Researchers at Rapid7 have detailed an intrusion that masqueraded as a Chaos ransomware attack but was, in their assessment, a state-sponsored espionage operation linked with moderate confidence to the Iranian APT MuddyWater (also known as Seedworm), a group affiliated with Iran's Ministry of Intelligence and Security. The campaign blended social engineering, credential theft, data exfiltration, and extortion — but with no evidence that any files were actually encrypted.

The early-2026 incident initially looked routine: victims were led to believe they were dealing with the Chaos ransomware-as-a-service crew, which runs a data-leak site. Forensic analysis told a different story. A specific code-signing certificate and command-and-control infrastructure pointed to MuddyWater, suggesting the ransomware branding was a deliberate “false flag” over the group's usual intelligence-gathering tradecraft.

Initial access came through Microsoft Teams. Posing as internal IT staff or business contacts, the attackers persuaded employees to join screen-sharing sessions, then ran reconnaissance, opened VPN configuration files, and tricked users into typing credentials into locally saved text files. In at least one case they installed AnyDesk to keep a foothold.

From there the operators used RDP and the DWAgent remote-management tool for persistence, deployed additional payloads, harvested more credentials, and exfiltrated sensitive data. They then emailed the victim claiming data theft and opened ransom negotiations — reinforcing the ransomware cover story while the real objective was espionage.
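The chain described above (an unapproved remote-management tool appearing on a workstation, followed by RDP use) is something a detection engineer can look for. The following is an added example, not code from Rapid7 or the original report: it runs a simple correlation over constructed sample process-creation and logon records; the tool list is taken from the names in the article, and the allow-list, host names, timestamps and IPs are assumptions.

```python
"""Correlate unapproved remote-management tool execution with a later RDP logon.

The records below are constructed sample telemetry (not real logs). "logon_type" 10
mirrors the RemoteInteractive type in Windows Security event 4624.
"""
from datetime import datetime, timedelta

# Tool binaries named in the report; the approved set is an assumption for the example.
RMM_TOOLS = {"anydesk.exe", "dwagent.exe", "dwagsvc.exe"}
APPROVED_RMM = set()  # e.g. {"anydesk.exe"} if the organisation sanctions it

SAMPLE_EVENTS = [  # constructed sample data
    {"ts": "2026-01-14T09:02:10", "host": "WS-117", "type": "process",
     "image": "C:\\Program Files\\Microsoft\\Teams\\ms-teams.exe"},
    {"ts": "2026-01-14T09:41:03", "host": "WS-117", "type": "process",
     "image": "C:\\Users\\jdoe\\Downloads\\AnyDesk.exe"},
    {"ts": "2026-01-14T11:15:44", "host": "WS-117", "type": "logon",
     "logon_type": 10, "src_ip": "203.0.113.7"},
    {"ts": "2026-01-14T10:00:00", "host": "WS-204", "type": "process",
     "image": "C:\\Windows\\System32\\notepad.exe"},
    {"ts": "2026-01-14T10:05:00", "host": "WS-204", "type": "logon",
     "logon_type": 10, "src_ip": "10.0.0.5"},
]


def parse_ts(s):
    return datetime.fromisoformat(s)


def find_rmm_installs(events):
    """Return (host, timestamp, binary) for every unapproved RMM tool execution."""
    hits = []
    for e in events:
        if e["type"] != "process":
            continue
        name = e["image"].rsplit("\\", 1)[-1].lower()  # basename, case-insensitive
        if name in RMM_TOOLS and name not in APPROVED_RMM:
            hits.append((e["host"], parse_ts(e["ts"]), name))
    return hits


def correlate_rmm_then_rdp(events, window=timedelta(hours=24)):
    """Alert on hosts where an RMM tool ran and an RDP logon followed within the window."""
    alerts = []
    for host, t0, name in find_rmm_installs(events):
        for e in events:
            if e["type"] == "logon" and e["host"] == host and e.get("logon_type") == 10:
                t1 = parse_ts(e["ts"])
                if t0 <= t1 <= t0 + window:
                    alerts.append({"host": host, "tool": name, "rdp_src": e["src_ip"],
                                   "delay_min": int((t1 - t0).total_seconds() // 60)})
    return alerts
```

In a real deployment the same logic would be fed from Sysmon event 1 and Security event 4624, and the tool list widened to whatever remote-access software the organisation has not sanctioned.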