
The "Ransomware" That Was Actually Iranian Spies
Picture this: someone at your company gets a Teams message from what looks like internal IT. They hop on a quick screen-share to "fix something." A few hours later, ransomware fires off across the network. Big mess, big incident, classic ransomware playbook.
Except… it wasn't ransomware.
That's the gist of a new Rapid7 report on MuddyWater, an Iranian state-sponsored hacking crew also known as Mango Sandstorm, Seedworm, and Static Kitten. (Yes, the names are absurd. APT naming is its own little art form.) Rapid7 caught them earlier this year running an operation that looked like a run-of-the-mill ransomware hit using the Chaos malware family. Underneath it, though, was a targeted espionage campaign.
The ransomware was a costume.
This is what the security world calls a false-flag operation: dressing up your attack to look like someone else's, so investigators chase the wrong ghost. MuddyWater appears to have used Chaos specifically to make incident responders go, "ah, opportunistic ransomware, we know this script," while the actual goal of stealing data and keeping quiet access kept rolling underneath.
How they got in
It started on Microsoft Teams.
The attackers messaged employees directly, started chatting, asked to screen-share. Once the screen-share was up, they walked targets through "fixes" that were really credential harvesting in disguise. Sometimes they pointed people at fake Microsoft Quick Assist pages. In other cases, they convinced victims to type their passwords into a local text file "for verification." Once they had credentials, they manipulated MFA settings to plant a backdoor, and in some cases dropped AnyDesk for remote access.
No exotic exploits. No zero-days. Just confidence, a chat window, and a target who didn't think to question why "IT" was reaching out on Teams unprompted.
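For readers who do run a SOC, here is a small added detection idea that is not from the Rapid7 report or any vendor: it chains two of the signals described above, a new MFA method registered for a user and AnyDesk starting on that user's host shortly afterwards, so that either weak signal alone stays quiet but the pair gets flagged. The event names, field layout and sample events are constructed for this example, not any product's real log schema.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry). Field names are assumptions.
EVENTS = [
    {"ts": "2025-01-10T09:02:00", "user": "alice", "type": "mfa_method_added", "detail": "Authenticator app"},
    {"ts": "2025-01-10T09:41:00", "user": "alice", "type": "process_start", "detail": "AnyDesk.exe"},
    {"ts": "2025-01-10T10:15:00", "user": "bob", "type": "mfa_method_added", "detail": "Phone"},
    {"ts": "2025-01-12T08:00:00", "user": "bob", "type": "process_start", "detail": "AnyDesk.exe"},
    {"ts": "2025-01-10T11:00:00", "user": "carol", "type": "process_start", "detail": "AnyDesk.exe"},
]

# Remote-access tools worth correlating; the page names AnyDesk, so only that is listed.
REMOTE_TOOLS = {"anydesk.exe"}


def find_mfa_then_remote_tool(events, window=timedelta(hours=2)):
    """Return (user, mfa_ts, tool_ts) triples where a remote-access tool started
    on a user's host within `window` after that same user added an MFA method.

    Alice matches (39 minutes apart); Bob does not (two days apart); Carol has
    no MFA change at all, so AnyDesk alone is not enough to alert."""
    parsed = sorted(
        ({**e, "ts": datetime.fromisoformat(e["ts"])} for e in events),
        key=lambda e: e["ts"],
    )
    mfa_by_user = {}   # user -> list of timestamps when an MFA method was added
    hits = []
    for e in parsed:
        if e["type"] == "mfa_method_added":
            mfa_by_user.setdefault(e["user"], []).append(e["ts"])
        elif e["type"] == "process_start" and e["detail"].lower() in REMOTE_TOOLS:
            for mfa_ts in mfa_by_user.get(e["user"], []):
                # Only count the tool start if it follows the MFA change within the window
                if timedelta(0) <= e["ts"] - mfa_ts <= window:
                    hits.append((e["user"], mfa_ts.isoformat(), e["ts"].isoformat()))
    return hits


if __name__ == "__main__":
    for user, mfa_ts, tool_ts in find_mfa_then_remote_tool(EVENTS):
        print(f"review {user}: MFA method added {mfa_ts}, remote tool started {tool_ts}")
```

The two-hour window is a starting point to tune against your own baseline, since legitimate IT rollouts can also register MFA methods and install remote tools on the same day.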
The attribution piece is its own little story. Researchers tied this campaign to MuddyWater partly through a code-signing certificate registered to "Donald Gay", the same cert previously used to sign other MuddyWater tooling, including a downloader called Fakeset. Reusing infrastructure across operations is one of those mistakes that makes attribution possible, and for once it was the pros who made it.
What to take away if you don't run a SOC for a living
Anyone messaging you on Teams with urgency about your account, especially asking to screen-share or read out a code, is suspect by default, even if their name and avatar look right. Verify out of band: a Slack ping, a quick phone call, a walk to their desk.
The whole attack here works because Teams feels like a closed, trusted environment. It isn't.
And if you ever find yourself being walked through "fixing" your account by someone you've never met, who suddenly wants you to type your password somewhere odd?
That's the whole movie right there.
🔑 Key Terms
- APT (Advanced Persistent Threat) — a sustained, targeted hacking operation, usually run by nation-states or well-funded crews. They aim to stay hidden long-term, not smash-and-grab.
- MuddyWater — Iranian state-sponsored hacking group. Also tracked as Mango Sandstorm, Seedworm, and Static Kitten depending on which security vendor named them.
- Social engineering — manipulating a person (rather than hacking software) into giving up access. The Teams chat trick here is textbook social engineering.
- MFA (Multi-Factor Authentication) — a second login factor beyond a password (a code, a tap on your phone, a hardware key).
- False flag — making your attack look like someone else's so investigators chase the wrong attacker.
- Chaos — a public ransomware family used in this attack as cover for the real espionage goal.
- Quick Assist — a built-in Microsoft remote-help tool. Attackers like to fake it because the real one is genuinely used by IT.
- AnyDesk — legitimate remote-access software often abused by attackers for hands-on-keyboard persistence after they get in.
- Code-signing certificate — a cryptographic signature attached to software to prove who published it. When attackers reuse the same cert across campaigns, it can give them away.
📚 Sources
- The Hacker News — MuddyWater Uses Microsoft Teams to Steal Credentials in False Flag Ransomware Attack
- Rapid7 — Muddying the Tracks: The State-Sponsored Shadow Behind Chaos Ransomware
- BleepingComputer — MuddyWater hackers use Chaos ransomware as a decoy in attacks
- SecurityWeek — Iranian APT Intrusion Masquerades as Chaos Ransomware Attack