www.securityweek.com 5/6/2026, 1:32:07 PM

Iran-linked MuddyWater fakes Chaos ransomware in 2026 breach


According to SecurityWeek, the Iran-linked APT group MuddyWater conducted an intrusion in early 2026 that masqueraded as a Chaos ransomware attack, relying on social engineering, persistence, credential harvesting and data theft without deploying file-encrypting ransomware. The attackers contacted the victim via Microsoft Teams, ran reconnaissance and credential theft, and deployed remote access tools such as AnyDesk and DWAgent to maintain access and move within the network.

Rapid7 notes that the intruders established persistent access through RDP sessions, moved laterally, exfiltrated information, and then sent extortion emails claiming the stolen data would be leaked unless a ransom was paid. The victim was directed to Chaos’ leak site; the data was subsequently leaked online, and the Chaos artefacts were later described as false flags intended to obscure the underlying state-sponsored activity.

The campaign also involved a custom RAT dubbed Darkcomp (Game[.]exe) and a certificate-linked backdoor tied to MuddyWater; Rapid7 attributes the activity to MuddyWater with moderate confidence.
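The tooling and access pattern summarised above (unsanctioned remote-access tools, the Game.exe file name reported for Darkcomp, and interactive RDP logons from unexpected sources) can be turned into a simple triage check. The script below is an added illustration, not code from SecurityWeek, Rapid7 or CyberSIXT. It assumes a constructed, single-line log format (not a real Sysmon or Windows Event Log layout), assumes `anydesk.exe` and `dwagent.exe` as the process names of the two remote-access tools, and uses a constructed RDP allow-list; all hostnames, users and IPs are made up for the demo.

```python
"""
Added example (not from the SecurityWeek/Rapid7 reporting): scan constructed
process-creation and logon records for the intrusion pattern described in the
article: unsanctioned remote-access tools, the Game.exe filename reported for
the Darkcomp RAT, and interactive RDP logons (logon type 10) from hosts that
are not on an allow-list. Log format, hostnames, users and IPs are constructed.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Remote-access tools named in the report. The binary names are an assumption;
# an organisation would replace this set with the RMM tools it has NOT approved.
UNSANCTIONED_RMM = {"anydesk.exe", "dwagent.exe"}
# File name reported for the Darkcomp RAT (written Game[.]exe in the article).
SUSPICIOUS_IMAGES = {"game.exe"}
# Constructed allow-list: jump hosts permitted to originate RDP sessions.
RDP_ALLOWED_SOURCES = {"10.0.5.10"}

# Constructed log lines in a deliberately simple key=value layout.
SAMPLE_LOGS = [
    "2026-01-14T09:02:11Z host=WS-0417 event=ProcessCreate image=C:\\Windows\\System32\\svchost.exe user=SYSTEM",
    "2026-01-14T09:05:40Z host=WS-0417 event=ProcessCreate image=C:\\Users\\jdoe\\Downloads\\AnyDesk.exe user=CORP\\jdoe",
    "2026-01-14T09:31:02Z host=WS-0417 event=ProcessCreate image=C:\\ProgramData\\Game.exe user=CORP\\jdoe",
    "2026-01-14T22:14:55Z host=SRV-FILE01 event=Logon type=10 user=CORP\\jdoe src=10.0.5.10",
    "2026-01-15T01:48:19Z host=SRV-FILE01 event=Logon type=10 user=CORP\\svc_backup src=10.0.44.7",
    "2026-01-15T02:03:00Z host=SRV-FILE01 event=Logon type=3 user=CORP\\svc_backup src=10.0.44.7",
]

PROC_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) event=ProcessCreate image=(?P<image>\S+) user=(?P<user>\S+)$"
)
LOGON_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) event=Logon type=(?P<type>\d+) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


@dataclass(frozen=True)
class Finding:
    host: str
    rule: str
    detail: str


def analyse(lines):
    """Return one Finding per log line that matches a rule; other lines are ignored."""
    findings = []
    for line in lines:
        m = PROC_RE.match(line)
        if m:
            # Compare on the bare file name so the install path does not matter.
            image = m["image"].rsplit("\\", 1)[-1].lower()
            if image in UNSANCTIONED_RMM:
                findings.append(Finding(m["host"], "unsanctioned_rmm", f"{image} by {m['user']}"))
            elif image in SUSPICIOUS_IMAGES:
                findings.append(Finding(m["host"], "darkcomp_filename", f"{image} by {m['user']}"))
            continue
        m = LOGON_RE.match(line)
        # Logon type 10 is RemoteInteractive (RDP); flag sources outside the allow-list.
        if m and m["type"] == "10" and m["src"] not in RDP_ALLOWED_SOURCES:
            findings.append(
                Finding(m["host"], "rdp_from_unexpected_source", f"{m['user']} from {m['src']}")
            )
    return findings


def summarise(findings):
    """Group the rules that fired per host, so a host hit by several rules stands out."""
    per_host = defaultdict(set)
    for f in findings:
        per_host[f.host].add(f.rule)
    return dict(per_host)


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOGS):
        print(f"{f.host:<10} {f.rule:<28} {f.detail}")
```

Running it against the constructed lines reports the AnyDesk launch and the Game.exe execution on the workstation and the RDP logon from the non-allow-listed address on the file server, while the SYSTEM process, the RDP session from the approved jump host and the network (type 3) logon are left alone. A host that trips both the RMM and the RAT rule is the kind of overlap worth escalating first.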


Article by CyberSIXT
