- The Iranian MuddyWater APT posed as IT staff via Microsoft Teams, tricking victims into granting them remote access.
- They deployed data stealers, disrupted MFA, exfiltrated data, and organized a Chaos ransomware infection as cover.
- Investigators concluded that the real motive was espionage, not profit, highlighting the overlap between state-sponsored and criminal tactics.
Iranian state-sponsored hackers carried out a cyber espionage campaign and then tried to mislead researchers with a ransomware infection, experts warned.
An investigation by security researchers at Rapid7 into a recent attack uncovered how an anonymous victim was approached by someone outside their organization via Microsoft Teams. The attackers posed as IT technicians, discussed troubleshooting a technical issue with the victim, and got them to install and run an AnyDesk session.
After gaining remote access, they deployed several malware variants and data-stealing tools, harvested credentials, modified multi-factor authentication (MFA) settings, established persistence, and extracted sensitive information from the now-compromised endpoints.
MuddyWater behind the attacks
The last step was to deploy the Chaos ransomware encryptor. Chaos is a relatively new RaaS operation, first observed in 2025, and known for targeting large entities, double extortion tactics, and social engineering.
Most of its victims are in the United States. The victim of this attack was even added to the Chaos data leak site, making the whole thing seem as if this was, in fact, a ransomware attack.
However, Rapid7 was not fooled. After analyzing the tooling, code signing certificates, and other operational techniques, the researchers determined, with moderate confidence, that this was actually the work of MuddyWater, a threat actor also known as Static Kitten, Mango Sandstorm, and Seedworm.
“The strategy highlights the convergence between state-sponsored intrusion activity and criminal art, where a large ‘indicator’ lies in the techniques that were implemented and those that were not. This strategy suggests that the primary objective was not financial gain,” Rapid7 said in its report.
MuddyWater is apparently on the payroll of the Iranian Ministry of Intelligence and Security (MOIS). The Iranian government has multiple hacker collectives doing its bidding, whose work primarily consists of cyber espionage and data collection. These include CyberAv3ngers, APT35 (aka Charming Kitten), and APT34 (aka OilRig or Helix Kitten).
Via BleepingComputer
Follow TechRadar on Google News and add us as a preferred source to receive news, reviews and opinions from our experts in your feeds.