TL;DR
Iran's MuddyWater (MITRE G0069) — a Ministry of Intelligence and Security (MOIS)-affiliated APT active since at least 2017 — executed a sophisticated false-flag operation in early 2026, impersonating the Chaos ransomware-as-a-service group while conducting targeted espionage against US organizations. Rather than encrypting files for ransom, the group harvested credentials via Microsoft Teams social engineering, deployed a custom Remote Access Trojan ("Game.exe"), installed persistent remote management tools (DWAgent, AnyDesk), exfiltrated data, and then contacted victims claiming to be Chaos affiliates to extort payment. The ransomware persona was cover — the real goal was long-term intelligence collection and prepositioning inside US critical infrastructure sectors. This campaign marks a significant evolution in MuddyWater's doctrine: systematically blending into the cybercriminal ecosystem to defeat attribution and erode defenders' confidence in threat intelligence.
Background: Who Is MuddyWater?
MuddyWater is one of Iran's most prolific and enduring cyberespionage units. The group operates as a subordinate element of the Ministry of Intelligence and Security (MOIS), placing it firmly under the Iranian state's intelligence apparatus and distinct from IRGC-aligned groups such as APT33 (Refined Kitten/Elfin) or APT35 (Charming Kitten). The actor has operated under an extensive list of aliases that itself illustrates how much effort intelligence vendors have spent tracking its fragmentation and evolution:
- MuddyWater (coined by Palo Alto Unit 42 in 2017; used by Mandiant and most other vendors)
- Seedworm (Symantec/Broadcom)
- Mango Sandstorm (Microsoft)
- Static Kitten (CrowdStrike)
- MERCURY (Microsoft, older designation)
- TA450 (Proofpoint)
- UNC3313 (Mandiant, tactical cluster)
- Boggy Serpens (Palo Alto Unit 42, constellation naming scheme)
The multiplicity of tracking labels matters: different vendors observe different operational clusters, and because MuddyWater has been documented "subleasing" infrastructure and tools to affiliated operators, attribution at the tactical level remains contested even among well-resourced teams.
Geographic and sectoral targeting: MuddyWater has historically focused on government, defense, telecommunications, energy, and financial services organizations across the Middle East (Saudi Arabia, Israel, Turkey, UAE, Jordan), Central Asia, and Africa. In 2025–2026, Rapid7 and other vendors documented a marked shift toward US-based commercial targets — specifically construction, manufacturing, and business services — indicating either an expansion of MOIS collection requirements or preparation for future destructive operations.
Longevity signal: An actor active continuously since 2017 that has absorbed public exposure (US Cyber Command's January 2022 release of MuddyWater samples to VirusTotal and the February 2022 joint CISA/FBI/NSA/NCSC advisory attributing the group to MOIS) without any infrastructure takedown, and that keeps evolving its tooling, is an actor operating from a protected jurisdiction with sustained state-level resourcing. This is not a criminal crew that can be taken offline through indictment pressure.
Technical Analysis: The 2026 Chaos False-Flag Campaign
Phase 1 — Initial Access via Microsoft Teams Social Engineering
MuddyWater's intrusion began not with a phishing email but with an unsolicited Microsoft Teams chat from an externally-controlled account. This tradecraft has appeared in multiple recent Iranian and other nation-state campaigns (notably UNC6692 and Scattered Spider's extended ecosystem), reflecting an industry-wide shift toward abusing collaboration platforms that receive less scrutiny than email.
The threat actor's Teams account initiated one-on-one conversations with target employees. Key techniques deployed during this phase:
- Interactive screen-sharing sessions: Once a target accepted a screen-share, the operator gained real-time visibility into the victim's desktop, enabling live reconnaissance of file structures, VPN configuration details, and internal tooling.
- Credential harvesting via social manipulation: Operators instructed victims to type credentials into locally-created text files (`credentials.txt`, `cred.txt`). This low-tech technique is devastatingly effective in social engineering contexts: it bypasses technical controls by turning the victim into the credential-extraction tool.
- MFA manipulation: Operators persuaded victims to add attacker-controlled authenticator devices to their accounts, establishing persistent authenticated access that survives password resets unless MFA enrollments are also audited.
- AnyDesk deployment during session: During screen-share sessions, operators instructed users to install AnyDesk, transitioning from passive screen-viewing to active interactive control of the victim endpoint.
Discovery commands executed immediately after foothold establishment:
```
ipconfig /all
nslookup
net start
whoami
ping
```
The simplicity is intentional. These are not exotic living-off-the-land (LOTL) commands; they are baseline situational-awareness queries that generate minimal EDR noise and look like routine IT activity when the operator is already posing as "IT support" over Teams.
Phase 2 — Credential Abuse and C2 Infrastructure
Post-initial-access, analysts identified browser artifacts showing access to hxxps[://]adm-pulse[.]com/verify.php — a phishing domain designed to mimic a Pulse Secure/Ivanti VPN authentication portal. This URL served as both a secondary credential harvesting point and potentially a C2 relay.
The domain naming convention (adm-pulse) is consistent with MuddyWater's longstanding practice of constructing phishing infrastructure that mimics enterprise remote-access products (VPN portals, security appliances, admin panels) — targeting the exact moment employees expect to enter credentials.
Phase 3 — Persistence via Remote Management Tools
With active credentials and MFA enrolled, the operators established layered persistence using legitimate remote management software:
- DWAgent (DWService agent): The agent component of DWService, a free remote-control service. Like other legitimate remote-access tools it has been abused by both state and criminal operators, and it provides persistent, authenticated remote access that blends into environments where RMM software is already present.
- AnyDesk: Deployed during initial social engineering; maintained as a secondary access vector.
- Custom "Game.exe" RAT: A bespoke Remote Access Trojan discovered by Rapid7 analysts during the incident. The binary bears code-signing certificate artifacts that, combined with C2 infrastructure patterns, provide the primary technical basis for moderate-confidence attribution to MuddyWater over the Chaos RaaS affiliate hypothesis.
The Game.exe RAT sample is the critical forensic artifact in this investigation. Its code-signing certificate was previously linked to MuddyWater infrastructure by TeamT5 (who assigned the cluster name CamoFei) — representing a concrete technical thread that survived the false-flag overlay.
Phase 4 — Data Exfiltration and the Ransomware Persona
After establishing persistence and conducting thorough network reconnaissance, operators exfiltrated sensitive data from the compromised environment. Only after completing the intelligence collection objective did the group reveal the Chaos persona — contacting the victim via email, claiming affiliation with Chaos ransomware, and initiating extortion negotiations.
This sequence is the tell. Genuine Chaos ransomware attacks use double extortion: exfiltrate first, then encrypt, and hold the stolen data as additional leverage. The MuddyWater-linked intrusion skipped encryption entirely, because encryption would destroy the access and data freshness that a persistent intelligence operation requires. The extortion demand was a tactic to rationalize the breach (making it look financially motivated) while muddying forensic timelines.
This inversion, extortion without encryption, is the behavioral signal that separates a state-sponsored false-flag from a typical RaaS deployment, with one caveat: several purely criminal crews (Karakurt, Cl0p's MOVEit campaign) also run data-theft-only extortion. Defenders who see it should treat it as a trigger to escalate attribution analysis rather than as proof of state involvement, and should not default to the criminal RaaS playbook.
The Broader Strategy: Nation-State + Criminal Ecosystem Convergence
The 2026 Chaos false-flag is not an isolated incident; it is one instance of a strategic shift documented by multiple independent research teams:
Ctrl-Alt-Intel, Broadcom, Check Point, JUMPSEC (early 2026): All documented MuddyWater's expanded use of off-the-shelf cybercrime tooling, including CastleRAT and Tsundere malware families. These tools originate in criminal markets but have been adapted by MuddyWater operators for persistent access in targeted environments.
Boggy Serpens (Unit 42, March 2026): Boggy Serpens is Unit 42's designation for MuddyWater. Its March 2026 threat assessment documented AI-assisted malware development and refined social engineering, suggesting MuddyWater's operational clusters are actively integrating AI-assisted capabilities into their toolchain.
The strategic logic: By operating under a RaaS banner, an Iranian MOIS operator achieves three objectives simultaneously:
1. Attribution confusion: Incident responders, insurance carriers, and law enforcement initially classify the breach as criminal ransomware — triggering different response playbooks and potentially less rigorous nation-state attribution.
2. Plausible deniability: Iran can credibly deny state involvement, pointing to the public Chaos affiliate program as an alternative hypothesis.
3. Intelligence on victim posture: The extortion interaction itself yields intelligence about the victim's insurance coverage, legal counsel, breach notification obligations, and internal decision-making hierarchy.
This convergence trend — nation-states renting criminal infrastructure and personas — represents a structural shift that is actively degrading the utility of simple "state vs. criminal" threat categorization models. Lyrie assesses this pattern will intensify as US-Iran tensions remain elevated and Iran seeks to maintain deniable access to US commercial and defense-adjacent infrastructure.
Indicators of Compromise (IOCs)
| Indicator | Type | Notes |
|---|---|---|
| adm-pulse[.]com | Domain | Phishing domain mimicking Pulse Secure VPN portal |
| adm-pulse[.]com/verify.php | URL | Secondary credential harvesting endpoint |
| Game.exe | Filename | Custom MuddyWater RAT; code-signing cert linked to CamoFei cluster |
| credentials.txt, cred.txt | Filename | Locally created files used in social engineering credential theft |
| DWAgent (DWService agent) | Tool | Legitimate remote-access tool abused for persistent access |
| AnyDesk | Tool | Remote desktop tool deployed during initial access phase |
| Chaos DLS (blind countdown timer) | Infrastructure | Data leak site with victim-identity-withheld timer, 36 claimed victims as of March 2026 |
| Microsoft Teams external chat requests | Initial Access Vector | T1566.003 (Spearphishing via Service); external collaboration platform abuse |
MITRE ATT&CK Techniques (2026 Campaign):
| Technique | ID | Phase |
|---|---|---|
| Phishing: Spearphishing via Service (Teams chat) | T1566.003 | Initial Access |
| Impersonation (IT-support persona) | T1656 | Defense Evasion / Initial Access |
| User Execution (victim installs AnyDesk on instruction) | T1204 | Execution |
| System Network Configuration / Owner-User / Service Discovery (ipconfig, whoami, net start) | T1016 / T1033 / T1007 | Discovery |
| Screen Capture (operator-initiated Teams screen-share) | T1113 | Collection |
| Unsecured Credentials: Credentials In Files | T1552.001 | Credential Access |
| Account Manipulation: Device Registration (attacker-controlled MFA device) | T1098.005 | Persistence |
| Remote Access Software (AnyDesk, DWAgent, Game.exe RAT) | T1219 | Persistence / Command and Control |
| Exfiltration Over C2 Channel | T1041 | Exfiltration |
| Masquerading (RaaS false flag) | T1036 | Defense Evasion |
Attribution Confidence Assessment
Confidence: MODERATE (Rapid7 assessment, corroborated by Lyrie analysis)
Supporting pillars:
- Code-signing certificate on `Game.exe` previously attributed to MuddyWater/CamoFei by TeamT5
- C2 infrastructure overlaps with previously-documented MuddyWater command-and-control patterns
- TTPs (Teams social engineering + RMM tool persistence) consistent with confirmed MuddyWater 2025–2026 campaigns
- Behavioral anomaly: no file encryption despite Chaos RaaS persona — inconsistent with known Chaos affiliate operational doctrine
- US targeting shift consistent with MOIS collection priorities documented in 2025 intelligence assessments
Degrading factors:
- MuddyWater's deliberate adoption of commodity tooling reduces technical uniqueness of individual artifacts
- Chaos affiliate program's public-facing recruiting creates credible alternative hypothesis for each individual indicator
- No direct human-intelligence or government attribution statement has been issued as of publication
Lyrie Take
This campaign should alarm defenders not because MuddyWater invented new techniques, but because they executed an operational deception at the incident-response layer — engineering a scenario where the first responders' working hypothesis (criminal ransomware) would lead them to the wrong playbook, wrong escalation path, and wrong remediation timeline.
The practical implication: when you see a ransomware intrusion that collects but does not encrypt, that establishes persistent RMM tools before deploying ransom notes, or that conducts interactive social engineering via collaboration platforms rather than automated phishing, you are likely not looking at opportunistic criminal ransomware. You are looking at a targeted operation that borrowed a criminal costume.
For organizations with any exposure to US-Iran geopolitical tensions — defense contractors, energy sector, financial services, companies with Middle East operations — this campaign warrants a proactive hunt for DWAgent and AnyDesk instances that were not installed by your IT team, external Teams chat requests in your audit logs, and MFA device registrations that staff don't recognize.
MuddyWater has operated for nine years without a decisive takedown. Its 2026 pivot toward false-flag ransomware operations represents the group's most sophisticated attribution-evasion doctrine to date. Defenders who treat every extortion event as criminal activity will miss the state-sponsored needle in the ransomware haystack.
Defender Playbook
1. Microsoft Teams Hardening (Immediate)
- Disable or restrict external Teams chats to allow-listed domains only (External access settings in the Teams admin center, or `Set-CsTenantFederationConfiguration` with `-AllowedDomains` in the Teams PowerShell module)
- Block inbound chat from unmanaged consumer Teams accounts (`-AllowTeamsConsumerInbound $false`), and review external-access exceptions for non-federated tenants on a schedule
- Alert on any external Teams conversation that is followed within 30 minutes by a software installation event on the same endpoint
2. MFA Audit and Hardening
- Audit registered MFA methods weekly; alert on any Entra audit-log "User registered security info" event that is not tied to a known helpdesk ticket
- Require manager or helpdesk approval for MFA re-enrollment, and gate the "Register security information" user action behind a Conditional Access policy (compliant device or trusted location) so a victim cannot enroll an attacker's device from an arbitrary context
- Implement phishing-resistant MFA (FIDO2/passkeys) rather than TOTP- or push-based factors; note that phishing resistance does not by itself stop a victim who is talked into registering a new method, so the registration controls above still matter
3. RMM Tool Inventory and Baseline
- Enumerate all instances of AnyDesk, DWAgent, SimpleHelp, ConnectWise, TeamViewer, and other RMM tools in your environment
- Build a software allowlist; alert immediately on any new RMM installation not triggered via patch management pipeline
- Block unapproved RMM executables at EDR layer
4. Hunt for This Campaign
- Search for `credentials.txt` and `cred.txt` file creation events across endpoints
- Hunt for Teams external chat accept events followed by AnyDesk or DWAgent process spawn within the same session
- Search for DNS queries to `adm-pulse[.]com` or HTTP access to `/verify.php` paths on any domain
- Look for `Game.exe` process hashes in EDR telemetry (request current hashes from threat intel feeds; the filename alone is a weak indicator)
5. Behavioral Anomaly Detection
- Flag ransomware-presenting intrusions that lack file encryption activity; this is a strong prompt to widen the attribution review, though not proof on its own, since some criminal groups also run data-theft-only extortion
- Correlate ransom notes or extortion emails with the presence of RMM tools; the combination without encryption matches the state-sponsored profile described above and should be escalated
- Require secondary attribution assessment before paying any ransom in cases where the intrusion shows this behavioral profile
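The hunts in sections 4 and 5 above, as an added example that is not part of the original write-up or of Rapid7's detection content: it runs the Teams-to-RMM correlation, the credential-file search, the RMM inventory check and the extortion-without-encryption flag over constructed telemetry. The event schema, field names, RMM image names, host names and the helpdesk address are assumptions for illustration.

```python
"""Added hunt example for the MuddyWater/Chaos tradecraft described above.
All records below are constructed; the schema is an assumption, not any
vendor's telemetry format."""
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

RMM_IMAGES = {"anydesk.exe", "dwagent.exe", "dwagsvc.exe", "teamviewer.exe"}  # assumed binary names
CRED_FILES = {"credentials.txt", "cred.txt"}                                   # from the incident
ENCRYPTION_EVENTS = {"mass_rename", "ransom_note_dropped", "shadow_copy_deletion"}
WINDOW = timedelta(minutes=30)   # section 1 suggests a 30-minute chat-to-install window

# Constructed telemetry (not from the incident). kind = event type; detail = path/address/text.
EVENTS = [
    {"t": "2026-03-02T09:00:00", "host": "WS-17", "user": "j.doe", "kind": "teams_external_chat",
     "detail": "it-helpdesk@outlook.com"},
    {"t": "2026-03-02T09:04:10", "host": "WS-17", "user": "j.doe", "kind": "file_create",
     "detail": r"C:\Users\j.doe\Desktop\credentials.txt"},
    {"t": "2026-03-02T09:11:30", "host": "WS-17", "user": "j.doe", "kind": "process_create",
     "detail": r"C:\Users\j.doe\Downloads\AnyDesk.exe"},
    {"t": "2026-03-03T14:00:00", "host": "WS-22", "user": "a.lee", "kind": "teams_external_chat",
     "detail": "vendor@partner.example"},
    # Legitimate: IT-deployed TeamViewer launched hours after an unrelated partner chat.
    {"t": "2026-03-03T16:30:00", "host": "WS-22", "user": "a.lee", "kind": "process_create",
     "detail": r"C:\Program Files\TeamViewer\TeamViewer.exe"},
    # DWAgent service on a server with no preceding chat: misses the Teams correlation
    # but is caught by the inventory check.
    {"t": "2026-03-04T08:00:00", "host": "SRV-01", "user": "svc_backup", "kind": "process_create",
     "detail": r"C:\ProgramData\DWAgent\dwagsvc.exe"},
    {"t": "2026-03-20T10:00:00", "host": "MAIL", "user": "ciso", "kind": "extortion_contact",
     "detail": "email claiming Chaos affiliation"},
]


def parse(events):
    """Return copies of the events with parsed timestamps, in chronological order."""
    return sorted(({**e, "t": datetime.fromisoformat(e["t"])} for e in events), key=lambda e: e["t"])


def image_name(path):
    return PureWindowsPath(path).name.lower()


def teams_to_rmm(events, window=WINDOW):
    """External Teams chat followed, on the same host, by an RMM image launch within `window`.
    Returns (host, external party, image, minutes between chat and launch)."""
    by_host = defaultdict(list)
    for e in parse(events):
        by_host[e["host"]].append(e)
    hits = []
    for host, evs in by_host.items():
        chats = [e for e in evs if e["kind"] == "teams_external_chat"]
        for p in (e for e in evs if e["kind"] == "process_create"):
            name = image_name(p["detail"])
            if name not in RMM_IMAGES:
                continue
            for c in chats:
                delta = p["t"] - c["t"]
                if timedelta(0) <= delta <= window:
                    hits.append((host, c["detail"], name, int(delta.total_seconds() // 60)))
                    break
    return hits


def credential_files(events):
    """File creations whose basename matches the social-engineering credential files."""
    return [(e["host"], e["user"], e["detail"]) for e in parse(events)
            if e["kind"] == "file_create" and image_name(e["detail"]) in CRED_FILES]


def rmm_not_in_inventory(events, approved_hosts):
    """RMM images executing on hosts where IT did not deploy them (approved_hosts = assumed CMDB export)."""
    return sorted({(e["host"], image_name(e["detail"])) for e in parse(events)
                   if e["kind"] == "process_create"
                   and image_name(e["detail"]) in RMM_IMAGES
                   and e["host"] not in approved_hosts})


def extortion_without_encryption(events):
    """True when an extortion contact exists but no encryption-stage telemetry does.
    A prompt to widen attribution review, not proof: some criminal crews also skip encryption."""
    evs = parse(events)
    contacted = any(e["kind"] == "extortion_contact" for e in evs)
    encrypted = any(e["kind"] in ENCRYPTION_EVENTS for e in evs)
    return contacted and not encrypted


if __name__ == "__main__":
    print("teams -> rmm:", teams_to_rmm(EVENTS))
    print("credential files:", credential_files(EVENTS))
    print("unapproved rmm:", rmm_not_in_inventory(EVENTS, approved_hosts={"WS-22"}))
    print("extortion without encryption:", extortion_without_encryption(EVENTS))
```

The Teams correlation deliberately requires the chat to precede the launch on the same host; the partner chat on WS-22 is followed by an approved RMM tool outside the window and stays silent, while the DWAgent service on SRV-01 shows why the inventory check has to run independently of the chat correlation. In production the same logic maps onto a SIEM join between Teams audit events (`ChatCreated` with an external sender) and Sysmon/EDR process-creation events keyed on hostname.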
6. Threat Intelligence Sharing
- If you see indicators consistent with this campaign, report to CISA (and the FBI) and your ISAC alongside the insurer notification rather than after it; a suspected state-sponsored intrusion carries reporting obligations and response support that a routine criminal ransomware claim does not
- Cross-check any "Chaos ransomware" attribution with the behavioral indicators above before accepting criminal-actor framing at face value
Sources
1. Rapid7 Threat Research — "Muddying the Tracks: The State-Sponsored Shadow Behind Chaos Ransomware" (May 6, 2026) — https://www.rapid7.com/blog/post/tr-muddying-tracks-state-sponsored-shadow-behind-chaos-ransomware/
2. The Hacker News — "MuddyWater Uses Microsoft Teams to Steal Credentials in False Flag Ransomware Attack" (May 6, 2026) — https://thehackernews.com/2026/05/muddywater-uses-microsoft-teams-to.html
3. Industrial Cyber — "Rapid7 links Chaos ransomware campaign to Iranian state-sponsored MuddyWater espionage operation" (May 10, 2026) — https://industrialcyber.co/ransomware/rapid7-links-chaos-ransomware-campaign-to-iranian-state-sponsored-muddywater-espionage-operation/
4. SOC Prime — "MuddyWater Behind Chaos Ransomware False Flag" (May 7, 2026) — https://socprime.com/active-threats/muddywater-behind-chaos-ransomware-false-flag/
5. MITRE ATT&CK — MuddyWater Group Profile (G0069) — https://attack.mitre.org/groups/G0069/
6. InfoSec Write-ups / Andrey Pautov — "CTI Research: MuddyWater/Seedworm (Mango Sandstorm)" (March 9, 2026) — https://infosecwriteups.com/cti-research-muddywater-seedworm-mango-sandstorm-ebf6af5ba061
7. Palo Alto Unit 42 — "Boggy Serpens Threat Assessment" (March 16, 2026) — https://unit42.paloaltonetworks.com/boggy-serpens-threat-assessment/
Lyrie.ai Cyber Research Division — Senior Analyst Desk
Lyrie Verdict
Lyrie's autonomous defense layer flags this class of exposure the moment it surfaces — no signature update required.