securityaffairs.com 5/6/2026, 3:21:02 PM

Iranian spies fake Chaos ransomware to steal data via Teams

Primary source: rapid7.com
Threat Actor

An Iranian cyber-espionage operation was found disguising itself as a Chaos ransomware attack. Rapid7 reports that the campaign blended social engineering, credential theft, data exfiltration and extortion under a ransomware veneer, but showed no evidence of actual file encryption.

The intrusion, which took place in early 2026 and which Rapid7 describes as a false-flag masquerade, appears linked to MuddyWater (also tracked as Seedworm), an Iran-linked APT associated with the Ministry of Intelligence and Security (MOIS). Rapid7 assesses the attribution with moderate confidence.

Initial access came through social engineering over Microsoft Teams: employees were persuaded to share their screens and expose their desktops. The attackers then deployed remote-access tools such as DWAgent and AnyDesk to maintain persistence, followed by remote access over RDP, and used that foothold to move laterally, harvest credentials and exfiltrate internal information.
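As an added illustration (not code from Rapid7's report, the Security Affairs article or CyberSIXT), the following Python sketch hunts for the chain described above over constructed, simplified Windows event records: a process-creation event (Security 4688) for DWAgent or AnyDesk on a workstation, followed within a time window by RDP logons (Security 4624, logon type 10) whose source address belongs to that workstation. The image names, the host-to-IP inventory and the sample events are all assumptions of the demo.

```python
"""
Added example, not part of the original report or article: correlate
remote-access-tool installs with later RDP logons sourced from the same host.
Event IDs and field names follow Windows Security log conventions; the
records, hostnames and IPs below are constructed for the demo.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Image names of the tools named in the report (assumption: real hunts should
# also match on signer/hash, since attackers rename binaries).
RAT_IMAGES = {"dwagent.exe", "dwagsvc.exe", "anydesk.exe"}

# Constructed asset inventory (in practice this comes from DHCP/CMDB data).
HOST_IPS = {"WS-017": "10.20.5.17", "WS-031": "10.20.5.31"}

# Constructed sample events: 4688 = process creation, 4624 = logon.
SAMPLE_EVENTS = [
    {"ts": "2026-02-10T09:02:11", "id": 4688, "host": "WS-017",
     "image": r"C:\Program Files\Microsoft Teams\Teams.exe", "user": "jdoe"},
    {"ts": "2026-02-10T09:14:40", "id": 4688, "host": "WS-017",
     "image": r"C:\Users\jdoe\Downloads\dwagent.exe", "user": "jdoe"},
    {"ts": "2026-02-10T09:15:05", "id": 4688, "host": "WS-017",
     "image": r"C:\Program Files\DWAgent\dwagsvc.exe", "user": "SYSTEM"},
    {"ts": "2026-02-10T11:42:19", "id": 4624, "host": "FS-02",
     "logon_type": 10, "user": "jdoe", "src_ip": "10.20.5.17"},
    {"ts": "2026-02-10T11:50:02", "id": 4624, "host": "DC-01",
     "logon_type": 10, "user": "svc_backup", "src_ip": "10.20.5.17"},
    {"ts": "2026-02-11T08:00:00", "id": 4624, "host": "WS-031",
     "logon_type": 2, "user": "asmith", "src_ip": "-"},
    {"ts": "2026-02-11T08:05:00", "id": 4688, "host": "WS-031",
     "image": r"C:\Program Files\AnyDesk\AnyDesk.exe", "user": "asmith"},
]


def _ts(s):
    return datetime.fromisoformat(s)


def find_rat_installs(events):
    """Process-creation events whose image name is a known remote-access tool."""
    hits = []
    for e in events:
        if e["id"] != 4688:
            continue
        if PureWindowsPath(e["image"]).name.lower() in RAT_IMAGES:
            hits.append(e)
    return hits


def find_rdp_logons(events):
    """Interactive RDP logons: Security 4624 with logon type 10."""
    return [e for e in events if e["id"] == 4624 and e.get("logon_type") == 10]


def correlate(events, host_ips=HOST_IPS, window=timedelta(hours=72)):
    """Flag RDP logons whose source host ran a remote-access tool shortly before.

    A logon under a different account than the one that launched the tool is
    marked, since that is what harvested credentials look like in the logs.
    """
    ip_to_host = {ip: h for h, ip in host_ips.items()}
    installs_by_host = defaultdict(list)
    for e in find_rat_installs(events):
        installs_by_host[e["host"]].append(e)

    alerts = []
    for logon in find_rdp_logons(events):
        src_host = ip_to_host.get(logon["src_ip"])
        if src_host is None:
            continue
        for inst in installs_by_host.get(src_host, []):
            delta = _ts(logon["ts"]) - _ts(inst["ts"])
            if timedelta(0) <= delta <= window:
                alerts.append({
                    "rdp_target": logon["host"],
                    "rdp_user": logon["user"],
                    "pivot_host": src_host,
                    "rat_image": PureWindowsPath(inst["image"]).name,
                    "rat_user": inst["user"],
                    "different_user": logon["user"] != inst["user"],
                })
                break  # one alert per logon is enough
    return alerts


if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print(a)
```

On the constructed data this yields two alerts, both pivoting through WS-017 after dwagent.exe ran there; the DC-01 logon as svc_backup is marked as a different account from the one that installed the tool. The Teams screen-share itself leaves little in the Security log, so the install of a remote-access tool is usually the first reliable host signal in this chain.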

Extortion emails claimed data theft and directed victims to the Chaos leak site, but no ransom note was found on the affected systems, and the stolen data was subsequently released publicly, indicating that the objective was data theft rather than financial gain. The report notes this as part of a broader trend in which state actors blend espionage with criminal aesthetics to mislead defenders and complicate attribution. The incident underscores how MuddyWater's operations are evolving to hide intelligence gathering behind ransomware-like theatrics.

6 May 2026


Article by CyberSIXT
