The Iran-linked APT actor MuddyWater has been observed performing an intrusion masquerading as a ransomware attack, according to Rapid7 research. The intrusion relied on social engineering tactics combined with espionage-focused operations but notably did not deploy file-encrypting ransomware.

Attack Methodology

The threat actors engaged with victim organization employees via Microsoft Teams, establishing screen-sharing sessions to access user assets. During these sessions, attackers:

  • Stole credentials
  • Manipulated MFA protections
  • Compromised accounts
  • Executed basic discovery commands
  • Accessed files related to VPN configuration
  • Instructed users to enter credentials into locally created text files

Attackers deployed the AnyDesk remote management tool to facilitate broader access, then established persistent access through RDP sessions and the DWAgent remote access tool, enabling lateral movement and data exfiltration.

The Extortion Deception

The threat actors sent extortion emails claiming to hold stolen information and threatening to leak it unless a ransom was paid. Victims were directed to the Chaos ransomware leak site. However, no ransomware was actually deployed on the compromised machines.

This tactic serves a dual purpose: creating financial pressure on victims while obscuring the true intelligence-gathering nature of the operation.

Attribution

The infrastructure and malware used link directly to MuddyWater, also known as Mango Sandstorm, Mercury, Seedworm, and Static Kitten. The U.S. has officially linked this group to Iran's Ministry of Intelligence and Security (MOIS).

A custom RAT called Darkcomp (Game.exe) was deployed, supporting command execution, file manipulation, and persistent shell access. The backdoor was signed with a certificate previously linked to MuddyWater operations and used a command-and-control domain associated with the Iranian threat actor.

Rapid7 notes: "The convergence of technical and contextual evidence is consistent with attribution to MuddyWater with moderate confidence." The use of Chaos ransomware appears designed to obscure operational intent rather than representing a strategic shift for the group.