Incident breakdown | Image: Rapid7
According to a recent investigation by Rapid7 Labs, an intrusion that initially looked like a routine Chaos ransomware attack was assessed to be a targeted state-sponsored operation. Rather than a cybercriminal syndicate after a quick payday, the forensic evidence points to MuddyWater (also tracked as Seedworm), an advanced persistent threat (APT) group affiliated with Iran’s Ministry of Intelligence and Security (MOIS).
Rather than exploiting a software vulnerability, the attackers targeted the human element. The campaign was characterized by a high-touch social engineering phase conducted over Microsoft Teams, where the attackers used interactive screen-sharing to harvest credentials and manipulate Multi-Factor Authentication (MFA).
By initiating one-on-one chats from an attacker-controlled account, the threat actors persuaded users to type their credentials into text files created on their own machines. Once this initial foothold was established, the group’s behavior diverged sharply from the typical ransomware playbook.
From that foothold the group skipped the traditional ransomware workflow entirely: no files were encrypted. Instead, the operators focused on data exfiltration and long-term persistence through remote management tools such as DWAgent, and deployed a custom Remote Access Trojan (RAT) named “Game.exe” that masquerades as a legitimate Microsoft WebView2 application.
To throw security teams off their trail, MuddyWater orchestrated a remarkably detailed illusion. They operated under the banner of the Chaos ransomware-as-a-service (RaaS) group, a syndicate known for “big-game hunting” and demanding ransoms of up to $300,000.
The attackers sent extortion emails claiming they had stolen data, and open-source intelligence even turned up a corresponding entry on the real Chaos data leak site, complete with the group’s signature “blind” countdown timer.
However, Rapid7 researchers quickly spotted a glaring flaw in the illusion. “Notably, the apparent absence of file encryption, despite the presence of Chaos ransomware artifacts, represents a deviation from typical ransomware behavior,” the report states. This inconsistency may indicate that the ransomware component functioned primarily as a facilitating or obfuscation mechanism, rather than as the primary objective of the intrusion.
The true identity of the attackers was unmasked by a critical operational mistake: the reuse of known tooling and infrastructure.
The primary technical bridge to MuddyWater (Seedworm) is the code-signing certificate used to sign the malware samples. During the analysis, researchers found that the malware was signed with a certificate issued to “Donald Gay”. This specific certificate is a known shared resource within MuddyWater’s toolkit and has been tied directly to “Operation Olalampo,” a MuddyWater campaign targeting organizations across the U.S. and the Middle East in early 2026.
Coupled with overlapping command-and-control infrastructure and the group’s signature use of pythonw.exe to inject code, the evidence firmly points to the Iranian state-sponsored group.
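The signer-name pivot described above is easy to operationalize as a hunt across a binary corpus. The following is an added example (not Rapid7’s code or tooling) that pulls the embedded Authenticode PKCS#7 blob out of a PE’s security directory, walks its DER structure for every commonName attribute, and reports any that match a watch list seeded with the “Donald Gay” signer named in the report. The `build_fake_pe` helper and the `SAMPLE_NAME` blob are constructed stand-ins so the script runs offline; they are not real signed files or certificates, and the “Constructed Sample Org” RDN is invented. The parser reads what is embedded without validating the signature.

```python
import struct
from typing import List, Optional

# Signer common names from the Rapid7 report cited above; extend with your own intel.
KNOWN_SIGNER_CNS = {"Donald Gay"}

# DER-encoded OID 2.5.4.3 (id-at-commonName) without its tag/length.
OID_CN = bytes.fromhex("550403")


def extract_authenticode_blob(pe: bytes) -> Optional[bytes]:
    """Return the raw PKCS#7 SignedData from a PE's security directory, or None.

    Directory entry 4 holds a *file offset* (not an RVA) to a WIN_CERTIFICATE
    header: dwLength, wRevision, wCertificateType, followed by the blob.
    """
    try:
        if pe[:2] != b"MZ":
            return None
        e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
        if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
            return None
        opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]  # SizeOfOptionalHeader
        opt = e_lfanew + 24                                          # optional header start
        magic = struct.unpack_from("<H", pe, opt)[0]
        dir_base = {0x10B: 96, 0x20B: 112}.get(magic)                # PE32 vs PE32+
        if dir_base is None:
            return None
        sec = opt + dir_base + 4 * 8                                 # IMAGE_DIRECTORY_ENTRY_SECURITY
        if sec + 8 > opt + opt_size:
            return None                                              # directory not present
        off, size = struct.unpack_from("<II", pe, sec)
        if off == 0 or size < 8 or off + size > len(pe):
            return None
        length, _rev, cert_type = struct.unpack_from("<IHH", pe, off)
        if cert_type != 0x0002 or length < 8 or length > size:      # WIN_CERT_TYPE_PKCS_SIGNED_DATA
            return None
        return pe[off + 8:off + length]
    except struct.error:
        return None


def _read_tlv(buf: bytes, pos: int):
    """Parse one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _walk(buf: bytes):
    """Yield (tag, value) for every element, descending into constructed ones."""
    pos = 0
    while pos + 2 <= len(buf):
        tag, value, pos = _read_tlv(buf, pos)
        yield tag, value
        if tag & 0x20:                     # constructed: SEQUENCE, SET, [n] EXPLICIT
            yield from _walk(value)


def find_common_names(der: bytes) -> List[str]:
    """Collect every CN attribute (issuer and subject alike) found in a DER blob."""
    names = []
    for tag, value in _walk(der):
        if tag != 0x30:                    # AttributeTypeAndValue is a SEQUENCE {OID, value}
            continue
        try:
            t1, v1, p = _read_tlv(value, 0)
            t2, v2, _ = _read_tlv(value, p)
        except IndexError:
            continue
        if t1 == 0x06 and v1 == OID_CN:
            enc = "utf-16-be" if t2 == 0x1E else "utf-8"   # BMPString vs UTF8/PrintableString
            names.append(v2.decode(enc, "replace"))
    return names


def match_known_signers(pe: bytes, known=KNOWN_SIGNER_CNS) -> List[str]:
    """Return watch-listed CNs present in a PE's Authenticode blob (no signature validation)."""
    blob = extract_authenticode_blob(pe)
    if blob is None:
        return []
    return sorted(set(find_common_names(blob)) & set(known))


def _tlv(tag: int, body: bytes) -> bytes:
    """Short-form DER encoder for the constructed sample below (bodies under 128 bytes)."""
    return bytes([tag, len(body)]) + body


# Constructed X.501 Name: O=Constructed Sample Org, CN=Donald Gay. Not a real certificate.
SAMPLE_NAME = _tlv(0x30,
    _tlv(0x31, _tlv(0x30, _tlv(0x06, bytes.fromhex("55040a")) + _tlv(0x13, b"Constructed Sample Org")))
    + _tlv(0x31, _tlv(0x30, _tlv(0x06, OID_CN) + _tlv(0x13, b"Donald Gay"))))


def build_fake_pe(cert_blob: bytes) -> bytes:
    """Constructed PE32+ skeleton whose security directory points at cert_blob. Not executable."""
    e_lfanew = 0x40
    dos = (b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    opt_size = 112 + 5 * 8                 # PE32+ header through directory entry 4
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, opt_size, 0x22)
    win_cert_off = e_lfanew + 4 + 20 + opt_size
    win_cert = struct.pack("<IHH", 8 + len(cert_blob), 0x0200, 0x0002) + cert_blob
    opt = struct.pack("<H", 0x20B).ljust(112 + 4 * 8, b"\0") + struct.pack("<II", win_cert_off, len(win_cert))
    return dos + b"PE\0\0" + coff + opt + win_cert


if __name__ == "__main__":
    sample_pe = build_fake_pe(SAMPLE_NAME)
    print("CNs in blob:", find_common_names(SAMPLE_NAME))      # ['Donald Gay']
    print("known signers:", match_known_signers(sample_pe))    # ['Donald Gay']
```

For a real sweep, feed `match_known_signers(open(path, "rb").read())` each file of interest. Two caveats apply: the walker returns issuer and subject CNs alike, and it never checks that the signature is valid or unmodified, so confirm a hit with `signtool verify /v`, `Get-AuthenticodeSignature`, or `osslsigncode verify` before acting on it. Files signed through a catalog carry no embedded blob and will come back empty.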
“This incident highlights the increasing convergence between state-sponsored intrusion activity and cybercriminal tradecraft,” Rapid7’s report concludes. By adopting the branding of the Chaos RaaS ecosystem, MuddyWater likely aimed to blur the distinctions between state-sponsored activity and financially motivated cybercrime, thereby complicating attribution and delaying defensive responses.