ctipilot.ch


MuddyWater (Iran / MOIS) Chaos ransomware false-flag + Teams BEC

From CTI Weekly Summary — 2026-W19 (May 04 – May 10, 2026) · published 2026-05-11

Current state: refreshed 2026 campaign documented by Rapid7 ("Muddying the Tracks"), which tracks the activity as "Operation Olalampo", and corroborated this week by BleepingComputer and SecurityWeek. Per Rapid7, observed victimology is construction, manufacturing and business-services organisations in the U.S. and MENA regions. The operators deploy Chaos ransomware under criminal-group branding so that the intrusion is triaged as commodity ransomware, which complicates attribution and delays IR; credential theft runs over Microsoft Teams external-chat requests, where an interactive screen-sharing helpdesk pretext is used to harvest credentials and manipulate MFA.

Attribution evidence per Rapid7: a "Donald Gay" code-signing certificate, the moonzonet[.]com C2 domain, process injection by pythonw.exe into suspended processes, and the Teams MFA-harvest tradecraft, all consistent with prior MuddyWater (Seedworm) operations attributed to Iran's Ministry of Intelligence and Security (Rapid7 — Muddying the Tracks: The State-Sponsored Shadow Behind Chaos Ransomware · BleepingComputer — MuddyWater hackers use Chaos ransomware as a decoy · SecurityWeek — Iranian APT intrusion masquerades as Chaos ransomware attack).

M-Trends 2026 (§ 6) notes that voice phishing rose to the second most prevalent initial-access vector at 11%, with IT help-desk impersonation as a primary modality; MuddyWater's Teams variant is operationally the same pattern delivered over a different channel.

Outstanding defender question: whether the same false-flag tradecraft spreads to additional Chaos-branded incidents now that the attribution is public.
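Because the false flag works by getting the intrusion triaged as commodity ransomware, the useful hunt keys on the pre-encryption tradecraft rather than on the Chaos branding. The Python below is an added example for this brief, not code from Rapid7, ctipilot.ch or any vendor: it correlates, per host, a behavioural signal (pythonw.exe creating a child process with the CREATE_SUSPENDED flag, the shape of the injection described above) with the two atomic indicators the brief names. The event schema, field names and sample telemetry are constructed stand-ins for whatever an EDR or Sysmon pipeline actually emits and will need mapping to real field names.

```python
"""
Hunt for the pre-ransomware tradecraft the brief attributes to MuddyWater.

Added example for this page, not code from Rapid7, ctipilot.ch or any vendor.
The event schema (plain dicts with host/type/image/parent_image/flags/signer/
query) is a constructed, vendor-neutral stand-in for EDR or Sysmon-style
telemetry; real field names differ per product. The three indicators come from
the brief; the sample events are constructed for illustration.
"""
from collections import defaultdict

CREATE_SUSPENDED = 0x00000004  # Win32 CreateProcess dwCreationFlags bit

# Indicators exactly as published in the brief (defanged). Matching is done on
# the refanged, lower-cased form.
C2_DOMAINS = {"moonzonet[.]com"}
SUSPECT_SIGNERS = {"Donald Gay"}
INJECTOR_IMAGES = {"pythonw.exe"}


def refang(indicator: str) -> str:
    """Convert a defanged indicator ('moonzonet[.]com') into a matchable value."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").strip().lower()


def domain_matches(query: str) -> bool:
    """True if the queried name is a C2 domain or any subdomain of one."""
    q = query.strip().lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in map(refang, C2_DOMAINS))


def _basename(path: str) -> str:
    """Image name without directory, lower-cased; tolerates either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_host(events) -> dict:
    """Count each signal seen in one host's events.

    'suspended_child_of_pythonw' is behavioural: pythonw.exe creating a child
    with CREATE_SUSPENDED set. It fires with no IOC at all, which matters once
    the operator rebrands the payload or moves infrastructure. The other two
    signals are atomic IOC matches on the signer name and the C2 domain.
    """
    hits = defaultdict(int)
    signers = {s.lower() for s in SUSPECT_SIGNERS}
    for ev in events:
        if ev["type"] == "process_create":
            if (_basename(ev.get("parent_image", "")) in INJECTOR_IMAGES
                    and ev.get("flags", 0) & CREATE_SUSPENDED):
                hits["suspended_child_of_pythonw"] += 1
            if ev.get("signer", "").lower() in signers:
                hits["signer_donald_gay"] += 1
        elif ev["type"] == "dns_query" and domain_matches(ev.get("query", "")):
            hits["c2_dns_moonzonet"] += 1
    return dict(hits)


def hunt(events) -> dict:
    """Group events per host; return {host: signals} for hosts with any hit."""
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev["host"]].append(ev)
    flagged = {}
    for host, evs in by_host.items():
        signals = score_host(evs)
        if signals:
            flagged[host] = signals
    return flagged


# Constructed sample telemetry (not real incident data): one host showing the
# injection-plus-C2 pattern, one with only the signer IOC, one clean host.
SAMPLE_EVENTS = [
    {"host": "ws-0412", "type": "process_create", "image": r"C:\Python312\pythonw.exe",
     "parent_image": r"C:\Windows\explorer.exe", "flags": 0,
     "signer": "Python Software Foundation"},
    {"host": "ws-0412", "type": "process_create", "image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Python312\pythonw.exe", "flags": CREATE_SUSPENDED,
     "signer": "Microsoft Windows"},
    {"host": "ws-0412", "type": "dns_query", "query": "cdn.moonzonet.com"},
    {"host": "ws-0917", "type": "process_create", "image": r"C:\Users\jdoe\Downloads\installer.exe",
     "parent_image": r"C:\Windows\explorer.exe", "flags": 0, "signer": "Donald Gay"},
    {"host": "ws-1133", "type": "process_create", "image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe", "flags": 0, "signer": "Microsoft Windows"},
    {"host": "ws-1133", "type": "dns_query", "query": "www.microsoft.com"},
]

if __name__ == "__main__":
    for host, signals in sorted(hunt(SAMPLE_EVENTS).items()):
        print(host, signals)
```

The behavioural signal is deliberately scored separately from the two IOC matches: a host that only trips the suspended-child rule still surfaces, so the hunt keeps working if the operators answer the public attribution by re-signing binaries or moving C2, while an IOC-only hit on an otherwise quiet host is the lower-confidence lead.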