Signal
Iranian APT MuddyWater uses Chaos ransomware as a decoy in espionage attacks
Published 2026-05-06 13:00 UTC. Updated 2026-05-06 16:45 UTC.
Tags: cve, exploits, breaches, malware, threat_actors, incident_response
Overview
In early 2026, the Iranian state-sponsored group MuddyWater (also known as Seedworm) conducted a sophisticated espionage campaign disguised as ransomware attacks attributed to the Chaos ransomware gang.
- Score total: 1.85
- Momentum 24h: 7
- Posts: 7
- Origins: 7
- Source types: 1
- Duplicate ratio: 0%
Why now
- The campaign was observed in early 2026, highlighting current threat actor tactics.
- Increasing use of ransomware disguises by state actors demands updated defense strategies.
- Microsoft Teams remains a vector for sophisticated social engineering attacks.
Why it matters
- False flag ransomware attacks complicate incident response and attribution efforts.
- Use of legitimate collaboration tools like Microsoft Teams for credential theft shows evolving social engineering tactics.
- Targeting strategic intelligence entities indicates ongoing geopolitical cyber espionage activity.
LLM analysis
Topic mix: low. Promo risk: low. Source quality: high.
Recurring claims
- MuddyWater used Microsoft Teams social engineering and interactive screen sharing to harvest credentials and manipulate MFA.
- The campaign masqueraded as Chaos ransomware attacks but focused on data exfiltration rather than encryption.
- Technical artifacts and C2 infrastructure link the operation to the Iranian APT MuddyWater.
How sources frame it
- Rapid7 Researchers: neutral
All evidence
Iranian state-backed spies pose as ransomware slingers in false flag attacks
CSO Online · csoonline.com · 2026-05-06 16:45 UTC
Iran cybersnoops still LARPing as ransomware crooks in espionage ops
The Register Security · theregister.com · 2026-05-06 16:03 UTC
MuddyWater hackers use Chaos ransomware as a decoy in attacks
bleepingcomputer_all · bleepingcomputer.com · 2026-05-06 13:02 UTC
Muddying the Tracks: The State-Sponsored Shadow Behind Chaos Ransomware
Rapid7 Blog · rapid7.com · 2026-05-06 13:00 UTC
Iran-Linked APT Posed as Chaos Ransomware Member in Espionage Campaign
Infosecurity Magazine · infosecurity-magazine.com · 2026-05-06 13:00 UTC
Iranian APT Intrusion Masquerades as Chaos Ransomware Attack
SecurityWeek · securityweek.com · 2026-05-06 13:00 UTC
Top publishers (this list)
- CSO Online (1)
- The Register Security (1)
- bleepingcomputer_all (1)
- Rapid7 Blog (1)
- Infosecurity Magazine (1)
- SecurityWeek (1)
Top origin domains (this list)
- csoonline.com (1)
- theregister.com (1)
- bleepingcomputer.com (1)
- rapid7.com (1)
- infosecurity-magazine.com (1)
- securityweek.com (1)