<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Iranian Apt — CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/iranian-apt/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Thu, 07 May 2026 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/iranian-apt/feed.xml" rel="self" type="application/rss+xml"/><item><title>MuddyWater Disguises Cyber-Espionage as Chaos Ransomware Attack</title><link>https://feed.craftedsignal.io/briefs/2026-05-muddywater-chaos-ransomware/</link><pubDate>Thu, 07 May 2026 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-05-muddywater-chaos-ransomware/</guid><description>The MuddyWater group is disguising its cyber-espionage operations as Chaos ransomware attacks, using Microsoft Teams social engineering for initial access and establishing persistence, likely to complicate attribution and mask their true objectives.</description><content:encoded><![CDATA[<p>MuddyWater, an Iranian state-sponsored cyber-espionage group widely assessed to be aligned with the country&rsquo;s Ministry of Intelligence and Security (MOIS), is disguising its operations as Chaos ransomware attacks. Since 2025 the group has used Microsoft Teams social engineering to gain initial access and establish persistence within targeted organizations. The attackers steal credentials, exfiltrate data, and send extortion emails, and they also list the victim on the Chaos leak portal.
Rapid7 researchers believe the ransomware component serves as a decoy that complicates attribution and conceals the true cyber-espionage objective. The group has previously deployed ransomware to mask its activity, such as Qilin in late 2025, and may have pivoted to Chaos to avoid the attribution that followed the Qilin incident.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attackers initiate chats with employees via Microsoft Teams, using social engineering to establish screen-sharing sessions.</li>
<li>Credential theft occurs via phishing pages masquerading as Microsoft Quick Assist or by tricking victims into typing their passwords into local text files.</li>
<li>Compromised accounts are used to authenticate to internal systems, including the domain controller.</li>
<li>Persistence is established using RDP, DWAgent, and AnyDesk for remote access to the compromised systems.</li>
<li>A malware loader (ms_upd.exe) is used to drop a custom backdoor (Game.exe), disguised as a Microsoft WebView2 application.</li>
<li>The backdoor malware performs anti-analysis and anti-VM checks.</li>
<li>The backdoor supports 12 commands, including PowerShell and CMD command execution, file upload and deletion, and persistent shell access.</li>
<li>Data exfiltration occurs alongside the deployment of Chaos ransomware and an extortion attempt, likely to obfuscate the true objective of cyber espionage.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The MuddyWater group&rsquo;s activities can lead to significant data breaches, system compromise, and potential financial losses for targeted organizations. While the Chaos ransomware component suggests a financial motive, the primary goal is believed to be cyber espionage aligned with the interests of the Iranian government. Past operations attributed to MuddyWater have targeted organizations in various sectors, and this shift to using ransomware as a decoy could broaden their target scope. If successful, these attacks can result in the theft of sensitive information, disruption of critical services, and reputational damage.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Monitor process creations for <code>ms_upd.exe</code> dropping <code>Game.exe</code>, disguised as a Microsoft WebView2 application, and deploy the Sigma rule &ldquo;Detect MuddyWater Backdoor Deployment&rdquo; to identify this activity.</li>
<li>Monitor network connections initiated by AnyDesk and DWAgent processes, and review any connections to external IP addresses that are not expected for the host, to detect these persistence mechanisms.</li>
<li>Implement and enforce multi-factor authentication (MFA) to mitigate the impact of credential theft, and educate employees on the risks of social engineering via Microsoft Teams to prevent initial access.</li>
</ul>
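<p>The two monitoring recommendations above (the loader dropping the backdoor, and the remote access tools connecting to external addresses) expressed as detection logic and run over constructed Sysmon-style events. This is an added example and not code from Rapid7, CraftedSignal, or the referenced Sigma rule. The field names follow Sysmon Event ID 1 (process create) and Event ID 3 (network connect); the on-disk names of the AnyDesk and DWAgent binaries and the list of internal address ranges are assumptions, and every event in the sample data is invented.</p>

```python
"""Detections for the MuddyWater tradecraft described in this brief, applied to
constructed Sysmon-style process-create (Event ID 1) and network-connect
(Event ID 3) events. Added example, not Rapid7's, CraftedSignal's or the
referenced Sigma rule's code."""
import ipaddress

# Assumed on-disk names of the remote access tools named in the brief.
RAT_NAMES = {"anydesk.exe", "dwagent.exe"}
LOADER_NAMES = {"ms_upd.exe"}
BACKDOOR_NAMES = {"game.exe"}

# Assumed internal address plan. Replace with the organisation's own ranges.
# ipaddress.is_global would also exclude the RFC 5737 documentation ranges
# used in the sample data below, so the internal check is explicit here.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]

# Constructed sample events; all paths, users and addresses are invented.
SAMPLE_EVENTS = [
    {"EventID": 1, "ParentImage": r"C:\Users\jdoe\Downloads\ms_upd.exe",
     "Image": r"C:\Users\jdoe\AppData\Local\Temp\Game.exe"},
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe"},
    {"EventID": 3, "Image": r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe",
     "DestinationIp": "203.0.113.45", "DestinationPort": 443},
    {"EventID": 3, "Image": r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe",
     "DestinationIp": "10.0.0.12", "DestinationPort": 7070},
    {"EventID": 3, "Image": r"C:\Program Files\DWAgent\runtime\DWAgent.exe",
     "DestinationIp": "198.51.100.7", "DestinationPort": 443},
    {"EventID": 3, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "DestinationIp": "198.51.100.9", "DestinationPort": 443},
]


def basename(path: str) -> str:
    """Case-folded file name from a Windows (or POSIX) path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_external(ip: str) -> bool:
    """True when the address parses and lies outside INTERNAL_NETS."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not any(addr in net for net in INTERNAL_NETS)


def detect_backdoor_drop(event: dict) -> bool:
    """Event ID 1 where the loader is the parent and the backdoor is the child.
    Both conditions are required, so a Game.exe started by explorer.exe or an
    ms_upd.exe launching something else does not fire on its own."""
    return (event.get("EventID") == 1
            and basename(event.get("ParentImage", "")) in LOADER_NAMES
            and basename(event.get("Image", "")) in BACKDOOR_NAMES)


def detect_rat_egress(event: dict) -> bool:
    """Event ID 3 from a remote access tool to an address outside the internal plan."""
    return (event.get("EventID") == 3
            and basename(event.get("Image", "")) in RAT_NAMES
            and is_external(event.get("DestinationIp", "")))


def triage(events: list[dict]) -> list[tuple[str, dict]]:
    """Label each matching event with the name of the detection it tripped."""
    findings = []
    for ev in events:
        if detect_backdoor_drop(ev):
            findings.append(("muddywater_loader_drops_backdoor", ev))
        elif detect_rat_egress(ev):
            findings.append(("remote_access_tool_external_egress", ev))
    return findings


if __name__ == "__main__":
    for name, ev in triage(SAMPLE_EVENTS):
        print(name, ev.get("Image"), ev.get("DestinationIp", ""))
```

<p>Matching on the case-folded file name rather than the full path keeps the rule working when the loader lands in a different user profile or temp directory; the RAT egress rule deliberately ignores connections to the internal address plan so that legitimately deployed AnyDesk or DWAgent instances talking to an internal relay do not generate noise, which is also why the internal ranges must be the organisation's real ones rather than the RFC 1918 defaults shown.</p>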
]]></content:encoded><category domain="severity">high</category><category domain="type">threat</category><category>muddywater</category><category>chaos ransomware</category><category>cyberespionage</category><category>data theft</category><category>iranian apt</category></item></channel></rss>