The attackers left a ransom demand. But the real objective was espionage by suspected Iranian state actors.
On Wednesday, researchers at Rapid7 detailed the malicious social engineering campaign, which combined Microsoft Teams, a custom “Game.exe” Remote Access Trojan (RAT) and voice-based phishing (vishing) calls impersonating IT support.
While the attack appeared to be executed by the Ransomware as a Service (RaaS) threat group Chaos, Rapid7 said the likely adversary was MuddyWater, an Iranian advanced persistent threat group with close ties to the country’s Ministry of Intelligence and Security.
“Chaos relies heavily on social engineering and remote access abuse to gain initial access,” Rapid7 researchers wrote. But technical artifacts, including a specific code-signing certificate and Command-and-Control infrastructure, pointed to MuddyWater as the true threat group behind the campaign.
The campaign bombarded victims with spam emails and “floods” of voice phishing calls impersonating IT support staff, pressuring them into granting remote access through legitimate software tools. MuddyWater’s goal was to use the Chaos group’s hallmark attack techniques to plant the RAT on targeted systems.
“The observed use of Chaos ransomware does not indicate a shift in the group’s underlying objectives,” Rapid7 wrote, “but rather reflects a consistent effort to obscure operational intent and complicate attribution.”
Chaos is a newer big-game hunting and double-extortion crew. According to Rapid7’s analysis, Chaos has claimed 36 victims as of late March 2026 – predominantly in the U.S. and with a focus on the construction, manufacturing and business sectors.
According to Rapid7, MuddyWater’s campaign tactics, techniques, and procedures mirrored those of Chaos. The attackers used Microsoft Teams chats and remote-access sessions to engage victims, harvest credentials and manipulate multifactor authentication. Once inside, they deployed remote access tools including AnyDesk and DWAgent and focused on persistence and data collection rather than executing a ransomware payload that would encrypt the targeted systems.
The operation, researchers said, fits a broader pattern of attribution evasion by state-sponsored threat groups.
“While attribution evasion is a common characteristic of state-affiliated actors,” the researchers wrote, “MuddyWater’s reported increase in operational activity as of early 2026 … has likely intensified its reliance on deceptive false-flag operations.”
Rapid7 said what initially looked like a typical Chaos campaign tipped it off when the RaaS playbook did not unfold like an ordinary ransomware attack. There was no race to encrypt systems and no obvious attempt to cripple operations first. Instead, the attackers worked the human layer: Microsoft Teams chats, screen sharing, credential harvesting and multifactor authentication manipulation.
Traditional ransomware operators generally want leverage fast: encrypt systems, steal data, post a victim on a leak site and force the business into a payment decision.
Rapid7 said in the campaign it examined the attackers sent extortion messages that used Chaos branding. But on closer inspection, the technical activity looked more like espionage than a smash-and-grab ransomware job.
The cunning of the attack lay in triggering the victim’s ransomware response. Legal calls begin. Encryption checks start. Executives want exposure numbers. Communications teams prepare notifications. All the while the victim believes it is negotiating with a ransomware gang, the attackers are already sitting quietly inside the network.
A ransom demand without encryption should trigger more hunting, not less, researchers noted.
Investigators should look for remote management tooling, persistence mechanisms, newly created accounts, MFA manipulation, cloud-session abuse, data staging activity and command-and-control infrastructure that may survive long after the extortion email arrives.
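The hunt list above, turned into a small triage routine as an added example for this article (not Rapid7’s tooling): it walks a constructed endpoint and identity event stream, flags the remote-management tools and RAT binary named in the campaign, new accounts and MFA changes, and separately tests for the “ransom note but no encryption” condition that should widen the investigation. The event schema and the sample records are constructed assumptions.

```python
"""Post-extortion hunt over a constructed event stream (example code, not
Rapid7's). Event fields and sample records are made up for illustration."""
from dataclasses import dataclass
from typing import Iterable

# Remote-access tools named in the campaign plus the custom RAT binary.
REMOTE_TOOLS = {"anydesk.exe", "dwagent.exe", "game.exe"}


@dataclass
class Event:
    ts: str       # ISO-8601 timestamp (constructed)
    host: str     # endpoint, domain controller or identity provider
    kind: str     # "process", "account_created", "mfa_changed", "encryption"
    detail: str   # process image path, account name or MFA change note


@dataclass
class Finding:
    ts: str
    host: str
    reason: str


def hunt(events: Iterable[Event]) -> list[Finding]:
    """Return the artefacts the article says survive the extortion email."""
    findings: list[Finding] = []
    for ev in events:
        if ev.kind == "process":
            image = ev.detail.lower().rsplit("\\", 1)[-1]  # basename of the path
            if image in REMOTE_TOOLS:
                findings.append(Finding(ev.ts, ev.host, f"remote access tool: {image}"))
        elif ev.kind == "account_created":
            findings.append(Finding(ev.ts, ev.host, f"new account: {ev.detail}"))
        elif ev.kind == "mfa_changed":
            findings.append(Finding(ev.ts, ev.host, f"MFA change: {ev.detail}"))
    return findings


def extortion_without_encryption(events: Iterable[Event], ransom_note_seen: bool) -> bool:
    """True when a ransom demand arrived but no encryption activity was logged:
    the mismatch that should trigger more hunting, not less."""
    return ransom_note_seen and not any(ev.kind == "encryption" for ev in events)


SAMPLE_EVENTS = [  # constructed records, not from the reported campaign
    Event("2026-03-20T09:02:00Z", "ws-14", "process", r"C:\Users\jdoe\Downloads\AnyDesk.exe"),
    Event("2026-03-20T09:15:00Z", "ws-14", "process", r"C:\Windows\System32\notepad.exe"),
    Event("2026-03-20T09:40:00Z", "dc-01", "account_created", "svc_helpdesk2"),
    Event("2026-03-20T10:05:00Z", "idp", "mfa_changed", "jdoe: new authenticator device"),
    Event("2026-03-21T18:30:00Z", "ws-14", "process", r"C:\ProgramData\Game.exe"),
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f.ts, f.host, f.reason)
    print("ransom note without encryption:", extortion_without_encryption(SAMPLE_EVENTS, True))
```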
Rapid7’s findings also line up with broader reporting on MuddyWater’s evolution. Trellix’s 2026 assessment of Iranian cyber operations described the group as moving beyond commodity malware toward custom implants, more disciplined infrastructure and broader targeting across government, telecom, energy, defense, maritime, diplomacy, higher education and fintech.
The targeting footprint has expanded as well. Trellix said recent activity stretched beyond traditional Middle Eastern operations into Israel, Egypt, Turkey, Azerbaijan, Jordan, Malaysia and European organizations.
Rapid7 also noted that “attribution evasion is a common characteristic of state-affiliated actors,” particularly as Iranian operations have increased their operational tempo in 2026.
Researchers point out the obvious: state-linked groups increasingly understand how predictable ransomware response has become. Panic buys time and confusion muddies attribution. A noisy extortion demand can keep defenders focused on recovery while a silent intruder quietly exfiltrates data in the background.
In this case, the ransom note may have been the loudest signal, just not the most important one.

Shaun Nichols is an IT news journalist. He has spent nearly 20 years covering the industry with a specialty in the cybersecurity