The Iranian state-sponsored hacking group known as MuddyWater (aka Mango Sandstorm, Seedworm, and Static Kitten) has been attributed to a ransomware attack in what has been described as a “false flag” operation.

The attack, observed by Rapid7 in early 2026, has been found to leverage social engineering techniques via Microsoft Teams to initiate the infection sequence. Although the incident initially appeared to be consistent with a ransomware-as-a-service (RaaS) group operating under the Chaos brand, evidence points to it being a targeted state-backed attack that masquerades as opportunistic extortion.

“The campaign was characterized by a high-touch social engineering phase conducted via Microsoft Teams, where the attackers utilized interactive screen-sharing to harvest credentials and manipulate multi-factor authentication (MFA),” Rapid7 said in a report shared with The Hacker News.

“Once inside, the group bypassed traditional ransomware workflows, forgoing file encryption in favor of data exfiltration and long-term persistence via remote management tools like DWAgent.”

The findings indicate that MuddyWater is attempting to muddy attribution efforts by increasingly relying on off-the-shelf tools available in the cybercrime underground to conduct its attacks. This shift has also been documented by Ctrl-Alt-Intel, Broadcom, Check Point, and JUMPSEC in recent months, highlighting the adversary’s use of CastleRAT and Tsundere.

With that said, this is not the first time MuddyWater has conducted ransomware attacks. In September 2020, the threat actor was attributed to a campaign targeting prominent Israeli organizations with a loader called PowGoop that deployed a variant of Thanos ransomware with destructive capabilities.

Then, in 2023, Microsoft disclosed that the hacking group teamed up with DEV-1084, a threat actor known to use the DarkBit persona, to conduct destructive attacks under the pretext of deploying ransomware. As recently as October 2025, the attackers are believed to have used the Qilin ransomware to target an Israeli government hospital.

“In this case, the emerging picture was that the attackers were likely Iranian-affiliated operators working through the cyber criminal ecosystem, using a criminal ransomware brand and methods associated with the broader extortion market, while serving a strategic Iranian objective,” Check Point noted back in March.

“The use of Qilin, and participation in its affiliate program, likely serves not only as a layer of cover and plausible deniability, but also as a meaningful operational enabler, especially as earlier attacks appear to have heightened security measures and monitoring by Israeli authorities.”

Chaos is a RaaS group that emerged in early 2025. Known for its double extortion model, the threat actor has advertised its affiliate program on cybercrime forums such as RAMP and RehubCom.

Attacks mounted by the e-crime gang leverage a combination of mail flooding and vishing using Teams, often by…




Last Update: May 6, 2026