
MuddyWater’s Teams Trick: Chaos Ransomware as a False Flag for Espionage


Rapid7 published incident response findings this week on a sophisticated intrusion that initially presented as a routine Chaos ransomware affiliate operation. It was not. The attacker, assessed with moderate confidence as MuddyWater, an APT group affiliated with Iran’s Ministry of Intelligence and Security (MOIS), used Chaos ransomware branding as deliberate misdirection while the actual operation focused on credential theft, data exfiltration, and long-term persistent access.

This is a false flag operation, and it changes the attribution calculus for any "ransomware" incident involving Microsoft Teams-based social engineering.

The attack chain

The intrusion began with unsolicited external chat requests sent to employees via Microsoft Teams. The attackers posed as IT help-desk staff. Once a target engaged, the attacker initiated an interactive screen-sharing session.

During the screen-sharing session, the attacker coached victims to type their credentials into a locally created text file, visible to the attacker in real time. The attacker then guided victims through adding attacker-controlled devices to their MFA configurations. This is not a technical MFA bypass. It is social engineering that eliminates MFA as a protective control entirely by convincing the user to register the attacker’s device as a trusted factor.

Once the attacker had legitimate session access via the stolen credentials and registered MFA device, they conducted initial discovery using commands typed interactively through compromised user sessions. They then deployed DWAgent, a legitimate remote management tool, to establish persistent access under the cover of a legitimate process. The file encryption phase of a typical ransomware deployment never happened. Chaos ransomware artifacts were present, but the operational objective was exfiltration and dwell time, not payment.

The false flag

The Chaos ransomware brand was chosen deliberately. A Chaos affiliate-branded intrusion triggers an incident response process focused on recovering from encryption and identifying the affiliate cluster, not on investigating long-term network access by a state actor. Incident responders looking for a financially motivated RaaS crew are not running the same playbook as responders investigating an espionage operation.

Rapid7 pierced the false flag through forensic analysis of technical artifacts: a specific code-signing certificate and C2 infrastructure that overlap with known MuddyWater infrastructure. The attribution confidence is moderate, meaning the overlaps are consistent with MuddyWater but are not definitively unique to that actor. That qualifier matters. Carry it in any downstream reporting.

As of Rapid7’s writeup, Chaos has claimed 36 victims on its data leak site year to date, most located in the US. The question of how many of those claims represent genuine Chaos affiliate operations versus state-sponsored false-flag operations is now open.

What MuddyWater wants

MuddyWater is an operational cluster attributed to Iran’s Ministry of Intelligence and Security. Their documented objectives are cyber espionage, intelligence collection, and pre-positioning for potential disruptive operations across Western and Middle Eastern networks. They are not financially motivated. The use of a ransomware brand as cover is consistent with their known 2025-2026 operational shift toward operations that obscure attribution and complicate response.

The operational value of a false flag ransomware play is time. Every hour that incident responders spend investigating a ransomware scenario is an hour MuddyWater maintains dwell time. The attacker does not need to encrypt files to extract value from the operation. The value is the data exfiltrated before the incident is discovered and the persistent access that survives the "ransomware response."

What to do

Three immediate actions for any organization that uses Microsoft Teams with external messaging enabled:

First, audit your Teams external access settings now. If your organization does not have a documented operational requirement for external Teams message requests from arbitrary accounts, disable the feature. The attack chain starts with an unsolicited external chat request. Eliminating that initial access point removes the attack surface entirely.
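The audit described above, as an added example that is not part of Rapid7’s writeup or this post’s original content. It assumes the MicrosoftTeams PowerShell module is installed, a Teams Administrator account, and the cmdlet and property names (`Get-CsTenantFederationConfiguration`, `Get-CsExternalAccessPolicy`, `AllowTeamsConsumer`, `EnableTeamsConsumerInbound`, etc.) as I know them from that module; verify them against your module version before relying on the output.

```powershell
# Added example: report the Teams external-access paths that let an
# unsolicited external chat request reach your users (the first step of the
# attack chain). Assumes: Install-Module MicrosoftTeams has been run and the
# account has Teams Administrator rights.
Connect-MicrosoftTeams | Out-Null

$findings = @()

# Tenant-wide federation settings: which outside accounts may start a chat.
$fed = Get-CsTenantFederationConfiguration

# Personal (consumer) Teams accounts are the cheapest identity for an attacker
# to pose as "IT help desk" from; inbound consumer chat is the risky direction.
if ($fed.AllowTeamsConsumer -and $fed.AllowTeamsConsumerInbound) {
    $findings += "Tenant: personal Teams accounts may initiate chats with your users"
}

# Federation with other Microsoft 365 tenants. An empty or 'allow all known
# domains' allow-list means any tenant an attacker controls can message you.
if ($fed.AllowFederatedUsers) {
    $findings += "Tenant: federation with other M365 tenants is enabled; allowed domains: $($fed.AllowedDomains)"
}

# Per-user external access policies can re-open what the tenant disables,
# so check every policy, not just the global one.
foreach ($pol in Get-CsExternalAccessPolicy) {
    if ($pol.EnableTeamsConsumerAccess -or $pol.EnableTeamsConsumerInbound) {
        $findings += "Policy '$($pol.Identity)': consumer Teams access enabled"
    }
    if ($pol.EnableFederationAccess) {
        $findings += "Policy '$($pol.Identity)': federated (other-tenant) access enabled"
    }
}

if ($findings.Count -eq 0) {
    Write-Host "No open external-access paths found."
} else {
    $findings | ForEach-Object { Write-Warning $_ }
    Write-Host "If there is no documented need for inbound external chat, close it tenant-wide with:"
    Write-Host "  Set-CsTenantFederationConfiguration -AllowTeamsConsumer `$false -AllowTeamsConsumerInbound `$false"
    Write-Host "and restrict federation to an explicit allow-list with -AllowedDomains."
}
```

The script only reads configuration; the hardening command is printed, not executed, so it can be run during an incident without changing tenant state.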

Second, review your MFA device registration process. If the current process allows users to add devices via phone number or email without an IT-controlled approval step, any user can be socially engineered into adding an attacker’s device. Require IT approval or conditional access policies that validate device state before allowing new device enrollment.

Third, brief your help-desk and SOC teams on this TTP. Screen-sharing-based credential theft via Teams is now a documented, attributed attack chain. Any internal report of an unexpected Teams call from a supposed IT contact asking for credentials or screen-sharing access should be treated as a high-severity incident, not a user training issue.

Gigia Tsiklauri is a Security Architect and founder of Infosec.ge. Get in touch if your organization needs to evaluate Microsoft Teams security posture or MFA device registration controls.