A threat group linked to Iranian intelligence has been running a months-long false-flag operation to hack organizations in the U.S. and other countries under the guise of a criminal ransomware group, according to a report released Wednesday by researchers at Rapid7.
The state-sponsored threat group, tracked as MuddyWater, operated a social engineering campaign beginning in early 2026 that abused Microsoft Teams to harvest credentials and bypass multifactor authentication.
The attacks were made to look as if they were the work of Chaos, a ransomware-as-a-service group that has been active since 2025. Researchers said the false flag creates ambiguity that could affect how security teams investigate an intrusion.
“If an operation looks like ransomware, defenders may initially treat it as financially motivated cybercrime rather than a state-linked operation,” Christiaan Beek, vice president of cyber intelligence at Rapid7, told Cybersecurity Dive. “That can slow attribution, complicate response, and give the actor plausible deniability.”
The Chaos group emerged after an international law enforcement operation, called Operation Checkmate, took down the infrastructure behind BlackSuit ransomware group. According to the Justice Department, BlackSuit, also known as Royal, was linked to about 450 attacks since 2022, with extortion proceeds of more than $370 million.
Chaos ransomware has used voice phishing and IT impersonation to initiate attacks, and the group advertises its RaaS services on underground forums, according to Rapid7. As of March, the group had claimed 36 victims, mostly in construction, manufacturing and business services, with the majority of attacks in the U.S.
The recent MuddyWater attacks appear to be aimed at organizations of strategic value to Iran, including some government targets, according to Rapid7.
The social engineering attacks by MuddyWater used Microsoft Teams to reach employees at a targeted organization with chat requests. The hackers then launched screen-sharing sessions with the victims, who were told to enter their credentials into a locally created text file. The hackers used those credentials to bypass multifactor authentication.
A remote access tool called DWAgent was used to gain persistence before malware was deployed. A custom remote access Trojan called Game.exe was also found.
Threat groups have engaged in similar diversionary tactics in the past. Researchers said that despite the deceptive effort to present the attacks as Chaos ransomware, the recent attacks carry a digital signature affiliated with Iran’s Ministry of Intelligence and Security.
Beyond the attacks against U.S. targets, telemetry shows targeting in other regions, including the Middle East and South Asia. Specific attacks were identified against targets in Jordan and Australia.
