
Iran-Linked APT Exploits Ransomware Disguise for Espionage

“By operating interactively through compromised users, the attacker [TA] conducted initial discovery, harvested credentials, including MFA manipulation, and quickly transitioned to using legitimate accounts for internal access,” Rapid7 explained.

MuddyWater’s false flag: state-linked APT posing as Chaos

Rapid7 says an intrusion in early 2026, which it characterizes as a false flag operation, was conducted by MuddyWater — a group the vendor links to the Iranian Ministry of Intelligence and Security and also identifies as Seedworm, Static Kitten and Mango Sandstorm. In a report published on May 6, Muddying the Tracks: The State-Sponsored Shadow Behind Chaos Ransomware, Rapid7 concluded the actor pretended to be a Chaos ransomware affiliate to provide plausible deniability while conducting geopolitical espionage and prepositioning.

Rapid7 notes MuddyWater has a recent precedent for impersonating ransomware-as-a-service (RaaS) ecosystems: in late 2025 the group was linked to activity that involved the Qilin RaaS ecosystem in an attack targeting an Israeli organization. The vendor says the shift to using the Chaos brand may have been intended to further reduce the risk of attribution.

Social-engineered Microsoft Teams screen sharing and MFA theft

The intrusion began with social engineering delivered over Microsoft Teams: an employee was tricked into a screen-sharing session, Rapid7 reports. From that live, interactive access the attacker performed initial discovery, harvested credentials and manipulated multi-factor authentication (MFA).

Rapid7’s account emphasizes the interactive nature of the compromise: by operating through compromised users, the attacker moved quickly to legitimate accounts for internal access rather than relying on the initial remote-access tooling alone. That approach enabled follow-on activity while masking the actor’s initial foothold.

Persistence and tools: DWAgent, AnyDesk, pythonw.exe and familiar infrastructure

After initial access the threat actor established persistence using remote access tools such as DWAgent and AnyDesk, then deployed additional payloads and expanded control of the environment, Rapid7 reports. The actor subsequently exfiltrated data and contacted the victim via email claiming data theft and initiating ransom negotiations.

Rapid7 identified links between the intrusion and infrastructure previously used by MuddyWater, including a code-signing certificate labelled “Donald Gay,” the moonzonet[.]com domain that supported command-and-control, and the use of pythonw.exe to inject code into suspended processes. The report also reiterates the use of interactive Microsoft Teams sessions as a credential- and MFA-harvesting vector.

Why the Chaos brand was used — and what it disguised

Although the actor claimed successful data theft and later published data on a ransomware-as-a-service data leak site (DLS), Rapid7 highlights several anomalies inconsistent with a standard financially motivated Chaos affiliate. The Chaos DLS operates a “blind” countdown timer, meaning victim details could not be viewed on the site, and initial proof-of-compromise details — such as a purported desktop note containing “access credentials” for a secure chat — could not be found by Rapid7.

Crucially, Rapid7 reports the group did not deploy a ransomware payload during the intrusion — behavior that departs from what a regular Chaos affiliate would be expected to do. Rapid7 argues the inclusion of extortion-style negotiation and a public DLS entry can serve as a deliberate obfuscation technique: using a RaaS framework “may enable the actor to blur distinctions between state-sponsored activity and financially motivated cybercrime,” complicating attribution, and “could serve to focus defensive efforts on immediate impact, likely delaying the identification of underlying persistence mechanisms established via remote access tools such as DWAgent or AnyDesk.”

What this means for defenders, policymakers, and affected enterprises

  • Technologists and security teams: Rapid7’s findings underscore that interactive social engineering plus MFA manipulation can convert legitimate accounts into long-lasting access paths; defenders should investigate intrusion lifecycles rather than only observable ransomware artifacts.
  • Policymakers and incident responders: The report frames RaaS-branded activity as a potential cover for state-directed espionage, suggesting attribution and response frameworks must account for hybrid intrusions that mix intelligence objectives with extortion tactics.
  • Affected enterprises and procurement leaders: The presence of code-signing certificates and recurring infrastructure indicators such as moonzonet[.]com shows the value of telemetry that ties tools and certificates back to prior incidents when assessing an intrusion that looks like standard ransomware.
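To make the "investigate the lifecycle, not just the ransomware artifacts" advice concrete, here is an added triage script (not code from Rapid7 or the report) that runs the indicators named above over constructed endpoint telemetry and groups the resulting leads per account, since the actor pivoted to legitimate accounts. The event shapes, the executable-name matching for DWAgent and AnyDesk, and the sample events are assumptions of this example.

```python
from collections import defaultdict

# Indicators taken from the Rapid7 findings summarized above. The domain is
# refanged here for matching; the report prints it defanged as moonzonet[.]com.
C2_DOMAINS = {"moonzonet.com"}
SUSPECT_SIGNERS = {"donald gay"}
# Remote access tools named in the report; matching the tool name inside the
# executable name is an assumption of this example, not a vetted binary list.
RAT_NAME_PATTERNS = ("dwagent", "anydesk")

def triage(events):
    """Return (rule, event_id, user, detail) leads. Event shapes are assumed:
    process events carry id/user/image/parent/signer, dns events id/user/query."""
    leads = []
    for ev in events:
        user = ev.get("user", "")
        if ev["type"] == "dns":
            q = ev["query"].lower().rstrip(".")
            if any(q == d or q.endswith("." + d) for d in C2_DOMAINS):
                leads.append(("c2_domain", ev["id"], user, q))
            continue
        exe = ev["image"].lower().rsplit("\\", 1)[-1]
        parent = ev.get("parent", "").lower()
        if ev.get("signer", "").lower() in SUSPECT_SIGNERS:
            leads.append(("suspect_signer", ev["id"], user, ev["signer"]))
        if any(p in exe for p in RAT_NAME_PATTERNS):
            leads.append(("remote_access_tool", ev["id"], user, exe))
        # pythonw.exe was used to inject into suspended processes; flag its children.
        if parent.endswith("pythonw.exe"):
            leads.append(("pythonw_child", ev["id"], user, exe))
    return leads

def leads_by_user(events):
    """Group leads per account: the actor pivoted to legitimate accounts."""
    grouped = defaultdict(set)
    for rule, _, user, _ in triage(events):
        grouped[user].add(rule)
    return {u: sorted(rules) for u, rules in grouped.items()}

# Constructed sample telemetry for a stand-alone run; not data from the report.
SAMPLE_EVENTS = [
    {"type": "process", "id": "e1", "user": "corp\\jdoe", "parent": "C:\\Windows\\explorer.exe",
     "image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\AnyDesk.exe", "signer": "Example Vendor"},
    {"type": "process", "id": "e2", "user": "corp\\jdoe", "parent": "C:\\Python\\pythonw.exe",
     "image": "C:\\ProgramData\\svc.exe", "signer": "Donald Gay"},
    {"type": "dns", "id": "e3", "user": "corp\\jdoe", "query": "moonzonet.com."},
    {"type": "process", "id": "e4", "user": "corp\\asmith", "parent": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\notepad.exe", "signer": "Microsoft Windows"},
]
```

Running `leads_by_user(SAMPLE_EVENTS)` attributes all four leads to one account, which is the per-user lifecycle view the report recommends over a search for encryption artifacts that, in this intrusion, never appeared.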

Rapid7’s central prescription is straightforward: look beyond overt ransomware indicators and study the full intrusion lifecycle. As the vendor puts it, this activity is “best understood as a hybrid intrusion model, in which ransomware is leveraged not as an end goal but as a mechanism for concealment, coercion, and operational flexibility within a broader intelligence-driven campaign.” That characterization reframes a familiar extortion playbook as a potential cloak for more persistent, intelligence-driven operations — and it sets a clear investigative next step: track persistence, not just headlines.
