Security researchers at Rapid7 have identified a state-sponsored operation in which the Iranian-linked group MuddyWater disguised espionage activity as a ransomware incident. The campaign, observed in early 2026, initially appeared to involve the Chaos Ransomware-as-a-Service group but was later assessed as a false flag operation. Forensic analysis linked the intrusion to MuddyWater through specific code-signing certificates and command-and-control infrastructure.
The activity is attributed with moderate confidence to the Iranian Advanced Persistent Threat group, also tracked as SeedWorm, TEMP.Zagros, Mango Sandstorm, TA450 and Static Kitten, and affiliated with Iran’s Ministry of Intelligence and Security. Attackers gained initial access through high-touch social engineering conducted via Microsoft Teams. They contacted employees while posing as internal IT staff or business associates and used interactive screen-sharing sessions to harvest credentials and manipulate multi-factor authentication. Once inside the network, the group performed reconnaissance, accessed VPN configuration files, and deployed remote access tools including AnyDesk and DWAgent to maintain persistence.
Rather than deploying ransomware and encrypting files, the operators focused on data exfiltration and long-term access. Victims received extortion emails directing them to the Chaos ransomware leak site, where the organization was listed as a target. No ransomware was deployed and no encryption occurred. When the expected ransom note could not be found, the stolen data was released publicly, confirming the primary goal was intelligence collection rather than financial extortion.
Rapid7 concluded that the ransomware elements served as a deliberate deception to divert attention from implanted persistence mechanisms. The operation reflects a broader pattern among Iranian cyber actors. Related groups such as the pro-Palestinian hacktivist collective Handala have conducted phishing, data theft and leak campaigns against Israeli and Gulf targets. The Iranian APT SeedWorm has carried out spear-phishing against academic institutions, non-governmental organizations and government entities, while another group known as Marshtreader has scanned vulnerable cameras in Israel for reconnaissance purposes.
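The persistence described above relied on commodity remote access tools (AnyDesk and DWAgent) rather than custom malware, so the defensive question is whether an organization can spot those binaries appearing outside its sanctioned deployment path. The following hunt is an added example written for this summary, not code from Rapid7, Red Sky Alliance or the report; it runs over constructed process-creation telemetry loosely modelled on Sysmon event 1 fields. The field names, the executable-name regexes, and the `CORP\svc-sccm` allowlisted deployment account are all assumptions.

```python
"""Hunt process-creation telemetry for unsanctioned remote access tools."""
import json
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Executable-name patterns for the two tools the report names (AnyDesk, DWAgent).
# Assumption: these are the binary names the tools use; tune to your inventory.
WATCHED_TOOLS = {
    "anydesk": re.compile(r"(^|\\)anydesk[^\\]*\.exe$", re.IGNORECASE),
    "dwagent": re.compile(r"(^|\\)dwag(ent|svc)[^\\]*\.exe$", re.IGNORECASE),
}

# Hypothetical allowlist: the only account that may legitimately install these tools.
SANCTIONED_INSTALLERS = {"CORP\\svc-sccm"}


@dataclass
class Finding:
    time: str
    user: str
    tool: str
    image: str
    parent: str
    severity: str  # "high" for an unexpected user, "info" for the deployment account


def classify(event: dict) -> Optional[Finding]:
    """Return a Finding if the launched image is a watched remote access tool."""
    image = event.get("Image", "")
    for tool, pattern in WATCHED_TOOLS.items():
        if pattern.search(image):
            user = event.get("User", "")
            severity = "info" if user in SANCTIONED_INSTALLERS else "high"
            return Finding(
                time=event.get("UtcTime", ""),
                user=user,
                tool=tool,
                image=image,
                parent=event.get("ParentImage", ""),
                severity=severity,
            )
    return None


def hunt(lines: Iterable[str]) -> List[Finding]:
    """Parse JSON-per-line telemetry and collect findings for process-creation events."""
    findings: List[Finding] = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed telemetry should not abort the whole hunt
        if event.get("EventID") != 1:  # only process-creation events carry an Image to check
            continue
        finding = classify(event)
        if finding:
            findings.append(finding)
    return findings


# Constructed sample telemetry (not real data). Doubled backslashes survive both
# Python and JSON escaping, so the decoded paths contain single backslashes.
SAMPLE_LOG = """
{"EventID": 1, "UtcTime": "2026-02-03 09:14:02", "User": "CORP\\\\jdoe", "Image": "C:\\\\Users\\\\jdoe\\\\Downloads\\\\AnyDesk.exe", "ParentImage": "C:\\\\Windows\\\\explorer.exe"}
{"EventID": 1, "UtcTime": "2026-02-03 09:20:45", "User": "CORP\\\\jdoe", "Image": "C:\\\\Program Files\\\\DWAgent\\\\native\\\\dwagsvc.exe", "ParentImage": "C:\\\\Windows\\\\System32\\\\services.exe"}
{"EventID": 1, "UtcTime": "2026-02-03 10:01:10", "User": "CORP\\\\svc-sccm", "Image": "C:\\\\Program Files (x86)\\\\AnyDesk\\\\AnyDesk.exe", "ParentImage": "C:\\\\Windows\\\\ccmsetup\\\\ccmsetup.exe"}
{"EventID": 3, "UtcTime": "2026-02-03 10:02:00", "User": "CORP\\\\jdoe", "Image": "C:\\\\Windows\\\\System32\\\\svchost.exe"}
{"EventID": 1, "UtcTime": "2026-02-03 10:05:33", "User": "CORP\\\\jdoe", "Image": "C:\\\\Windows\\\\System32\\\\notepad.exe", "ParentImage": "C:\\\\Windows\\\\explorer.exe"}
"""


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG.splitlines()):
        print(f"[{f.severity}] {f.time} {f.user} launched {f.tool}: {f.image} (parent {f.parent})")
```

The allowlist is what turns a noisy inventory check into a usable signal: a remote access tool launched by the deployment account is recorded at `info`, while the same tool appearing under an ordinary user, as in a Teams-assisted "IT support" session, is raised as `high`. In production the same logic would read from the endpoint telemetry pipeline rather than a string literal, and the parent image is kept in each finding so an analyst can see whether the launch came from a browser download, a user shell, or a service installation.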
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@redskyalliance.com
Weekly Cyber Intelligence Briefings:
- Reporting: https://www.redskyalliance.org/
- Website: https://www.redskyalliance.com/
- LinkedIn: https://www.linkedin.com/company/64265941
REDSHORTS - Weekly Cyber Intelligence Briefings
https://attendee.gotowebinar.com/register/5504229295967742989