The Iran-linked APT group MuddyWater conducted an elaborate espionage operation disguised as a ransomware attack in early 2026, using social engineering and fake Chaos ransomware artifacts to hide state-sponsored activity. According to Rapid7’s report, the attackers performed reconnaissance, credential harvesting, and data theft without deploying actual file-encrypting malware.
The threat actors initiated contact through Microsoft Teams, establishing screen-sharing sessions to gain direct access to employee workstations. During these sessions, they executed discovery commands, accessed VPN configuration files, and instructed users to save credentials in locally created text files.
Social Engineering Tactics Drive Initial Access
MuddyWater’s approach relied heavily on human manipulation rather than technical exploits. The attackers engaged directly with employees through legitimate Microsoft Teams sessions, creating a false sense of security while harvesting sensitive information.
“While connected, the TA executed basic discovery commands, accessed files related to the victim’s VPN configuration, and instructed users to enter their credentials into locally created text files,” Rapid7 reported. In at least one instance, the group deployed AnyDesk remote management software to maintain persistent access.
The attackers also established RDP sessions and deployed the DWAgent remote access tool for additional persistence. This multi-layered approach ensured continued access even if individual entry points were discovered and closed.
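The access chain described above (a Teams screen-share, then AnyDesk, RDP and DWAgent for persistence) is something a defender can hunt for in process-creation telemetry. The following is an added example, not code from Rapid7's report or from the page: it runs a small triage rule over constructed EDR/Sysmon-style events and flags remote-access tools, raising severity when the tool was launched by a collaboration client or browser (a user running a download mid-session) or from a user-profile path. The field names, the parent-process binary names and the "dwagent" on-disk name are assumptions.

```python
"""Flag remote-access tooling appearing on employee workstations.

Added example (not from Rapid7's report or the page). The events below are
constructed stand-ins for EDR or Sysmon process-creation records; the field
names (ts, host, user, image, parent_image, cmdline) are assumptions.
"""
from typing import Dict, List, Optional

# Tools named in the campaign above, matched as substrings of the image basename.
# "anydesk" and "mstsc" are real binary names; "dwagent" is assumed to be how
# the DWAgent installer/service appears on disk.
REMOTE_ACCESS_TOOLS = {
    "anydesk": "AnyDesk",
    "dwagent": "DWAgent",
    "mstsc": "RDP client",
}

# Parents that indicate the tool was fetched and run by the user during a live
# session (Teams client, browsers, mail). These binary names are assumptions.
SESSION_PARENTS = {"ms-teams.exe", "teams.exe", "chrome.exe", "msedge.exe",
                   "firefox.exe", "outlook.exe"}

# Constructed sample events: a Teams session and then AnyDesk dropped from Teams
# on WS-114; DWAgent dropped from Chrome on WS-207; an admin using mstsc on WS-300.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"ts": "2026-03-04T09:12:01Z", "host": "WS-114", "user": "jdoe",
     "image": r"C:\Program Files\Microsoft\Teams\current\ms-teams.exe",
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": "ms-teams.exe"},
    {"ts": "2026-03-04T09:41:27Z", "host": "WS-114", "user": "jdoe",
     "image": r"C:\Users\jdoe\Downloads\AnyDesk.exe",
     "parent_image": r"C:\Program Files\Microsoft\Teams\current\ms-teams.exe",
     "cmdline": "AnyDesk.exe"},
    {"ts": "2026-03-04T10:05:13Z", "host": "WS-114", "user": "jdoe",
     "image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r"notepad.exe C:\Users\jdoe\Desktop\vpn-login.txt"},
    {"ts": "2026-03-05T14:20:44Z", "host": "WS-207", "user": "asmith",
     "image": r"C:\Users\asmith\AppData\Local\Temp\dwagent.exe",
     "parent_image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": "dwagent.exe"},
    {"ts": "2026-03-05T15:00:00Z", "host": "WS-300", "user": "itadmin",
     "image": r"C:\Windows\System32\mstsc.exe",
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": "mstsc.exe /v:srv01"},
]


def basename(path: str) -> str:
    """Lower-cased final path component; handles Windows and POSIX separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify_event(event: Dict[str, str]) -> Optional[Dict[str, object]]:
    """Return a finding for a remote-access tool launch, or None if not relevant."""
    image = basename(event["image"])
    parent = basename(event["parent_image"])
    tool = next((name for needle, name in REMOTE_ACCESS_TOOLS.items()
                 if needle in image), None)
    if tool is None:
        return None
    reasons = [f"{tool} started as {image}"]
    severity = "medium"
    if parent in SESSION_PARENTS:
        severity = "high"
        reasons.append(f"spawned by {parent}, i.e. run by the user during a live session")
    if "/users/" in event["image"].replace("\\", "/").lower():
        severity = "high"
        reasons.append("runs from a user-writable profile path, not a managed install")
    return {"ts": event["ts"], "host": event["host"], "user": event["user"],
            "tool": tool, "severity": severity, "reasons": reasons}


def find_remote_access_events(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Return findings in time order, one per matching event."""
    ordered = sorted(events, key=lambda e: e["ts"])
    return [f for f in (classify_event(e) for e in ordered) if f is not None]


if __name__ == "__main__":
    for f in find_remote_access_events(SAMPLE_EVENTS):
        print(f"{f['ts']} {f['host']} {f['user']:<8} {f['severity']:<6} "
              f"{f['tool']}: " + "; ".join(f["reasons"]))
```

The mstsc launch by an administrator from explorer stays at medium so that routine RDP use does not drown the high-severity hits; in practice the parent and path lists would be tuned to the environment's approved remote-support tooling.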
Extortion Campaign Mimics Ransomware Operations
After establishing persistent access and exfiltrating data, MuddyWater launched an extortion campaign designed to appear like a traditional ransomware attack. The group sent emails to multiple users claiming to have stolen information and threatening public disclosure unless ransom demands were met.
Victims were directed to the Chaos ransomware leak site, where the targeted organization appeared as a newly listed victim. A follow-up email instructed recipients to locate a ‘note’ containing credentials for secure chat negotiations, though this note was never found.
The stolen data was eventually leaked online when negotiations failed. Notably, throughout the entire operation, no file-encrypting ransomware was deployed on compromised systems, indicating the Chaos ransomware artifacts served as false flags to conceal the state-sponsored nature of the attack.
Broader Ransomware Landscape Shows Mixed Enforcement
While MuddyWater used fake ransomware tactics for espionage, genuine ransomware operations continue to face law enforcement pressure. Deniss Zolotarjovs, a 35-year-old Latvian member of the Karakurt ransomware gang, was sentenced to 8.5 years in prison for his role in extorting victims.
Zolotarjovs served as a negotiator for Karakurt between June 2021 and March 2023, during which the group targeted at least 53 entities and caused $56 million in losses. Court documents show he analyzed stolen data, conducted ransom negotiations, and received 10% of ransom payments in cryptocurrency.
The Karakurt group, also known as TommyLeaks and associated with the Conti ransomware operation, specialized in stealing personally identifiable information including Social Security numbers and healthcare data. In one case, Zolotarjovs recommended publishing pediatric patient data when a healthcare company delayed payment.
High-Profile Targets Face Continued Pressure
The RansomHouse group claimed responsibility for attacking cybersecurity firm Trellix, adding the company to their leak site with screenshots showing access to internal services and management dashboards. Trellix confirmed that part of its source code repository was breached but stated no evidence suggested the source code release process was compromised.
This attack potentially connects to a broader supply chain campaign linked to TeamPCP and Lapsus$ groups, which has impacted multiple cybersecurity firms including Checkmarx, Aqua Security, and Bitwarden. RansomHouse operates as a ransomware-as-a-service provider and currently lists more than 170 victims on its Tor-based leak website.
Meanwhile, the Canvas learning platform breach by ShinyHunters affected over 8,800 schools according to the attackers’ claims. The breach impacted names, email addresses, student ID numbers, and platform messages, causing widespread disruption during finals season at universities including Harvard, Columbia, and Georgetown.
cPanel Zero-Day Exploitation Reaches Massive Scale
A critical authentication-bypass vulnerability in cPanel (CVE-2026-41940) has been exploited to compromise over 40,000 servers in an ongoing campaign. The Shadowserver Foundation reported that threat actors are actively exploiting the flaw, which provides unauthenticated administrative access to cPanel & WebHost Manager platforms.
The vulnerability allows attackers to inject special characters in authorization headers, write parameters to session files, and trigger reloads to authenticate with administrative credentials. CVE-2026-41940 has likely been exploited as a zero-day since late February, with activity spiking after public disclosure and the publication of technical details.
With approximately 1.5 million cPanel instances accessible from the internet according to Rapid7’s assessment, the potential scope of compromise remains significant. Most affected systems are located in the United States, France, and the Netherlands.
https://x.com/Shadowserver/status/2050208472386396568
What This Means
The MuddyWater campaign represents an evolution in state-sponsored cyber operations, where traditional espionage activities are masked behind ransomware facades to complicate attribution and response efforts. This approach allows nation-state actors to conduct intelligence gathering while maintaining plausible deniability through false flag operations.
The simultaneous occurrence of prosecutions of actual ransomware operators, high-profile breaches, and widespread vulnerability exploitation demonstrates the multi-faceted nature of current cyber threats. Organizations face pressure from both criminal groups seeking financial gain and state-sponsored actors pursuing strategic intelligence objectives.
The scale of the cPanel exploitation particularly highlights the cascade effect of supply chain vulnerabilities, where a single platform compromise can impact tens of thousands of downstream systems and organizations.
FAQ
How can organizations distinguish between real ransomware and fake campaigns like MuddyWater’s? Real ransomware operations typically deploy file-encrypting malware immediately after gaining access, while fake campaigns focus on data exfiltration and reconnaissance activities. Organizations should look for actual encrypted files and ransom notes deployed on systems rather than just extortion emails.
What immediate steps should cPanel users take to protect against CVE-2026-41940? Update to the latest patched versions immediately (11.86.0.41, 11.110.0.97, 11.118.0.63, 11.124.0.35, 11.126.0.54, 11.130.0.19, or newer), follow cPanel’s compromise identification procedures, and monitor for unauthorized administrative access or configuration changes.
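A first triage step for the advice above is to check each server's installed cPanel & WHM version against the fixed releases per branch. The following is an added example, not cPanel's own tooling: it parses a four-part version string, keys the fixed releases by branch (the first two components), and reports patched, vulnerable or unknown. The fixed versions are the ones listed in the FAQ; the path /usr/local/cpanel/version and the treatment of branches newer than 11.130 as fixed (the FAQ's "or newer") are assumptions.

```python
"""Check a cPanel & WHM version against the CVE-2026-41940 fixed releases.

Added example, not cPanel's own tooling. The fixed versions come from the FAQ
above; the path /usr/local/cpanel/version is assumed to hold the installed
version string.
"""
import sys
from typing import Tuple

Version = Tuple[int, ...]

# Fixed releases per branch, as listed on this page.
FIXED_VERSIONS = ["11.86.0.41", "11.110.0.97", "11.118.0.63",
                  "11.124.0.35", "11.126.0.54", "11.130.0.19"]


def parse_version(text: str) -> Version:
    """'11.110.0.97' -> (11, 110, 0, 97); rejects anything not four integers."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected cPanel version format: {text!r}")
    return tuple(int(p) for p in parts)


def fmt(v: Version) -> str:
    """Tuple back to dotted form."""
    return ".".join(map(str, v))


# Branch key = first two components (11.110, 11.118, ...), value = fixed release.
FIXED_BY_BRANCH = {v[:2]: v for v in map(parse_version, FIXED_VERSIONS)}


def assess(version_text: str) -> Tuple[str, str]:
    """Return (status, detail); status is 'patched', 'vulnerable' or 'unknown'."""
    v = parse_version(version_text)
    branch = v[:2]
    if branch in FIXED_BY_BRANCH:
        fixed = FIXED_BY_BRANCH[branch]
        if v >= fixed:
            return "patched", f"{fmt(v)} is at or above fix {fmt(fixed)}"
        return "vulnerable", f"{fmt(v)} is below fix {fmt(fixed)}; update this branch"
    newest = max(FIXED_BY_BRANCH)
    if branch > newest:
        # The FAQ says "or newer"; treating later branches as fixed is an assumption.
        return "patched", f"branch {fmt(branch)} is newer than any listed fixed branch"
    # Older than the oldest listed branch, or a branch with no fix listed here.
    return "unknown", (f"branch {fmt(branch)} has no fix listed here; treat as "
                       "vulnerable until confirmed against the vendor advisory")


def read_installed_version(path: str = "/usr/local/cpanel/version") -> str:
    """Read the installed version string (the path is an assumption)."""
    with open(path, encoding="utf-8") as fh:
        return fh.read().strip()


if __name__ == "__main__":
    # Usage: python cpanel_check.py [version]; without an argument, reads the
    # local install. Exit status 0 only when the version is on a fixed release.
    text = sys.argv[1] if len(sys.argv) > 1 else read_installed_version()
    status, detail = assess(text)
    print(f"{status.upper()}: {detail}")
    sys.exit(0 if status == "patched" else 1)
```

A "patched" result only says the version is not the vulnerable one; servers that were exposed before the update still need the compromise-identification steps the FAQ refers to, since a fix does not evict an attacker who already holds administrative access.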
Why are educational institutions particularly vulnerable to ransomware attacks? Educational institutions often have limited cybersecurity budgets, numerous user accounts with varying access levels, and critical operational dependencies on digital platforms. The Canvas breach demonstrates how attacking a single widely-used platform can disrupt thousands of schools simultaneously, making education technology providers attractive targets.
Sources
- Iranian APT Intrusion Masquerades as Chaos Ransomware Attack – SecurityWeek
- Karakurt Ransomware Negotiator Sentenced to Prison – SecurityWeek
- Ransomware Group Takes Credit for Trellix Hack – SecurityWeek
- Over 40,000 Servers Compromised in Ongoing cPanel Exploitation – SecurityWeek
- The Canvas Hack Is a New Kind of Ransomware Debacle – Wired