What happened
Rapid7 researchers have attributed a cyberattack to MuddyWater, an Iranian state-sponsored espionage group linked to the Ministry of Intelligence and Security, after identifying that the group disguised its operations as a Chaos ransomware attack to obscure its true intelligence-gathering objectives and complicate attribution.
The intrusion began with Microsoft Teams social engineering, where attackers initiated chats with employees, established screen-sharing sessions, harvested credentials, and manipulated MFA settings. In some cases AnyDesk was deployed for remote access. Credential theft occurred through phishing pages impersonating Microsoft Quick Assist or by tricking victims into typing passwords into local text files. After compromising accounts, attackers authenticated to internal systems including a domain controller and established persistence using RDP, DWAgent, and AnyDesk.
A malware loader named ms_upd.exe was used to drop a custom backdoor called Game.exe, disguised as a Microsoft WebView2 application. The backdoor includes anti-analysis and anti-VM checks and supports 12 commands covering PowerShell and CMD execution, file upload and deletion, and persistent shell access. The attack involved credential theft, data exfiltration, extortion emails, and a listing on the Chaos leak portal, but Rapid7 noted that several techniques typical of financially motivated ransomware operations were absent, suggesting the primary goal was espionage rather than financial gain.
Rapid7’s attribution to MuddyWater carries moderate confidence and is based on infrastructure overlap, a specific code-signing certificate previously used to sign Stagecomp and Darkcomp malware attributed to the group, and operational tradecraft consistent with prior MuddyWater campaigns. Rapid7 noted that MuddyWater deployed Qilin ransomware in a late 2025 attack against an Israeli organization and assessed that the group may have shifted to Chaos branding following attribution of that earlier incident to MOIS operatives.
Who is affected
The specific victim organization has not been named. Given MuddyWater’s documented focus on long-term network intrusion aligned with Iranian state intelligence interests, organizations in government, defense, critical infrastructure, and sectors of strategic interest to Iran face the most relevant targeting risk.
Why CISOs should care
MuddyWater’s use of ransomware as a cover for espionage is a direct challenge to incident response frameworks that triage attacks based on the apparent objective. An organization that responds to a Chaos ransomware listing as a financially motivated extortion event may miss the espionage collection that was the actual goal, leaving persistent access and exfiltrated intelligence unaddressed. The convergence of state-sponsored tradecraft with criminal ransomware infrastructure also degrades the reliability of attribution as a decision-making input during an active incident.
The Microsoft Teams social engineering vector, combined with MFA manipulation and credential harvesting through screen-sharing sessions, mirrors the UNC6692 Snow malware campaign documented earlier this week, suggesting this delivery method is being adopted across multiple threat actor groups simultaneously.
3 practical actions
- Treat ransomware incidents as potential espionage operations until proven otherwise: When a ransomware listing appears alongside indicators of persistent access, credential theft, and data exfiltration, conduct a full forensic investigation into what data was accessed and retained by the attacker before focusing response resources on restoration. Ransomware deployment does not preclude a concurrent intelligence collection objective.
- Restrict Microsoft Teams external messaging and enforce strict controls on screen-sharing sessions initiated by unknown contacts: MuddyWater’s initial access relied on Teams social engineering. Review your Teams configuration to limit external contact initiation, and establish policies requiring out-of-band verification before any screen-sharing session is granted to a party the employee cannot independently verify.
- Monitor for WebView2 process anomalies and unsigned or misattributed application execution: Game.exe disguised itself as a Microsoft WebView2 application. Implement application allowlisting or monitoring that flags WebView2 process instances exhibiting unexpected network behavior, command execution, or file operations inconsistent with legitimate WebView2 usage patterns.
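As an added illustration of the third action (example code, not Rapid7's or the original post's): a small Python detector over constructed Sysmon-style process-creation records that flags an executable presenting itself as WebView2 when it runs outside the runtime directory or lacks a Microsoft signature, and flags a WebView2-claiming parent that spawns PowerShell or CMD, the two execution commands the Game.exe backdoor supports. The runtime paths, field names and sample values are assumptions.

```python
# Flag processes that present themselves as Microsoft WebView2 but behave like a
# backdoor. Runs over Sysmon-style process-creation records (constructed sample
# below); the Signed/Signature fields are an assumption for this example.
# Where the genuine WebView2 runtime is expected to live (assumption, simplified).
LEGIT_WEBVIEW2_DIRS = (
    "c:\\program files (x86)\\microsoft\\edgewebview\\application\\",
    "c:\\program files\\microsoft\\edgewebview\\application\\",
)
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}


def claims_webview2(image: str, description: str) -> bool:
    """True if the image name or file description presents itself as WebView2."""
    return image.lower().endswith("msedgewebview2.exe") or "webview2" in description.lower()


def evaluate(event: dict) -> list:
    """Return the detection reasons for one event; an empty list means benign."""
    reasons = []
    image = event.get("Image", "")
    if claims_webview2(image, event.get("Description", "")):
        if not image.lower().startswith(LEGIT_WEBVIEW2_DIRS):
            reasons.append("webview2 lookalike outside the runtime directory")
        if event.get("Signed") != "true" or "microsoft" not in event.get("Signature", "").lower():
            reasons.append("webview2 lookalike not signed by Microsoft")
    # The backdoor's PowerShell/CMD commands surface as a shell whose parent
    # presents itself as WebView2; the genuine runtime does not spawn shells.
    child = image.lower().rsplit("\\", 1)[-1]
    if child in SHELLS and claims_webview2(event.get("ParentImage", ""), event.get("ParentDescription", "")):
        reasons.append("webview2 parent spawned a command shell")
    return reasons


def scan(events) -> dict:
    """Map ProcessId -> reasons for every event that trips at least one rule."""
    return {e["ProcessId"]: r for e in events if (r := evaluate(e))}


# Constructed sample: a genuine runtime launch, a lookalike dropped by the loader,
# and a shell spawned by that lookalike.
SAMPLE_EVENTS = [
    {"ProcessId": 4100, "Image": "C:\\Program Files (x86)\\Microsoft\\EdgeWebView\\Application\\120.0.0.0\\msedgewebview2.exe",
     "Description": "Microsoft Edge WebView2", "Signed": "true", "Signature": "Microsoft Corporation",
     "ParentImage": "C:\\Windows\\explorer.exe", "ParentDescription": "Windows Explorer"},
    {"ProcessId": 4120, "Image": "C:\\Users\\Public\\Game.exe", "Description": "Microsoft Edge WebView2",
     "Signed": "false", "Signature": "", "ParentImage": "C:\\Users\\Public\\ms_upd.exe", "ParentDescription": ""},
    {"ProcessId": 4130, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "Description": "Windows PowerShell", "Signed": "true", "Signature": "Microsoft Corporation",
     "ParentImage": "C:\\Users\\Public\\Game.exe", "ParentDescription": "Microsoft Edge WebView2"},
]
```

Running `scan(SAMPLE_EVENTS)` flags process 4120 on two rules and 4130 on the shell-spawn rule while the genuine runtime launch passes clean.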
Also in the news today:
- CMS Provider Directory Database Found Leaking Healthcare Providers’ Social Security Numbers
- RXNT Healthcare Software Breach Exposes Patient Data Across Multiple Provider Clients
- CISA Launches CI Fortify to Prepare Critical Infrastructure for Geopolitical Cyber Conflict
- Mirai-Based xlabs_v1 Botnet Exploits Android Debug Bridge to Hijack IoT Devices
- Cisco Releases Fix for DoS Flaw That Requires Manual Reboot to Recover
- Palo Alto Networks Warns of Firewall RCE Zero-Day Exploited in Attacks
