- Iranian APT MuddyWater impersonated IT staff via Microsoft Teams and tricked victims into providing remote access
- They deployed infostealers, altered MFA, exfiltrated data and staged a Chaos ransomware infection as cover
- Researchers concluded that the true motive was espionage, not profit, highlighting how state-sponsored tradecraft overlaps with criminal tactics
Iranian state-sponsored hackers ran a cyberespionage campaign and then tried to throw investigators off the trail with a ransomware infection, experts have warned.
An investigation by security researchers at Rapid7 into a recent attack showed how an unnamed victim was contacted via Microsoft Teams by someone outside their organization. Posing as IT technicians, the attackers discussed solving a technical problem with the victim and persuaded them to install and run an AnyDesk remote access session.
After gaining remote access, they deployed various malware and infostealer variants, harvested credentials, changed multi-factor authentication (MFA) settings, established persistence, and exfiltrated sensitive information from the now-compromised endpoints.
MuddyWater behind the attacks
The final step was to deploy Chaos ransomware encryption. Chaos is a relatively new RaaS operation, first observed in 2025 and known for targeting large entities, double extortion tactics and social engineering.
The majority of its victims are located in the United States. The victim of this attack was even added to Chaos’ data leak page, making the whole incident look like an ordinary ransomware attack.
However, Rapid7 was not fooled. After analyzing techniques, code signing certificates, and other operational artifacts, the researchers determined, with moderate confidence, that this was indeed the work of MuddyWater, a threat actor also known as Static Kitten, Mango Sandstorm, and Seedworm.
“The strategy highlights the convergence between state-sponsored intrusion activity and criminal craft, where a major ‘tell’ lies in the techniques that were implemented – and those that were not. This strategy suggests that the primary goal was not financial gain,” Rapid7 said in its report.
MuddyWater is apparently on the payroll of Iran’s Ministry of Intelligence and Security (MOIS). The Iranian government has several hacking collectives that do its bidding, which is mostly cyber espionage and data collection. These include CyberAv3ngers, APT35 (AKA Charming Kitten) and APT34 (AKA OilRig or Helix Kitten).
Via Bleeping Computer
