Iran-linked threat group MuddyWater executed a sophisticated corporate intrusion in early 2026, disguising state-sponsored espionage as a ransomware attack while stealing credentials and data without deploying file encryption, according to Rapid7 research.
The attackers used Microsoft Teams to establish screen-sharing sessions with employees, enabling credential theft and multi-factor authentication bypass. They deployed remote management tools including AnyDesk and DWAgent for persistent access, then sent extortion emails directing victims to the Chaos ransomware leak site despite never encrypting files.
Social Engineering Attack Vector
MuddyWater operatives engaged directly with victim organization employees through Microsoft Teams, establishing screen-sharing sessions to gain access to user systems. During these sessions, the threat actors executed basic discovery commands and accessed VPN configuration files.
The attackers instructed users to enter credentials into locally created text files, effectively harvesting authentication data through direct manipulation. This social engineering approach allowed the group to bypass traditional security controls by leveraging trusted communication channels.
Once initial access was established, the threat actors deployed AnyDesk remote management software to maintain persistent access to compromised systems.
Persistent Access and Lateral Movement
After establishing an initial foothold, the attackers created persistent access through Remote Desktop Protocol (RDP) sessions and the DWAgent remote access tool. Using these access points, they deployed additional payloads and moved laterally through the corporate environment.
The group conducted reconnaissance activities typical of espionage campaigns, including credential harvesting and systematic data theft. However, unlike traditional ransomware operations, no file-encrypting malware was deployed on compromised machines.
This approach suggests the primary objective was intelligence gathering rather than financial gain through ransom payments.
False Flag Ransomware Campaign
The threat actors sent extortion emails to multiple users claiming to have stolen sensitive information and threatening public disclosure unless ransom demands were met. Victims were directed to the Chaos ransomware leak site, which listed the targeted organization as a new victim.
A subsequent email instructed recipients to locate credentials for secure chat negotiations, but the promised note was never found. The stolen data was eventually leaked online without any ransom payment.
Rapid7 analysis indicates Chaos artifacts were planted as false flags to disguise state-sponsored activity behind apparent criminal ransomware operations.
Widespread cPanel Exploitation Campaign
Separately, over 40,000 servers have been compromised in an ongoing campaign exploiting CVE-2026-41940, a critical authentication bypass vulnerability in cPanel & WebHost Manager. The Shadowserver Foundation reported the vulnerability provides unauthenticated attackers with administrative access to cPanel systems.
The security defect allows attackers to use special characters in authorization headers to write parameters to session files, then trigger session reloads to authenticate using injected administrative credentials. CVE-2026-41940 was likely exploited as a zero-day since late February, with activity spiking after public disclosure on April 28.
https://x.com/Shadowserver/status/2050208472386396568
Most affected systems are located in the United States, with France and the Netherlands representing significant secondary targets. All cPanel versions after 11.40 remain vulnerable until patched.
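Authorization header values that do not even parse are a cheap tripwire for the class of header abuse described above. The example below is added here and is not code from Rapid7, Shadowserver or cPanel, and it is not tied to the actual CVE-2026-41940 payload, which the article does not describe: it checks each header against the RFC 7235 credentials grammar and flags anything that fails, so a reverse proxy or log-review job can route those requests for inspection. The request samples are constructed.

```python
import re

# RFC 7235 grammar (syntax only; this does not check that the credentials are valid):
#   credentials = auth-scheme [ 1*SP ( token68 / #auth-param ) ]
#   token68     = 1*( ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" ) *"="
#   auth-param  = token BWS "=" BWS ( token / quoted-string )
TCHAR = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]"
TOKEN = rf"{TCHAR}+"
TOKEN68 = r"[A-Za-z0-9\-._~+/]+=*"
# quoted-string: qdtext (HTAB, SP, 0x21, 0x23-0x5B, 0x5D-0x7E, obs-text) or quoted-pair
QUOTED = r'"(?:[\t !#-\[\]-~\x80-\xff]|\\[\t -~\x80-\xff])*"'
AUTH_PARAM = rf"{TOKEN}[ \t]*=[ \t]*(?:{TOKEN}|{QUOTED})"
AUTH_PARAMS = rf"{AUTH_PARAM}(?:[ \t]*,[ \t]*{AUTH_PARAM})*"
CREDENTIALS_RE = re.compile(rf"{TOKEN}(?: +(?:{TOKEN68}|{AUTH_PARAMS}))?")


def is_wellformed_authorization(value: str) -> bool:
    """True if the header value matches the RFC 7235 'credentials' production.

    Control characters (CR, LF, NUL), brackets, braces and other bytes outside
    token68 / tchar / qdtext fail the match, which is the point of the check.
    """
    return CREDENTIALS_RE.fullmatch(value) is not None


def flag_suspicious(requests):
    """Return the ids of requests whose Authorization header does not parse."""
    return [rid for rid, value in requests if not is_wellformed_authorization(value)]


# Constructed samples (not observed traffic): three well-formed headers,
# three with characters the grammar never permits.
SAMPLE_REQUESTS = [
    ("req-1", "Basic dXNlcjpwYXNzd29yZA=="),
    ("req-2", 'Digest username="alice", realm="cpanel", nonce="abc123"'),
    ("req-3", "Bearer eyJhbGciOiJIUzI1NiJ9.e30.abc-_DEF"),
    ("req-4", "Basic dXNlcjpwYXNz\r\nX-Injected: 1"),  # CR/LF inside a header value
    ("req-5", "Basic dXNlcjpwYXNz{}"),                 # braces are not token68/tchar
    ("req-6", 'Digest username="al\x00ice"'),          # NUL is not qdtext
]

if __name__ == "__main__":
    print("flagged:", flag_suspicious(SAMPLE_REQUESTS))
```

A failed parse is a triage signal, not proof of exploitation; the same check also catches broken clients, which is why flagged requests should be reviewed rather than blocked outright.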
Ransomware Prosecutions Accelerate
US authorities sentenced Latvian national Deniss Zolotarjovs to 8.5 years in prison for his role as a Karakurt ransomware negotiator. Court documents show Zolotarjovs participated in attacks against 53 entities between June 2021 and March 2023, causing $56 million in losses.
Zolotarjovs received 10% of negotiated ransom payments in cryptocurrency, which he converted to Russian rubles through multiple wallet transfers. In one case involving a pediatric healthcare company, he recommended publishing patient data online to pressure victims into payment.
Additionally, two US cybersecurity experts received 4-year prison sentences for conducting ransomware attacks using BlackCat and Alphv malware. Ryan Goldberg and Kevin Martin received roughly $1.2 million from one victim while working as ransomware negotiators at legitimate cybersecurity firms.
What This Means
The MuddyWater campaign demonstrates how nation-state actors increasingly adopt ransomware tactics as cover for espionage operations. By mimicking criminal ransomware groups, state-sponsored threats can complicate attribution while achieving intelligence objectives.
The massive cPanel exploitation highlights the continued vulnerability of internet-facing management platforms. With 1.5 million cPanel instances accessible online, the attack surface remains substantial for both criminal and state-sponsored actors.
Recent prosecutions of ransomware operators and corrupt security professionals signal intensified law enforcement focus on the ransomware ecosystem. However, the technical sophistication and false flag tactics employed by groups like MuddyWater suggest traditional criminal justice approaches may prove insufficient against state-sponsored threats.
FAQ
How did MuddyWater bypass multi-factor authentication?
The attackers used Microsoft Teams screen-sharing sessions to directly observe users entering MFA codes, then manipulated authentication flows in real-time during active user sessions.
What makes CVE-2026-41940 particularly dangerous?
The vulnerability provides complete administrative access to cPanel systems without authentication, allowing attackers to compromise all hosted websites, databases, and configurations managed by the platform.
Why are cybersecurity professionals turning to ransomware?
The cases involving US security experts highlight how insider knowledge of defensive techniques and victim negotiation processes can be exploited for criminal gain, with perpetrators leveraging their professional access and expertise.
Sources
- Iranian APT Intrusion Masquerades as Chaos Ransomware Attack – SecurityWeek