Muddying the Tracks: The State-Sponsored Shadow Behind Chaos Ransomware
Rapid7, Wednesday, May 6th, 2026
Iranian APT MuddyWater conducted a false-flag operation masquerading as Chaos ransomware to establish persistence and exfiltrate data.
In early 2026, Rapid7 investigated a sophisticated intrusion that was initially attributed to Chaos ransomware but was ultimately assessed to be a state-sponsored operation by MuddyWater, an Iranian APT linked to the Ministry of Intelligence and Security.
The threat actors conducted a targeted social engineering campaign via Microsoft Teams to harvest credentials and manipulate MFA, then established persistence using remote access tools like DWAgent while forgoing traditional ransomware encryption in favor of data exfiltration.
This 'false flag' attack demonstrates how state-sponsored actors are increasingly leveraging the cybercriminal ecosystem to provide plausible deniability for geopolitical espionage, blurring the lines between state-sponsored intrusions and criminal activity.
The campaign's focus on long-term persistence and data collection rather than financial gain suggests the primary objective was intelligence gathering and prepositioning rather than ransom.