Iranian threat group used Chaos ransomware as a ‘false flag,’ researchers say

May 7, 2026

By Laura French

A threat actor suspected to have ties with the Iranian state-sponsored threat group MuddyWater recently conducted an attack that used Chaos ransomware as a “false flag” to obscure its true motives, Rapid7 reported Wednesday.

Rapid7 researchers investigated the attack in early 2026, finding that despite ransom demands and the apparent publication of victim data to the Chaos ransomware leak site, no files were encrypted and the attacker used certificates and infrastructure tied to MuddyWater.

“What stands out is the mismatch between the Chaos branding and the intrusion behavior: extortion and publication occurred, but the operation lacked a typical encryption phase and showed stronger signs of access, credential theft, persistence, and intelligence collection,” Rapid7 Vice President of Cyber Intelligence Christiaan Beek told SC Media.

Chaos is a ransomware-as-a-service (RaaS) operation that has been active since February 2025 and mostly targets large organizations in the United States. Typical Chaos ransomware attacks involve double extortion, including both exfiltration and encryption of victim files.

MuddyWater, also known as Seedworm, is an Iranian advanced persistent threat (APT) group linked to Iran’s Ministry of Intelligence and Security (MOIS). The group has historically targeted government and critical infrastructure organizations in the Middle East with the goal of long-term espionage and has also conducted similar attacks against U.S. and European organizations.

Microsoft Teams social engineering enabled credential theft

Earlier this year, the APT group infiltrated the networks of multiple U.S. companies, including financial institutions, an airport and a defense and aerospace supplier.
The recent intrusion investigated by Rapid7 began with social engineering via Microsoft Teams, where employees were convinced to share their screen, enter their credentials into text files and, in some cases, submit their credentials through a phishing link. Some employees were also made to add attacker-controlled devices to their multi-factor authentication (MFA) settings.

The attackers used the stolen credentials to gain access to internal systems and establish persistence via remote desktop protocol (RDP) sessions and the remote management tool DWAgent, Rapid7 said. RDP sessions were also leveraged to achieve lateral movement between systems.

A curl command was used to install a downloader called “ms_upd.exe,” which contacted the command-and-control (C2) domain “moonzonet[.]com” and installed additional payloads, including a custom backdoor called “Game.exe.” Game.exe is a trojanized version of the legitimate Microsoft WebView2 application and performs a range of anti-analysis checks before connecting to the C2 domain “uploadfiler[.]com.” The malware sends victim host information to the C2 and then polls the server for incoming commands every 60 seconds, indefinitely.

Espionage, persistence and extortion blurred the attack’s true motive

The backdoor supports executing commands via cmd.exe or PowerShell, writing base64-encoded files, deleting files, and starting and stopping interactive shells.

Rapid7 said that while it discovered Chaos ransomware artifacts in its investigation, no files were encrypted, nor was a ransom note found on the affected systems. Overall, the attack chain was noted to be inconsistent with typical ransomware behavior. The attacker later emailed employees and attempted to initiate ransom negotiations for the allegedly stolen data.
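The fixed 60-second polling interval described above is the kind of behavior a defender can hunt for in outbound proxy or DNS logs, because a sleep loop produces a far more regular request cadence than a person browsing. The script below is an added example, not code from the Rapid7 report or from SC Media: it groups proxy requests by (source host, destination) and flags pairs whose inter-request gaps have very low jitter. The log format, the hostnames and every log line are constructed for the example; the destination domain is the defanged C2 indicator quoted in the article, and the 10-request minimum and 10% jitter threshold are assumptions to tune per environment.

```python
"""Detect fixed-interval C2 polling in web-proxy logs (added example).

Assumed log format (constructed for this example, one request per line):
    <ISO-8601 timestamp> <source host> <destination host> <HTTP status>
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median
import random


def make_sample_log():
    """Build constructed proxy log lines: one beaconing host, one benign host."""
    base = datetime(2026, 1, 15, 9, 0, 0)
    lines = []

    # Beaconing host: 60 s cadence with +/-2 s of jitter (assumed for the demo).
    # The destination is the defanged indicator from the report; a real proxy
    # log would carry the plain domain.
    rng = random.Random(7)
    t = base
    for _ in range(40):
        lines.append(f"{t.isoformat()} WKS-0421 uploadfiler[.]com 200")
        t += timedelta(seconds=60 + rng.uniform(-2, 2))

    # Benign host: irregular human browsing gaps whose median also lands near
    # 60 s, so the median period alone would not separate it from the beacon.
    t = base
    for gap in (5, 131, 12, 480, 33, 7, 900, 61, 59, 205, 3, 58, 62, 60, 400):
        t += timedelta(seconds=gap)
        lines.append(f"{t.isoformat()} WKS-0007 www.example.com 200")
    return lines


def parse_line(line):
    """Split one constructed log line into (timestamp, src, dst)."""
    ts, src, dst, _status = line.split()
    return datetime.fromisoformat(ts), src, dst


def find_beacons(lines, min_requests=10, max_jitter=0.1):
    """Return (src, dst, period_seconds, jitter) for pairs with a stable cadence.

    jitter = median absolute deviation of the gaps divided by the median gap.
    A fixed sleep loop keeps this near zero; interactive traffic does not.
    """
    by_pair = defaultdict(list)
    for line in lines:
        ts, src, dst = parse_line(line)
        by_pair[(src, dst)].append(ts)

    findings = []
    for (src, dst), stamps in by_pair.items():
        if len(stamps) < min_requests:
            continue  # too few requests to judge a cadence
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        period = median(gaps)
        if period <= 0:
            continue  # duplicate timestamps; not a polling pattern
        mad = median(abs(g - period) for g in gaps)
        jitter = mad / period
        if jitter <= max_jitter:
            findings.append((src, dst, period, jitter))
    return findings


if __name__ == "__main__":
    for src, dst, period, jitter in find_beacons(make_sample_log()):
        print(f"{src} -> {dst}: period ~{period:.1f}s, jitter {jitter:.3f}")
```

The benign host in the sample is deliberately given a median gap of 60 seconds so that only the jitter measure separates it from the beacon; a hunt that keys on the period alone would page on ordinary browsing. Real backdoors often add randomised sleep, so the jitter threshold is a starting point rather than a fixed rule, and the result should be joined against destination reputation and first-seen data before it is treated as a finding.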
Rapid7 did not find any sign of the note containing “access credentials” referenced by the attacker on the affected systems; however, data was subsequently published on the data leak site and confirmed to be legitimate by the victim organization.

Rapid7 attributed the attack to MuddyWater with moderate confidence based on evidence that included a code-signing certificate and C2 domain known to be used by the group. The ms_upd.exe downloader was signed using a certificate under the name “Donald Gay,” which has previously been used by MuddyWater to sign its Stagecomp downloader. Additionally, the “moonzonet[.]com” C2 domain used by the downloader was also used in MuddyWater attacks targeting Israeli and Western organizations in early 2026.

Additional supporting evidence includes the use of pythonw.exe to inject code into suspended processes and the use of interactive Microsoft Teams social engineering to harvest credentials, both consistent with MuddyWater’s tradecraft, according to Rapid7.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI) and Department of Defense Cyber Crime Center (DC3) previously issued a joint advisory in 2024 warning that Iranian state-sponsored attackers were collaborating with ransomware groups, namely members of the Iranian APT known as Pioneer Kitten. In some cases these attackers would conceal their Iranian affiliation from RaaS operators while leveraging extracted data for espionage purposes, officials said.

While Rapid7 concluded the use of Chaos ransomware branding was likely an attempt to complicate attribution, and possibly delay the discovery of persistence mechanisms, Beek told SC Media that direct collaboration with a ransomware actor could not be ruled out.

“The 2024 CISA/FBI/DC3 advisory established precedent for Iran-based actors enabling ransomware activity while also conducting espionage-aligned operations.
This case could fit several models: a state-linked actor using Chaos as cover, a state-linked actor collaborating with or leveraging a ransomware affiliate, or an operator using criminal monetization alongside tasking that serves state objectives,” Beek said.