Chaos Ransomware Used As Diversion By MuddyWater
The lines between cybercrime and state-sponsored espionage continue to blur. Iranian threat actors now adopt ransomware tradecraft to conceal intelligence-gathering operations. Recent investigations into attacks by the Iranian-linked MuddyWater group show a sophisticated evolution in tactics.
Here, ransomware acts less as a profit engine and more as a strategic distraction. Security researchers believe that, in several intrusions, the Chaos ransomware mainly served as a false-flag operation. Its goal was to obscure long-term espionage objectives and complicate attribution efforts.

Researchers from Rapid7 uncovered evidence that Chaos ransomware attackers showed behaviors typical of advanced persistent threat groups, not financially motivated cybercriminals. The investigation found the intrusions relied heavily on social engineering via Microsoft Teams. Attackers posed as IT support and tricked victims into granting remote access.
Instead of directly exploiting software vulnerabilities, attackers focused on manipulating human trust through interactive engagement. Victims received external Teams chat requests. These evolved into screen-sharing sessions and credential-harvesting operations. After gaining credentials and bypassing multifactor authentication, attackers quickly moved into persistence and lateral movement phases.
Rapid7 researchers determined with moderate confidence that the campaign matched MuddyWater operations. MuddyWater is also known as Seedworm, Static Kitten, and Mango Sandstorm. Attribution relied on shared command-and-control infrastructure, code-signing certificates, operational methods, and tooling previously linked to the Iranian Ministry of Intelligence and Security. In the past, this publication covered Iranian state-sponsored threat actors who deployed pseudo-ransomware to serve geopolitical goals.
The campaign was notable for the disconnect between ransomware deployment and attackers' true objectives. Traditional ransomware groups prioritize rapid encryption, financial extortion, and public pressure. In contrast, this activity focused on credential theft, stealthy persistence, remote access deployment, and data exfiltration before any ransomware surfaced. Chaos ransomware likely existed to muddy attribution rather than maximize profit.
This deceptive approach shows a convergence between state-sponsored espionage and ransomware ecosystems. Threat actors now see ransomware as a means of achieving plausible deniability. A destructive or extortion-focused incident can distract from the intelligence objectives behind it. By mimicking ransomware-as-a-service, state-backed groups blend into the cybercrime landscape.
Unmasking Chaos and Phoenix
Chaos emerged in early 2025 as a ransomware-as-a-service operation. It is believed to include former members of the BlackSuit and Royal ransomware groups. Talos researchers say Chaos targeted Windows, Linux, ESXi, and NAS environments. It used double-extortion tactics with encryption and threats to leak stolen data. The group also tried triple and quadruple extortion, such as distributed denial-of-service threats and direct pressure campaigns against customers and partners.
Researchers stressed that the Chaos deployment in the MuddyWater campaign differed from typical ransomware operations. Attackers used the Chaos branding and listed victims on the Chaos leak portal, but their methods matched intelligence-collection activity. They focused on maintaining long-term access with AnyDesk and DWAgent rather than on encryption or ransom negotiation.
The campaign also highlights how state-linked actors rely on legitimate enterprise software to evade detection. Attackers avoid using obviously malicious malware at every stage. Instead, they abuse the trusted administration and collaboration tools already in place. This approach, called "living off the land," reduces security alerts and lets attackers blend into normal activity.
The MuddyWater operation is part of a wider trend in Iranian cyber activity. In 2025, researchers found another MuddyWater campaign targeting over 100 government organizations in the Middle East and North Africa. This campaign used the Phoenix backdoor and relied on phishing emails sent from a compromised diplomatic account. The attackers accessed it through NordVPN.
The phishing emails contained malicious Word documents with macros. These macros deployed malware loaders and then installed version 4 of the Phoenix backdoor. The malware collected system information, established persistence in the Windows Registry, and enabled long-term remote access. Researchers noted that this version introduced new persistence approaches and more robust command tools.
The Phoenix campaign showed MuddyWater's ongoing focus on government, diplomatic, and strategic targets. Organizations in the UAE, Saudi Arabia, Qatar, and other Middle Eastern nations were affected. Attackers used geopolitical themes related to Iran-Israel tensions to lure targets into opening malicious attachments and enabling macros.
The Phoenix and Chaos operations reveal the increasing skill of Iranian cyber campaigns. Attackers no longer just use custom malware or simple phishing. Now, they mix social engineering, enterprise tools, ransomware branding, and stealthy persistence. This creates flexible frameworks for both espionage and disruption.
Researchers warn that false-flag ransomware operations make incident response and attribution more difficult. Organizations may focus on containment and recovery, missing signs of deeper espionage. If attackers maintain persistence after the ransomware event, they may keep collecting intelligence even after defenders consider the incident resolved.
The evolution of MuddyWater's tactics reflects a wider transformation occurring across the cyber threat landscape. State-sponsored groups increasingly borrow techniques from cybercriminal operations because those methods provide effective concealment and operational flexibility.
Criminal groups, meanwhile, continue professionalizing through ransomware-as-a-service ecosystems that lower technical barriers for affiliates and provide scalable attack infrastructure. The overlap between these two worlds creates a threat environment where attribution becomes significantly more difficult.
Defenders face attacks that mimic criminal activity but hide intelligence objectives. Traditional ransomware response procedures may not work for advanced state-linked actors. These attackers can blend espionage and extortion. Security teams must investigate ransomware incidents not only as financial crimes but also as potential long-term compromises involving persistent access and intelligence collection.
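The article's closing point, that a ransomware incident should also be treated as a possible long-term compromise, and its earlier description of attackers keeping access through legitimate remote-administration tools such as AnyDesk and DWAgent, both come down to one practical check: after containment, look for remote-access tooling and autorun entries that nobody sanctioned. The following Python script is an added example, not code from the article, Rapid7 or Talos. It parses two constructed host exports (an autorun listing and a process listing), flags the two tools the article names when they are not on an approved list, and flags autoruns that launch from user-writable directories. The export formats, user names, paths and the sample entries are all constructed for the example.

```python
"""Post-ransomware persistence hunt (added example; formats and sample data are constructed)."""
import re
from dataclasses import dataclass, field

# Remote-access tools the article names as used for long-term access. Keys are
# lower-cased executable names, so the check does not depend on install location.
REMOTE_ACCESS_TOOLS = {
    "anydesk.exe": "AnyDesk",
    "dwagent.exe": "DWAgent",
}

# Directory fragments a standard user can write to. An autorun here is not proof
# of compromise, but it is where unsanctioned tooling usually lands.
USER_WRITABLE = re.compile(r"\\(AppData|Users\\Public|Temp|ProgramData)\\", re.IGNORECASE)

# Pulls the executable path out of a launch command, quoted or not.
EXE_PATH = re.compile(r'^\s*"?([^"]+?\.exe)"?', re.IGNORECASE)


@dataclass
class Entry:
    source: str    # "autorun" or "process"
    location: str  # registry key / service / pid and user
    name: str
    command: str


@dataclass
class Finding:
    entry: Entry
    reasons: list = field(default_factory=list)


def exe_name(command: str) -> str:
    """Lower-cased basename of the executable in a launch command or image path."""
    m = EXE_PATH.match(command)
    path = m.group(1) if m else command.split()[0]
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_autoruns(text: str) -> list:
    """Constructed autorun export: location|name|command, one entry per line."""
    entries = []
    for line in text.splitlines():
        if line.strip():
            location, name, command = line.split("|", 2)
            entries.append(Entry("autorun", location, name, command))
    return entries


def parse_processes(text: str) -> list:
    """Constructed process export: pid=<n> user=<u> image=<path>, one per line."""
    entries = []
    for line in text.splitlines():
        m = re.match(r"pid=(\d+) user=(\S+) image=(.+)$", line.strip())
        if m:
            pid, user, image = m.groups()
            entries.append(Entry("process", f"pid {pid} as {user}", exe_name(image), image))
    return entries


def hunt(entries, approved_tools=frozenset()) -> list:
    """Flag remote-access tools not on the approved list and autoruns in user-writable paths."""
    findings = []
    for e in entries:
        reasons = []
        tool = REMOTE_ACCESS_TOOLS.get(exe_name(e.command))
        if tool and tool not in approved_tools:
            reasons.append(f"unapproved remote-access tool {tool}")
        if e.source == "autorun" and USER_WRITABLE.search(e.command):
            reasons.append("autorun launches from user-writable path")
        if reasons:
            findings.append(Finding(e, reasons))
    return findings


# Constructed sample exports: one benign autorun, one benign process, the rest suspicious.
SAMPLE_AUTORUNS = r"""HKLM\Software\Microsoft\Windows\CurrentVersion\Run|SecurityHealth|C:\Windows\System32\SecurityHealthSystray.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run|AnyDesk|C:\Users\jdoe\AppData\Roaming\AnyDesk\AnyDesk.exe --silent
HKCU\Software\Microsoft\Windows\CurrentVersion\Run|Updater|C:\Users\Public\svc\update.exe
Service|DWAgent|"C:\Program Files\DWAgent\native\dwagent.exe" run
"""
SAMPLE_PROCESSES = r"""pid=4412 user=CORP\jdoe image=C:\Windows\System32\svchost.exe
pid=5120 user=CORP\jdoe image=C:\Users\jdoe\AppData\Roaming\AnyDesk\AnyDesk.exe
pid=6004 user=SYSTEM image=C:\Program Files\DWAgent\native\dwagent.exe
pid=6100 user=CORP\jdoe image=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
"""


def run_sample(approved_tools=frozenset()) -> list:
    """Run the hunt over the constructed exports; autorun findings come first."""
    entries = parse_autoruns(SAMPLE_AUTORUNS) + parse_processes(SAMPLE_PROCESSES)
    return hunt(entries, approved_tools)


if __name__ == "__main__":
    for f in run_sample():
        print(f"[{f.entry.source}] {f.entry.name} ({f.entry.location}): {'; '.join(f.reasons)}")
```

The approved-tools parameter is the important design choice: the script does not declare AnyDesk or DWAgent malicious, because many organizations run them legitimately. It reports them so that the responder can compare against the change record, which is exactly the comparison the article says gets skipped when a team treats the encryption event as the whole incident.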
Karolis Liucveikis
Experienced software engineer, passionate about behavioral analysis of malicious apps
Author and general operator of PCrisk's News and Removal Guides section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has over 8 years of experience in this field. He attended Kaunas University of Technology and graduated with a degree in Software Development in 2017. Extremely passionate about the technical aspects and behavior of various malicious applications.
The PCrisk security portal is run by the company RCS LT.
The combined efforts of its security researchers help educate computer users about the latest online security threats. More information about the company RCS LT.
Our malware removal guides are free. However, if you want to support us, you can send us a donation.