An Iranian state-sponsored threat actor known as MuddyWater has been observed staging intrusions disguised as ransomware attacks, according to a report from Rapid7. The operation, identified in early 2026, used social engineering for initial access and then carried out espionage-style activity such as reconnaissance, credential harvesting, and data exfiltration, without ever deploying file-encrypting ransomware.
Deceptive Tactics and Initial Access
The attackers contacted employees of the target organization over Microsoft Teams and talked them into screen-sharing sessions, through which they obtained credentials and got past multi-factor authentication. With that access they manipulated user accounts and extracted sensitive information. Rapid7 noted that the attackers ran basic discovery commands, examined VPN configurations, and instructed users to type their credentials into text files. In some cases they also had the AnyDesk remote management tool installed to broaden their access.
Persistence and Data Exfiltration
After establishing a foothold, the attackers maintained access through RDP sessions and the DWAgent remote access tool, moved laterally across the network, deployed additional payloads, and extracted data. They then sent extortion emails to multiple users, claiming to hold stolen information and threatening to release it unless a ransom was paid. The emails directed victims to a site associated with the Chaos ransomware, even though no ransomware was actually deployed during the intrusion.
False Flags and Attribution
The Chaos ransomware artifacts appear to have served as a distraction, masking the state-sponsored nature of the attack. Rapid7 suggests that the aim may have been to pull defensive effort toward the apparent immediate impact (a ransomware extortion) and so delay discovery of the persistence established through remote tools such as DWAgent and AnyDesk. The infrastructure and tactics used pointed to MuddyWater, also known as Mango Sandstorm, which is linked to Iran's Ministry of Intelligence and Security (MOIS).
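The persistence described under "Persistence and Data Exfiltration" and the distraction strategy above both point to the same defensive check: an extortion email should trigger a hunt for unapproved remote access tools and RDP activity, not just a ransomware response. The script below is an added example written for this page, not code from Rapid7's report, and it runs detection logic over a few constructed Windows-style event lines. The key=value log format, host names, paths, and the AnyDesk/DWAgent service and binary name patterns are assumptions made for the example; the event semantics it relies on are standard (System log 7045 = new service installed, Security log 4688 = process created, Security log 4624 with LogonType 10 = RemoteInteractive, i.e. RDP).

```python
import re
from typing import Iterable, Optional

# Remote access tools named in the intrusion write-up. The regexes are assumed
# service/binary name patterns for this example, not indicators from the report.
REMOTE_TOOL_PATTERNS = {
    "AnyDesk": re.compile(r"anydesk", re.I),
    "DWAgent": re.compile(r"dwag(ent|svc)", re.I),
}

# Constructed sample events (not real telemetry) in a simplified key=value form,
# roughly what you would get after flattening Get-WinEvent output.
SAMPLE_EVENTS = [
    'EventID=7045 Host=WS01 ServiceName=AnyDesk ImagePath="C:\\Program Files (x86)\\AnyDesk\\AnyDesk.exe --service"',
    'EventID=4688 Host=WS01 NewProcessName=C:\\Windows\\System32\\notepad.exe ParentProcessName=C:\\Windows\\explorer.exe',
    'EventID=7045 Host=FS02 ServiceName=DWAgent ImagePath="C:\\Program Files\\DWAgent\\native\\dwagsvc.exe"',
    'EventID=4688 Host=FS02 NewProcessName=C:\\Users\\jsmith\\Downloads\\dwagent.exe ParentProcessName=C:\\Windows\\explorer.exe',
    'EventID=4624 Host=FS02 LogonType=10 TargetUserName=jsmith IpAddress=10.0.5.23',
]

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line: str) -> dict:
    """Parse one key=value event line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def match_tool(text: str) -> Optional[str]:
    """Return the name of the first remote access tool whose pattern appears in text."""
    for name, pattern in REMOTE_TOOL_PATTERNS.items():
        if pattern.search(text):
            return name
    return None


def hunt_remote_access(lines: Iterable[str], approved: frozenset = frozenset()) -> list:
    """Flag remote access tool installs/executions and RDP logons.

    `approved` lists tools the organization legitimately uses; hits on those are
    skipped so the output is only the unexpected ones.
    Returns (host, event_id, tool, description) tuples in log order.
    """
    findings = []
    for line in lines:
        ev = parse_event(line)
        eid = ev.get("EventID")
        host = ev.get("Host", "?")
        if eid == "7045":  # a new service was installed
            tool = match_tool(ev.get("ServiceName", "") + " " + ev.get("ImagePath", ""))
            if tool and tool not in approved:
                findings.append((host, eid, tool, "remote access tool installed as a service"))
        elif eid == "4688":  # a new process was created
            tool = match_tool(ev.get("NewProcessName", ""))
            if tool and tool not in approved:
                findings.append((host, eid, tool, "remote access tool process started"))
        elif eid == "4624" and ev.get("LogonType") == "10":  # RemoteInteractive = RDP
            findings.append((host, eid, "RDP",
                             f"RDP logon by {ev.get('TargetUserName')} from {ev.get('IpAddress')}"))
    return findings


if __name__ == "__main__":
    for host, eid, tool, desc in hunt_remote_access(SAMPLE_EVENTS):
        print(f"{host} event {eid} [{tool}]: {desc}")
```

Run against the constructed events the hunt returns four findings: the AnyDesk service on WS01, the DWAgent service and binary on FS02, and an RDP logon to FS02. Passing `approved=frozenset({"AnyDesk"})` drops the AnyDesk hit, which is how you would suppress a tool your help desk genuinely deploys while still catching DWAgent and the RDP session.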
During the attack the group also used a custom remote access tool named Darkcomp, capable of executing commands, manipulating files, and maintaining persistent shell access. This tool and its command-and-control infrastructure were consistent with MuddyWater's previous operations.
Analysis and Future Outlook
Technical and contextual evidence supports attributing this operation to MuddyWater with moderate confidence. The appearance of Chaos ransomware does not indicate a change in the group's objectives; it is another instance of its practice of obscuring its intentions and complicating attribution. For defenders, the incident is a reminder that an extortion email is not proof of a ransomware incident: an intrusion that looks like ransomware should still be investigated for the remote access tools and persistence that an espionage actor leaves behind.
