The Chaos ransomware group may not be one of the largest cyber extortion operations around today, but with 49 victims under its belt since it emerged in 2025, it’s not one to ignore, either.
However, there may be more to it than meets the eye: evidence is emerging that Iranian state actors linked to the country’s Ministry of Intelligence and Security are hiding behind the criminal brand in an attempt to obfuscate their own activities.
Hackers in disguise
Researchers at Rapid7 spotted what at first appeared to be a typical Chaos ransomware attack in early 2026.
However, upon investigation, the incident bore all the hallmarks of an operation run by a group known as MuddyWater, an Iranian advanced persistent threat (APT).
“The campaign was characterised by a high-touch social engineering phase conducted via Microsoft Teams, where the attackers utilised interactive screen-sharing to harvest credentials and manipulate multifactor authentication (MFA),” Rapid7 said in a blog post.
“Once inside, the group bypassed traditional ransomware workflows, forgoing file encryption in favour of data exfiltration and long-term persistence via remote management tools like DWAgent.”
Chaos is known to employ double extortion techniques, first exfiltrating data and then encrypting it, pressuring victims into paying a ransom to not only unlock the data on their systems but also prevent its publication online.
The lack of encryption and other ransomware telltale signs, according to Rapid7, suggests the motive behind the recent activity was not financial gain, but gathering information.
Another giveaway is a change in victimology. Traditionally, Chaos had tended to target entities in Europe and the United Kingdom, but recent telemetry suggests a sudden change in targeting, with a focus on entities in the Middle East, North Africa, and south-east Asia.
Activity was also detected in North America, and specific hits were also identified in Australia. Essentially, the threat actor is targeting countries with some level of involvement in the conflict in and around Iran.
But perhaps one of the biggest giveaways was a complete lack of ransom note or means to negotiate with the “extortionists”, despite the actor claiming a note had been left behind.
“A threat hunt across all assets, focusing on files created or accessed within desktop directories and subdirectories, did not identify any artifacts consistent with the TA’s claims,” Rapid7 said.
“The victim further validated the affected user systems and confirmed the absence of such files.”
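The check Rapid7 describes, a hunt across desktop directories and their subdirectories for recently created or accessed files that look like ransom notes, is straightforward to script. The following is an added example, not Rapid7's tooling or anything recovered from the incident: it walks a constructed sample of two user desktop trees, filters files whose timestamps fall inside an incident window, and flags note-like filenames. The filename patterns (readme, decrypt, restore, how-to and so on) are assumed conventions for ransom notes in general, not indicators from this case, and the sample files and timestamps are constructed inline so the script runs offline.

```python
"""Hunt desktop directories for ransom-note-like artifacts inside an incident window.

Added example: the filename heuristics, sample directory layout and timestamps are
constructed assumptions for illustration, not artifacts or indicators from the Rapid7 case.
"""
import os
import re
import tempfile
import time
from pathlib import Path

# Assumed ransom-note naming conventions (illustrative; tune to the families you hunt for).
NOTE_NAME_RE = re.compile(r"(readme|decrypt|restore|recover|how[_\- ]?to|ransom)", re.I)
NOTE_SUFFIXES = {".txt", ".hta", ".html", ".htm"}


def looks_like_ransom_note(path: Path) -> bool:
    """Name-based heuristic: a common note stem in a plain-text or HTML file."""
    return path.suffix.lower() in NOTE_SUFFIXES and bool(NOTE_NAME_RE.search(path.stem))


def file_touched_in_window(path: Path, start: float, end: float) -> bool:
    """True if the file was modified or accessed (or, on Windows, created) inside [start, end]."""
    st = path.stat()
    stamps = [st.st_mtime, st.st_atime]
    if os.name == "nt":
        stamps.append(st.st_ctime)  # creation time on Windows; metadata-change time elsewhere
    return any(start <= t <= end for t in stamps)


def hunt_desktop_notes(desktop_roots, start: float, end: float):
    """Walk each desktop tree, including subdirectories, and return candidate note files."""
    hits = []
    for root in desktop_roots:
        root = Path(root)
        if not root.is_dir():
            continue
        for p in root.rglob("*"):
            # Cheap name check first so only candidates are stat()-ed for timestamps.
            if p.is_file() and looks_like_ransom_note(p) and file_touched_in_window(p, start, end):
                hits.append(p)
    return sorted(hits)


def build_sample_desktops(base, now: float):
    """Constructed sample: two user desktops with no note inside the window (an empty result)."""
    base = Path(base)
    old = now - 3 * 86400
    layout = {
        "alice/Desktop/quarterly_report.docx": old,
        "alice/Desktop/notes/meeting.txt": old,
        "bob/Desktop/README.txt": old,            # note-like name, but outside the window
        "bob/Desktop/tools/invoice.pdf": now - 600,  # inside the window, but not note-like
    }
    for rel, ts in layout.items():
        p = base / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text("constructed sample file")
        os.utime(p, (ts, ts))
    return [base / "alice" / "Desktop", base / "bob" / "Desktop"]


def plant_note(desktop, now: float):
    """Positive control: drop a fresh note-like file so the hunt is known to fire."""
    p = Path(desktop) / "HOW_TO_DECRYPT.txt"
    p.write_text("constructed positive control")
    os.utime(p, (now, now))
    return p


def run_demo():
    """Hunt the constructed tree before and after planting a control note; return both result lists."""
    now = time.time()
    start, end = now - 3600, now + 60  # one-hour incident window with a little clock slack
    with tempfile.TemporaryDirectory() as tmp:
        roots = build_sample_desktops(tmp, now)
        before = [str(p.relative_to(tmp)) for p in hunt_desktop_notes(roots, start, end)]
        plant_note(roots[1], now)
        after = [str(p.relative_to(tmp)) for p in hunt_desktop_notes(roots, start, end)]
    return before, after


if __name__ == "__main__":
    before, after = run_demo()
    print("hits before control:", before)
    print("hits after control:", after)
```

Run against real hosts, the desktop roots would come from an EDR file-system query or a mounted forensic image rather than a temp directory, and the window from the intrusion timeline. The positive control matters: an empty result only supports a claim like Rapid7's if you have shown the hunt finds a note when one is present.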
Nonetheless, perhaps in an effort to maintain the fiction, the data was eventually published on Chaos’ darknet leak site.
The final piece of evidence is an overlap between the certificates and infrastructure used in this incident and those previously observed in use by MuddyWater.
Muddying the tracks
There’s long been a link between cyber criminal and state-sanctioned operations.
Many Russian-speaking ransomware groups, for instance, ban any malicious activity targeting members of the Commonwealth of Independent States. In return, Russian authorities turn a blind eye to criminal activity that targets only Russia’s perceived enemies and brings cryptocurrency into the Russian economy.
In this case, the Iranian activity indicates a “continued evolution in the group’s operational approach”.
“This case underscores the importance of looking beyond overt ransomware indicators. Defenders should also focus on the underlying intrusion life cycle. Techniques such as social engineering via enterprise communication platforms, credential harvesting with MFA manipulation, and the abuse of legitimate remote access tools remain critical enablers of compromise,” Rapid7 said.
“Ultimately, this activity is best understood as a hybrid intrusion model, in which ransomware is leveraged not as an end goal but as a mechanism for concealment, coercion, and operational flexibility within a broader intelligence-driven campaign.”
David Hollingworth
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.