INSPECTING ARCHIVED INTELLIGENCE (OUTDATED VERSION).
MuddyWater uses Chaos ransomware as decoy
2026-05-06 13:02 | Severity: CRITICAL / HIGH
Executive Summary (AI-generated)
The MuddyWater Iranian cyber-espionage group, notorious for long-term network intrusion campaigns targeting organizations in the United States and other countries, has been linked to a ransomware attack carried out under the Chaos ransomware-as-a-service (RaaS) brand. The intrusion involved social engineering, credential theft, persistence, remote access, data exfiltration, extortion emails, and an entry on the Chaos leak portal. MuddyWater is believed to have switched ransomware branding after its late 2025 attack against an Israeli organization was attributed to MOIS operatives, suggesting that it is adapting its strategy as attribution efforts intensify.
Technical Mitigations (AI-generated)
* Implement robust multi-factor authentication (MFA) policies to prevent unauthorized access and reduce the attack surface.
* Regularly update and patch software, including Microsoft Teams, to ensure that known vulnerabilities are addressed before they can be exploited by attackers.
* Use secure communication channels, such as encrypted messaging apps or email services with end-to-end encryption, for sensitive communications.
* Conduct regular security audits and vulnerability assessments of systems and networks to identify potential entry points for attackers.
* Educate employees on social engineering tactics and phishing attempts, and provide training on how to respond to suspicious emails and messages.
Intelligence Metadata
Actors / Malware / CVEs / Campaigns: MuddyWater, PowGoop, Qilin
Target & Sectors: GCC, North America
Incident Timeline

September 2020
Tags: tactic Ransomware; target region Israel; malware PowGoop
In September 2020, the threat actor was attributed to a campaign targeting prominent Israeli organizations with a loader called PowGoop that deployed a variant of Thanos ransomware with destructive capabilities.
late 2025
Tags: tactic Ransomware; malware Qilin; target region Israel; organisation MOIS
In late 2025, the threat actor deployed Qilin ransomware in an attack against an Israeli organization. The researchers suggest that the threat group might have pivoted to a different ransomware branding following the attribution of that late 2025 attack to MOIS operatives.
October 2025
Tags: tactic Ransomware; malware Qilin; target region Israel
As recently as October 2025, the attackers are believed to have used the Qilin ransomware to target an Israeli government hospital.
late March 2026
Tags: tactic Data Leak; victims 36
As of late March 2026, Chaos has claimed 36 victims on its data leak site, most of which are located in the U.S. Construction, manufacturing, and business services are some of the prominent sectors targeted by the group.
2026/05/06
Tags: threat actor MuddyWater; organisations Microsoft Teams, DWAgent, AnyDesk, Microsoft Quick Assist, Microsoft, DarkBit, RAMP, RehubCom, The Hacker News, Static Kitten, Seedworm, U.S. Navy, Microsoft Edge, the Ministry of Justice and Legal Affairs, Ctrl-Alt-Intel, Broadcom, Check Point, JUMPSEC, CastleLoader, Check Point Research; infrastructure Windows; data breach 26,000 user records

MuddyWater hackers used Chaos ransomware as a decoy in their attacks. The MuddyWater Iranian hackers disguised their operations as a Chaos ransomware attack, relying on Microsoft Teams social engineering to gain access and establish persistence.

[Figure: Overview of the attack. Source: Rapid7]

Rapid7 notes that MuddyWater has used ransomware in the past to mask its cyber-espionage operations.

MuddyWater Uses Microsoft Teams to Steal Credentials in False Flag Ransomware Attack.

The Iranian state-sponsored hacking group known as MuddyWater (aka Mango Sandstorm, Seedworm, and Static Kitten) has been attributed to a ransomware attack in what has been described as a "false flag" operation. "The campaign was characterized by a high-touch social engineering phase conducted via Microsoft Teams, where the attackers utilized interactive screen-sharing to harvest credentials and manipulate multi-factor authentication (MFA)," Rapid7 said in a report shared with The Hacker News.

Although the attack involved credential theft, persistence, remote access, data exfiltration, extortion emails, and an entry on the Chaos leak portal, the attackers used infrastructure and techniques associated with the MuddyWater attacks. MuddyWater is an Iranian state-sponsored cyber-espionage group, notorious for long-term network intrusion campaigns that align with the country's Ministry of Intelligence and Security (MOIS).

Despite the facade, Rapid7 has moderate confidence in attributing the incident to MuddyWater, a threat group also known as Static Kitten, Mango Sandstorm, and Seedworm. The campaign's links to MuddyWater stem from the use of a code-signing certificate attributed to "Donald Gay" to sign "ms_upd.exe." The certificate has been previously put to use by the threat cluster to sign its malware, including a CastleLoader downloader called Fakeset.

Attack progression

The intrusion Rapid7 examined started through Microsoft Teams social engineering, where the attackers initiated chats with employees, established screen-sharing sessions, harvested credentials, manipulated multi-factor authentication (MFA) settings, and, in some cases, deployed AnyDesk for remote access. "In at least one instance, the TA also deployed a remote management tool (AnyDesk) to further facilitate access."

Credential theft occurred either via phishing pages masquerading as Microsoft Quick Assist or by tricking victims into typing their passwords into local text files.

After compromising accounts, the attackers authenticated to internal systems, including a domain controller, and established persistence using RDP, DWAgent, and AnyDesk. "Once inside, the group bypassed traditional ransomware workflows, forgoing file encryption in favor of data exfiltration and long-term persistence via remote management tools like DWAgent."

Next, they leveraged a malware loader (ms_upd.exe) to drop a custom backdoor (Game.exe), disguised as a Microsoft WebView2 application. ms_upd.exe also downloaded WebView2Loader.dll, a legitimate DLL; it's required by Microsoft Edge WebView2 to embed web content in Windows applications.

The findings indicate that MuddyWater is attempting to muddy attribution efforts by increasingly relying on off-the-shelf tools available in the cybercrime underground to conduct its attacks. This shift has also been documented by Ctrl-Alt-Intel, Broadcom, Check Point, and JUMPSEC in recent months, highlighting the adversary's use of CastleRAT and Tsundere.

With that said, this is not the first time MuddyWater has conducted ransomware attacks. In 2023, Microsoft disclosed that the hacking group teamed up with DEV-1084, a threat actor known to use the DarkBit persona, to conduct destructive attacks under the pretext of deploying ransomware.

Attacks mounted by the e-crime gang leverage a combination of mail flooding and vishing using Teams, often by impersonating IT support personnel, to trick victims into installing remote access tools like Microsoft Quick Assist, and then abuse that foothold to burrow deeper into the victim's environment and deploy ransomware. Known for its double extortion model, the threat actor has advertised its affiliate program on cybercrime forums, like RAMP and RehubCom.

The development comes as Hunt.io revealed details of an Iranian-nexus operation targeting Omani government institutions to exfiltrate more than 26,000 Ministry of Justice user records, judicial case data, committee decisions, and SAM and SYSTEM registry hives. "The primary target was the Ministry of Justice and Legal Affairs (mjla.gov[.]om)."

The discovery also coincides with continued activity from pro-Iran-aligned hacktivist groups, such as Handala Hack, which has claimed to have published details on nearly 400 U.S. Navy personnel in the Persian Gulf and carried out an attack on the Port of Fujairah in the United Arab Emirates, enabling it to gain access to its internal systems and leak about 11,000 sensitive documents related to invoices, shipping records, and customs documents.

"We said then that further escalation was likely," Sergey Shykevich, group manager at Check Point Research, told The Hacker News.
early 2026
Tags: tactic Social Engineering; organisation Microsoft Teams
The attack, observed by Rapid7 in early 2026, has been found to leverage social engineering techniques via Microsoft Teams to initiate the infection sequence.
Tactical Metrics
* Victims: 36 (Chaos data leak site, as of late March 2026)
* Affected Product: Windows (Microsoft Edge WebView2, used by the ms_upd.exe loader)
* User Records: 26,000 (Omani Ministry of Justice records exfiltrated, per Hunt.io)
Intelligence Sources
* BleepingComputer, 2026-05-06: "MuddyWater hackers use Chaos ransomware as a decoy in attacks"
* The Hacker News, 2026-05-06
Last Updated: 2026-05-07T07:01
Comprehensive Tactical Telemetry

Highly Correlated Entities
* Microsoft Teams (organisation, identified entity): 29x
* 2025 (timeline, temporal reference): 10x
* Ransomware (tactic, cyber operation type): 9x
* United States (target region, target country): 5x
* Ministry of Intelligence and Security (attribution, attributing entity): 4x
* Qilin (malware payload): 2x
* T1059.001 - PowerShell (tactic, MITRE ATT&CK technique): 2x

Contextual Telemetry (10 metrics)
* APT Group (threat actor): MuddyWater
* Origin Country (source region): Iran, Islamic Republic of
* Commands (general metric): 12
* May (general metric): 14
* U.S. Navy Personnel (general metric): 400
* Sensitive Documents (general metric): 11,000
* Victims: 36
* Affected Product (infrastructure): Windows
* Seconds (general metric): 60
* User Records (data breach): 26,000