RC RANDOM CHAOS

MuddyWater Hides Iranian Espionage Behind Chaos Ransomware Brand via Teams Phishing

· via The Hacker News

Original source: MuddyWater Uses Microsoft Teams to Steal Credentials in False Flag Ransomware Attack (The Hacker News)

Rapid7 attributes an early-2026 intrusion to Iran’s MuddyWater group operating under the cover of the Chaos ransomware-as-a-service brand. Operators initiated contact through external Microsoft Teams chats, ran interactive screen-sharing sessions to harvest credentials and walk targets through MFA prompts, then pivoted to RDP, AnyDesk, and DWAgent for persistence. Notably, no files were encrypted — the ransomware veneer appears to be misdirection while the real objective was data exfiltration and long-term access.

The infection chain pulls ms_upd.exe (Stagecomp) via curl from an external IP, which stages a bespoke RAT (Darkcomp) disguised as Microsoft’s WebView2APISample, paired with a legitimate WebView2Loader.dll and an encrypted config file. The RAT polls a C2 every 60 seconds for shell, PowerShell, and file commands. Attribution back to MuddyWater rests on a ‘Donald Gay’ code-signing certificate previously used on the group’s CastleLoader/Fakeset tooling.
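A fixed 60-second C2 poll is the kind of behaviour that stands out in network telemetry once you look for it. The script below is an added example (not Rapid7's or The Hacker News's code) that scans a constructed outbound-connection log for host/destination pairs whose connections recur at a near-constant interval with low jitter. The log format, the hostnames, the TEST-NET addresses, and the `min_events` / `max_jitter_ratio` thresholds are all assumptions made for this example; only the 60-second cadence comes from the report.

```python
"""Beacon-interval detector over constructed outbound-connection logs.

Flags (host, destination) pairs whose connection timestamps recur at a
near-constant interval, as a periodically polling implant would produce.
The log lines and addresses below are constructed for this example; the
roughly 60-second interval mirrors the polling period described in the report.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median, pstdev

# Constructed sample log, one connection per line:
# "<ISO timestamp> <src_host> <dst_ip>:<port>"
SAMPLE_LOG = """\
2026-02-10T09:00:00 WS-017 203.0.113.10:443
2026-02-10T09:00:03 WS-017 198.51.100.7:443
2026-02-10T09:01:01 WS-017 203.0.113.10:443
2026-02-10T09:01:59 WS-017 203.0.113.10:443
2026-02-10T09:02:47 WS-017 198.51.100.7:443
2026-02-10T09:03:00 WS-017 203.0.113.10:443
2026-02-10T09:04:02 WS-017 203.0.113.10:443
2026-02-10T09:05:00 WS-017 203.0.113.10:443
2026-02-10T09:09:11 WS-017 198.51.100.7:443
2026-02-10T09:10:30 WS-042 198.51.100.7:443
2026-02-10T09:10:40 WS-042 198.51.100.7:443
2026-02-10T09:15:02 WS-042 198.51.100.7:443
"""


def parse_log(text):
    """Return {(src_host, dst): [datetime, ...]} from the simple log format above."""
    conns = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, dst = line.split()
        conns[(host, dst)].append(datetime.fromisoformat(ts))
    return conns


def find_beacons(conns, min_events=5, max_jitter_ratio=0.15):
    """Return [(host, dst, median_interval_seconds)] for low-jitter periodic pairs.

    A pair qualifies when it has at least `min_events` connections and the
    population standard deviation of its inter-arrival times is at most
    `max_jitter_ratio` times the median interval. Both thresholds are
    assumptions chosen for this example, not values from the report.
    """
    hits = []
    for (host, dst), times in conns.items():
        if len(times) < min_events:
            continue
        times = sorted(times)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        med = median(gaps)
        if med > 0 and pstdev(gaps) <= max_jitter_ratio * med:
            hits.append((host, dst, med))
    return hits


if __name__ == "__main__":
    for host, dst, interval in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"{host} -> {dst}: ~{interval:.0f}s periodic connections")
```

On the sample data only WS-017's connections to 203.0.113.10:443 are flagged (median gap 61 s, a few seconds of jitter); the irregular browsing-style traffic to 198.51.100.7 is not, even when the event threshold is lowered. In production the same logic applies to proxy, firewall or NetFlow records, and sleep jitter in a real implant is the reason to tune `max_jitter_ratio` rather than to require exact intervals.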

This fits a broader pattern — also flagged by Check Point, Broadcom, and JUMPSEC — of Iranian state actors renting commodity cybercrime infrastructure (Qilin, Chaos, CastleRAT, Tsundere) to blur the line between espionage and extortion. The payoff is plausible deniability and reduced internal tooling cost; the cost to defenders is that incident response anchors on ransomware playbooks while the persistent footholds quietly remain.


This is an AI-generated summary. Read the original for the full story.