MuddyWater Disguised Espionage Intrusion as Chaos Ransomware Attack
Rapid7 assessed with moderate confidence that an intrusion initially presented as a Chaos ransomware incident was in fact a false-flag operation by the Iranian MOIS-linked group MuddyWater (also tracked as Seedworm). The attackers reportedly used Microsoft Teams social engineering, screen sharing, credential theft, and MFA manipulation to gain access, then deployed legitimate remote administration tools including AnyDesk and DWAgent to maintain persistence and move deeper into the environment, including toward a domain controller. Researchers said the operation diverged from a typical ransomware playbook because it emphasized long-term access, internal footholds, and data theft over disruptive encryption for profit.
Rapid7 linked the activity to MuddyWater through overlapping infrastructure such as moonzonet[.]com, tradecraft consistent with prior operations, and use of the revoked "Donald Gay" code-signing certificate previously tied to MuddyWater malware including Stagecomp and Darkcomp. The intrusion also used a loader, ms_upd.exe, to deploy a custom backdoor, Game.exe, which masqueraded as a Microsoft WebView2 sample application and enabled command execution, file operations, and persistent shell access. Researchers concluded that the ransomware branding and extortion behavior were likely intended to delay attribution and mask espionage or prepositioning objectives, continuing a pattern in which MuddyWater uses criminal ransomware themes as operational cover.
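One way a defender could operationalise the indicators above, as an added example that is not part of Rapid7's report: a small hunt over constructed endpoint telemetry that scores per-host signals (the C2 domain, the revoked signer name, the loader/backdoor file names, and remote-admin-tool launches as a weak corroborating signal) so that a renamed backdoor is still caught by its certificate. The event schema, field names, signer placeholders and weights are assumptions of this example.

```python
from dataclasses import dataclass

# Indicators named in the report; the defanged domain is refanged for matching.
C2_DOMAINS = {"moonzonet.com"}
REVOKED_SIGNERS = {"donald gay"}
LOADER_BACKDOOR = {"ms_upd.exe", "game.exe"}
REMOTE_ADMIN_TOOLS = {"anydesk.exe", "dwagent.exe"}  # legitimate; weak signal alone

@dataclass
class Event:
    host: str
    kind: str               # "process" or "dns"
    image: str = ""         # executable basename (process events)
    signer: str = ""        # Authenticode subject as logged (assumed field name)
    sig_valid: bool = True  # False when the signing chain is revoked/untrusted
    query: str = ""         # queried name (dns events)

def score_event(ev):
    """Return (weight, reason) for a suspicious event, else None.
    Weights are this example's assumptions, not Rapid7's."""
    if ev.kind == "dns" and ev.query.lower().rstrip(".") in C2_DOMAINS:
        return 5, f"DNS query for known MuddyWater domain {ev.query}"
    if ev.kind == "process":
        img = ev.image.lower()
        if img in LOADER_BACKDOOR:
            return 5, f"known loader/backdoor file name {ev.image}"
        if ev.signer.lower() in REVOKED_SIGNERS or (ev.signer and not ev.sig_valid):
            return 4, f"{ev.image} signed by {ev.signer!r} (revoked/untrusted chain)"
        if img in REMOTE_ADMIN_TOOLS:
            return 1, f"remote admin tool {ev.image} launched"
    return None

def hunt(events, threshold=5):
    """Sum weights per host; return hosts at or above threshold with reasons."""
    hits = {}
    for ev in events:
        scored = score_event(ev)
        if scored:
            weight, why = scored
            total, reasons = hits.get(ev.host, (0, []))
            hits[ev.host] = (total + weight, reasons + [why])
    return {h: v for h, v in hits.items() if v[0] >= threshold}

# Constructed sample telemetry: a benign helpdesk host, and one host showing the page's chain.
SAMPLE = [
    Event("ws-helpdesk", "process", image="AnyDesk.exe", signer="VendorCo (placeholder)"),
    Event("ws-finance", "process", image="AnyDesk.exe", signer="VendorCo (placeholder)"),
    Event("ws-finance", "process", image="WebView2Sample.exe", signer="Donald Gay", sig_valid=False),
    Event("ws-finance", "dns", query="moonzonet.com."),
]
```

Running `hunt(SAMPLE)` flags only ws-finance; the helpdesk host's lone AnyDesk launch stays below the threshold, which is the point of weighting the legitimate tools low.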
Timeline
May 6, 2026
Rapid7 publishes analysis attributing the operation to MuddyWater
On May 6, 2026, Rapid7 published research concluding that the apparent Chaos ransomware incident was likely a false-flag operation linked to MuddyWater. The attribution was based on infrastructure overlap, tradecraft, and use of the revoked 'Donald Gay' code-signing certificate previously associated with MuddyWater malware.
Jan 1, 2026
Attackers deploy ms_upd.exe and Game.exe during the intrusion
During the same early-2026 compromise, the operators used a malware chain in which ms_upd.exe deployed a custom RAT called Game.exe, disguised as a Microsoft WebView2 sample application. The backdoor enabled command execution, file operations, and persistent shell access while supporting the attackers' focus on exfiltration and long-term access rather than encryption.
Jan 1, 2026
MuddyWater conducts false-flag intrusion disguised as Chaos ransomware
In early 2026, attackers assessed with moderate confidence as the Iranian MOIS-affiliated group MuddyWater carried out an intrusion that initially appeared to be a Chaos ransomware attack. The operation used Microsoft Teams social engineering, credential harvesting, MFA manipulation, and remote access tools such as AnyDesk and DWAgent to gain access and persistence.
Dec 1, 2025
MuddyWater deploys Qilin ransomware against an Israeli organization
Rapid7 noted that MuddyWater had previously used ransomware as cover, including a late-2025 deployment of Qilin ransomware against an Israeli organization. This earlier activity provided historical context for the group's later use of ransomware branding to mask espionage objectives.
Related Stories
MuddyWater Cyberespionage Campaign Leveraging Snake Game-Inspired Malware
Iranian state-aligned threat group MuddyWater has launched a new cyberespionage campaign targeting organizations in Israel and Egypt, with a focus on technology, engineering, manufacturing, local government, and educational sectors. Researchers from ESET and other security firms have identified that MuddyWater is using a novel loader, dubbed Fooder, which masquerades as the classic Snake video game to deliver a new backdoor called MuddyViper. This loader introduces execution delays, inspired by the Snake game's mechanics, to evade antivirus detection. The campaign also employs spearphishing emails with PDF attachments that link to remote monitoring and management software installers, hosted on free file-sharing services, to gain initial access. The MuddyViper backdoor enables attackers to collect system information, execute files and shell commands, transfer files, and exfiltrate Windows login credentials and browser data. Additional tools, such as credential stealers and another backdoor named VAX One, have also been deployed. MuddyWater's evolving tactics, including the use of reflective loading for in-memory execution and the impersonation of legitimate software, demonstrate increased sophistication and a continued focus on defense evasion and persistence. Security researchers note the possibility that MuddyWater may be acting as an initial access broker for other Iranian threat actors, given observed overlaps in operations.
1 month ago
MuddyWater Phishing Campaign Targets Middle East and North Africa Government Networks
Iranian state-sponsored threat actor MuddyWater has conducted a large-scale cyberespionage campaign breaching over 100 government entities and international organizations across the Middle East and North Africa. The attackers leveraged a compromised enterprise mailbox, accessed via NordVPN, to send convincing phishing emails from legitimate addresses to embassies, ministries, and telecom providers. These emails contained weaponized Microsoft Word attachments that, when opened and macros enabled, deployed the updated "Phoenix" backdoor, granting persistent remote access, credential theft, and file exfiltration capabilities. The campaign also utilized off-the-shelf remote management tools such as PDQ and Action1 to blend in with legitimate administrative traffic and pilfered browser passwords from Chrome, Edge, Opera, and Brave. Researchers at Group-IB highlighted that MuddyWater, also known as Seedworm, APT34, OilRig, and TA450, has demonstrated evolving tradecraft and operational maturity in this operation, mixing official government and personal email addresses to increase the likelihood of successful compromise. The campaign's scale and targeting suggest either a significant increase in capability or a broader intelligence collection mandate from Iranian authorities. MuddyWater, linked to Iran's Ministry of Intelligence and Security, has a history of targeting government, energy, telecom, and defense sectors, focusing on long-term espionage rather than destructive attacks. Analysts warn that further activity is likely amid ongoing regional tensions.
1 month ago
MuddyWater (Seedworm) Espionage Campaign Using Dindoor Backdoor Against U.S. Organizations
Security researchers reported a cyber-espionage campaign attributed to Iran-linked **MuddyWater** (aka **Seedworm**), assessed as operating under Iran’s **Ministry of Intelligence and Security (MOIS)**, targeting multiple U.S.-based organizations and related operations. Victims cited across reporting include a **U.S. airport**, a **U.S. bank**, **non-governmental/non-profit organizations** in North America, and the **Israeli operations of a U.S. software supplier** connected to the defense and aerospace sector—indicating interest in both critical infrastructure-adjacent environments and the defense supply chain. The intrusions were described as beginning in **early 2026** (with Symantec/Carbon Black tracking activity starting in early February) and focused on establishing and maintaining access consistent with long-term intelligence collection. One report highlighted deployment of a newly observed backdoor, **Dindoor**, alongside additional tooling to sustain persistence in victim networks, while broader analysis framed the activity as potentially aligned with heightened regional tensions and warned that Iranian-aligned actors may continue reconnaissance and access operations; organizations were advised to increase monitoring and defensive readiness, particularly where exposed services could enable initial access.
1 month ago