Lyrie
Threat-Actor-Profile
By Lyrie Cyber Research Division — Senior Analyst Desk·5/12/2026

TL;DR

In early 2026, Iran-linked APT MuddyWater executed an intrusion against an undisclosed organization by wearing the mask of the Chaos ransomware-as-a-service (RaaS) group — complete with a fake victim listing on Chaos's data-leak site, extortion emails, and "negotiation" theatrics. But no file-encrypting ransomware was ever deployed. The entire ransomware persona was a deliberate false flag designed to bury state-sponsored espionage tradecraft under the noise of a financially motivated criminal incident. Forensic analysis by Rapid7 untangled the deception through a specific code-signing certificate, C2 domain overlap with historical MuddyWater infrastructure, and a custom RAT named Darkcomp (Game.exe) that had no business appearing in any ransomware affiliate toolkit. The takeaway: the line between nation-state espionage and criminal ransomware is no longer blurred — it has been deliberately weaponized as an attribution shield.


Background: Who Is MuddyWater?

MuddyWater is one of Iran's most active and persistent cyber-espionage crews. Operating under a constellation of aliases — Seedworm, TEMP.Zagros, Mercury, TA450, Static Kitten, Mango Sandstorm — the group has been formally attributed by the United States Cyber Command to Iran's Ministry of Intelligence and Security (MOIS), the civilian foreign intelligence arm of the Islamic Republic.

Active since at least 2017, MuddyWater's operational focus is classic MOIS: geopolitical intelligence collection, credential harvesting against government agencies, defense contractors, telcos, and critical infrastructure operators across the Middle East, Europe, Central Asia, and, increasingly, the United States. Unlike IRGC-affiliated groups (APT33/42/35) that tend toward destructive payloads, MuddyWater has historically preferred quiet long-duration access — maintaining footholds for months, sometimes years, before exfiltrating targeted intelligence.

The group's toolkit has evolved considerably since its early days of PowerShell-heavy intrusions. In recent years, MuddyWater adopted a living-off-the-land (LotL) philosophy supplemented by commercially available remote management tools (RMM) — ScreenConnect, AnyDesk, Atera, DWAgent — abusing the same software that corporate IT teams legitimately use every day. The shift accomplishes two things: it reduces tooling development overhead and makes malicious traffic indistinguishable from normal enterprise noise.

The 2026 Chaos false-flag operation is a further evolution: criminal infrastructure and branding borrowed as cover for espionage. It is perhaps the most sophisticated attribution-confusion operation MuddyWater has executed to date.


The Chaos Ransomware Backdrop

To understand the false flag, you need to understand Chaos. Active since February 2025, Chaos RaaS is a post-law-enforcement consolidation play — its affiliate roster is believed to include veterans of BlackSuit and Royal ransomware, which were disrupted by Operation Checkmate in July 2025. Chaos targets large enterprises in construction, manufacturing, and business services, demands ransoms up to $300,000, and employs quadruple extortion: data encryption + leak threat + DDoS threat + third-party notification (customers, competitors, regulators).

A distinctive Chaos signature is its "blind countdown" data-leak-site (DLS) tactic — victim identities are withheld on the leak site until a timer expires, designed to maximize negotiation pressure. By mid-March 2026, Chaos had claimed 36 victims. When MuddyWater operators needed cover for their own operation, Chaos was an ideal rental: credible, actively used by real criminals, and with enough structural complexity to confuse any IR team's early triage.


Technical Analysis: Dissecting the False Flag Chain

Phase 1 — Initial Access via Microsoft Teams Social Engineering

MuddyWater's 2026 playbook opens with a high-touch Teams-based social engineering campaign — a technique the group has been refining since at least 2024. Operators establish external chat sessions with target employees, impersonating IT support staff or trusted business contacts.

Once a conversation is established, the attacker escalates to interactive screen-sharing sessions. This is not passive observation — operators actively issued commands, guided users through credential-entry workflows, and accessed sensitive files in real time (specifically, VPN configuration files that would enable them to establish independent remote access later). In at least one confirmed instance, employees were instructed to type their credentials into locally created plaintext files on their own desktops.

This technique exploits a well-documented reality in enterprise security: most employees extend automatic trust to anyone who appears in the corporate Teams tenant with a convincing IT persona. External guest accounts in Teams require only minimal onboarding friction; once inside, the attacker has the same UI affordances as a legitimate internal user.

MFA manipulation was also observed. Rapid7 notes that the attackers used their screen-sharing access to manipulate MFA protections directly — either coaching victims through approving push notifications or accessing MFA configuration settings visible during sessions.

Phase 2 — Persistence via Dual-RMM Architecture

Following initial credential harvesting, the operators transitioned to persistence establishment through two commercial RMM tools deployed in parallel:

  • AnyDesk — a widely deployed remote desktop tool that generates minimal EDR alerting in most enterprise environments. MuddyWater has used AnyDesk as an access tool since at least 2022.
  • DWAgent — a lesser-known but increasingly prevalent RMM tool. Its inclusion is tactically significant: because DWAgent is less commonly seen in enterprise environments than AnyDesk, it may survive EDR policy exclusions more reliably.

RDP sessions were also established using legitimately harvested credentials, creating a triple-layer persistence architecture — each redundant path providing failover if defenders caught one of the others.

Phase 3 — Custom Malware Delivery: The Stagecomp/Darkcomp Chain

With persistence secured, MuddyWater deployed a staged malware chain that reveals the true operational intent:

Stage 1 — ms_upd.exe (Stagecomp): A dropper that masquerades as a Windows update executable. Stagecomp performs host reconnaissance, beacons out to the primary C2 — moonzonet[.]com — and downloads a three-component payload bundle.

Stage 2 — Three-component bundle:

1. WebView2Loader.dll — a legitimate, unmodified Microsoft DLL used to establish visual cover (and likely sideloading context)

2. Game.exe — the Darkcomp RAT, disguised as a Microsoft WebView2APISample application

3. Additional configuration/tasking files

Darkcomp (Game.exe): This is the most forensically significant artifact. Darkcomp is a bespoke MuddyWater-developed RAT with the following capabilities:

  • Remote command execution
  • File manipulation (read/write/delete)
  • Persistent shell execution
  • C2 communication with secondary domain uploadfiler[.]com

Critically, Game.exe is signed with a code-signing certificate documented in prior MuddyWater intrusions. This certificate linkage — combined with overlap in C2 domain infrastructure — is what allowed Rapid7 to pierce the Chaos false flag and attribute the activity to MuddyWater with moderate confidence. No genuine Chaos affiliate would use a signed RAT bearing an Iranian state actor's signature.

Phase 4 — The False Flag Performance

Once data was exfiltrated, MuddyWater executed the theatrical layer of the operation:

1. Extortion emails were sent to multiple victim employees claiming data theft and demanding ransom

2. The victim organization was listed on the Chaos DLS as a new victim

3. A follow-up email instructed recipients to find a "note" containing credentials for a "secure negotiation chat"

The note was never found — because it didn't exist. The data was eventually leaked publicly on the Chaos DLS. Rapid7's assessment is clear: the entire ransomware scenario was designed to misdirect incident responders, forcing IR effort toward ransom negotiation workflows while the actual implants (DWAgent, AnyDesk, Darkcomp) remained silently active in the environment.

As Rapid7 notes: "The inclusion of extortion and negotiation elements likely aimed to focus response teams on the immediate impact, delaying detection of persistence mechanisms implanted through remote access tools."


IOCs

| Type | Value | Notes |
|---|---|---|
| Dropper | ms_upd.exe | Stagecomp — masquerades as Windows Update |
| RAT | Game.exe / Darkcomp | Disguised as WebView2APISample app |
| DLL | WebView2Loader.dll | Legitimate MS DLL, used for sideload cover |
| C2 Domain | moonzonet[.]com | Primary C2 for Stagecomp |
| C2 Domain | uploadfiler[.]com | Secondary C2 for Darkcomp |
| Tool | DWAgent | RMM persistence tool |
| Tool | AnyDesk | RMM persistence tool |
| Signing Cert | MuddyWater-linked certificate | Previously documented in prior ops |
| Platform | Microsoft Teams (external guest) | Initial access vector |
| Technique | Screen-sharing credential theft | Novel MFA bypass method |

Attribution Confidence: Moderate (Rapid7) — code-signing cert + C2 overlap + TTPs consistent with historical MuddyWater activity.


The Lyrie Take: The False Flag Doctrine and What It Signals

This operation is important not because it represents a new class of vulnerability, but because it represents a doctrinal evolution in state-sponsored tradecraft with profound implications for enterprise defense.

False flags are not new in espionage. Russia's Sandworm infamously deployed "Olympic Destroyer" malware at the 2018 Pyeongchang Winter Olympics with deliberately planted false attribution artifacts pointing to North Korea and China. But MuddyWater's Chaos operation goes further — it doesn't just plant misleading code artifacts. It operationalizes the entire social architecture of a ransomware attack: victim listing, ransom demand emails, negotiation prompts, and a credible criminal brand. The false flag isn't a forensic artifact to confuse malware analysts. It's a full incident response misdirection operation.

The implications for defenders are substantial:

1. Triage categories are weaponized. The moment an IR team classifies an incident as "ransomware," the playbook activates: isolate systems, assess backups, contact legal/insurance, possibly engage ransom negotiators. Meanwhile, state-actor persistence tools sit untouched because they don't fit the ransomware narrative. MuddyWater exploited this categorization gap deliberately.

2. Criminal infrastructure is cheap foreign policy. Posting a victim to an established RaaS DLS costs operationally almost nothing but generates outsized confusion. As RaaS ecosystems have grown, state actors now have a rich menu of criminal brands, tools, and infrastructure to rent or mimic. The Chaos DLS wasn't hacked — it was used with apparent affiliate-level access, raising questions about how deeply Iranian state actors have infiltrated (or simply paid into) the criminal affiliate ecosystem.

3. RMM tools are the new implant. MuddyWater's consistent use of AnyDesk, DWAgent, and similar commercial tools reflects a broader strategic calculation: these tools are excluded from most corporate EDR policies, have legitimate business justification, and generate no meaningful alerting. Until enterprises treat unsanctioned RMM installations with the same severity as classic malware drops, this avenue will remain highly effective.

4. Teams is the new phishing email. The initial access vector — external Teams chat escalated to screen-sharing — exploits the exact trust model that Microsoft built. Because Teams chat from external tenants feels "official" and displays corporate branding, employees are significantly more susceptible to social engineering through it than through email, where spam training has raised baseline skepticism.


Defender Playbook

Immediate — Microsoft Teams Hardening

  • Restrict external Teams access: disable external chat from unknown tenants (External Access settings in Teams admin center)
  • Enforce policy that blocks screen-sharing initiation from external guest accounts
  • Audit ExternalAccessPolicy and FederationConfiguration settings in M365 tenant

Immediate — RMM Visibility

  • Inventory ALL RMM tools present in your environment (authorized and shadow)
  • Alert on AnyDesk, DWAgent, ScreenConnect, Atera, TeamViewer process creation events outside approved change windows
  • Block untrusted RMM binary hashes via application control policy

Detection — Stagecomp/Darkcomp

  • Hunt for ms_upd.exe executing from user-writable directories
  • Flag WebView2Loader.dll loaded outside of expected browser/app contexts
  • Block C2 domains: moonzonet[.]com, uploadfiler[.]com
  • Alert on Game.exe process execution — particularly paired with WebView2Loader.dll side-load pattern

Detection — False Flag Awareness

  • When a ransomware-presenting incident shows NO file encryption but DOES show data exfiltration + extortion email: treat as espionage/APT until proven otherwise
  • Hunt for persistence via DWAgent and AnyDesk installed BEFORE any encryption activity is observed — this sequencing is diagnostic
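The sequencing test in the two points above, as an added example that is neither Rapid7's nor the original post's code: it sorts a constructed incident timeline and flags the combination this report calls diagnostic (extortion with no observed encryption, RMM persistence that predates the extortion, contact with the two C2 domains from the IOC table). The pipe-delimited event format, the RMM process-name fragments and the verdict threshold are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime

# Process-name fragments for the RMM tools named in this report (assumed file names).
RMM_TOOLS = ("anydesk", "dwagent", "screenconnect", "atera", "teamviewer")
# C2 domains from the IOC table, defanging brackets removed for matching.
KNOWN_C2 = {"moonzonet.com", "uploadfiler.com"}

@dataclass
class Event:
    ts: datetime
    kind: str      # process | dns | email | dls_listing | encryption
    detail: str

def parse_event(line: str) -> Event:
    """Parse a constructed 'timestamp|kind|detail' record (assumed log format)."""
    ts, kind, detail = line.split("|", 2)
    return Event(datetime.fromisoformat(ts), kind, detail)

def triage(lines):
    """Return (verdict, findings) for a ransomware-presenting incident timeline."""
    events = sorted((parse_event(ln) for ln in lines), key=lambda e: e.ts)
    rmm = [e for e in events if e.kind == "process" and any(t in e.detail.lower() for t in RMM_TOOLS)]
    c2 = [e for e in events if e.kind == "dns" and e.detail.lower().strip() in KNOWN_C2]
    extortion = [e for e in events if e.kind in ("email", "dls_listing")]
    encryption = [e for e in events if e.kind == "encryption"]
    findings = []
    if extortion and not encryption:
        findings.append("extortion without any observed encryption")
    if rmm and extortion and rmm[0].ts < extortion[0].ts:
        findings.append("RMM persistence predates extortion")
    if c2:
        findings.append("known MuddyWater C2 contacted")
    # Assumed threshold: no encryption plus one corroborating signal -> treat as APT.
    if "extortion without any observed encryption" in findings and len(findings) >= 2:
        return "treat as espionage false flag", findings
    return "standard ransomware playbook", findings

# Constructed sample timeline modelled on the sequence described in this report.
SAMPLE = [
    "2026-03-02T09:14:00|process|C:\\Users\\jdoe\\AppData\\Local\\AnyDesk\\AnyDesk.exe",
    "2026-03-02T11:40:00|process|C:\\ProgramData\\DWAgent\\dwagent.exe",
    "2026-03-03T08:02:05|dns|moonzonet.com",
    "2026-03-05T17:30:00|email|extortion demand sent to three employees",
    "2026-03-06T00:00:00|dls_listing|organisation posted on Chaos DLS",
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```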

Process — IR Triage Reform

  • Add "false flag check" to initial ransomware triage checklist: was any file encryption actually observed? Are installed RMM tools signed by known-good vendors or shadow-installed?
  • Don't let the ransomware narrative close the forensic aperture prematurely

Detection Rules

# Sigma rule (concept) for the Stagecomp dropper
title: Suspected Stagecomp Dropper Execution
status: experimental
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith: '\ms_upd.exe'
  filter_update:
    ParentImage|contains: 'WindowsUpdate'
  condition: selection and not filter_update
level: high
---
# Sigma rule (concept) for the Darkcomp RAT: Game.exe side-loading WebView2Loader.dll.
# Image-load events carry no ParentImage, so the browser/WebView2 exclusion is applied to the loading process path.
title: Darkcomp RAT Execution (Game.exe WebView2 Masquerade)
status: experimental
logsource:
  category: image_load
  product: windows
detection:
  selection:
    Image|endswith: '\Game.exe'
    ImageLoaded|endswith: '\WebView2Loader.dll'
  filter_browser:
    Image|contains:
      - '\Microsoft\Edge\'
      - '\Google\Chrome\'
      - '\EdgeWebView\'
  condition: selection and not filter_browser
level: critical

Sources

1. Rapid7 Threat Research — "Muddying the Tracks: The State-Sponsored Shadow Behind Chaos Ransomware" (May 2026) — https://www.rapid7.com/blog/post/tr-muddying-tracks-state-sponsored-shadow-behind-chaos-ransomware/

2. SecurityWeek — "Iranian APT Intrusion Masquerades as Chaos Ransomware Attack" (May 7, 2026) — https://www.securityweek.com/iranian-apt-intrusion-masquerades-as-chaos-ransomware-attack/

3. SecurityAffairs — "Iranian cyber espionage disguised as a Chaos Ransomware attack" (May 7, 2026) — https://securityaffairs.com/191765/breaking-news/iranian-cyber-espionage-disguised-as-a-chaos-ransomware-attack.html

4. Infosecurity Magazine — "Iran-Linked APT Posed as Chaos Ransomware Member in Espionage Campaign" (May 7, 2026) — https://www.infosecurity-magazine.com/news/iran-linked-apt-chaos-ransomware/

5. SOCPrime — "MuddyWater Behind Chaos Ransomware False Flag" (May 8, 2026) — https://socprime.com/active-threats/muddywater-behind-chaos-ransomware-false-flag/

6. US Cyber Command — MuddyWater attribution to Iranian MOIS (historical anchor)



Lyrie Verdict

Lyrie's autonomous defense layer flags this class of exposure the moment it surfaces — no signature update required.