Iranian APT MuddyWater Uses Chaos Ransomware as a False Flag for Espionage
ID: 4cc185de-f307-538b-ab5a-fcd151b061b3
STIX ID: report--4cc185de-f307-538b-ab5a-fcd151b061b3
Feed Name: ThreatCluster
An Iranian state-linked APT, MuddyWater, carried out a targeted espionage operation in early 2026 that impersonated the Chaos ransomware group to mask data exfiltration. The attackers used social engineering over Microsoft Teams to steal credentials and bypass MFA, deployed remote access tools (DWAgent, AnyDesk) for persistence, and left technical artifacts, including a unique code-signing certificate, that tied the campaign to MuddyWater. The operation illustrates a trend of nation-state actors adopting criminal tradecraft to frustrate attribution and detection.
