MuddyWater
Iranian state-sponsored (MOIS) · Espionage / intelligence collection / false flag operations
Tactics, Techniques & Procedures (TTPs)
- Social engineering via Microsoft Teams — screen-sharing sessions to harvest credentials
- False flag operations using criminal ransomware branding (Chaos ransomware) to obscure espionage
- MFA manipulation — instructing victims to register attacker-controlled devices as MFA factors
- Credential file social engineering (victims directed to type passwords into credentials.txt)
- MOIS-linked C2 infrastructure (moonzonet domain cluster)
- Living-off-the-land techniques to minimise custom malware footprint
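The MFA-manipulation and Teams social-engineering TTPs above leave a detectable trace: a new authentication method is registered for the victim shortly after an external screen-sharing session, usually from a source the user has never signed in from. The following detection logic is an added example written for this page; it is not code from the original profile nor from Rapid7 or CISA. It assumes the field names of Entra ID audit-log records as returned by the Microsoft Graph auditLogs API (activityDisplayName, initiatedBy.user, targetResources, activityDateTime); the audit records, the 30-day sign-in history and the Teams external-session records are constructed sample data, and the Teams record layout in particular is a hypothetical normalised form rather than any product's native schema.

```python
"""Flag MFA security-info registrations that look attacker-driven.

Added example (not from the original profile or the cited reports). Field
names follow Entra ID audit-log records; all sample data below is constructed.
"""
from datetime import datetime, timedelta

# Entra ID audit activities emitted when a user adds an authentication method.
REGISTRATION_ACTIVITIES = {
    "User registered security info",
    "User registered all required security info",
}
# How soon after an external Teams session a registration counts as correlated.
WINDOW = timedelta(hours=1)

# Constructed audit records: one benign self-service registration (a.smith)
# and one that follows a help-desk impersonation over Teams (b.jones).
AUDIT_EVENTS = [
    {"activityDateTime": "2026-03-02T09:14:00Z",
     "activityDisplayName": "User registered security info",
     "resultReason": "User registered Authenticator App with Notification and Code",
     "initiatedBy": {"user": {"userPrincipalName": "a.smith@example.com",
                               "ipAddress": "203.0.113.10"}},
     "targetResources": [{"userPrincipalName": "a.smith@example.com"}]},
    {"activityDateTime": "2026-03-02T14:03:00Z",
     "activityDisplayName": "User registered security info",
     "resultReason": "User registered Authenticator App with Notification and Code",
     "initiatedBy": {"user": {"userPrincipalName": "b.jones@example.com",
                               "ipAddress": "198.51.100.77"}},
     "targetResources": [{"userPrincipalName": "b.jones@example.com"}]},
]

# Constructed baseline: source IPs each user signed in from over the last 30 days.
SIGNIN_HISTORY = {
    "a.smith@example.com": {"203.0.113.10", "203.0.113.11"},
    "b.jones@example.com": {"203.0.113.20"},
}

# Constructed, hypothetical normalised records of Teams sessions with external tenants.
TEAMS_EXTERNAL_SESSIONS = [
    {"time": "2026-03-02T13:40:00Z", "user": "b.jones@example.com",
     "external_tenant": "contoso-helpdesk.onmicrosoft.com"},
]


def _parse(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def find_suspicious_registrations(events, history, teams_sessions, window=WINDOW):
    """Return one alert per registration that is either from an unseen IP or
    shortly after an external Teams session. Registrations performed by an
    admin on behalf of the user are reported separately so they are not lost."""
    alerts = []
    for ev in events:
        if ev["activityDisplayName"] not in REGISTRATION_ACTIVITIES:
            continue
        actor = ev["initiatedBy"].get("user", {})
        target = ev["targetResources"][0]["userPrincipalName"]
        when = _parse(ev["activityDateTime"])
        reasons = []
        if actor.get("userPrincipalName") != target:
            reasons.append(f"registered by another principal: {actor.get('userPrincipalName')}")
        ip = actor.get("ipAddress")
        if ip not in history.get(target, set()):
            reasons.append(f"registration from IP {ip} absent from 30-day sign-in history")
        for sess in teams_sessions:
            if sess["user"] != target:
                continue
            delta = when - _parse(sess["time"])
            if timedelta(0) <= delta <= window:
                minutes = int(delta.total_seconds() // 60)
                reasons.append(f"external Teams session with {sess['external_tenant']} "
                               f"{minutes} min before registration")
        if reasons:
            alerts.append({"user": target, "time": ev["activityDateTime"],
                           "method": ev.get("resultReason"), "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_registrations(AUDIT_EVENTS, SIGNIN_HISTORY,
                                               TEAMS_EXTERNAL_SESSIONS):
        print(alert["user"], alert["time"], alert["method"])
        for r in alert["reasons"]:
            print("  -", r)
```

Run against the constructed data, only b.jones is flagged, on both counts: the registration came from an IP never seen in that user's sign-in history and happened 23 minutes after an external Teams session. In practice the sign-in baseline should come from the signIns log rather than a static dictionary, and any hit warrants revoking the new method and all refresh tokens for the account, not just the session that registered it.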
Known Targets
Analyst Notes
Operates under Iran's Ministry of Intelligence and Security (MOIS). A persistent user of social engineering and living-off-the-land techniques. The 2026 Chaos ransomware false flag campaign represents a tactical evolution: criminal ransomware branding is used to obscure state-directed espionage objectives and complicate attribution. Organisations investigating what appears to be ransomware activity may apply criminal incident response playbooks (contain, restore, negotiate) rather than state-actor ones (full scoping of credential theft, MFA registrations and persistence), allowing MuddyWater footholds to survive apparent remediation.
Also Known As
Intelligence Reports
CISA Confirms Active Exploitation: Apex One Endpoint Platform Turned Against Defenders, Langflow Linked to Iranian APT
CISA's May 21 KEV additions confirm active exploitation of Trend Micro Apex One's directory traversal flaw — which allows attackers to push malicious code through the defender's own endpoint management — alongside a Langflow AI workflow vulnerability tied to MuddyWater intrusions.
Iranian APT MuddyWater Deploys Chaos Ransomware as False Flag to Mask Espionage
Rapid7 researchers have attributed a series of intrusions using Chaos ransomware branding to MuddyWater — an Iranian state-sponsored group — in a deliberate false flag operation designed to obscure intelligence collection behind the appearance of criminal extortion.