Article excerpts shown by the tagging tool (each excerpt is listed once here; the tool repeated them for every technique suggestion):

Excerpt A: “the Chaos ransomware site, where the organization was indeed listed as a ‘new victim.’ However, when the supposed ransom ‘note’ could not be located, the threat actors released the stolen data publicly, revealing that the true objective was data theft, not financial gain. Rap…”

Excerpt B: “corporate desktops and systems. Once connected, the hackers executed reconnaissance commands, accessed files related to VPN configurations, and tricked employees into writing their credentials into locally saved text files. In at least one case, they installed the AnyDesk remote …”

Excerpt C: “a strategic shift toward ransomware operations, but rather an evolution in deception and misdirection techniques designed to complicate attribution and response. By masquerading as a financially motivated actor, the Iranian APT hoped to divert attention and prolong access to comp…”

Excerpt D: “theft — consistent with MuddyWater’s long-standing intelligence-gathering profile. ‘In early 2026, a sophisticated intrusion initially appearing to be a standard Chaos ransomware attack was assessed to be consistent with a targeted state-sponsored operation. While the th…”

Excerpt E: “delaying the identification of underlying persistence mechanisms established via remote access tools such as DWAgent or AnyDesk.’ The first MuddyWater campaign was observed in late 2017, when the APT group targeted entities in the Middle East. Experts named the campaign ‘MuddyW…”

Excerpt F: “spear-phishing attacks against academics, NGOs, and government entities to gather intelligence. Another group, MarshTreader, scanned vulnerable cameras in Israel for reconnaissance during regional tensions. In March, the Iran-linked APT targeted U.S. organizations, deploying…”

Excerpt G: “supplier to the defense and aerospace sectors with operations in Israel. The previously unknown backdoor DinDoor relies on the Deno runtime to execute JavaScript and TypeScript code and was signed with a certificate issued to ‘Amy Cherne.’ The researchers also observed an attem…”

Suggested MITRE ATT&CK technique tags, in the tool's order (descending confidence score), with the excerpt each suggestion was made for:

(technique and score cut off before the start of the page): Excerpt A
T1078 Valid Accounts (83%): Excerpt B
T1219 Remote Access Tools (82%): Excerpt B
T1486 Data Encrypted for Impact (81%): Excerpt C
T1566.004 Spearphishing Voice (81%): Excerpt D
T1657 Financial Theft (73%): Excerpt A
T1219 Remote Access Tools (73%): Excerpt E
T1566.004 Spearphishing Voice (63%): Excerpt B
T1078 Valid Accounts (62%): Excerpt D
T1486 Data Encrypted for Impact (52%): Excerpt B
T1598 Phishing for Information (52%): Excerpt F
T1585.002 Email Accounts (51%): Excerpt C
T1657 Financial Theft (46%): Excerpt C
T1195.001 Compromise Software Dependencies and Development Tools (40%): Excerpt G
T1491.001 Internal Defacement (37%): Excerpt A
T1598.004 Spearphishing Voice (34%): Excerpt D
T1593 Search Open Websites/Domains (33%): Excerpt F
T1588.003 Code Signing Certificates (32%): Excerpt G
Summary
Iran-linked APT MuddyWater used ransomware-style tactics to mask espionage, combining phishing, credential theft, data exfiltration, and extortion without encryption. A newly discovered cyber intrusion attributed to the Iran-linked APT MuddyWater (aka SeedWorm, TEMP.Zagros, Mango Sandstorm, TA450, and Static Kitten) reveals how state-sponsored attackers are increasingly leveraging ransomware tactics to disguise espionage operations. The campaign, uncovered by security researchers at Rapid7, blended […]