' is no longer load-bearing
The MuddyWater false flag case is the year's most operationally instructive example of why incident classification matters. Your IR runbook should not let surface indicators (an extortion message, a leak-site listing, a ransom demand) drive classification on their own. When the behavior shows a credential-theft focus, persistence-heavy tradecraft, intelligence-style data selection, and no encryption phase, keep state-linked espionage as the working hypothesis until the evidence rules it out. The downstream tracks (regulatory notifications, executive communications, board reporting, customer-facing disclosures) run differently for state-sponsored espionage than for criminal ransomware. Pre-script the triage workflow this week.
Signal 02 — Microsoft Teams external collaboration is now a documented APT initial-access vector
Restrict Microsoft Teams external chat, and in particular screen-sharing and control hand-off to external users, as a threat-driven hardening measure with this case as the documented justification. Block or restrict remote-access tools for non-IT users at the network and endpoint level: DWAgent and AnyDesk are the two the attack chain used, and AnyConnect, which is a VPN client rather than an RMM tool, is better handled by allowlisting expected installs than by blocking your own corporate VPN. Credentials typed into a local text file are not directly observable, so detect the surrounding chain instead: an external Teams session followed by account activity the user did not initiate, anomalous outbound connections to Wasabi Technologies cloud storage, and Python-based injection (pythonw.exe opening or writing into suspended processes). Hunt for the specific MuddyWater IOCs Rapid7 published: the moonzonet[.] domain, the Dindoor backdoor, Fakeset, and Darkcomp / Game.exe. This is the window in which your SOC and threat-hunting teams catch operators who are still inside the environment.
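A concrete way to audit the Teams external-access posture that Signal 02 and the checklist item on restricting external chat both call for, written as an added example for this article rather than Microsoft's or Rapid7's tooling. It assumes the input is the property set emitted by `Get-CsTenantFederationConfiguration | ConvertTo-Json` and `Get-CsTeamsMeetingPolicy -Identity Global | ConvertTo-Json`, loaded into dicts, with `AllowedDomains` normalised to either the string `AllowAllKnownDomains` or a list of domain strings; the weak and hardened tenants, and the partner allowlist, are constructed values.

```python
"""Audit a Teams external-access export against the hardening in Signal 02.

Added example for this article, not Microsoft's or Rapid7's tooling.
Assumed input shape: the property names emitted by
  Get-CsTenantFederationConfiguration | ConvertTo-Json
  Get-CsTeamsMeetingPolicy -Identity Global | ConvertTo-Json
loaded into dicts, with AllowedDomains normalised to either the string
"AllowAllKnownDomains" or a list of domain strings. All values below are
constructed, not taken from a real tenant.
"""

APPROVED_PARTNER_DOMAINS = {"partner.example"}   # constructed allowlist

# Constructed: a default-ish tenant where any outsider can start a chat.
WEAK_FEDERATION = {
    "AllowFederatedUsers": True,
    "AllowedDomains": "AllowAllKnownDomains",  # any Microsoft 365 tenant may chat in
    "AllowPublicUsers": True,                  # Skype consumer accounts
    "AllowTeamsConsumer": True,                # personal Teams accounts
    "AllowTeamsConsumerInbound": True,         # ...and they may initiate the chat
}
WEAK_MEETING = {
    "AllowExternalParticipantGiveRequestControl": True,  # outsiders can request control of a share
}

# Constructed: the corrected settings. External chat stays possible, but only
# from an explicit partner allowlist, and outsiders cannot take control.
HARDENED_FEDERATION = {
    "AllowFederatedUsers": True,
    "AllowedDomains": ["partner.example"],
    "AllowPublicUsers": False,
    "AllowTeamsConsumer": False,
    "AllowTeamsConsumerInbound": False,
}
HARDENED_MEETING = {
    "AllowExternalParticipantGiveRequestControl": False,
}


def audit(federation, meeting, approved_domains):
    """Return (property, current_value, recommended_value) for each weak setting."""
    findings = []
    # Consumer and public identities are the easiest cover for a fake "IT support" persona.
    for prop in ("AllowPublicUsers", "AllowTeamsConsumer", "AllowTeamsConsumerInbound"):
        if federation.get(prop, False):
            findings.append((prop, True, False))
    # Federation itself is fine; federation with every known tenant is not.
    if federation.get("AllowFederatedUsers", True):
        allowed = federation.get("AllowedDomains", "AllowAllKnownDomains")
        if allowed == "AllowAllKnownDomains":
            findings.append(("AllowedDomains", allowed, sorted(approved_domains)))
        else:
            unapproved = sorted(set(allowed) - set(approved_domains))
            if unapproved:
                findings.append(("AllowedDomains", unapproved, sorted(approved_domains)))
    # Control hand-off during a share is what turns "watch my screen" into remote access.
    if meeting.get("AllowExternalParticipantGiveRequestControl", True):
        findings.append(("AllowExternalParticipantGiveRequestControl", True, False))
    return findings


if __name__ == "__main__":
    for f in audit(WEAK_FEDERATION, WEAK_MEETING, APPROVED_PARTNER_DOMAINS):
        print("%-45s current=%s -> set to %s" % f)
    print("hardened tenant findings:",
          audit(HARDENED_FEDERATION, HARDENED_MEETING, APPROVED_PARTNER_DOMAINS))
```

The findings map one-to-one onto `Set-CsTenantFederationConfiguration` and `Set-CsTeamsMeetingPolicy` parameters of the same names, so the output doubles as the change ticket; the exception process the checklist asks for is the `AllowedDomains` list itself.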
What to do this week
- Update IR triage protocols so surface ransomware indicators (extortion message, leak site listing) do not auto-classify an intrusion as criminal. Add behavioral checks: presence or absence of an encryption phase, credential-theft focus, persistence-heavy tradecraft, intelligence-style data selection. Document the divergent regulatory and stakeholder tracks for state-sponsored versus criminal classifications.
- Restrict Microsoft Teams external chat and screen-sharing. For most organizations, external screen-sharing from non-allowlisted domains should be off by default. Audit your Teams configuration this week. Document the exception process for legitimate external collaboration.
- Block or restrict DWAgent, AnyDesk, AnyConnect, and equivalent remote management tools for non-IT users at the endpoint and network level. Maintain an allowlist of approved tools for the IT teams that legitimately need them. Add detection rules for installation and execution outside the allowlist.
- Add MuddyWater IOCs to detection rules: moonzonet[.] domain, Dindoor backdoor (Deno runtime, "Amy Cherne" cert), Fakeset Python backdoor, Darkcomp/Game.exe RAT. Hunt for pythonw.exe injecting into suspended processes. Monitor for outbound Rclone exfiltration to Wasabi Technologies cloud storage.
- If you operate in defense, aerospace, banking, government, or NGO sectors — brief your executive team that you may be in MuddyWater's target set. Engage with your national cybersecurity authority for sector-specific threat briefings. Update tabletop exercises to include false-flag attribution scenarios.
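The hunt rules that Signal 02 and the IOC checklist item above describe, run over constructed Sysmon-style events, as an added example for this article rather than Rapid7's detection content. Field names follow Sysmon event IDs 1 (ProcessCreate), 3 (NetworkConnect), 10 (ProcessAccess) and 22 (DnsQuery); the binary names for DWAgent (dwagent.exe, dwagsvc.exe), AnyDesk (anydesk.exe) and Rclone, the Wasabi S3 endpoint domain wasabisys.com, and the IT allowlist are assumptions, and every event is constructed.

```python
"""Hunt rules for the MuddyWater chain over Sysmon-style events.

Added example for this article, not Rapid7's detection content. Field names
follow Sysmon event IDs 1 (ProcessCreate), 3 (NetworkConnect), 10
(ProcessAccess) and 22 (DnsQuery). The events below are constructed, not
captured. Assumed binary names: dwagent.exe / dwagsvc.exe (DWAgent),
anydesk.exe (AnyDesk), rclone.exe; assumed Wasabi endpoint domain: wasabisys.com.
"""
import ntpath

RMM_BINARIES = {"dwagent.exe", "dwagsvc.exe", "anydesk.exe"}
IT_ALLOWLIST = {r"CORP\it-helpdesk", r"CORP\svc-rmm"}   # constructed: accounts allowed to run RMM tools
EXFIL_DOMAIN = "wasabisys.com"
# Access rights that let one process write code into another and run it:
# PROCESS_VM_WRITE | PROCESS_VM_OPERATION | PROCESS_CREATE_THREAD
INJECT_MASK = 0x0020 | 0x0008 | 0x0002


def basename(image):
    return ntpath.basename(image or "").lower()


def hunt(events):
    """Return (rule, severity, subject, detail) tuples, in event order."""
    findings = []
    spawned_by_pythonw = set()   # PIDs that pythonw.exe created: suspended-process injection candidates
    for ev in events:
        eid = ev["EventID"]
        if eid == 1:
            if basename(ev.get("ParentImage")) == "pythonw.exe":
                spawned_by_pythonw.add(ev["ProcessId"])
            image = basename(ev["Image"])
            if image in RMM_BINARIES and ev.get("User") not in IT_ALLOWLIST:
                findings.append(("rmm_outside_allowlist", "high", ev["User"], image))
        elif eid == 10 and basename(ev.get("SourceImage")) == "pythonw.exe":
            granted = int(ev.get("GrantedAccess", "0x0"), 16)
            if granted & INJECT_MASK:
                # pythonw.exe opening a process it just spawned is the page's
                # "suspended process" pattern; any other target is still worth a look.
                severity = "high" if ev.get("TargetProcessId") in spawned_by_pythonw else "medium"
                findings.append(("pythonw_injection", severity, basename(ev["TargetImage"]), ev["GrantedAccess"]))
        elif eid in (3, 22):
            host = (ev.get("DestinationHostname") or ev.get("QueryName") or "").lower()
            if host == EXFIL_DOMAIN or host.endswith("." + EXFIL_DOMAIN):
                severity = "high" if basename(ev["Image"]) == "rclone.exe" else "medium"
                findings.append(("exfil_to_wasabi", severity, basename(ev["Image"]), host))
    return findings


# Constructed sample telemetry: one user walks through the chain, one IT account
# launches AnyDesk legitimately, and one benign Windows Update connection.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Python312\pythonw.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "ProcessId": 4120, "User": r"CORP\jdoe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\svchost.exe", "ParentImage": r"C:\Python312\pythonw.exe",
     "ProcessId": 5588, "User": r"CORP\jdoe"},
    {"EventID": 10, "SourceImage": r"C:\Python312\pythonw.exe", "TargetImage": r"C:\Windows\System32\svchost.exe",
     "TargetProcessId": 5588, "GrantedAccess": "0x1FFFFF"},
    {"EventID": 1, "Image": r"C:\Program Files (x86)\DWAgent\native\dwagent.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "ProcessId": 6010, "User": r"CORP\jdoe"},
    {"EventID": 1, "Image": r"C:\Program Files\AnyDesk\anydesk.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "ProcessId": 6100, "User": r"CORP\it-helpdesk"},
    {"EventID": 22, "Image": r"C:\Users\jdoe\AppData\Local\Temp\rclone.exe",
     "QueryName": "s3.us-east-1.wasabisys.com"},
    {"EventID": 3, "Image": r"C:\Windows\System32\svchost.exe",
     "DestinationHostname": "ctldl.windowsupdate.com"},
]

if __name__ == "__main__":
    for rule, severity, subject, detail in hunt(SAMPLE_EVENTS):
        print(f"[{severity}] {rule}: {subject} ({detail})")
```

The correlation between event 1 and event 10 is what lifts the injection rule above a generic "pythonw.exe touched another process" alert; a renamed Rclone binary still lands as a medium finding because the rule keys on the destination domain, not the image name.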