ctipilot.ch · Switzerland · Europe · Public sector

MuddyWater (Iran/MOIS) Chaos ransomware false-flag + Teams credential harvesting — Europe/Middle East

campaign · campaign:muddywater-chaos-2026

  • Coverage timeline: 1 (first 2026-05-08 → last 2026-05-08)
  • Briefs: 1 (1 distinct)
  • Sources cited: 1 (1 host)
  • Sections touched: 1 (active-threats)
  • Co-occurring entities: 0 (no co-occurrence)

Story timeline

  1. 2026-05-08 · CTI Daily Brief — 2026-05-08
    Section: active-threats. First coverage. Chaos ransomware as attribution false-flag; Teams social engineering for credential harvesting (T1566.004); targeting government contractors and defence-adjacent orgs in Europe and Middle East. [SINGLE-SOURCE-OTHER]

Where this entity is cited

  • active-threats: 1

Source distribution

  • deepinstinct.com: 1 (100%)

Items in briefs about MuddyWater (Iran/MOIS) Chaos ransomware false-flag + Teams credential harvesting — Europe/Middle East (1)

MuddyWater (Iran/MOIS) deploys Chaos ransomware as false flag; harvests credentials via Teams

From CTI Daily Brief — 2026-05-08 · published 2026-05-10

Security researchers documented a refreshed campaign by MuddyWater (attributed to Iran's Ministry of Intelligence and Security, MOIS), targeting government contractors and defence-adjacent organisations in Europe and the Middle East. The campaign deploys Chaos ransomware payloads with branding designed to mimic criminal ransomware groups — a deliberate false-flag technique intended to complicate attribution and delay incident response triage. A parallel social-engineering vector uses Microsoft Teams external-access invitations to gain remote-assistance sessions under a helpdesk pretext, after which credentials are harvested and used for further access via legitimate cloud services. Observed ATT&CK techniques: T1566.004 (Spearphishing via Teams), T1649 (Steal or Forge Authentication Certificates), T1486 (Data Encrypted for Impact). This is a single-source threat-intelligence vendor disclosure.