The Iranian state-sponsored hacking group known as MuddyWater (also known as Mango Sandstorm, Seedworm, and Static Kitten) has been linked to a recent ransomware attack that has been described as a “false flag” operation.
The attack, which was observed by Rapid7 in early 2026, used social engineering over Microsoft Teams to initiate the infection. It was initially attributed to a ransomware-as-a-service (RaaS) group operating under the Chaos brand, but the evidence now points to a targeted state-sponsored intrusion disguised as opportunistic extortion.
According to Rapid7’s report shared with The Hacker News, the attackers conducted a high-touch social engineering phase via Microsoft Teams, using interactive screen-sharing to gather credentials and manipulate multi-factor authentication (MFA). Instead of encrypting files, the group opted for data exfiltration and long-term persistence through remote management tools like DWAgent.
MuddyWater’s tactics have evolved to include off-the-shelf tools from the cybercrime underground, as noted by various cybersecurity firms. This shift in strategy has also been observed in recent attacks, with the group utilizing CastleRAT and Tsundere.
While this recent attack may seem like a departure from MuddyWater’s usual tactics, the group has a history of conducting ransomware attacks. In previous incidents, MuddyWater targeted Israeli organizations using destructive ransomware variants.
The emergence of Chaos, a RaaS group known for its double extortion model, has added a new dimension to the threat landscape. Its playbook pairs mail flooding (burying a target's inbox so that a "help desk" contact looks plausible) with vishing over Teams calls, and it has been used against a range of sectors, including construction, manufacturing, and business services.
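The chain described above (a burst of inbound mail to one user, followed by an external Teams contact, followed by a remote-management tool such as DWAgent appearing on that user's host) is more distinctive in combination than any single signal. The following is an added detection sketch, not code from Rapid7 or from the article: it assumes that mail-gateway and endpoint telemetry have already been normalised into a simple pipe-delimited form (my own schema), builds a few constructed sample events, and correlates them. The DWAgent binary names used as indicators and the thresholds are assumptions to be tuned against your own baseline.

```python
"""Correlate mail bombing -> external Teams contact -> RMM install (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed normalised schema: "<ISO timestamp>|<kind>|<user>|<detail>" (constructed, not a vendor format).
MAIL_BURST_THRESHOLD = 50               # inbound messages to one mailbox ...
MAIL_BURST_WINDOW = timedelta(minutes=10)   # ... within this window count as a "mail flood"
FOLLOW_UP_WINDOW = timedelta(hours=6)       # how long after the flood we look for follow-on activity

# Assumption: common DWAgent Windows binary/service names; extend with your own RMM list.
RMM_INDICATORS = {"dwagent.exe", "dwagsvc.exe", "dwagent"}


def parse_event(line):
    ts, kind, user, detail = line.split("|", 3)
    return datetime.fromisoformat(ts), kind, user, detail


def find_mail_bursts(events):
    """Sliding window per user: the first time >= THRESHOLD inbound mails land within WINDOW."""
    per_user = defaultdict(list)
    for ts, kind, user, _ in events:
        if kind == "mail_in":
            per_user[user].append(ts)
    bursts = {}
    for user, times in per_user.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > MAIL_BURST_WINDOW:
                start += 1                      # drop mails that fell out of the window
            if end - start + 1 >= MAIL_BURST_THRESHOLD and user not in bursts:
                bursts[user] = t
    return bursts


def correlate(events):
    """Flag external Teams contact or RMM installs that follow a mail flood to the same user."""
    events = sorted(events)
    bursts = find_mail_bursts(events)
    findings = []
    for ts, kind, user, detail in events:
        if user not in bursts or ts < bursts[user] or ts - bursts[user] > FOLLOW_UP_WINDOW:
            continue
        if kind == "teams_external_chat":
            findings.append((user, "external Teams contact after mail burst", detail))
        elif kind in ("process_start", "service_install") and any(
            ind in detail.lower() for ind in RMM_INDICATORS
        ):
            findings.append((user, "RMM install after mail burst", detail))
    return findings


def sample_events():
    """Constructed sample telemetry: jdoe is flooded and then worked; asmith is normal traffic."""
    base = datetime(2026, 1, 15, 9, 0)
    lines = []
    for i in range(60):                       # 60 mails in 5 minutes -> flood
        lines.append(f"{(base + timedelta(seconds=5 * i)).isoformat()}|mail_in|jdoe|sender=list{i}@example.net")
    lines.append(f"{(base + timedelta(minutes=20)).isoformat()}|teams_external_chat|jdoe|from=helpdesk@contoso-support.example")
    lines.append(f"{(base + timedelta(hours=1)).isoformat()}|service_install|jdoe|name=DWAgent path=C:\\Program Files\\DWAgent\\native\\dwagsvc.exe")
    lines.append(f"{(base + timedelta(hours=9)).isoformat()}|process_start|jdoe|image=dwagent.exe")   # outside follow-up window
    for i in range(5):                        # a handful of mails is not a flood
        lines.append(f"{(base + timedelta(minutes=i)).isoformat()}|mail_in|asmith|sender=vendor{i}@example.org")
    lines.append(f"{(base + timedelta(minutes=30)).isoformat()}|teams_external_chat|asmith|from=partner@example.org")
    return [parse_event(line) for line in lines]


if __name__ == "__main__":
    for finding in correlate(sample_events()):
        print(finding)
```

Two caveats a practitioner would want. First, an unexpected RMM service install is worth an alert on its own; the correlation here only raises confidence and suppresses noise from legitimate external Teams chats. Second, whether "external Teams chat" is visible at all depends on the tenant's federation and audit settings, so check that the signal exists before relying on it.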
The connection between MuddyWater and Chaos was further solidified by the use of a code-signing certificate associated with MuddyWater to sign malicious files. This overlap highlights the increasing convergence of state-sponsored intrusions and cybercriminal tooling, which muddies attribution and delays defensive responses.
Overall, the use of a RaaS framework in these attacks serves to blur the lines between state-sponsored cyber activities and financially motivated cybercrime. The absence of file encryption in the recent attack suggests that the ransomware component may have been used as a distraction rather than the primary objective.
As the cyber threat landscape continues to evolve, it is essential for organizations to remain vigilant and implement robust security measures to protect against sophisticated attacks like those orchestrated by MuddyWater and Chaos.