TTPwire Vol. 1 · MITRE ATT&CK·Tagged


The Hacker News

MuddyWater Uses Microsoft Teams to Steal Credentials in False Flag Ransomware Attack

The Hacker News · 10 hours ago

ATT&CK techniques detected

13 predictions
T1486 Data Encrypted for Impact
99%
“growing convergence of state-sponsored intrusion activity and cybercriminal tradecraft to obscure attribution and delay appropriate defensive response." The use of a RaaS framework in this context may enable the actor to blur distinctions between state-sponsored activity and…”
T1486 Data Encrypted for Impact
98%
“persistence via remote management tools like DWAgent." The findings indicate that MuddyWater is attempting to muddy attribution efforts by increasingly relying on off-the-shelf tools available in the cybercrime underground to conduct its attacks. This shift has also been doc…”
T1003.002 Security Account Manager
60%
“SAM and SYSTEM registry hives." An open directory on 172.86.76[.]127, a RouterHosting VPS in the United Arab Emirates, surfaced an active intrusion campaign against the Omani government, with the toolkit, C2 code, session logs, and exfiltrated data all sitting in plain sigh…”
T1588.001 Malware
54%
“persistence via remote management tools like DWAgent." The findings indicate that MuddyWater is attempting to muddy attribution efforts by increasingly relying on off-the-shelf tools available in the cybercrime underground to conduct its attacks. This shift has also been doc…”
T1657 Financial Theft
50%
“MuddyWater Uses Microsoft Teams to Steal Credentials in False Flag Ransomware Attack. The Iranian state-sponsored hacking group known as MuddyWater (aka Mango Sandstorm, Seedworm, and Static Kitten) has been attributed to a ransomware attack in what has been described as a "f…”
T1586.002 Email Accounts
49%
“was that the attackers were likely Iranian-affiliated operators working through the cyber criminal ecosystem, using a criminal ransomware brand and methods associated with the broader extortion market, while serving a strategic Iranian objective," Check Point noted back in Mar…”
T1219 Remote Access Tools
49%
“files related to the victim's VPN configuration, and instructed users to enter their credentials into locally created text files," Rapid7 explained. "In at least one instance, the TA also deployed a remote management tool (AnyDesk) to further facilitate access." The threat…”
T1486 Data Encrypted for Impact
49%
“MuddyWater Uses Microsoft Teams to Steal Credentials in False Flag Ransomware Attack. The Iranian state-sponsored hacking group known as MuddyWater (aka Mango Sandstorm, Seedworm, and Static Kitten) has been attributed to a ransomware attack in what has been described as a "f…”
T1071.001 Web Protocols
46%
“) that masquerades as a legitimate Microsoft WebView2 application. It's a trojanized version of the official Microsoft WebView2APISample project. - WebView2Loader.dll, a legitimate DLL downloaded by ms_upd.exe. It's required by Microsoft Edge WebView2 to embed web content…”
T1080 Taint Shared Content
38%
“growing convergence of state-sponsored intrusion activity and cybercriminal tradecraft to obscure attribution and delay appropriate defensive response." The use of a RaaS framework in this context may enable the actor to blur distinctions between state-sponsored activity and…”
T1204.002 Malicious File
37%
“files related to the victim's VPN configuration, and instructed users to enter their credentials into locally created text files," Rapid7 explained. "In at least one instance, the TA also deployed a remote management tool (AnyDesk) to further facilitate access." The threat…”
T1219 Remote Access Tools
31%
“persistence via remote management tools like DWAgent." The findings indicate that MuddyWater is attempting to muddy attribution efforts by increasingly relying on off-the-shelf tools available in the cybercrime underground to conduct its attacks. This shift has also been doc…”
T1585.002 Email Accounts
31%
“was that the attackers were likely Iranian-affiliated operators working through the cyber criminal ecosystem, using a criminal ransomware brand and methods associated with the broader extortion market, while serving a strategic Iranian objective," Check Point noted back in Mar…”

Summary

The Iranian state-sponsored hacking group known as MuddyWater (aka Mango Sandstorm, Seedworm, and Static Kitten) has been attributed to a ransomware attack in what has been described as a "false flag" operation. The attack, observed by Rapid7 in early 2026, has been found to leverage social engineering techniques via Microsoft Teams to initiate the infection sequence. Although the incident