Hackers cloak spy campaign as ransom plot

Iran-linked hackers have used the appearance of a ransomware attack to conceal a targeted espionage operation, signalling a sharper convergence between state-backed intelligence activity and criminal cyber extortion.

The campaign, linked with moderate confidence to MuddyWater, an advanced persistent threat group associated with Iran’s Ministry of Intelligence and Security, unfolded in early 2026 and initially resembled an intrusion by the Chaos ransomware ecosystem. Investigators found no evidence that file-encrypting malware had been deployed. Instead, the attackers used social engineering, credential theft, lateral movement and data exfiltration before attempting to pressure the victim through ransom-style communications.

The operation highlights a growing challenge for corporate security teams: not every ransom demand is driven by financial crime. By adopting the language, infrastructure and pressure tactics of ransomware groups, state-linked operators can misdirect defenders, complicate attribution and buy time to preserve access inside compromised networks.

MuddyWater, also tracked as Seedworm, Mango Sandstorm, Static Kitten and TA450, has been active for years against government, telecommunications, defence, energy, aviation, finance and technology targets across the Middle East, Asia, Europe and North America. Its core mission has long centred on intelligence collection, but its latest activity shows greater willingness to borrow from the cybercrime playbook.

The attackers gained access by contacting employees through Microsoft Teams while posing as trusted IT personnel or business associates. Victims were persuaded to share screens, giving the intruders visibility into internal systems and documents. The hackers then guided users into actions that exposed credentials, including the creation of locally stored text files containing login details.

Once inside, the operators deployed legitimate remote access tools such as AnyDesk and DWAgent to maintain persistence. They used remote desktop sessions, carried out reconnaissance, accessed files linked to VPN configurations and expanded their reach across the environment. Data was later removed from the compromised network and the victim was contacted by email with claims of theft and threats of public exposure.

The ransom demand pointed the victim towards the Chaos leak site, where the organisation appeared as a named target. That listing was designed to reinforce the impression of a conventional ransomware incident. The absence of an encryptor, however, changed the assessment. The operation appeared less concerned with locking systems than with stealing information and disguising the purpose of the breach.

Security specialists view the incident as part of a wider shift in Iranian cyber activity, where espionage, disruption, information operations and financially motivated tactics increasingly overlap. The model gives state-linked actors plausible deniability while forcing victims to respond under the pressure of public leak threats. It also diverts attention from the more dangerous question of whether remote access tools, backdoors or stolen credentials remain active inside the network.

The tactic is not without precedent. Iran-linked groups have previously used ransomware-like methods in destructive campaigns, including attacks that appeared to seek payment but were assessed to be designed for disruption or political impact. Other groups tied to Tehran have collaborated with ransomware affiliates, sold access to compromised networks or used cybercriminal infrastructure to obscure their role.

That blurring carries legal and operational risks for victims. A payment made to what appears to be an ordinary criminal gang could create exposure if the recipient is later found to be linked to a sanctioned state-backed network. It also complicates incident response, because teams focused on negotiation and data-leak containment may miss persistence mechanisms placed for long-term surveillance.

The latest case also underscores the continued effectiveness of social engineering inside collaboration platforms. Microsoft Teams and similar workplace tools have become attractive channels for attackers because they carry an assumption of trust and urgency. Employees who might ignore suspicious email attachments may respond differently to a live message from someone posing as technical support.

MuddyWater’s use of commercially available remote management tools reflects another difficult problem for defenders. AnyDesk, DWAgent and similar platforms are widely used for legitimate administration, making malicious use harder to detect when controls are weak. The same tools can allow attackers to move quietly, avoid triggering malware defences and preserve access after initial compromise.
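One control that addresses the detection gap described above is to baseline which hosts are allowed to run each remote management tool and flag every launch outside that baseline. The following is an added example, not code from the article or from any vendor: it scans constructed process-creation events (Sysmon Event ID 1 style, simplified to JSON lines) for the tools the article names, and the executable names, host names and approved baseline are all assumptions.

```python
import json
import ntpath

# Executable names for the tools named in the article (assumed typical binary names).
RMM_BINARIES = {
    "anydesk.exe": "AnyDesk",
    "dwagent.exe": "DWAgent",
    "dwagsvc.exe": "DWAgent",
}

# Hosts on which each tool is sanctioned (constructed baseline; in practice this
# would come from the asset inventory or the RMM deployment record).
APPROVED_HOSTS = {
    "AnyDesk": {"it-admin-01"},
    "DWAgent": set(),
}

# Constructed process-creation events, one JSON object per line.
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"host": "it-admin-01", "user": "CORP\\admin1", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\AnyDesk\AnyDesk.exe"},
    {"host": "fin-ws-17", "user": "CORP\\jdoe", "parent": r"C:\Users\jdoe\AppData\Local\Microsoft\Teams\current\Teams.exe",
     "image": r"C:\Users\jdoe\AppData\Local\AnyDesk\AnyDesk.exe"},
    {"host": "fin-ws-17", "user": "CORP\\jdoe", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Users\jdoe\Downloads\dwagent.exe"},
    {"host": "fin-ws-17", "user": "CORP\\jdoe", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe"},
])


def classify(event):
    """Return a finding dict for an unsanctioned RMM launch, or None if the event is benign."""
    tool = RMM_BINARIES.get(ntpath.basename(event["image"]).lower())
    if tool is None:
        return None  # not a remote management tool we track
    reasons = []
    if event["host"] not in APPROVED_HOSTS.get(tool, set()):
        reasons.append("host not in approved baseline for " + tool)
    if "\\users\\" in event["image"].lower():
        reasons.append("binary runs from a user profile rather than an installed location")
    if not reasons:
        return None  # sanctioned host, sanctioned install path
    return {"host": event["host"], "user": event["user"], "tool": tool,
            "parent": ntpath.basename(event["parent"]), "reasons": reasons}


def scan(jsonl):
    """Parse JSON-lines events and collect findings in input order."""
    events = (json.loads(line) for line in jsonl.splitlines() if line.strip())
    return [f for f in map(classify, events) if f is not None]
```

Running `scan(SAMPLE_EVENTS)` yields two findings, both on the workstation where AnyDesk and DWAgent were started from the user's profile; the sanctioned AnyDesk launch on the admin host is not reported.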