Skip to content
View in the app

A better way to browse. Learn more.

hosang I.T.

A full-screen app on your home screen with push notifications, badges and more.

To install this app on iOS and iPadOS
  1. Tap the Share icon in Safari
  2. Scroll the menu and tap Add to Home Screen.
  3. Tap Add in the top-right corner.
To install this app on Android
  1. Tap the 3-dot menu (⋮) in the top-right corner of the browser.
  2. Tap Add to Home screen or Install app.
  3. Confirm by tapping Install.

Iranian state-backed spies pose as ransomware slingers in false flag attacks

An Iranian state-sponsored espionage group is pretending to be a regular ransomware gang in a new wave of ransomware attacks targeting enterprises.

APT group MuddyWater (aka Seedworm) is masquerading as the Chaos ransomware-as-a-service group to confuse incident response and mask its spying and cyber-sabotage, according to research by security vendor Rapid7.

The attacks — geared toward stealing data rather than encrypting it — typically involve social engineering through messaging platforms such as Microsoft Teams. More specifically, the attackers utilized interactive screensharing to harvest credentials and manipulate multifactor authentication (MFA).

The attackers gained long-term persistence through remote management tools such as DWAgent. Attacks were followed with extortion messaging and leak site publication but focused on data exfiltration rather than encryption.

Organizations with strategic intelligence value, particularly in the United States, Western countries, APAC, and the Middle East, are being targeted through the ongoing campaign.

Technical artefacts, including a specific code-signing certificate and command-and-control (C2) infrastructure, allowed researchers at Rapid7 to link an incident under investigation to MuddyWater with “moderate confidence.” MuddyWater is a cyber-espionage group affiliated with Iran’s Ministry of Intelligence and Security (MOIS).

Adopting criminal tactics enables these state-aligned actors to introduce ambiguity and delay defensive response, according to Rapid7, which today published a technical blog post detailing the attack.

“If defenders see a ransom note, leak-site pressure, or a known ransomware brand, the initial response often focuses on business disruption, data theft, and negotiation,” said Christiaan Beek, VP of Cyber Intelligence at Rapid7. “That can distract from the deeper question of what access did the actor establish, what persistence remains, and what intelligence value did they gain.”

The incident highlights the increasing convergence between state-sponsored intrusion activity and cybercriminal tradecraft, according to Rapid7.

ChamelGang, a China-nexus espionage group, has been reported using ransomware to disguise espionage activity. North Korean state-linked groups have also used ransomware and cybercrime tactics, although often for revenue generation rather than pure deception.

View the full article

User Feedback

Recommended Comments

There are no comments to display.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Add a comment...

Account

Navigation

Search

Search

Configure browser push notifications

Chrome (Android)
  1. Tap the lock icon next to the address bar.
  2. Tap Permissions → Notifications.
  3. Adjust your preference.
Chrome (Desktop)
  1. Click the padlock icon in the address bar.
  2. Select Site settings.
  3. Find Notifications and adjust your preference.