MuddyWater (Iran/MOIS) deploys Chaos ransomware as false flag; harvests credentials via Teams

Security researchers documented a refreshed campaign by MuddyWater (attributed to Iran's Ministry of Intelligence and Security, MOIS), targeting government contractors and defence-adjacent organisations in Europe and the Middle East. The campaign deploys Chaos ransomware payloads with branding designed to mimic criminal ransomware groups — a deliberate false-flag technique intended to complicate attribution and delay incident response triage. A parallel social-engineering vector uses Microsoft Teams external-access invitations to gain remote-assistance sessions under a helpdesk pretext, after which credentials are harvested and used for further access via legitimate cloud services. Observed ATT&CK techniques: T1566.004 (Spearphishing via Teams), T1649 (Steal or Forge Authentication Certificates), T1486 (Data Encrypted for Impact). This is a single-source threat-intelligence vendor disclosure.