MuddyWater Disguised Espionage Intrusion as Chaos Ransomware Attack
Rapid7 assessed with moderate confidence that an intrusion initially presented as a Chaos ransomware incident was in fact a false-flag operation by the Iranian MOIS-linked group MuddyWater (also tracked as Seedworm). The attackers reportedly used Microsoft Teams social engineering, screen sharing, credential theft, and MFA manipulation to gain access, then deployed legitimate remote administration tools including AnyDesk and DWAgent to maintain persistence and move deeper into the environment, including toward a domain controller. Researchers said the operation diverged from a typical ransomware playbook because it emphasized long-term access, internal footholds, and data theft over disruptive encryption for profit.
Rapid7 linked the activity to MuddyWater through overlapping infrastructure such as moonzonet[.]com, tradecraft consistent with prior operations, and use of the revoked "Donald Gay" code-signing certificate previously tied to MuddyWater malware including Stagecomp and Darkcomp. The intrusion also used a loader, ms_upd.exe, to deploy a custom backdoor, Game.exe, which masqueraded as a Microsoft WebView2 sample application and enabled command execution, file operations, and persistent shell access. Researchers concluded that the ransomware branding and extortion behavior were likely intended to delay attribution and mask espionage or prepositioning objectives, continuing a pattern in which MuddyWater uses criminal ransomware themes as operational cover.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
Rapid7 publishes analysis attributing the operation to MuddyWater
On May 6, 2026, Rapid7 published research concluding that the apparent Chaos ransomware incident was likely a false-flag operation linked to MuddyWater. The attribution was based on infrastructure overlap, tradecraft, and use of the revoked 'Donald Gay' code-signing certificate previously associated with MuddyWater malware.
Attackers deploy ms_upd.exe and Game.exe during the intrusion
During the same early-2026 compromise, the operators used a malware chain in which ms_upd.exe deployed a custom RAT called Game.exe, disguised as a Microsoft WebView2 sample application. The backdoor enabled command execution, file operations, and persistent shell access while supporting the attackers' focus on exfiltration and long-term access rather than encryption.
MuddyWater conducts false-flag intrusion disguised as Chaos ransomware
In early 2026, attackers assessed with moderate confidence as the Iranian MOIS-affiliated group MuddyWater carried out an intrusion that initially appeared to be a Chaos ransomware attack. The operation used Microsoft Teams social engineering, credential harvesting, MFA manipulation, and remote access tools such as AnyDesk and DWAgent to gain access and persistence.
MuddyWater deploys Qilin ransomware against an Israeli organization
Rapid7 noted that MuddyWater had previously used ransomware as cover, including a late-2025 deployment of Qilin ransomware against an Israeli organization. This earlier activity provided historical context for the group's later use of ransomware branding to mask espionage objectives.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
6 references tracked. Mallory keeps watching after this page renders.
Iranian threat group used Chaos ransomware as a ‘false flag,’ researchers say | news | SC Media
scworld.com
Open sourceIranian government hackers using Chaos ransomware as cover, researchers say | The Record from Recorded Future News
therecord.media
Open sourceIranian cyber espionage disguised as a Chaos Ransomware attack
securityaffairs.com
Open sourceMuddyWater hackers use Chaos ransomware as a decoy in attacks
bleepingcomputer.com
Open sourceMuddying the Tracks: The State-Sponsored Shadow Behind Chaos Ransomware
rapid7.com
Open sourceIran cyberspies LARPing as ransomware crims in espionage ops
theregister.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
MuddyWater Used DLL Side-Loading and PowerShell Tooling in Multi-Country Espionage Campaign
Iran-linked **MuddyWater** (also tracked as **Seedworm**) was tied to an espionage campaign that compromised at least nine organizations across nine countries and four continents, hitting sectors including manufacturing, education, government, financial services, professional services, telecommunications, and an international airport. Researchers said the group used **DLL side-loading** with legitimate signed binaries such as `fmapp.exe` from Fortemedia and `sentinelmemoryscanner.exe` from SentinelOne to launch malicious DLLs, including the open-source **ChromElevator** tool for browser-data theft. One confirmed victim was a major South Korean electronics manufacturer, where the attackers reportedly maintained access for about a week, while earlier activity also targeted telecom providers in Egypt, Sudan, and Tanzania. The operators combined stealthy execution with a broad post-compromise toolkit, using **Node.js** to launch PowerShell payloads for reconnaissance, screenshot capture, privilege escalation, credential theft, and SOCKS5 reverse-proxy tunneling. Symantec also linked MuddyWater to the **MuddyC2Go** PowerShell framework, use of legitimate remote-management software **SimpleHelp**, and the publicly available **Venom Proxy** to maintain access and move through victim networks. Persistence was established through registry modifications, credentials were harvested through fake login prompts and registry hive dumping, and stolen data was exfiltrated via the public file-transfer service `sendit[.]sh`, indicating a sustained intelligence-collection effort aligned with Iranian state interests.
May 27, 2026
MuddyWater Cyberespionage Campaign Leveraging Snake Game-Inspired Malware
Iranian state-aligned threat group MuddyWater has launched a new cyberespionage campaign targeting organizations in Israel and Egypt, with a focus on technology, engineering, manufacturing, local government, and educational sectors. Researchers from ESET and other security firms have identified that MuddyWater is using a novel loader, dubbed Fooder, which masquerades as the classic Snake video game to deliver a new backdoor called MuddyViper. This loader introduces execution delays, inspired by the Snake game's mechanics, to evade antivirus detection. The campaign also employs spearphishing emails with PDF attachments that link to remote monitoring and management software installers, hosted on free file-sharing services, to gain initial access. The MuddyViper backdoor enables attackers to collect system information, execute files and shell commands, transfer files, and exfiltrate Windows login credentials and browser data. Additional tools, such as credential stealers and another backdoor named VAX One, have also been deployed. MuddyWater's evolving tactics, including the use of reflective loading for in-memory execution and the impersonation of legitimate software, demonstrate increased sophistication and a continued focus on defense evasion and persistence. Security researchers note the possibility that MuddyWater may be acting as an initial access broker for other Iranian threat actors, given observed overlaps in operations.
Mar 21, 2026
MuddyWater Linked to Iranian MOIS Uses Russian MaaS in ChainShell Campaign
Iran-linked threat group **MuddyWater** has been tied to a **ChainShell** campaign that reportedly uses Russian malware-as-a-service infrastructure, underscoring growing overlap between state-backed espionage and criminal tooling. Reporting on the activity said the operation relied on **blockchain-based command-and-control** and reflected operational links between the Iran-aligned actor and Russian cybercrime services, extending a long-running pattern of MuddyWater adapting external tools and tradecraft for intrusion operations. U.S. and allied agencies have previously attributed MuddyWater to Iran’s **Ministry of Intelligence and Security (MOIS)** and described the group as targeting government and commercial organizations across Asia, Africa, Europe, and North America, including telecommunications, defense, local government, and oil and gas. Public reporting and government advisories say the group has used spearphishing, exploitation of known flaws such as `CVE-2020-0688` and `CVE-2020-1472`, **DLL side-loading**, obfuscated PowerShell, and malware including **PowGoop**, **Mori**, **Small Sieve**, **Canopy/Starwhale**, and **POWERSTATS** to establish access, maintain persistence, exfiltrate data, and in some cases deploy ransomware.
May 25, 2026