- Iranian APT MuddyWater impersonates IT staff via Microsoft Teams, tricking victims into granting remote access
- They deployed information stealers, modified multi-factor authentication, exfiltrated data, and staged a Chaos ransomware infection as a cover.
- The researchers concluded that the real motive was espionage, not profit, highlighting the convergence between state-sponsored intrusion activity and the tactics of criminal ransomware crews.
Iranian state-sponsored hackers carried out a cyberespionage campaign, then tried to confuse investigators with a ransomware infection, experts have warned.
An investigation by security firm Rapid7 into a recent attack has revealed how an unnamed victim was approached via Microsoft Teams by someone outside their organisation. The caller posed as an IT technician, discussed resolving a technical issue with the victim, and talked them into installing and running an AnyDesk remote-access session.
After gaining remote access, they deployed different malware and infostealer variants, harvesting credentials and modifying multi-factor authentication (MFA) settings, establishing persistence and exfiltrating sensitive information from the now-compromised endpoints.
MuddyWater behind the attacks
The final step was to deploy the Chaos ransomware encryptor. Chaos is a relatively new RaaS operation, first observed in 2025 and known for targeting large entities, its double extortion tactics, and its social engineering.
The majority of their victims are in the United States. The victim of this attack was even added to the Chaos data leak site, making it appear to be a ransomware attack.
Rapid7 was not convinced. After analysing the techniques, code-signing certificates, and other operational tooling, the researchers determined, with moderate confidence, that this was in fact the work of MuddyWater, a threat actor also tracked as Static Kitten, Mango Sandstorm, and Seedworm.
“The strategy highlights the convergence between state-sponsored intrusion activities and criminal commerce, where an important element lies in which techniques were deployed – and which were not. This strategy suggests that the primary objective was not financial gain,” Rapid7 said in its report.
MuddyWater is reportedly in the pay of the Iranian Ministry of Intelligence and Security (MOIS). The Iranian government has several hacker collectives carrying out its orders, which are mainly cyberespionage and data collection. These include CyberAv3ngers, APT35 (AKA Charming Kitten), and APT34 (AKA OilRig or Helix Kitten).
Via BleepingComputer