False Flag Operations: How MuddyWater Leveraged Chaos Ransomware for Stealthy Espionage
In a sophisticated display of digital deception, Iranian state-sponsored threat actors—widely identified as MuddyWater (Seedworm)—have been observed utilizing the Chaos ransomware brand as a tactical “false flag.”
Rather than pursuing the typical financial windfall associated with ransomware, these actors leveraged the chaos of a simulated extortion event to conduct high-stakes espionage. This calculated maneuver was designed to mislead incident responders into treating a targeted intelligence operation as a routine “big-game hunting” ransomware attack.
Recent investigations by Rapid7 researchers, uncovered in early 2026, reveal that this intrusion was a highly disciplined attempt to mask state-sponsored objectives behind the noise of cybercrime. Chaos, a Ransomware-as-a-Service (RaaS) model that emerged in early 2025, is typically associated with former members of the BlackSuit and Royal ransomware groups. While Chaos is known for demanding ransoms upwards of $300,000, this specific campaign prioritized long-term persistence over immediate encryption.
The Human Element: Exploiting Microsoft Teams as a Vector
The attack lifecycle began not with a technical exploit, but through highly effective social engineering via Microsoft Teams. Attackers utilized external chat requests to initiate contact with employees, adopting a deceptive “IT Support” persona. By escalating the conversation to screen-sharing sessions, the threat actors gained real-time visibility into the victims’ workstations.
During these sessions, attackers employed psychological manipulation to guide users through several critical security breaches:
- Credential Harvesting: Victims were coerced into typing plain-text credentials into local files (e.g.,
credentials.txt). - MFA Manipulation: Attackers directed users to register attacker-controlled devices within their Multi-Factor Authentication (MFA) configurations, effectively bypassing future identity protections.
- Phishing Proxies: A deceptive phishing domain,
hxxps[://]adm-pulse[.]com/verify.php, was used to mimic the Microsoft Quick Assist interface to capture additional login data.

Once inside, the actors moved laterally with surgical precision. They successfully compromised Domain Controllers and established persistent access using legitimate remote management tools, including AnyDesk and DWAgent. Notably, they deliberately avoided triggering the encryption phase of the Chaos ransomware, a behavior that serves as a primary indicator of a non-financial motive.
Deep Dive: The Game.exe RAT and Malware Chain
The technical sophistication of the intrusion is best exemplified by its multi-stage malware deployment. The chain begins with a downloader, ms_upd.exe, which is pulled via curl from a remote IP address. This dropper facilitates the retrieval of three distinct components:
- WebView2Loader.dll: A legitimate Microsoft library used to blend into standard system processes.
- Game.exe: A custom-built Remote Access Trojan (RAT) that masquerades as a Microsoft WebView2 application.
- visualwincomp.txt: An encrypted configuration file used to dictate C2 instructions.
Game.exe is a highly resilient piece of malware. It incorporates advanced evasion techniques, including sandbox and VM detection, XOR-encoded strings to hinder static analysis, and dynamic API resolution to evade EDR (Endpoint Detection and Response) signatures. The RAT provides the attackers with 12 distinct commands, allowing for arbitrary command execution, file exfiltration, and interactive control of PowerShell or cmd.exe shells via the C2 server uploadfiler[.]com.

Attribution: Connecting the Dots to MuddyWater
Identifying the true actor required looking past the “Chaos” branding. Several forensic “smoking guns” pointed directly to MuddyWater:
- Code-Signing Artifacts: The presence of a certificate under the name “Donald Gay,” a known shared resource in MuddyWater’s toolkit previously linked to “Operation Olalampo.”
- C2 Infrastructure: The domain
moonzonet[.]com, used by the initial downloader, has been previously documented in MuddyWater operations. - Tactical Patterns: The use of
pythonw.exefor code injection and the “IT Support” social engineering persona are hallmark behaviors of this APT group.
Rapid7’s assessment concludes that the ransomware components were essentially a smoke screen. By generating extortion emails and listing data on leak sites, the attackers ensured that security teams would focus on data recovery and ransom negotiations, while the actual espionage—facilitated through persistent remote access—continued undetected.
Defensive Recommendations
To mitigate the risk of similar state-sponsored false flag operations, organizations should adopt the following defensive postures:
- Zero Trust Communication: Implement strict policies regarding external users in Microsoft Teams. Treat any request for screen sharing or credential input from an external entity as a high-severity incident.
- MFA Integrity Monitoring: Set up real-time alerts for any changes to MFA device configurations, especially those performed by non-administrative accounts.
- Behavioral Analytics: Monitor for the “living off the land” deployment of remote management tools like AnyDesk or DWAgent, and audit RDP traffic moving toward critical infrastructure like Domain Controllers.
- Holistic Investigation: When a ransomware event occurs, do not assume the scope is limited to encryption. Investigating the full intrusion lifecycle is essential to determine if the attack is a mask for deeper espionage.