Full Report
In early 2026, a sophisticated intrusion that initially appeared to be a standard Chaos ransomware attack was assessed to be consistent with a targeted state-sponsored operation. While the threat actor operated under the banner of the Chaos ransomware-as-a-service (RaaS) group, forensic analysis revealed the incident was a "false flag" masquerade. Technical artifacts, including a specific code-signing certificate and Command-and-Control (C2) infrastructure, suggest with moderate confidence that this activity is linked to MuddyWater (Seedworm), an Iranian Advanced Persistent Threat (APT) affiliated with the Ministry of Intelligence and Security (MOIS). The campaign was characterized by a high-touch social engineering phase conducted via Microsoft Teams, in which the attackers used interactive screen-sharing to harvest credentials and manipulate Multi-Factor Authentication (MFA). Once inside, the group bypassed the traditional ransomware workflow, forgoing file encryption in favor of data exfiltration and long-term persistence via remote management tools such as DWAgent. This report deconstructs the infection chain and analyzes the custom "Game.exe" Remote Access Trojan (RAT). It also examines how MuddyWater is increasingly leveraging the cybercriminal ecosystem to provide plausible deniability for geopolitical espionage and prepositioning, particularly in the US. The strategy highlights the convergence between state-sponsored intrusion activity and criminal tradecraft, where a big "tell" lies in the techniques that were deployed, and those that weren't.
Analysis Summary
# Threat Actor: MuddyWater (Seedworm)
## Attribution & Identity
- **Name:** MuddyWater
- **Aliases:** Seedworm
- **Affiliation:** Iranian state-sponsored group affiliated with the Ministry of Intelligence and Security (MOIS).
- **Association:** In this campaign, the actor operated under the "false flag" masquerade of the **Chaos Ransomware-as-a-Service (RaaS)** group.
## Activity Summary
In early 2026, MuddyWater conducted a sophisticated intrusion campaign targeting United States organizations. While appearing to be a standard financial cybercrime incident by Chaos RaaS, forensic analysis revealed a state-sponsored espionage operation. The actor utilized interactive social engineering via Microsoft Teams to gain access, followed by the deployment of custom malware and legitimate remote management tools. Notably, the actor bypassed encryption (ransomware) in favor of long-term persistence and data exfiltration.
## Tactics, Techniques & Procedures
- **Initial Access:** High-touch social engineering using Microsoft Teams; interaction via external chat requests.
- **Credential Access:** Utilization of interactive screen-sharing to harvest credentials and manipulate/bypass Multi-Factor Authentication (MFA).
- **Execution:** Use of legitimate remote management tools (DWAgent) and custom RATs.
- **Persistence:** Establishment of long-term access via DWAgent; custom "Game.exe" RAT.
- **Evasion:** "False flag" operations masquerading as a known ransomware group (Chaos) to provide geopolitical deniability. Use of specific code-signing certificates to appear legitimate.
- **Impact (Non-Tactical):** Eschewed file encryption (standard for Chaos) to prioritize data exfiltration and prepositioning.
**MITRE ATT&CK IDs:**
- T1566: Phishing (Vishing/Social Engineering)
- T1219: Remote Access Software
- T1556: Modify Authentication Process (MFA Manipulation)
- T1036: Masquerading
## Targeting
- **Sectors:** Construction, Manufacturing, and Business Services.
- **Geography:** Predominantly the United States.
- **Victims:** High-profile organizations identified as "big-game hunting" targets.
## Tools & Infrastructure
- **Malware:**
  - **Game.exe:** A custom Remote Access Trojan (RAT).
  - **MuddyWaterDownloader:** A custom downloader used for retrieving secondary payloads.
- **Legitimate Tools:** DWAgent (Remote Management), Microsoft Teams (Social Engineering), Microsoft Quick Assist.
- **Infrastructure:**
  - **C2:** Linked to known Seedworm infrastructure.
  - **Code-Signing:** Specific certificates identified as belonging to MuddyWater operations.
## Implications
This campaign signals a deepening convergence between state-sponsored espionage and the cybercriminal ecosystem. By adopting the tradecraft, branding, and infrastructure of a RaaS group (Chaos), MuddyWater aims to achieve "plausible deniability." This strategy complicates attribution for defenders and allows the Iranian state to conduct prepositioning and intelligence gathering under the guise of financial crime, reducing the risk of direct geopolitical retaliation.
## Mitigations
- **Phishing Defense:** Train employees specifically on the risks of external Microsoft Teams chat requests and interactive screen-sharing sessions with unknown "support" entities.
- **Access Control:** Implement strict Conditional Access policies for Microsoft Teams and external collaboration.
- **Tool Monitoring:** Monitor and potentially block unauthorized remote management tools like DWAgent or Microsoft Quick Assist within the enterprise environment.
- **MFA Security:** Move toward phishing-resistant MFA (e.g., FIDO2/WebAuthn) to negate the effectiveness of interactive screen-sharing credential theft.
- **Forensic Scrutiny:** Do not assume a ransomware infection is purely criminal; analyze "missing" TTPs (e.g., lack of encryption) as potential indicators of state-sponsored activity.
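The "Tool Monitoring" mitigation above, combined with the initial-access chain described under Tactics, Techniques & Procedures (external Teams chat, then screen-sharing, then a remote management tool), can be expressed as a correlation rule. The following is an added example written for this page, not code from the report or from any vendor; the event schema, binary names, file paths, approved-host list and sample events are all assumptions constructed for illustration.

```python
"""Constructed detection example: flag launches of remote-management tools named in
the report (DWAgent, Microsoft Quick Assist) on hosts not approved for them, and
escalate when the same user received an external Microsoft Teams chat shortly before.
Event field names, image paths and host names are assumptions, not report telemetry."""
from datetime import datetime, timedelta

# Image basenames assumed for the tools; real installs may use other names.
RMM_IMAGES = {"dwagent.exe": "DWAgent", "dwagsvc.exe": "DWAgent",
              "quickassist.exe": "Microsoft Quick Assist"}
APPROVED_HOSTS = {"DWAgent": {"SRV-IT"}}   # hosts allowed to run each tool (assumed)
CHAT_TO_RMM_WINDOW = timedelta(hours=2)    # how soon after an external chat is suspicious

def ts(s):
    return datetime.fromisoformat(s)

# Constructed sample events (Sysmon/Teams-audit style), not real log data.
EVENTS = [
    {"t": ts("2026-02-03T09:00:00"), "type": "teams_chat", "host": "WS-01", "user": "alice",
     "external": True, "sender": "helpdesk@ext-tenant.example"},
    {"t": ts("2026-02-03T09:40:00"), "type": "process_create", "host": "WS-01", "user": "alice",
     "image": r"C:\Users\alice\AppData\Local\Microsoft\WindowsApps\QuickAssist.exe"},
    {"t": ts("2026-02-03T10:15:00"), "type": "process_create", "host": "WS-01", "user": "alice",
     "image": r"C:\Program Files\DWAgent\native\dwagent.exe"},
    {"t": ts("2026-02-03T11:00:00"), "type": "process_create", "host": "WS-07", "user": "bob",
     "image": r"C:\Windows\System32\notepad.exe"},
    {"t": ts("2026-02-03T12:00:00"), "type": "process_create", "host": "SRV-IT", "user": "carol",
     "image": r"C:\Program Files\DWAgent\native\dwagent.exe"},
]

def detect_rmm(events):
    """Return (severity, tool, host, user) tuples for unapproved RMM launches.
    Severity is 'critical' when an external Teams chat to the same user preceded
    the launch within CHAT_TO_RMM_WINDOW, otherwise 'high'."""
    chats = [e for e in events if e["type"] == "teams_chat" and e.get("external")]
    alerts = []
    for e in events:
        if e["type"] != "process_create":
            continue
        tool = RMM_IMAGES.get(e["image"].rsplit("\\", 1)[-1].lower())
        if tool is None or e["host"] in APPROVED_HOSTS.get(tool, set()):
            continue
        preceded = any(c["user"] == e["user"]
                       and timedelta(0) <= e["t"] - c["t"] <= CHAT_TO_RMM_WINDOW
                       for c in chats)
        alerts.append(("critical" if preceded else "high", tool, e["host"], e["user"]))
    return alerts

if __name__ == "__main__":
    for alert in detect_rmm(EVENTS):
        print(alert)
```

The rule deliberately ignores the approved IT host so that legitimate DWAgent use does not generate noise, while the two launches on WS-01 are escalated because they follow an external chat to the same user.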