NCC Group has warned that threat actors tied to governments are using ransomware branding, extortion notes, victim leak sites and negotiation channels not only to increase pressure on targets but also to complicate attribution. Its latest threat intelligence assessment highlights a campaign associated with MuddyWater in which activity presented as a Chaos ransomware incident showed signs of a targeted intelligence operation rather than a conventional profit-driven attack.
The warning comes as ransomware volumes remain elevated across the global threat landscape. NCC Group recorded 749 ransomware attacks worldwide in May 2026, with industrial organisations accounting for 29 per cent of known incidents. Qilin remained the most active ransomware operation during the month, responsible for 15 per cent of tracked activity, while The Gentlemen ranked second for another consecutive month, underscoring the rapid churn of ransomware operators and affiliate ecosystems.
MuddyWater, also tracked as Seedworm, Static Kitten, TEMP.Zagros and Mango Sandstorm, has been active since at least 2017 and is widely assessed to operate as part of Iran’s intelligence apparatus. Its targeting has included government bodies, telecommunications providers, local authorities, financial institutions, defence entities, oil and gas organisations and critical infrastructure across the Middle East, Europe, Asia, Africa and North America. The UAE and Saudi Arabia have appeared among the group’s established areas of interest.
The campaign highlighted by threat researchers began as a case that appeared to fit the pattern of a Chaos ransomware intrusion. The attackers used social engineering, remote access tools, credential theft and data exfiltration before introducing ransomware-style elements. The victim was pushed into channels associated with extortion, creating the impression of a financially motivated attack. Forensic details, however, pointed towards espionage objectives, including access maintenance, intelligence collection and operational tradecraft consistent with MuddyWater.
A key feature of the operation was the use of commercially available and legitimate remote administration software to establish access. Attackers posed as technical support personnel and persuaded a target to install remote access tooling, allowing them to deploy additional malware, harvest credentials, alter multi-factor authentication settings and move deeper into the network. This method reduces the need for bespoke malware at the initial stage and allows intruders to blend into ordinary enterprise activity.
The deployment of ransomware branding after the espionage phase marks a notable development. Traditional ransomware actors typically prioritise encryption, public pressure and payment. In the MuddyWater-linked case, the sequence of activity suggested that the extortion layer may have functioned as a smokescreen after sensitive information had already been collected. That approach can mislead investigators, delay diplomatic attribution and force victims to treat the incident as a criminal extortion case while intelligence loss remains the more serious consequence.
The tactic is not entirely new for MuddyWater. The group has previously been associated with disruptive activity disguised as ransomware, including operations that used false criminal personas to obscure state interests. What has changed is the sophistication and credibility of the cover. Ransomware-as-a-service branding, leak-site exposure and negotiation infrastructure now provide ready-made camouflage for state-backed operators seeking plausible deniability.
MuddyWater’s broader tradecraft has also evolved. Security researchers tracking its operations have identified tailored phishing lures, hijacked trusted accounts, macro-enabled documents, custom backdoors, Rust-based implants, use of Telegram for command and control, and infrastructure designed to support large-scale email delivery. Its targets have included diplomatic, maritime, aviation, energy, finance and technology entities, suggesting a focus on economic and strategic intelligence rather than random criminal gain.
The convergence between cybercrime and state activity presents a practical problem for companies and governments. Incident responders can no longer assume that a ransom note indicates a financially motivated attacker. A ransomware label may now be part of a deception strategy, especially where attackers show unusual interest in internal communications, credentials, network persistence or data linked to strategic sectors.
The risk is particularly acute for industrial and critical infrastructure operators, which remain heavily targeted by ransomware groups and are also attractive intelligence targets. Energy, ports, telecommunications, aerospace, financial services and government suppliers face overlapping pressure from criminal gangs, state-backed espionage teams and hybrid actors that move between the two worlds.
The use of legitimate commercial tools adds another complication. Remote monitoring and management platforms, cloud services and credential utilities are common inside corporate networks, making malicious activity harder to distinguish from routine administration. Attackers benefit from this ambiguity, especially when they combine social engineering with compromised accounts that appear trusted to email filters and recipients.
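The sequence described above (remote administration software installed after a support-themed pretext, followed by MFA changes and credential access on the same host) is the kind of pattern a detection team can correlate rather than alert on piece by piece. The following is an added illustration, not code from NCC Group or Arabian Post; the log format, binary names and event labels are constructed assumptions.

```python
"""Correlate a remote-administration tool install with follow-on identity activity.

Added example (not the report's code): flags a host where an RMM binary starts and,
within a short window, MFA settings change or credential access occurs on that host.
The watchlist, log format and sample events below are constructed placeholders.
"""
from datetime import datetime, timedelta

# Constructed watchlist of remote-administration binaries (placeholder names).
RMM_BINARIES = {"remoteadmin-agent.exe", "quicksupport-helper.exe"}
# Follow-on events the article associates with the post-install phase.
SUSPECT_FOLLOWUPS = {"mfa_method_changed", "credential_dump", "new_service_installed"}
WINDOW = timedelta(hours=2)

# Constructed sample events, one per line: ts|host|user|event|detail
SAMPLE_LOG = """\
2026-05-12T09:01:00|WS-17|alice|process_start|remoteadmin-agent.exe
2026-05-12T09:40:00|WS-17|alice|mfa_method_changed|new phone enrolled
2026-05-12T10:05:00|WS-17|alice|credential_dump|credential store read
2026-05-12T11:00:00|WS-22|bob|process_start|remoteadmin-agent.exe
2026-05-13T15:00:00|WS-22|bob|mfa_method_changed|new phone enrolled
2026-05-12T12:00:00|WS-09|carol|mfa_method_changed|new phone enrolled
"""

def parse(log: str):
    """Yield (timestamp, host, user, event, detail) tuples from the pipe-delimited log."""
    for line in log.strip().splitlines():
        ts, host, user, event, detail = line.split("|", 4)
        yield datetime.fromisoformat(ts), host, user, event, detail

def correlate(log: str) -> dict:
    """Return {host: [(user, event, detail), ...]} for hosts where an RMM install
    is followed inside WINDOW by a suspect identity or credential event."""
    installs = {}  # host -> first time a watchlisted binary started
    hits = {}
    for ts, host, user, event, detail in sorted(parse(log)):
        if event == "process_start" and detail.lower() in RMM_BINARIES:
            installs.setdefault(host, ts)
        elif event in SUSPECT_FOLLOWUPS and host in installs:
            if timedelta(0) <= ts - installs[host] <= WINDOW:
                hits.setdefault(host, []).append((user, event, detail))
    return hits

if __name__ == "__main__":
    for host, events in correlate(SAMPLE_LOG).items():
        print(f"ALERT {host}: RMM install followed by {[e for _, e, _ in events]}")
```

In the sample, WS-17 is flagged (MFA change and credential access 39 and 64 minutes after the install), WS-22 is not because its MFA change falls a day later, and WS-09 is not because no RMM binary ran there.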
The latest activity also comes against a backdrop of heightened geopolitical tension, where cyber operations often accompany diplomatic and military friction. Iran-linked groups have shown repeated interest in entities connected to defence, aviation, maritime logistics, energy supply and regional policymaking. Their operations are often designed to gather intelligence, prepare access or apply pressure while avoiding a clear threshold for overt retaliation.