In a recent incident, the Iranian state-sponsored hacking group known as MuddyWater has been implicated in a ransomware attack described as a “false flag” operation. This incident was tracked by Rapid7 in early 2026, where attackers exploited social engineering techniques utilizing Microsoft Teams to initiate their malicious activities.
Initially perceived as a ransomware-as-a-service (RaaS) operation under the Chaos brand, evidence has emerged indicating that this was a state-sponsored attack that masked its intentions as opportunistic extortion. Rapid7’s analysis reveals a sophisticated campaign characterized by target-specific social engineering tactics, particularly through interactive screen-sharing on Teams for credential harvesting and manipulation of multi-factor authentication (MFA).
After gaining access, the actors diverged from conventional ransomware methodologies by forgoing file encryption. Instead, they opted for data exfiltration and maintained long-term access through remote management tools such as DWAgent. This modus operandi aims to complicate attribution while allowing state-sponsored actors to adopt commercially available tools, as documented by various cybersecurity firms including Ctrl-Alt-Intel and Check Point.
This marks a continuation of MuddyWater’s history with ransomware. Previously, the group targeted high-profile Israeli organizations, utilizing a loader dubbed PowGoop that deployed a variant of Thanos ransomware in 2020. In a subsequent operation in 2023, Microsoft disclosed MuddyWater’s collaboration with another hacking entity known as DEV-1084. Most recently, in late 2025, they targeted an Israeli government hospital using Qilin ransomware.
Check Point noted that this latest campaign appears to employ a blend of criminal and state-sponsored tactics, enabling the threat actors to exploit existing RaaS frameworks while pursuing broader strategic goals. The utilization of Chaos ransomware components seems to provide a layer of plausible deniability, obscuring the true nature of the activities while increasing operational flexibility.
Chaos, a RaaS group that emerged in early 2025, has developed a reputation for employing double extortion tactics to exert pressure on victims. By impersonating IT support personnel, they trick victims into installing remote access tools like Microsoft Quick Assist, effectively deepening their foothold within target environments. Their strategy also encompasses triple extortion threats such as distributed denial-of-service (DDoS) attacks against victims’ infrastructure, which further complicates recovery efforts.
The intrusion mechanism reported by Rapid7 involved the actors initiating unsolicited chat requests on Teams to engage employees, which gave them initial access and a view of internal weaknesses. The compromised accounts were then used for reconnaissance and to establish persistent access, culminating in data exfiltration followed by ransom demands.
Mapped to MITRE ATT&CK, the activity likely spanned initial access, credential dumping, and lateral movement to ensure successful infiltration and a sustained presence within the targeted environments. Significantly, the attackers appeared to leverage RDP access to download and deploy malware, initiating a multi-stage infection chain that could lead to broader compromise.
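The chain described above (external Teams lure, MFA manipulation, a remote management tool such as DWAgent or Quick Assist, RDP, then exfiltration) is the kind of sequence a defender can correlate per user account rather than alert on one event at a time. The following is an added illustration written for this page; it is not code from the original article, from Rapid7, or from any vendor named here. It assumes a normalized event stream with `kind`, `user` and `detail` fields (a real SIEM schema will differ), and the sample events are constructed.

```python
"""Correlate a constructed event stream into the Teams-lure intrusion chain (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    kind: str     # normalized event category (assumed schema)
    detail: str   # free-text attributes from the source log


# Process-name fragments of the remote management tools the report names.
REMOTE_TOOLS = ("dwagent", "quickassist")


def _any_tool(e: Event) -> bool:
    return any(t in e.detail.lower() for t in REMOTE_TOOLS)


# Stages in the order the chain is described; each must occur after the previous match.
STAGES: List[Tuple[str, Callable[[Event], bool], str]] = [
    ("teams_external_chat", lambda e: True, "Initial Access: unsolicited Teams chat from external tenant"),
    ("mfa_approved",        lambda e: True, "Credential Access: MFA approval during social-engineering session"),
    ("process_start",       _any_tool,      "Persistence: remote management tool started"),
    ("rdp_logon",           lambda e: True, "Lateral Movement: RDP logon"),
    ("outbound_transfer",   lambda e: True, "Exfiltration: large outbound transfer"),
]


def correlate(events: List[Event],
              window: timedelta = timedelta(hours=6),
              min_stages: int = 3) -> List[Dict]:
    """Return one finding per user whose events, starting at an external Teams chat,
    walk through at least `min_stages` stages of the chain, in order, within `window`."""
    by_user: Dict[str, List[Event]] = {}
    for e in sorted(events, key=lambda e: e.ts):
        by_user.setdefault(e.user, []).append(e)

    findings: List[Dict] = []
    for user, evs in by_user.items():
        for start in (e for e in evs if e.kind == STAGES[0][0]):
            matched, last_ts = [], start.ts
            for kind, pred, label in STAGES:
                # First event of this stage that falls after the previous stage and inside the window.
                hit = next((e for e in evs
                            if e.kind == kind and pred(e)
                            and last_ts <= e.ts <= start.ts + window), None)
                if hit is None:
                    continue   # stage missing; later stages may still match
                matched.append(label)
                last_ts = hit.ts
            if len(matched) >= min_stages:
                findings.append({"user": user, "start": start.ts, "stages": matched})
                break   # report the first qualifying chain per user
    return findings


# Constructed sample events (not from the report).
T0 = datetime(2026, 1, 15, 9, 0)
SAMPLE_EVENTS = [
    Event(T0,                         "alice", "teams_external_chat", "sender=helpdesk@it-support.example (external tenant)"),
    Event(T0 + timedelta(minutes=12), "alice", "mfa_approved",        "method=push; client=unfamiliar"),
    Event(T0 + timedelta(minutes=25), "alice", "process_start",       "image=C:\\Users\\alice\\Downloads\\dwagent.exe"),
    Event(T0 + timedelta(hours=2),    "alice", "rdp_logon",           "src=10.0.5.23 (first seen)"),
    Event(T0 + timedelta(hours=4),    "alice", "outbound_transfer",   "bytes=2400000000"),
    # bob: external chat followed only by an RDP logon; too few stages to report
    Event(T0 + timedelta(hours=1),    "bob",   "teams_external_chat", "sender=vendor@partner.example"),
    Event(T0 + timedelta(hours=3),    "bob",   "rdp_logon",           "src=10.0.5.40"),
    # carol: tool start precedes the chat, so it is out of order and must not count
    Event(T0 - timedelta(hours=1),    "carol", "process_start",       "image=quickassist.exe"),
    Event(T0,                         "carol", "teams_external_chat", "sender=x@ext.example"),
    Event(T0 + timedelta(minutes=5),  "carol", "mfa_approved",        "method=push"),
]

if __name__ == "__main__":
    for f in correlate(SAMPLE_EVENTS):
        print(f["user"], f["start"].isoformat())
        for s in f["stages"]:
            print("  ", s)
```

Run as-is, it reports only `alice`: bob's two stages fall below the threshold, and carol's tool start is ignored because it precedes her Teams chat. Tightening `window` to one hour still flags alice on the first three stages, which is the point of ordering the stages: the early, low-noise signals (external chat, MFA approval, remote tool start) are enough to open an investigation before RDP and exfiltration appear.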
Amid these developments, concerns are growing regarding the convergence of cybercriminal tradecraft and state-sponsored operations, which increasingly complicates attribution and defensive measures. The use of a RaaS framework serves to obscure the lines between financial motivations and state objectives, presenting novel challenges for organizations striving to safeguard their digital assets.
As the cybersecurity landscape evolves, understanding these sophisticated threats becomes paramount for business leaders. The integration of external criminal capabilities into state-sponsored operations underscores the necessity for proactive security measures that address both immediate impacts and prevent long-term repercussions.
These findings reflect an alarming trend of state-sponsored entities adopting more nuanced, commercially available hacking tools, amplifying the complexity of defending against such threats. As these campaigns continue to escalate, the integration of technological and strategic responses will be critical for maintaining cybersecurity resilience in an increasingly hostile landscape.
The ongoing evolution of these threats underscores the pressing need for robust cybersecurity frameworks that can effectively combat the multifaceted nature of modern cyber espionage and attacks.