
MuddyWater Exploits Ransomware Disguise for Cyber Espionage

"Historically, organizations could draw a relatively clear distinction between ransomware attacks driven by financial gain and nation-state operations designed to support strategic objectives." That observation, from Matt Hull, VP of cyber intelligence and response at NCC Group, sits at the center of a warning published on June 24: the line separating criminal ransomware and state-backed espionage is rapidly blurring.

MuddyWater posed as the Chaos ransomware group

In the June 24 edition of the NCC Group Monthly Threat Pulse, researchers described a deliberate campaign in which MuddyWater — identified in the report as a hacking and cyber espionage group associated with Iran’s Ministry of Intelligence and Security — dressed its operations to look like a financially motivated ransomware attack. According to NCC Group, the operators went beyond superficial mimicry: they incorporated extortion notes, established victim negotiation channels and even arranged for a listing on the Chaos leak site to reinforce the appearance of a genuine ransomware intrusion.

Convergence of criminal and state-backed activity

“What we're seeing is a convergence of criminal and state-backed activity,” Hull said in the report. NCC Group’s analysis documents multiple ways that convergence is occurring: threat actors sharing infrastructure, adopting common tooling, and deliberately operating behind established ransomware brands in order to obscure attribution and delay response efforts. The payoff for the attackers is increased plausible deniability; the cost for defenders is a more complex and ambiguous incident response landscape.

State-Backed Use of Dark Web Malware

The report also catalogues broader patterns beyond the MuddyWater case. NCC Group noted that 2026 has seen several Iran-linked threat actors leverage cybercriminal operational models, off-the-shelf tools and infrastructure hosted by cybercriminals to conduct state-sponsored hacking. One Iranian state-backed group was observed working with Russian cybercriminals to deploy a remote access trojan — a tool available for purchase on the dark web — against espionage targets. NCC Group further observed that China-, Russia- and North Korea-linked state-backed operations have used ransomware-as-a-service campaigns as a front for espionage, data exfiltration and other attacks.

Defensive priorities NCC Group recommends

Recognizing the tactical mixing of criminal and espionage playbooks, NCC Group made a strategic recommendation for defenders: mature defensive strategies should prioritize behavioral analysis, operational context, observed tradecraft and adversary objectives over signature-based artefacts. The report frames this shift as necessary because organizations can no longer assume a ransomware incident is purely financially motivated; understanding an adversary’s behavior and goals is becoming as important as identifying the malware or the named ransomware group involved.

What this means for security operation centers, enterprises, and adversaries

  • Security operation centers and incident response teams: They will be pressed to expand investigations beyond indicators tied to a ransomware family and add contextual analysis of negotiation channels, leak-site behavior and atypical data-exfiltration patterns to determine whether an intrusion serves espionage aims.
  • Enterprises and other organizations: Victim organizations that see extortion notes or leak-site listings cannot assume a purely financial motive; the report suggests those signs may be deliberate deception. That has implications for whether affected entities disclose incidents, engage law enforcement, or deploy counterintelligence consultations.
  • Adversaries and threat actors: According to NCC Group, the tactic of borrowing criminal infrastructure and brands provides state-backed groups with operational benefits — shared tooling, marketplace access, and plausible deniability — and can be expected to persist where it serves strategic objectives.

The NCC Group analysis makes a clear, practical claim: the familiar binary — criminal versus state — is no longer a safe assumption when an organization finds ransom notes in its environment. If the pattern documented on June 24 continues, defenders will need to follow behavior and context as closely as code signatures. How quickly organizations can shift their detection and response models to that reality will determine whether these masquerades succeed or fail.

Original NCC Group report summary at Infosecurity Magazine