MuddyWater hackers exploit Chaos ransomware as cyber-espionage decoy

“The strategy highlights the convergence between state-sponsored intrusion activity and criminal tradecraft, where a big ‘tell’ lies in the techniques that were deployed - and those that weren’t. This strategy suggests the primary goal was not financial gain,” explains Rapid7.

Rapid7 attributes the incident to MuddyWater

Rapid7 reports moderate confidence that the intrusion was the work of MuddyWater — a state-sponsored Iranian cyber-espionage group also identified as Static Kitten, Mango Sandstorm, and Seedworm. The researchers base the attribution on an overlap in infrastructure, use of a specific code-signing certificate previously used by the group to sign Stagecomp and Darkcomp malware, and multiple elements of operational tradecraft. Rapid7 notes that MuddyWater conducts long-term network intrusions that align with Iran’s Ministry of Intelligence and Security (MOIS).

Microsoft Teams social engineering launched the intrusion

The intrusion chain began with Microsoft Teams social engineering. Attackers initiated chats with employees, persuaded victims to establish screen-sharing sessions, harvested credentials, and manipulated multi-factor authentication settings. In some cases the intruders deployed AnyDesk for remote access. Credential theft was accomplished by phishing pages that masqueraded as Microsoft Quick Assist and by tricking victims into typing passwords into local text files.

Persistence, lateral access, and a bespoke backdoor

After compromising accounts, the attackers authenticated to internal systems — including a domain controller — and established persistence using Remote Desktop Protocol (RDP), DWAgent, and AnyDesk. Rapid7 describes a malware loader named ms_upd.exe that dropped a custom backdoor called Game.exe, disguised as a Microsoft WebView2 application. The backdoor implements anti-analysis and anti-virtual-machine checks and supports 12 commands, including PowerShell and CMD command execution, file upload and deletion, and persistent shell access.

Chaos ransomware served as a decoy; evidence of double-extortion theatrics

Although the incident included credential theft, persistence, remote access, data exfiltration, extortion emails, and an entry on the Chaos leak portal, Rapid7 found that the infrastructure and techniques matched MuddyWater activity. Chaos is a ransomware-as-a-service operation that emerged in 2025 and is known for big-game hunting attacks, double-extortion tactics, and social engineering campaigns, primarily against organizations in the United States. Rapid7’s assessment is that the Chaos-branded ransomware component was likely used to conceal the true cyber-espionage objectives and to complicate attribution.

Operational pattern: ransomware branding and prior activity

Rapid7 observes that MuddyWater has previously used ransomware to mask espionage activity. In late 2025 the group deployed Qilin ransomware in an attack against an Israeli organization. The researchers suggest MuddyWater may have pivoted to a different ransomware branding — in this case Chaos — following public attribution of the late 2025 activity to MOIS operatives. The mix of extortion emails and an entry on a public leak portal provided the outward appearance of a criminal ransom operation even as intrusions, tooling, and code-signing evidence tied the operation to the state-backed group.

What this means for technologists, policymakers, and affected enterprises

  • Technologists and security teams will be watching for Microsoft Teams social engineering, phishing pages posing as Microsoft Quick Assist, manipulation of MFA settings, and the use of remote-access tools such as AnyDesk and DWAgent — all techniques documented in this intrusion.
  • Policymakers and regulators will note Rapid7’s observation of convergence between state-sponsored intrusion and criminal tradecraft, and that the use of ransomware branding can be intended to obscure intent rather than to generate profit.
  • Affected enterprises and procurement leaders will confront the dual risk that double-extortion messaging and leak portals can mask espionage activity, and that attribution may rely on artifacts such as infrastructure overlap and code-signing certificates tied to prior malware like Stagecomp and Darkcomp.
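As a concrete illustration of the first bullet, the following triage script is an added example written for this summary; it is not Rapid7's tooling and not code from the report. It walks process-creation records and flags the file names the article attributes to the intrusion (AnyDesk, DWAgent, ms_upd.exe, Game.exe) plus one heuristic of my own: a process that describes itself as WebView2 but is not the real runtime executable, since the report says Game.exe was disguised as a WebView2 application. The log line format and every host, user, path and description value are constructed for the example, not taken from the incident.

```python
"""Triage of process-creation records for the remote-access tools and the loader/backdoor
file names cited in the article (AnyDesk, DWAgent, ms_upd.exe, Game.exe).

The record format below (space-separated key=value pairs, quoted when the value has
spaces) is constructed for this example and is not any vendor's log schema.
"""
from dataclasses import dataclass
import re

# File-name indicators taken from the article; the reason strings are labels for the analyst.
WATCHLIST = {
    "anydesk": "remote-access tool named in the report (AnyDesk)",
    "dwagent": "remote-access tool named in the report (DWAgent)",
    "ms_upd.exe": "loader named in the report (ms_upd.exe)",
    "game.exe": "backdoor named in the report (Game.exe)",
}

# Assumption for this example: the legitimate WebView2 runtime runs as msedgewebview2.exe,
# so a process advertising itself as WebView2 under another file name merits review.
WEBVIEW2_RUNTIME_PREFIX = "msedgewebview2"


@dataclass(frozen=True)
class Finding:
    host: str
    user: str
    image: str
    reason: str


_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Turn one constructed key=value record into a dict, stripping surrounding quotes."""
    return {key: value.strip('"') for key, value in _KV.findall(line)}


def basename(path):
    """Lower-cased final path component; accepts both Windows and POSIX separators."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(lines):
    """Return a Finding for every record matching the watchlist or the WebView2 heuristic."""
    findings = []
    for line in lines:
        rec = parse_record(line)
        image = rec.get("Image", "")
        name = basename(image)
        host, user = rec.get("Host", "?"), rec.get("User", "?")

        matched = next((reason for needle, reason in WATCHLIST.items() if needle in name), None)
        if matched:
            findings.append(Finding(host, user, image, matched))
            continue  # one finding per record is enough for triage

        description = rec.get("Description", "").lower()
        if "webview2" in description and not name.startswith(WEBVIEW2_RUNTIME_PREFIX):
            findings.append(Finding(host, user, image,
                                    "describes itself as WebView2 under a non-runtime file name"))
    return findings


# Constructed sample records (hosts, users, paths and descriptions are invented).
SAMPLE_LOG = [
    'Host=WS01 User=CORP\\jdoe Image="C:\\Windows\\System32\\svchost.exe" Description="Host Process for Windows Services"',
    'Host=WS01 User=CORP\\jdoe Image="C:\\Users\\jdoe\\Downloads\\AnyDesk.exe" Description="AnyDesk"',
    'Host=DC01 User=CORP\\svc_admin Image="C:\\ProgramData\\ms_upd.exe" Description="Update Helper"',
    'Host=DC01 User=CORP\\svc_admin Image="C:\\ProgramData\\Game.exe" Description="Microsoft Edge WebView2"',
    'Host=WS02 User=CORP\\asmith Image="C:\\Program Files (x86)\\Microsoft\\EdgeWebView\\Application\\msedgewebview2.exe" Description="Microsoft Edge WebView2"',
    'Host=WS02 User=CORP\\asmith Image="C:\\Program Files\\DWAgent\\native\\dwagent.exe" Description="DWAgent"',
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(f"{finding.host} {finding.user} {finding.image}: {finding.reason}")
```

Run against the constructed sample, the script flags the AnyDesk and DWAgent executables, ms_upd.exe and Game.exe, while leaving svchost.exe and the genuine msedgewebview2.exe alone. Matching on file names alone is deliberately coarse; in a real estate the same records would be joined with the account and host context from the report (RDP use and a domain controller among the touched systems) before anyone acts on them.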

The MuddyWater case underscores a shifting playbook in which ransomware branding can be tactical theater rather than a primary objective. Rapid7’s combination of infrastructure analysis and code-signing linkage produced moderate confidence in attribution, but the deployment of Chaos as a decoy raises a pointed question: if state-aligned actors continue to rebrand or borrow criminal tradecraft, how will defenders separate theatrical extortion from persistent espionage? The record here — from Teams-based social engineering to ms_upd.exe and the Game.exe backdoor — provides concrete artifacts to trace, even as the masquerade complicates the picture.

https://www.bleepingcomputer.com/news/security/muddywater-hackers-use-chaos-ransomware-as-a-decoy-in-attacks/