Iran-linked hackers mask espionage as extortion

Cybersecurity investigators have linked a deceptive ransomware-style intrusion to MuddyWater, a state-sponsored hacking group associated with Tehran’s intelligence apparatus, after forensic evidence showed the operation was built around espionage rather than financial extortion.

The campaign, observed in early 2026, was presented to victims as an attack by an affiliate of the Chaos ransomware-as-a-service ecosystem. Yet the intrusion lacked a defining feature of ransomware: there was no file encryption. Instead, the attackers focused on social engineering, credential theft, multi-factor authentication manipulation, persistence, lateral movement and data exfiltration, indicating an intelligence-led operation masked by criminal branding.

The attackers approached employees through Microsoft Teams, using external chat requests and screen-sharing sessions to gain direct interaction with targeted users. During those sessions, they ran basic discovery commands, examined VPN-related files and instructed victims to enter credentials into locally created text files. Some users were also directed towards a phishing page designed to mimic Microsoft Quick Assist, reinforcing the impression of an IT support interaction.

Once credentials were obtained, the hackers used legitimate accounts to authenticate into internal systems, including a domain controller. They then established access through Remote Desktop Protocol and deployed remote administration tools such as AnyDesk and DWAgent, allowing them to retain control even after the initial social engineering phase ended. This reliance on legitimate software made detection more difficult and gave the attackers the ability to blend into normal administrative activity.

The intrusion later moved into payload delivery. A downloader named ms_upd.exe was used to retrieve components including a custom backdoor identified as Game.exe, which masqueraded as a Microsoft WebView2 application. The malware supported command execution, PowerShell activity, file upload, file deletion and persistent shell access. It also contained anti-analysis and virtual machine detection features, although parts of its code and configuration remained unusually exposed, suggesting the tool may have been prepared for a limited deployment rather than a broad criminal campaign.

Attribution was strengthened by a code-signing certificate and command-and-control infrastructure previously associated with MuddyWater operations. The certificate, issued under the name “Donald Gay”, has appeared in earlier malware linked to the same network. A command-and-control domain tied to the downloader also overlapped with infrastructure associated with campaigns against organisations in the United States, the Middle East and allied environments.
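As an added defensive example (not code from the report or its investigators), the following Python triages a batch of process-creation events for the tradecraft described above: remote administration tools launched inside RDP sessions of legitimate accounts, the reported filenames ms_upd.exe and Game.exe, and binaries signed under the "Donald Gay" certificate subject. The event schema, field names and sample events are constructed for illustration and do not correspond to any particular product's log format.

```python
from dataclasses import dataclass

# Indicators quoted in the report. The event schema below is constructed for
# this example and is not any particular product's log format.
REMOTE_ADMIN_TOOLS = {"anydesk.exe", "dwagent.exe"}
REPORTED_FILENAMES = {"ms_upd.exe", "game.exe"}
REPORTED_SIGNER = "donald gay"
RDP_LOGON_TYPE = 10  # Windows logon type 10 = RemoteInteractive (RDP)


@dataclass
class ProcEvent:
    host: str
    user: str
    image: str       # full path of the created process
    signer: str      # code-signing certificate subject, "" if unsigned
    logon_type: int  # logon type of the session that spawned the process


def classify(ev: ProcEvent) -> list[str]:
    """Return findings for one event; an empty list means nothing matched."""
    name = ev.image.rsplit("\\", 1)[-1].lower()
    findings = []
    if name in REMOTE_ADMIN_TOOLS and ev.logon_type == RDP_LOGON_TYPE:
        # A valid account logging in over RDP and then launching a remote-admin
        # tool is the persistence pattern the report describes.
        findings.append(f"remote-admin tool {name} started in RDP session of {ev.user}")
    if name in REPORTED_FILENAMES:
        findings.append(f"filename {name} matches reported downloader/backdoor")
    if ev.signer.lower() == REPORTED_SIGNER:
        findings.append(f"signed under reported certificate subject '{ev.signer}'")
    return findings


def hunt(events: list[ProcEvent]) -> dict[str, list[str]]:
    """Group findings by host so an analyst sees which machines need triage."""
    hits: dict[str, list[str]] = {}
    for ev in events:
        for finding in classify(ev):
            hits.setdefault(ev.host, []).append(finding)
    return hits


# Constructed sample events modelled on the intrusion chain in the report.
SAMPLE_EVENTS = [
    ProcEvent("ws01", "jdoe", r"C:\Users\jdoe\Downloads\ms_upd.exe", "Donald Gay", 2),
    ProcEvent("dc01", "svc_admin", r"C:\ProgramData\AnyDesk\AnyDesk.exe", "", RDP_LOGON_TYPE),
    ProcEvent("dc01", "svc_admin", r"C:\Users\svc_admin\AppData\Local\Temp\Game.exe", "Donald Gay", RDP_LOGON_TYPE),
    ProcEvent("ws02", "asmith", r"C:\Windows\System32\notepad.exe", "Microsoft Windows", 2),
]
```

Running `hunt(SAMPLE_EVENTS)` flags ws01 twice (filename plus signer) and dc01 three times, while the benign notepad event on ws02 produces no finding.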

MuddyWater, also tracked under names including Seedworm, Mango Sandstorm, Mercury and Static Kitten, has long been associated with cyber-espionage activity aligned with the Ministry of Intelligence and Security. Its operations have traditionally focused on intelligence collection, credential harvesting and long-term access across government, telecommunications, energy, defence, academic and critical infrastructure targets.

The Chaos branding appears to have served several purposes. By invoking a ransomware-as-a-service operation, the attackers could push defenders towards an incident-response model focused on containment, negotiation and leak-site monitoring, while deeper persistence mechanisms remained harder to identify. The tactic also offered plausible deniability, allowing state-linked activity to be framed as financially motivated cybercrime.

Chaos itself emerged in 2025 as a ransomware-as-a-service brand distinct from the older Chaos malware builder. It has been associated with big-game hunting, double-extortion tactics, social engineering and leak-site pressure campaigns. Reported ransom demands have reached hundreds of thousands of dollars, and its activity has focused heavily on organisations in the United States, particularly in construction, manufacturing and business services.

The campaign examined by investigators followed that surface pattern only partially. The attackers sent extortion emails to multiple users, claimed they had stolen data and directed the victim towards a Chaos leak portal. A later message instructed recipients to find a note supposedly placed on their desktop containing credentials for a secure negotiation chat. Threat hunting did not locate such a note, but the stolen data was later published, and the victim confirmed that the leaked material was genuine.

That sequence points to a hybrid model in which ransomware theatre was used to support an espionage campaign. The absence of encryption, the emphasis on credential control and the use of established MuddyWater infrastructure suggest the attackers were not primarily seeking ransom proceeds. Their priority appeared to be intelligence gathering, access retention and possible prepositioning for future disruptive activity.



Notice an issue?

Arabian Post strives to deliver the most accurate and reliable information to its readers. If you believe you have identified an error or inconsistency in this article, please don't hesitate to contact our editorial team at editor[at]thearabianpost[dot]com. We are committed to promptly addressing any concerns and ensuring the highest level of journalistic integrity.

