May 07, 2026 · 10 min read
Iran's MuddyWater Is Running an Espionage Campaign Disguised as Ransomware—the Tip-Off Was That Nothing Got Encrypted
Rapid7 traced 36 victims claimed by the Chaos ransomware crew back to MuddyWater, an Iranian state-aligned actor. The intrusions started in a Microsoft Teams chat. The "ransomware" never bothered to encrypt the files.
On May 6, Rapid7's threat research team published the analysis that ties what looked like an opportunistic ransomware outbreak to one of Iran's most prolific state-aligned intrusion groups. The cluster known as Chaos — a self-styled ransomware-as-a-service brand that has claimed 36 victims since late 2025 in U.S. construction, manufacturing, and business services firms — is now assessed with high confidence to be a front for MuddyWater, the Iranian Ministry of Intelligence and Security operator also tracked as Mango Sandstorm, Seedworm, and Static Kitten.
The most striking detail in the report is the operational tell. In a normal Chaos engagement, the encryption payload runs and a ransom note appears. In every MuddyWater run of this campaign, the ransomware artifacts were dropped on the host but the encryption never executed. The intruders stayed on the network, harvested credentials and email, and quietly walked back out. The ransomware brand was not the goal. It was a cover story.
For defenders, the takeaway is harder than "patch this." If the same playbook works — Teams chat, screen share, persistent remote access tool — the attribution does not change the controls you need. But it does change how seriously you treat what looked like a routine ransomware incident response. A "ransomware that didn't encrypt" is not a lucky escape. It is the signature of an espionage operator that wants you to file the incident under the wrong category.
The Attack Starts In a Teams Chat
The initial access vector is the part of the campaign every defender needs to internalize. The attackers do not send phishing email. They send a Microsoft Teams chat request from an external tenant, posing as IT help desk staff or a Microsoft support technician. The pretext is usually that the recipient's account has been flagged for suspicious activity and needs a quick check.
If the target accepts the chat, the attacker walks them through a screen sharing session and asks them to install a "support tool." In Rapid7's documented cases the tool was Microsoft Quick Assist, the legitimate built-in remote control utility. From there the attacker either guides the user through a credential prompt — capturing the password and the MFA approval in real time — or persuades them to run a small executable that drops a remote management agent.
The reason this works is that the Teams chat carries the trust of the platform itself. Email phishing in 2026 hits a wall of spam filters, link sandboxes, and DMARC enforcement. Teams external messaging, by default in most tenants, is allowed and unfiltered. A user who would never click a link in a "Microsoft Support" email will accept a chat from an account whose display name says "Microsoft Support." This is the same gap Mandiant's report on Microsoft Teams documented earlier this year, and the same gap the Storm 2755 "payroll pirate" campaign exploited against HR teams.
What Happens After Quick Assist Is Installed
Rapid7 mapped the post-access chain in detail. With remote control of the workstation, the operator drops a series of payloads from the IP 172.86.126.208:
- DWAgent and AnyDesk. Two redundant remote management tools so a single takedown does not cut off the operator. Both are commercial products with legitimate uses, which makes them harder for endpoint tools to flag.
- ms_upd.exe ("Stagecomp"). A reconnaissance binary that pulls system metadata and contacts a command and control server.
- game.exe ("Darkcomp"). A custom remote access trojan that masquerades as a Microsoft WebView2 component. Darkcomp is the one that does the real work — credential harvesting, file collection, lateral movement.
- Encrypted configuration files and supporting DLLs. Side-loaded into legitimate processes via DLL hijacking so that the running process tree looks normal.
During the interactive phase the attacker also writes the harvested credentials to a local text file on the victim's desktop, which the malware then exfiltrates. This is a stylistic detail Rapid7 flags as a MuddyWater fingerprint — the group has done this in earlier campaigns going back at least three years.
The Attribution Evidence
Three independent pivots tie this to MuddyWater rather than a financially motivated Chaos affiliate.
First, the code signing certificate. The ms_upd.exe binary is signed with a certificate issued to a "Donald Gay." The same certificate was previously used to sign Fakeset, a CastleLoader downloader Microsoft and Mandiant publicly attributed to MuddyWater in 2024. Code signing certificates are reusable but not freely shareable, and a financially motivated affiliate would have no reason to inherit a state actor's signing identity.
Second, the infrastructure. The C2 domain moonzonet[.]com appeared in earlier MuddyWater campaigns documented by Sekoia and PRODAFT. Reusing infrastructure is sloppy from an operational security standpoint, and Rapid7 frames it as a likely sign that the same operators were managing both campaigns.
Third, the tradecraft. The use of pythonw.exe to inject code into suspended processes, the local credential file dropping pattern, and the preference for living-off-the-land tools like Quick Assist all match documented MuddyWater patterns rather than the noisier, ransom-focused tradecraft of typical Chaos affiliates.
Rapid7's confidence rating is "high" — the wording the firm reserves for assessments backed by multiple independent indicators. Independent researchers at The Hacker News and Infosecurity Magazine confirmed the assessment after reviewing the indicators of compromise the team published.
Why a State Actor Wears a Ransomware Mask
The strategic logic of a false flag ransomware operation is straightforward once you trace it through. State-sponsored intrusions get incident response budget, FBI coordination, and threat intelligence sharing across sector ISACs. Ransomware intrusions get a forensic firm, an insurance claim, and a quiet writeup that never reaches a national reporting framework.
If MuddyWater can convince the victim that the breach was a routine extortion attempt, several things happen at once. The victim does not call CISA. The victim does not pull threat intelligence from peer companies that might be hosting the same operator. The investigators focus on encryption recovery rather than persistent access. The lateral movement and email collection that actually mattered to the operator gets buried under the ransomware response.
This is the same reason Russian groups like Sandworm have used commodity ransomware as a wiper cover — the misdirection is cheap and the misclassification is expensive to undo. Rapid7 does not name specific Iranian intelligence priorities behind the campaign, but the targeted sectors (U.S. construction, manufacturing, business services) align with the supply chain and engineering targets MuddyWater has historically pursued.
What Email Is to a State Operator
For a financially motivated ransomware affiliate, email mailboxes are a means to an end — they get used for phishing the next target. For a state actor running an espionage operation behind a ransomware front, email is the prize itself. Two of the most consequential MuddyWater campaigns in the last five years ended in long term mailbox access at energy and engineering firms in the Middle East and the United States. The mailboxes are how the operator learns who is bidding on what, which projects are on which timelines, and which employees have access to design files worth stealing.
The Teams initial access vector is, in that sense, less about the desktop than about the Microsoft 365 token it produces. Once the operator captures a session cookie or refresh token from the screen share, the workstation can be cleaned up and the mailbox access persists. The same dynamic showed up in the APT28 router DNS hijacking campaign, where Russia's GRU stopped deploying malware altogether and just stole Outlook tokens through home routers. The end state in both campaigns is the same: silent, persistent mailbox access with no payload to detect.
What Defenders Should Do Now
Five concrete controls map directly onto the campaign Rapid7 documented.
- Restrict external Teams chats. In the Teams admin center, set External Access to either fully blocked or a strict allow list of approved partner tenants. The default of "anyone can chat" is the reason this campaign works.
- Disable Quick Assist where it is not needed. Microsoft now lets administrators block Quick Assist organization-wide via Intune. Most workforces never need it. The ones that do can stage a controlled deployment.
- Detect on remote management tool installs. AnyDesk, DWAgent, ScreenConnect, Atera, and Quick Assist all leave installation telemetry. Treat any unexpected install on a workstation as an incident, not an alert.
- Look for the indicators Rapid7 published. The IP 172.86.126.208, the moonzonet[.]com domain, and the "Donald Gay" code signing certificate are all blockable today. The full IOC list is in the Rapid7 writeup.
- Audit OAuth tokens after any credential incident. A captured password is recoverable with a reset. A captured Microsoft 365 refresh token survives the reset and gives the attacker mailbox access until the token is explicitly revoked. Force token revocation on any account involved in a Teams social engineering incident.
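The detection and indicator-matching controls above, together with the post-access chain and tradecraft described earlier (remote management tool drops, the pythonw.exe injection pattern, the credential text file written to the desktop), can be turned into a single triage pass over endpoint telemetry. The following is an added example written for this article, not Rapid7's tooling or any published detection content. The event records are a constructed, Sysmon-like shape; the indicator values (the IP, the domain, the signer name, the two payload file names) are the ones the article quotes, while the executable names for the remote tools, the allow list of processes expected to write desktop text files, and the scoring rule are assumptions to tune per environment.

```python
"""Triage helper: apply the indicators and behaviours from the article to endpoint events.

Added example, not Rapid7's code. Events are a constructed Sysmon-like shape;
indicator values come from the article, everything else is an assumption.
"""
from collections import defaultdict
from pathlib import PureWindowsPath

# Indicators quoted in the article (the full IOC list is in Rapid7's writeup)
C2_IPS = {"172.86.126.208"}
C2_DOMAINS = {"moonzonet.com"}
SUSPECT_SIGNERS = {"donald gay"}
PAYLOAD_NAMES = {"ms_upd.exe", "game.exe"}

# Remote management tools the article lists; executable names are an assumption
REMOTE_TOOLS = {"anydesk.exe", "dwagent.exe", "quickassist.exe", "screenconnect", "atera"}
# Processes expected to write text files to a user's desktop (assumption, tune per environment)
DESKTOP_WRITERS = {"explorer.exe", "notepad.exe", "winword.exe", "excel.exe"}

HARD_INDICATORS = {"c2_ip", "c2_domain", "suspect_code_signer", "known_payload_name"}


def refang(domain: str) -> str:
    """Turn a defanged indicator such as moonzonet[.]com into a matchable host name."""
    return domain.replace("[.]", ".").lower().rstrip(".")


def _base(image: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return PureWindowsPath(image).name.lower()


def evaluate(event: dict) -> list[str]:
    """Return the finding labels that apply to one event (empty list if nothing matched)."""
    findings = []
    kind = event["type"]
    if kind == "process_create":
        name = _base(event["image"])
        if any(tool in name for tool in REMOTE_TOOLS):
            findings.append("remote_tool_launch")
        if name in PAYLOAD_NAMES:
            findings.append("known_payload_name")
        if event.get("signer", "").lower() in SUSPECT_SIGNERS:
            findings.append("suspect_code_signer")
    elif kind == "network_connect":
        if event["dest_ip"] in C2_IPS:
            findings.append("c2_ip")
    elif kind == "dns_query":
        if refang(event["query"]) in C2_DOMAINS:
            findings.append("c2_domain")
    elif kind == "process_access":
        # pythonw.exe opening another process is the injection pattern the article cites (heuristic)
        if _base(event["source_image"]) == "pythonw.exe":
            findings.append("pythonw_process_access")
    elif kind == "file_create":
        path = PureWindowsPath(event["path"])
        on_desktop = "desktop" in (part.lower() for part in path.parts)
        # A .txt dropped on the desktop by an unexpected process matches the credential-file habit
        if on_desktop and path.suffix.lower() == ".txt" and _base(event["image"]) not in DESKTOP_WRITERS:
            findings.append("unexpected_desktop_textfile")
    return findings


def triage(events: list[dict]) -> dict[str, dict]:
    """Group findings per host and decide which hosts need incident handling rather than an alert."""
    per_host = defaultdict(set)
    for ev in events:
        per_host[ev["host"]].update(evaluate(ev))
    verdicts = {}
    for host, found in per_host.items():
        hard = bool(found & HARD_INDICATORS)
        # A remote tool launch on its own is an alert; combined with any other finding it is an incident
        chained = "remote_tool_launch" in found and len(found) > 1
        verdicts[host] = {"findings": sorted(found), "incident": hard or chained}
    return verdicts


# Constructed sample telemetry: WS01 replays the chain from the article, WS02 is benign activity
SAMPLE_EVENTS = [
    {"host": "WS01", "type": "process_create", "image": r"C:\Users\jdoe\Downloads\AnyDesk.exe", "signer": "philandro Software GmbH"},
    {"host": "WS01", "type": "process_create", "image": r"C:\Users\jdoe\AppData\Local\Temp\ms_upd.exe", "signer": "Donald Gay"},
    {"host": "WS01", "type": "network_connect", "dest_ip": "172.86.126.208", "dest_port": 443},
    {"host": "WS01", "type": "dns_query", "query": "moonzonet[.]com"},
    {"host": "WS01", "type": "process_access", "source_image": r"C:\Python311\pythonw.exe", "target_image": r"C:\Windows\System32\svchost.exe"},
    {"host": "WS01", "type": "file_create", "image": r"C:\Users\jdoe\AppData\Local\Temp\game.exe", "path": r"C:\Users\jdoe\Desktop\pass.txt"},
    {"host": "WS02", "type": "process_create", "image": r"C:\Windows\System32\notepad.exe", "signer": "Microsoft Windows"},
    {"host": "WS02", "type": "file_create", "image": r"C:\Windows\System32\notepad.exe", "path": r"C:\Users\asmith\Desktop\notes.txt"},
    {"host": "WS02", "type": "dns_query", "query": "login.microsoftonline.com"},
]

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_EVENTS).items():
        print(host, verdict)
```

The scoring rule encodes the article's point about urgency: a hard indicator (C2 address, the signer, a known payload name) is an incident on its own, and a remote management tool launch becomes one as soon as any second finding appears on the same host, so a Quick Assist or AnyDesk install followed by a desktop text file is escalated rather than left as a low-priority alert.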
The Bigger Pattern
MuddyWater wearing a Chaos mask is the third major false flag operation documented in the last six months. ScarCruft trojanized a Korean card game in China to surveil North Korean defectors while presenting as a regional gaming developer. Bluenoroff used fake Calendly and Zoom invitations to compromise crypto executives, with the operator's North Korean attribution only emerging weeks after the initial industry response classified it as financial crime.
The common thread is that state operators are deliberately picking categories — ransomware, gaming, crypto fraud — that get triaged as commodity crime. The misclassification is the campaign's first defense layer. The defenders treat the incident with the wrong urgency and the wrong scope, and the operator stays inside long enough to extract the data that actually matters.
If a "ransomware" intrusion in your environment ends without an encryption event and without a ransom note, the right working assumption is no longer that you got lucky. The right working assumption is that you are dealing with an espionage operator that does not want you to look too closely.