thehackernews.com 5/6/2026, 2:46:40 PM · via preferred

MuddyWater hijacks Teams to spread Chaos ransomware false flag

Primary Source rapid7.com

MuddyWater, the Iranian state-sponsored group also known as Mango Sandstorm, Seedworm and Static Kitten, has been attributed to a ransomware operation that Rapid7 describes as a false flag. The attack, observed in early 2026, used social engineering over Microsoft Teams to initiate the infection: Rapid7 notes a high-touch social-engineering phase conducted through Teams in which the attackers used interactive screen-sharing to harvest credentials and manipulate MFA.

Once inside, the group bypassed typical ransomware workflows, preferring data exfiltration and long‑term persistence via remote management tools such as DWAgent rather than encrypting files. The activity appears to blend cybercrime tradecraft with state‑backed aims, as analysts say MuddyWater is attempting to muddy attribution by using off‑the‑shelf tools and a Chaos ransomware brand in a broader extortion framework.

Rapid7 reported that Chaos operates as a ransomware-as-a-service (RaaS) group, with external chat requests via Teams and the use of stolen credentials enabling reconnaissance, persistence and data exfiltration, while Check Point noted that as of late March 2026 Chaos had claimed 36 victims on its data leak site.


Article by CyberSIXT
