{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/iranian-apt/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":["MuddyWater"],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Microsoft Teams","Microsoft Quick Assist","Microsoft WebView2","AnyDesk"],"_cs_severities":["high"],"_cs_tags":["muddywater","chaos ransomware","cyberespionage","data theft","iranian apt"],"_cs_type":"threat","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eMuddyWater, an Iranian state-sponsored cyber-espionage group known for aligning with the country\u0026rsquo;s Ministry of Intelligence and Security (MOIS), is disguising its operations as Chaos ransomware attacks. Starting in 2025, they have used Microsoft Teams social engineering to gain initial access and establish persistence within targeted organizations. The attackers engage in credential theft, data exfiltration, and extortion emails, while also making an entry on the Chaos leak portal. Rapid7 researchers believe the ransomware component serves as a decoy to complicate attribution and conceal their true cyber-espionage objectives.\nThe group has previously deployed ransomware, such as Qilin in late 2025, to mask their activities, possibly pivoting to Chaos to avoid attribution following the Qilin incident.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attackers initiate chats with employees via Microsoft Teams, using social engineering to establish screen-sharing sessions.\u003c/li\u003e\n\u003cli\u003eCredential theft occurs via phishing pages masquerading as Microsoft Quick Assist or by tricking victims into typing their passwords into local text files.\u003c/li\u003e\n\u003cli\u003eCompromised accounts are used to authenticate to internal systems, including the domain controller.\u003c/li\u003e\n\u003cli\u003ePersistence is established using RDP, DWAgent, and AnyDesk for remote access to the compromised systems.\u003c/li\u003e\n\u003cli\u003eA malware loader (ms_upd.exe) is used to drop a custom backdoor (Game.exe), disguised as a Microsoft WebView2 application.\u003c/li\u003e\n\u003cli\u003eThe backdoor malware performs anti-analysis and anti-VM checks.\u003c/li\u003e\n\u003cli\u003eThe backdoor supports 12 commands, including PowerShell and CMD command execution, file upload and deletion, and persistent shell access.\u003c/li\u003e\n\u003cli\u003eData exfiltration occurs alongside the deployment of Chaos ransomware and an extortion attempt, likely to obfuscate the true objective of cyber espionage.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe MuddyWater group\u0026rsquo;s activities can lead to significant data breaches, system compromise, and potential financial losses for targeted organizations. While the Chaos ransomware component suggests a financial motive, the primary goal is believed to be cyber espionage aligned with the interests of the Iranian government.\nPast operations attributed to MuddyWater have targeted organizations in various sectors, and this shift to using ransomware as a decoy could broaden their target scope. If successful, these attacks can result in the theft of sensitive information, disruption of critical services, and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor process creations for \u003ccode\u003ems_upd.exe\u003c/code\u003e dropping \u003ccode\u003eGame.exe\u003c/code\u003e, disguised as a Microsoft WebView2 application, and deploy the Sigma rule \u0026ldquo;Detect MuddyWater Backdoor Deployment\u0026rdquo; to identify this activity.\u003c/li\u003e\n\u003cli\u003eMonitor network connections for processes associated with AnyDesk and DWAgent, and review for unusual network connections to external IP addresses to detect persistence mechanisms.\u003c/li\u003e\n\u003cli\u003eImplement and enforce multi-factor authentication (MFA) to mitigate the impact of credential theft, and educate employees on the risks of social engineering via Microsoft Teams to prevent initial access.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-07T12:00:00Z","date_published":"2026-05-07T12:00:00Z","id":"/briefs/2026-05-muddywater-chaos-ransomware/","summary":"The MuddyWater group is disguising its cyber-espionage operations as Chaos ransomware attacks, using Microsoft Teams social engineering for initial access and establishing persistence, likely to complicate attribution and mask their true objectives.","title":"MuddyWater Disguises Cyber-Espionage as Chaos Ransomware Attack","url":"https://feed.craftedsignal.io/briefs/2026-05-muddywater-chaos-ransomware/"}],"language":"en","title":"CraftedSignal Threat Feed — Iranian Apt","version":"https://jsonfeed.org/version/1.1"}