TechRadar
Sead Fadilpašić

Iranian hackers launch ransomware campaign looking to steal details via Microsoft Teams

[Image: Digital code on the background of the Iranian flag.]
  • Iranian APT MuddyWater posed as IT staff via Microsoft Teams, tricking victims into granting remote access
  • They deployed infostealers, altered MFA, exfiltrated data, and staged a Chaos ransomware infection as cover
  • Researchers concluded the true motive was espionage, not profit, highlighting state-sponsored tradecraft overlap with criminal tactics

Iranian state-sponsored hackers ran a cyber-espionage campaign, and then tried to throw investigators off track with a ransomware infection, experts have warned.

An investigation by security researchers at Rapid7 into a recent attack found that an unnamed victim was approached via Microsoft Teams by someone from outside their organization. The attackers posed as IT technicians, discussed solving a technical problem with the victim, and persuaded them to install AnyDesk and start a remote session.

After getting remote access, they deployed different malware and infostealer variants, harvesting credentials and modifying multi-factor authentication (MFA) settings, establishing persistence, and exfiltrating sensitive information from the now-compromised endpoints.
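The chain described above (external contact over Teams, an unexpected remote-access tool launch, an MFA settings change, then outbound data movement) is what a detection engineer would want to correlate on the endpoint side. The following is an added example, written for this page and not code from Rapid7, TechRadar, or any vendor product; the event schema, host names and the list of remote-access tool names are constructed assumptions used to make the rule runnable offline.

```python
"""Correlate the social-engineering-to-exfiltration chain on a per-host basis.

Added, self-contained example: the event records below are constructed, not
real telemetry, and the field names are an assumption about what an EDR or
SIEM export might provide.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    ts: datetime
    host: str
    kind: str     # "teams_external_chat" | "process_start" | "mfa_change" | "outbound_transfer"
    detail: str   # process name, sender description, setting changed, destination, ...


# Remote-access tools whose launch shortly after an external chat is the pivot
# point of the chain. Assumed list; extend to match what is sanctioned in your estate.
REMOTE_ACCESS_TOOLS = {"anydesk.exe", "quickassist.exe", "teamviewer.exe"}

# Stages are only counted when they occur in this order on the same host.
STAGE_ORDER = ["external_contact", "remote_access_tool", "mfa_modified", "data_exfil"]


def _stage_of(ev: Event):
    """Map a raw event to a chain stage, or None if it is not relevant."""
    if ev.kind == "teams_external_chat":
        return "external_contact"
    if ev.kind == "process_start" and ev.detail.lower() in REMOTE_ACCESS_TOOLS:
        return "remote_access_tool"
    if ev.kind == "mfa_change":
        return "mfa_modified"
    if ev.kind == "outbound_transfer":
        return "data_exfil"
    return None


def correlate(events, window=timedelta(hours=4)):
    """Return {host: {"stages": [...], "severity": ...}} for every host where
    an external Teams contact was followed, within `window`, by a remote-access
    tool launch and optionally the later stages. Hosts where the tool ran
    without a preceding external contact (for example sanctioned helpdesk use)
    are not reported, which keeps the rule from firing on every AnyDesk start.
    """
    by_host = {}
    for ev in sorted(events, key=lambda e: e.ts):
        by_host.setdefault(ev.host, []).append(ev)

    findings = {}
    for host, evs in by_host.items():
        chain = []
        start = None
        for ev in evs:
            stage = _stage_of(ev)
            if stage is None:
                continue
            if stage == "external_contact" and not chain:
                chain = [stage]
                start = ev.ts
                continue
            if not chain:
                continue  # no external contact seen yet on this host
            if ev.ts - start > window:
                break     # outside the correlation window; stop extending the chain
            nxt = len(chain)
            if nxt < len(STAGE_ORDER) and stage == STAGE_ORDER[nxt]:
                chain.append(stage)
        if len(chain) >= 2:
            severity = "high" if len(chain) >= 3 else "medium"
            findings[host] = {"stages": chain, "severity": severity}
    return findings


# Constructed sample telemetry: one host showing the full chain, one host with
# an AnyDesk launch and an MFA change but no external contact beforehand.
T0 = datetime(2025, 1, 1, 9, 0)
SAMPLE_EVENTS = [
    Event(T0, "WS-FIN-07", "teams_external_chat", "sender outside tenant, 'IT helpdesk' persona"),
    Event(T0 + timedelta(minutes=12), "WS-FIN-07", "process_start", "AnyDesk.exe"),
    Event(T0 + timedelta(minutes=40), "WS-FIN-07", "process_start", "powershell.exe"),
    Event(T0 + timedelta(minutes=55), "WS-FIN-07", "mfa_change", "authenticator method added"),
    Event(T0 + timedelta(hours=2), "WS-FIN-07", "outbound_transfer", "1.3 GB to unknown host"),
    Event(T0, "WS-HR-02", "process_start", "AnyDesk.exe"),
    Event(T0 + timedelta(minutes=5), "WS-HR-02", "mfa_change", "phone number updated"),
]

if __name__ == "__main__":
    for host, finding in correlate(SAMPLE_EVENTS).items():
        print(host, finding["severity"], " -> ".join(finding["stages"]))
```

The strict stage order is deliberate: an MFA change that precedes any external contact is routine account hygiene, whereas the same change minutes after an unexpected remote-access session is the point at which a defender should be paged. Tune the window and the tool list to your environment; the values here are assumptions.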

MuddyWater behind the attacks

The final move was to deploy the Chaos ransomware encryptor. Chaos is a relatively new RaaS operation, first observed in 2025 and known for targeting large entities, double-extortion tactics, and social engineering.

The majority of their victims are located in the United States. The victim of this attack was even added to Chaos’ data leak site, making it all look as if this was, indeed, a ransomware attack.

However, Rapid7 can’t be fooled. After analyzing the techniques, code-signing certificates, and other operational tradecraft, the researchers determined - with moderate confidence - that this was in fact the work of MuddyWater, a threat actor also known as Static Kitten, Mango Sandstorm, and Seedworm.

“The strategy highlights the convergence between state-sponsored intrusion activity and criminal tradecraft, where a big ‘tell’ lies in the techniques that were deployed - and those that weren’t. This strategy suggests the primary goal was not financial gain,” Rapid7 said in its report.

MuddyWater is apparently on the payroll of the Iranian Ministry of Intelligence and Security (MOIS). The Iranian government has multiple hacking collectives doing its bidding, which is mostly cyber-espionage and data harvesting. These include CyberAv3ngers, APT35 (AKA Charming Kitten), and APT34 (AKA OilRig or Helix Kitten).

Via BleepingComputer
