Flash Briefing | Severity: high | Tags: Critical Infrastructure, Communications, Finance

Iranian APT MuddyWater Deploys Chaos Ransomware as False Flag to Mask Espionage

Rapid7 researchers have linked a campaign deploying Chaos ransomware to MuddyWater — the Iranian state-sponsored APT affiliated with the Ministry of Intelligence and Security (MOIS) — in what the firm describes as a deliberate false flag operation. The intrusions, observed in early 2026, were designed to appear as opportunistic criminal ransomware activity while actually serving state-directed intelligence collection objectives.

What Happened

The campaign used a high-touch social engineering approach conducted over Microsoft Teams. Attackers posed as IT support personnel and established screen-sharing sessions with employees at targeted organisations. Victims were explicitly instructed to type their credentials into locally created text files, named credentials.txt and cred.txt, and to add attacker-controlled devices to their MFA configurations. This gave the adversary persistent, authenticated access without deploying any password-stealing malware that might trigger endpoint detection. Because the attacker's authenticator is a legitimately registered method, it also survives a later password reset; rotating the password alone does not evict the adversary.

Despite the presence of Chaos ransomware artefacts on compromised systems, no files were encrypted. This is the tell that distinguishes a false flag from a genuine ransomware intrusion: the ransomware branding created the appearance of a criminal operation, while the actual objective was credential harvesting, reconnaissance, and data exfiltration consistent with a state-sponsored espionage mandate.

Attribution

Rapid7’s attribution to MuddyWater (also tracked as Seedworm, Mango Sandstorm, and Static Kitten) rests on technical artefacts including a specific code-signing certificate and command-and-control infrastructure. Notably, the moonzonet[.] C2 domain used during the campaign had previously appeared in confirmed MuddyWater operations targeting Israeli and Western organisations earlier in 2026. The attribution is assessed with moderate confidence.

Sectors and Geography

The campaign targeted organisations across construction, manufacturing, and business services sectors in the United States and several European countries including the United Kingdom, Sweden, Austria, Germany, Poland, and Italy. While these don’t map precisely to critical national infrastructure, manufacturing and business services organisations frequently hold sensitive intellectual property and supply-chain relationships that are of intelligence value to Iranian state actors.

Why This Matters

The false flag technique is not new — Russia’s Sandworm has previously used it — but its adoption by Iranian APTs reflects a maturation in Iranian tradecraft. Organisations investigating what appears to be ransomware activity may spend critical time running criminal incident response playbooks rather than state-actor ones. The differences matter: a criminal ransomware group is motivated by payment and has little reason to stay once paid or evicted, whereas a state actor's objective is sustained access, so its implants and the MFA devices it registered may persist after apparent remediation.

The use of Microsoft Teams for initial access is also significant. Most phishing defences are calibrated for email; Teams-based social engineering exploits the assumption of trusted internal communication. Employees who would scrutinise an email requesting credential input are often less suspicious when the request appears in what feels like a helpdesk or IT support channel.

Recommended Actions

  • Review Teams external access policies. Organisations that allow external guests or federated users to initiate calls and screen-sharing sessions with staff should evaluate whether that permission is necessary, and restrict it where it is not.
  • Audit recently added MFA devices. Check authenticator registrations for any devices added in the last 90 days that were not provisioned through standard IT workflows, and remove any that cannot be tied to a helpdesk ticket or the user's own confirmation. A password reset does not remove an attacker-registered authenticator.
  • Treat apparent ransomware as potential cover. If Chaos ransomware indicators are present without active encryption, treat the incident as a potential state-actor intrusion: preserve memory and disk images and authentication logs before rebuilding hosts.
  • Hunt for the moonzonet C2 domain, including its subdomains, and the associated IP infrastructure in DNS and proxy logs. Rapid7 has published IOCs.
  • Brief incident response teams on the distinction between criminal and state-sponsored ransomware appearances; the initial triage posture should differ significantly.
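The following hunt script is an added example, not code from Rapid7's report or from this briefing. It implements, over constructed sample data, the checks this page calls for: the credentials.txt / cred.txt file-creation pattern from the Teams pretext, the audit of recently registered MFA devices with no provisioning ticket, a correlation of the two on the same user, and a defanged-IOC match against DNS log lines that catches subdomains without matching look-alikes. The event field names, the "ticket" convention for sanctioned registrations, and the log line layout are assumptions; the page gives the C2 domain only as "moonzonet[.]" with its TLD withheld, so the ".example" TLD in the indicator list is a placeholder to be replaced with the value from Rapid7's IOC list.

```python
"""Hunt helpers for the Teams-helpdesk / credentials.txt / MFA-device tradecraft
described above. All sample data below is constructed for the example."""
from datetime import datetime, timedelta, timezone

# Constructed file-creation events, as an EDR or Sysmon Event ID 11 export
# might provide them (field names are an assumption, not a product schema).
FILE_EVENTS = [
    {"ts": "2026-02-03T09:14:00Z", "host": "WS-1021", "user": "jdoe",
     "path": r"C:\Users\jdoe\Desktop\credentials.txt", "process": "notepad.exe"},
    {"ts": "2026-02-03T09:16:00Z", "host": "WS-1021", "user": "jdoe",
     "path": r"C:\Users\jdoe\Documents\cred.txt", "process": "notepad.exe"},
    {"ts": "2026-02-03T10:02:00Z", "host": "WS-2044", "user": "asmith",
     "path": r"C:\Users\asmith\Documents\notes.txt", "process": "notepad.exe"},
]

# Constructed MFA registration audit records. "ticket" is the helpdesk/change
# ticket a sanctioned IT-provisioned registration carries (None = none found).
MFA_EVENTS = [
    {"ts": "2026-02-03T09:25:00Z", "user": "jdoe", "method": "Authenticator app",
     "device": "Pixel 7", "ticket": None},
    {"ts": "2025-10-01T11:00:00Z", "user": "asmith", "method": "Authenticator app",
     "device": "iPhone 14", "ticket": None},
    {"ts": "2026-01-20T15:30:00Z", "user": "bchen", "method": "FIDO2 key",
     "device": "YubiKey 5", "ticket": "CHG-5190"},
]

# Constructed DNS resolver log lines: "<ts> <client_ip> <qname> <qtype>".
DNS_LINES = """\
2026-02-03T09:30:12Z 10.1.4.21 api.moonzonet.example A
2026-02-03T09:30:13Z 10.1.4.21 moonzonet.example. A
2026-02-03T09:31:00Z 10.1.4.22 www.microsoft.com A
2026-02-03T09:32:00Z 10.1.4.23 notmoonzonet.example A
"""

# Indicators as published, i.e. defanged. The briefing gives the domain only as
# "moonzonet[.]" without its TLD; ".example" is a placeholder, replace it with
# the domain from Rapid7's IOC list.
IOC_DOMAINS_DEFANGED = ["moonzonet[.]example"]

CRED_FILE_NAMES = {"credentials.txt", "cred.txt"}


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def refang(ioc: str) -> str:
    """Turn a defanged indicator back into a matchable, lower-case domain."""
    return ioc.strip().lower().replace("[.]", ".").replace("(.)", ".")


def domain_matches(qname: str, ioc_domain: str) -> bool:
    """Exact or subdomain match; a look-alike such as 'notmoonzonet.example' must not match."""
    q = qname.lower().rstrip(".")
    return q == ioc_domain or q.endswith("." + ioc_domain)


def find_credential_files(events):
    """Creation events whose base name matches the files victims were told to type into."""
    hits = []
    for e in events:
        base = e["path"].replace("\\", "/").rsplit("/", 1)[-1].lower()
        if base in CRED_FILE_NAMES:
            hits.append(e)
    return hits


def find_unsanctioned_mfa(events, now: datetime, window_days: int = 90):
    """Authenticator registrations inside the window that carry no provisioning ticket."""
    cutoff = now - timedelta(days=window_days)
    return [e for e in events if parse_ts(e["ts"]) >= cutoff and not e.get("ticket")]


def find_ioc_dns_hits(lines: str, iocs_defanged):
    """DNS queries for the C2 domain or any subdomain of it."""
    iocs = [refang(i) for i in iocs_defanged]
    hits = []
    for line in lines.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed line: skip it rather than abort the hunt
        ts, client, qname = parts[0], parts[1], parts[2]
        for ioc in iocs:
            if domain_matches(qname, ioc):
                hits.append({"ts": ts, "client": client, "qname": qname, "ioc": ioc})
    return hits


def correlate(file_hits, mfa_hits, window_hours: int = 2):
    """Users who wrote a credentials file and then registered an MFA device shortly
    after: the sequence the Teams 'IT support' pretext produces."""
    window = timedelta(hours=window_hours)
    suspects = set()
    for f in file_hits:
        t0 = parse_ts(f["ts"])
        for m in mfa_hits:
            if m["user"] == f["user"] and timedelta(0) <= parse_ts(m["ts"]) - t0 <= window:
                suspects.add(f["user"])
    return sorted(suspects)


if __name__ == "__main__":
    now = parse_ts("2026-02-10T00:00:00Z")  # pinned so the sample run is reproducible
    files = find_credential_files(FILE_EVENTS)
    mfa = find_unsanctioned_mfa(MFA_EVENTS, now)
    for u in correlate(files, mfa):
        print(f"[!] {u}: credential file written, then MFA device registered without a ticket")
    for h in find_ioc_dns_hits(DNS_LINES, IOC_DOMAINS_DEFANGED):
        print(f"[!] {h['ts']} {h['client']} queried {h['qname']} (IOC {h['ioc']})")
```

On the sample data the script flags jdoe (credentials.txt and cred.txt written at 09:14 and 09:16, an unticketed authenticator added at 09:25) and the two queries for the placeholder C2 domain and its api subdomain, while ignoring the look-alike and the registration older than 90 days. In a real environment the DNS match should also be run over proxy and firewall logs, and a correlated hit should be escalated as a possible state-actor intrusion rather than closed as a single compromised account.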