Iran-Linked APT Posed as Chaos Ransomware Member in Espionage Campaign

By Team-CWD, May 6, 2026
An APT group linked to the Iranian government pretended to be a Chaos ransomware affiliate in order to provide plausible deniability for geopolitical espionage and prepositioning, Rapid7 has claimed.

The security vendor made the revelations in a new report published on May 6, Muddying the Tracks: The State-Sponsored Shadow Behind Chaos Ransomware.

Rapid7 assessed an intrusion that occurred in early 2026 as a false flag operation by the MuddyWater group (also tracked as Seedworm, Static Kitten and Mango Sandstorm), which is affiliated with the Iranian Ministry of Intelligence and Security.

The intrusion itself, which took place at an unnamed organization, began with social engineering of an employee via Microsoft Teams screen sharing.

“By operating interactively through compromised users, the attacker [TA] conducted initial discovery, harvested credentials, including MFA manipulation, and quickly transitioned to using legitimate accounts for internal access,” Rapid7 explained.

“From there, the TA established persistence using remote access tools such as DWAgent and AnyDesk, before deploying additional payloads and further control of the environment. Following this, the TA exfiltrated data from the compromised environment and subsequently contacted the victim via email, claiming data theft and initiating ransom negotiations.”

Obfuscation Can’t Hide Iran Links

Although the threat actor alleged successful data exfiltration, the Chaos group operates a “blind” countdown timer, meaning no victim details could be viewed on the RaaS outfit’s data leak site (DLS).

The actor also claimed to have placed a note in the victim organization’s desktop directory containing “access credentials” for a secure chat – however, Rapid7 was unable to locate it.

“Despite these inconsistencies in the initial proof-of-compromise, the TA later published the stolen data on its DLS in line with modern extortion tactics,” the report continued.

While the leaked data was assessed to be legitimate, the group did not deploy a ransomware payload, which a regular, financially motivated Chaos affiliate would be expected to do.

Aside from this unusual behavior, Rapid7 discovered several links to previous infrastructure used by MuddyWater including:

  • A code-signing certificate (“Donald Gay”) used to validate the malware samples
  • The moonzonet[.]com domain, which supported command-and-control (C2) infrastructure
  • Use of pythonw.exe to inject code into suspended processes
  • Use of interactive Microsoft Teams sessions to harvest MFA and credentials
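As an added illustration of how the indicators above translate into detection logic, the following Python scanner checks constructed endpoint events for the listed C2 domain, the code-signing subject, pythonw.exe creating suspended child processes, and the remote access tools used for persistence. This is example code, not from the article or from Rapid7's report; the event schema, the remote access tool executable names and the sample events are assumptions.

```python
"""Scan constructed endpoint telemetry for the indicators the article lists.

Added example; the event dict schema is an assumption, not a real product format.
"""

CREATE_SUSPENDED = 0x00000004  # Win32 process creation flag (CreateProcess)

# Indicators taken from the article (the domain is defanged there as moonzonet[.]com).
C2_DOMAINS = {"moonzonet.com"}
SUSPECT_SIGNERS = {"donald gay"}
# Remote access tools the actor used for persistence. Matching on these
# substrings of the executable name is an assumption made for this example.
REMOTE_ACCESS_TOOLS = ("dwagent", "anydesk")


def _image_name(path):
    """Return the lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(event):
    """Return the list of indicator labels triggered by one event dict."""
    hits = []
    kind = event.get("type")
    if kind == "dns":
        query = event.get("query", "").lower().rstrip(".")
        # Match the domain itself and any subdomain of it.
        if any(query == d or query.endswith("." + d) for d in C2_DOMAINS):
            hits.append("c2_domain")
    elif kind == "process":
        image = _image_name(event.get("image", ""))
        parent = _image_name(event.get("parent_image", ""))
        flags = event.get("creation_flags", 0)
        # pythonw.exe starting a child in the suspended state is the
        # precondition for the injection behaviour the article describes.
        if parent == "pythonw.exe" and flags & CREATE_SUSPENDED:
            hits.append("pythonw_suspended_child")
        if any(tool in image for tool in REMOTE_ACCESS_TOOLS):
            hits.append("remote_access_tool")
        if event.get("signer", "").lower() in SUSPECT_SIGNERS:
            hits.append("known_bad_signer")
    return hits


def scan_events(events):
    """Return {event_id: [labels]} for every event that matched at least one indicator."""
    findings = {}
    for event in events:
        labels = classify(event)
        if labels:
            findings[event["id"]] = labels
    return findings


# Constructed sample telemetry: four events that should match, two that should not.
SAMPLE_EVENTS = [
    {"id": 1, "type": "dns", "query": "cdn.moonzonet.com"},
    {"id": 2, "type": "process", "image": r"C:\Windows\System32\svchost.exe",
     "parent_image": r"C:\Python311\pythonw.exe", "creation_flags": CREATE_SUSPENDED},
    {"id": 3, "type": "process", "image": r"C:\Program Files\DWAgent\dwagent.exe",
     "parent_image": r"C:\Windows\explorer.exe", "creation_flags": 0},
    {"id": 4, "type": "process", "image": r"C:\Users\u\AppData\Local\Temp\update.exe",
     "parent_image": r"C:\Windows\explorer.exe", "creation_flags": 0, "signer": "Donald Gay"},
    {"id": 5, "type": "dns", "query": "teams.microsoft.com"},
    {"id": 6, "type": "process", "image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe", "creation_flags": 0},
]

if __name__ == "__main__":
    for event_id, labels in scan_events(SAMPLE_EVENTS).items():
        print(f"event {event_id}: {', '.join(labels)}")
```

The remote access tool match is deliberately kept separate from the ransomware-related labels so that an analyst triaging the output sees the persistence mechanism on its own, which is the point the report makes about looking past the extortion activity.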

MuddyWater has a record of impersonating RaaS groups. In late 2025 it was linked to activity involving the Qilin RaaS ecosystem in an attack targeting an Israeli organization, Rapid7 noted.

It may have switched to Chaos to further reduce the risk of attribution, the report claimed.

“The use of a RaaS framework in this context may enable the actor to blur distinctions between state-sponsored activity and financially motivated cybercrime, thereby complicating attribution,” Rapid7 said.

“Furthermore, the inclusion of extortion and negotiation elements could serve to focus defensive efforts on immediate impact, likely delaying the identification of underlying persistence mechanisms established via remote access tools such as DWAgent or AnyDesk.”

The lesson for investigators is to look “beyond overt ransomware indicators” and study the intrusion lifecycle closely, the report concluded.

“Ultimately, this activity is best understood as a hybrid intrusion model, in which ransomware is leveraged not as an end goal but as a mechanism for concealment, coercion, and operational flexibility within a broader intelligence-driven campaign,” it said.
