New findings reveal how Tehran-linked hackers disguise state espionage as ransomware attacks

Recent disclosures by cybersecurity researchers have exposed a sophisticated Iranian cyber-espionage campaign that demonstrates how Tehran continues to blend traditional intelligence operations with modern digital warfare. The operation, attributed to the Iranian advanced persistent threat (APT) group known as MuddyWater — also tracked as Mango Sandstorm and Seedworm — reveals a calculated strategy designed not for financial extortion, but for long-term surveillance, credential theft, and covert infiltration.

Security analysts say the group has attempted to disguise its activities behind the façade of a ransomware campaign operating under the name “Chaos.” Yet forensic investigations indicate that the true objective was never profit. Instead, the attacks appear carefully engineered to establish persistent intelligence access inside targeted organizations.

Cyber Espionage Hidden Behind Fake Ransomware

Digital forensic investigations conducted by incident response teams at Rapid7 concluded that the attackers deliberately used the Chaos ransomware label as a false-flag operation. The tactic appears intended to mislead defenders and cybersecurity teams into believing the incidents were ordinary criminal ransomware attacks rather than state-sponsored espionage.

Unlike conventional ransomware groups that prioritize encrypting files and demanding payment, the operators behind these attacks focused primarily on harvesting credentials, extracting sensitive information, and maintaining long-term access to compromised systems.

The campaign reportedly targeted organizations in the United States, the Middle East, and North Africa, regions that remain strategically important for Tehran’s intelligence and geopolitical ambitions.

This form of deception reflects a growing trend among state-backed cyber actors: masking espionage campaigns as financially motivated cybercrime in order to reduce political consequences and complicate attribution efforts.

Microsoft Teams Exploited as a Social Engineering Weapon

One of the most notable aspects of the operation was the use of Microsoft Teams as an entry point for infiltration. Rather than relying solely on malicious links or phishing emails, the attackers reportedly initiated unsolicited external chat requests through Teams to establish communication with victims.

Once contact was established, the attackers persuaded victims to participate in screen-sharing sessions, granting the hackers direct visual and operational access to internal systems.

Researchers described the manipulation of multi-factor authentication (MFA) procedures as particularly alarming. In several cases, victims were reportedly convinced to enter credentials into text files and even register attacker-controlled devices within their MFA settings.

The tactic demonstrates how human manipulation continues to bypass even advanced cybersecurity protections. While MFA is widely considered one of the strongest defenses against account compromise, it becomes ineffective when users themselves are socially engineered into authorizing malicious access.

Use of Legitimate Tools to Maintain Persistent Access

Following successful credential theft, the attackers deployed a combination of legitimate remote administration tools and custom malware to solidify their foothold inside compromised networks.

Investigators observed the use of widely available software such as DWAgent and AnyDesk to maintain remote access to domain controllers and other critical systems. By relying on legitimate software, the attackers reduced the likelihood of triggering security alarms.

The group also installed a custom backdoor disguised as Microsoft WebView2, a legitimate Microsoft component commonly present in enterprise environments. The malware reportedly enabled attackers to execute PowerShell commands, upload or delete files, and maintain flexible control over infected machines.

Although the malware employed AES-256-GCM encryption — a strong modern encryption standard — researchers noted that parts of the code still contained unencrypted text strings and other indicators of inconsistent development practices. This suggests that while the operation was strategically sophisticated, portions of the malware infrastructure may have been developed with uneven technical discipline.
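The two behaviours described above, an MFA method registered shortly after an unsolicited external Teams chat and a remote-administration tool started on a domain controller, can be turned into simple correlation rules. The following is an added example written for this article, not code from Rapid7 or the report; the event schema, field names, host names and timestamps are constructed for illustration and do not follow any real Microsoft log format.

```python
# Added example: two detection rules over a CONSTRUCTED, simplified event log.
# Field names ("ts", "user", "type", "host", "process") are assumptions, not a real schema.
from datetime import datetime, timedelta

# Constructed sample events covering the chain described in the article.
EVENTS = [
    {"ts": "2024-05-01T09:00:00", "user": "alice", "type": "teams_external_chat_accepted", "host": "WS01"},
    {"ts": "2024-05-01T09:12:00", "user": "alice", "type": "mfa_method_registered", "host": "WS01"},
    {"ts": "2024-05-01T09:40:00", "user": "alice", "type": "process_start", "host": "DC01", "process": "AnyDesk.exe"},
    {"ts": "2024-05-01T14:00:00", "user": "bob", "type": "mfa_method_registered", "host": "WS02"},   # no prior chat
    {"ts": "2024-05-02T10:00:00", "user": "carol", "type": "process_start", "host": "WS03", "process": "anydesk.exe"},  # not a DC
]

RMM_BINARIES = {"anydesk.exe", "dwagent.exe"}   # tools named in the article
DOMAIN_CONTROLLERS = {"DC01"}                     # hypothetical inventory of DC host names
WINDOW = timedelta(hours=1)                       # assumed correlation window


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def flag_mfa_after_external_chat(events, window=WINDOW):
    """Return (user, timestamp) pairs where a new MFA method was registered within
    `window` after the same user accepted an external Teams chat request."""
    chats_by_user = {}
    hits = []
    for e in sorted(events, key=_ts):
        if e["type"] == "teams_external_chat_accepted":
            chats_by_user.setdefault(e["user"], []).append(_ts(e))
        elif e["type"] == "mfa_method_registered":
            recent = chats_by_user.get(e["user"], [])
            if any(timedelta(0) <= _ts(e) - c <= window for c in recent):
                hits.append((e["user"], e["ts"]))
    return hits


def flag_rmm_on_domain_controller(events, rmm=RMM_BINARIES, dcs=DOMAIN_CONTROLLERS):
    """Return process-start events for known remote-admin tools on domain controllers."""
    return [e for e in events
            if e["type"] == "process_start"
            and e["host"] in dcs
            and e.get("process", "").lower() in rmm]


if __name__ == "__main__":
    print(flag_mfa_after_external_chat(EVENTS))
    print(flag_rmm_on_domain_controller(EVENTS))
```

Both rules are deliberately narrow: an MFA registration with no preceding external chat (bob) and an AnyDesk launch on an ordinary workstation (carol) are not flagged, which keeps the output focused on the sequence the article describes.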

Direct Links to Iran’s Intelligence Apparatus

Rapid7 researchers stated that evidence including code-signing certificates and command-and-control infrastructure strongly connects the campaign to MuddyWater, a hacking group widely believed to operate under the direction of Iran’s Ministry of Intelligence and Security (MOIS).

For years, MuddyWater has been associated with cyber espionage campaigns targeting governments, telecommunications providers, defense contractors, and critical infrastructure across multiple regions. The latest operation reinforces concerns that Iranian cyber units are increasingly prioritizing stealth, persistence, and psychological manipulation over overt disruption.

The campaign also illustrates the broader evolution of Iranian cyber strategy. Rather than relying solely on destructive attacks or visible ransomware operations, Tehran-linked actors are now investing heavily in covert infiltration techniques capable of delivering long-term intelligence advantages.

As geopolitical tensions continue to intensify across the Middle East and beyond, cybersecurity experts warn that state-backed cyber operations will likely become even more deceptive, blending espionage, criminal tactics, and social engineering into increasingly difficult-to-detect campaigns.