{"id":16182,"date":"2026-05-06T16:51:58","date_gmt":"2026-05-06T16:51:58","guid":{"rendered":"https:\/\/newestek.com\/?p=16182"},"modified":"2026-05-06T16:51:58","modified_gmt":"2026-05-06T16:51:58","slug":"iranian-state-backed-spies-pose-as-ransomware-slingers-in-false-flag-attacks","status":"publish","type":"post","link":"https:\/\/newestek.com\/?p=16182","title":{"rendered":"Iranian state-backed spies pose as ransomware slingers in false flag attacks"},"content":{"rendered":"<div>\n<div id=\"remove_no_follow\">\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<p>An Iranian state-sponsored espionage group is pretending to be a regular ransomware gang in a new wave of ransomware attacks targeting enterprises.<\/p>\n<p>APT group <a href=\"https:\/\/www.csoonline.com\/article\/4115379\/iran-linked-muddywater-apt-deploys-rust-based-implant-in-latest-campaign.html\">MuddyWater<\/a> (aka Seedworm) is masquerading as the Chaos ransomware-as-a-service group to confuse incident response and mask its spying and cyber-sabotage, according to research by security vendor Rapid7.<\/p>\n<p>The attacks \u2014 geared toward stealing data rather than encrypting it \u2014 typically involve social engineering through messaging platforms such as Microsoft Teams. More specifically, the attackers utilized interactive screensharing to harvest credentials and manipulate multifactor authentication (MFA).<\/p>\n<p>The attackers gained long-term persistence through remote management tools such as DWAgent. Attacks were followed by extortion messaging and leak-site publication but focused on data exfiltration rather than encryption.<\/p>\n<p>Organizations with strategic intelligence value, particularly in the United States, Western countries, APAC, and the Middle East, are being targeted through the ongoing campaign.<\/p>\n<p>Technical artefacts, including a specific code-signing certificate and command-and-control (C2) infrastructure, allowed researchers at Rapid7 to link an incident under investigation to MuddyWater with \u201cmoderate confidence.\u201d MuddyWater is a cyber-espionage group affiliated with Iran\u2019s Ministry of Intelligence and Security (MOIS).<\/p>\n<p>Adopting criminal tactics enables these state-aligned actors to introduce ambiguity and delay defensive response, according to Rapid7, which today published a <a href=\"https:\/\/www.rapid7.com\/blog\/post\/tr-muddying-tracks-state-sponsored-shadow-behind-chaos-ransomware\/\">technical blog post<\/a> detailing the attack.<\/p>\n<p>\u201cIf defenders see a ransom note, leak-site pressure, or a known ransomware brand, the initial response often focuses on business disruption, data theft, and negotiation,\u201d said Christiaan Beek, VP of Cyber Intelligence at Rapid7. \u201cThat can distract from the deeper question of what access did the actor establish, what persistence remains, and what intelligence value did they gain.\u201d<\/p>\n<p>The incident highlights the increasing convergence between state-sponsored intrusion activity and cybercriminal tradecraft, according to Rapid7.<\/p>\n<p>ChamelGang, a China-nexus espionage group, has been reported using ransomware to disguise espionage activity. North Korean state-linked groups have also used ransomware and cybercrime tactics, although often for revenue generation rather than pure deception.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>An Iranian state-sponsored espionage group is pretending to be a regular ransomware gang in a new wave of ransomware attacks targeting enterprises. APT group MuddyWater (aka Seedworm) is masquerading as the Chaos ransomware-as-a-service group to confuse incident response and mask its spying and cyber-sabotage, according to research by security vendor Rapid7. The attacks \u2014 geared toward stealing data rather than encrypting it \u2014 typically involve&#8230; <\/p>\n<p class=\"more\"><a class=\"more-link\" href=\"https:\/\/newestek.com\/?p=16182\">Read More<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-16182","post","type-post","status-publish","format-standard","hentry","category-uncategorized","is-cat-link-borders-light is-cat-link-rounded"],"_links":{"self":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/16182","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=16182"}],"version-history":[{"count":0,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/16182\/revisions"}],"wp:attachment":[{"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=16182"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=16182"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=16182"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}