---
type: "attack-path"
title: "CHAOS-MUDDYWATER-FALSEFLAG-2026"
description: "MuddyWater (Seedworm / Iranian MOIS) intrusion campaign branded as 'Chaos ransomware' but operationally a state-sponsored exfiltration operation — the Chaos RaaS skin is a false flag for plausible deniability."
resource: "tlctc:attack-path:chaos-muddywater-falseflag-2026"
tags:
  - "attack-path"
  - "cluster-9"
  - "cluster-4"
  - "cluster-1"
  - "cluster-7"
  - "confidence-high"
timestamp: "2026-05-08T00:00:00Z"
tlctc_version: "2.1"
---
# CHAOS-MUDDYWATER-FALSEFLAG-2026

## Attack path

```
||[human][@MSTeams⇒@Attacker→@Org]|| #9 →[Δt=?] #4 →[Δt=?] #1 →[Δt=?] #4 →[Δt=?] #1 →[Δt=~5s] #7 (FEC) →[Δt=?] #7 (FEC) + [DRE: C]
```

## Schema

| Step | Cluster | Boundary | Δt→next | DRE |
|---|---|---|---|---|
| s1-teams-vishing-screenshare | [#9](/clusters/cluster-9.md) | \|\|[human][@MSTeams⇒@Attacker→@Org]\|\| | ? |  |
| s2-first-credential-auth | [#4](/clusters/cluster-4.md) |  | ? |  |
| s3-mfa-self-enrollment-hijack | [#1](/clusters/cluster-1.md) |  | ? |  |
| s4-mfa-completed-reauth | [#4](/clusters/cluster-4.md) |  | ? |  |
| s5-lolbas-curl-installers | [#1](/clusters/cluster-1.md) |  | ~5s |  |
| s6-first-fec-wave | [#7](/clusters/cluster-7.md) (FEC) |  | ? |  |
| s7-game-exe-rat-c2-exfil | [#7](/clusters/cluster-7.md) (FEC) |  |  | C |

## Step notes

- **s1-teams-vishing-screenshare:** Attacker-controlled Microsoft Teams account opens a 1:1 chat impersonating IT support, often paired with email-bombing for urgency, then initiates a screen-share session. During the call the user is directed to a Quick-Assist look-alike phishing page (adm-pulse[.]com/verify.php) and/or instructed to type credentials into a local text file (credentials.txt, cred.txt) where the attacker reads them off the screen. The attacker also walks the user through MFA-related prompts to position for the enrollment hijack in s3. R-HUMAN: psychological manipulation (authority bias, urgency, IT-support impersonation) is the operative mechanism. R-CRED: credential ACQUISITION here maps to the enabling cluster (#9); credential APPLICATION is a separate later step (s2 / s4) — Axiom X duality preserved. R-TRANSIT-3: Microsoft Teams behaves as transit (relay), not attack surface — no Teams CVE is involved; Teams forwards the deceptive content to the human target without itself being exploited. This is analogous to the @SMSProvider exemplar in the v2.1 specification. Teams ingress observed from 77.110.107.235 and 93.123.39.127.
- **s2-first-credential-auth:** Attacker presents the harvested username/password to corporate VPN or SSO endpoint and authenticates as the victim user. R-CRED: credential application is ALWAYS #4, regardless of acquisition method. Axiom X is preserved as a clean two-step structure: s1 was acquisition (via #9), s2 is application (#4). At this point the attacker holds a single-factor session — necessary but not yet sufficient for MFA-protected resources, which is what motivates the s3 pivot.
- **s3-mfa-self-enrollment-hijack:** Inside the now-authenticated session the attacker enters the IAM self-service MFA enrollment workflow and registers their own device as a second factor for the victim account. Generic vulnerability: the inherent trust and scope of a self-service IAM feature — the endpoint works exactly as designed. R-ABUSE / 'Perfect-Implementation Test': a flawlessly coded MFA enrollment endpoint that allows self-service enrollment after primary auth still permits this attack — no implementation flaw is exploited. By Axiom VI this step has its own generic vulnerability and must be its own cluster step; folding it into the surrounding #4 chain would collapse two distinct generic vulnerabilities and erase the highest-leverage detection point in the entire incident (most MFA enrollments are normal — but enrollment seconds after a first-ever auth from an unfamiliar geo is not). This step is the load-bearing #1 that the v2.1 'one step, one cluster' rule exists to expose. Why not #4 here: the attacker is no longer presenting credentials to authenticate; they are operating an existing legitimate feature of the IAM system.
- **s4-mfa-completed-reauth:** Attacker re-authenticates to MFA-protected resources — Domain Controller, RDP into internal hosts, privileged consoles — using the victim's primary credential plus the now attacker-controlled second factor from s3. R-CRED: every fresh credential application is its own #4. Axiom X separation is preserved: s3 (#1) materially changed the attacker's credential possession (single-factor → MFA-complete), so a new #4 step is recorded for the new authentication events. Treating s2 and s4 as one step would erase the MFA pivot in between. The structural pair s3→s4 is connected by a sub-second Δt — purely human SOC review is structurally insufficient; automation at s3 (block on new-device-enrollment from unfamiliar geo immediately after first auth) is the only reliable break point for this transition.
- **s5-lolbas-curl-installers:** Logged in as a privileged user (per s4) the attacker invokes legitimate Windows facilities: curl to fetch ms_upd.exe from 172.86.126[.]208:443; standard installer flows to deploy DWAgent (dwagent.exe, dwagsvc.exe, dwaglnc.exe, pythonw.exe) and AnyDesk; manual RDP between hosts. Generic vulnerability: designed administrative capability of an authenticated session — installer execution, outbound HTTPS fetch, and service registration are all intended functions. R-EXEC LOLBAS clarification: invocation of legitimate binaries by an authorized identity is #1; execution of attacker-controlled content is the next step (s6 / s7). Cleanly separating these is what lets a SOC alert on 'user X installed RMM software on a DC' without needing to wait for malware behavior to fire later. Why not #4 here: no fresh credential is being presented; the attacker is operating tools as the already-authenticated identity.
- **s6-first-fec-wave:** First wave of Foreign Executable Content executes on @Org systems: DWAgent components (dwagent.exe, dwagsvc.exe), AnyDesk.exe, and the stage-1 downloader ms_upd.exe. R-EXEC fires for each — every distinct FEC execution is a #7 instance. The v2.1 #7 definition explicitly includes 'dual-use tooling when it executes attacker-controlled FEC' — so DWAgent and AnyDesk are #7, not #1, even though the binaries themselves are signed legitimate tools. What matters is foreign content executing under attacker direction. ms_upd.exe stages itself in C:\Users\Public\Downloads\GameFiles\ and registers with C2 uploadfiler[.]com via POST /register, sending a JSON payload {client_id, computer_name, username, domain}. It then enters a while(1) polling loop on POST /check awaiting an operator-set approval flag (MWF_CheckIfApproved + MWF_CheckIfRetry in the decompiled main routine). Game.exe is NOT yet downloaded at this step — the operator gate is what separates s6 from s7. The MWF_ function-name prefix throughout the binary is a tradecraft signature plausibly tied to MuddyWater; per Axiom IV this does not affect cluster classification but strengthens attribution. delta_t_to_next='?' reflects operator-paced staging — VC-2 to VC-1 — and is the only structural slack in the entire chain.
- **s7-game-exe-rat-c2-exfil:** After the operator approves the victim, ms_upd.exe downloads three files from the C2: /download/Game.exe (saved as Game.exe), /download/Game.dll (saved on disk as WebView2Loader.dll — a filename masquerade; the file is attacker-built FEC, not a legitimate Microsoft DLL), and /download/Game.config (saved as visualwincomp.txt, encrypted configuration). Game.exe executes — second R-EXEC firing — and self-installs in C:\ProgramData\visualwincomp-<random>\, taking the ATTRIBUTES_ObjectKernel mutex for single-instance enforcement. It registers with uploadfiler[.]com/home and polls /index.php every 60 seconds for commands (VC-3 operational beacon — purely human SOC response is structurally insufficient against this cadence). Defense evasion characteristics of the FEC (NOT separate cluster steps — these are properties of the malware per the FEC features rule): dynamic API resolution via LoadLibraryA/GetProcAddress, XOR-0xAB string obfuscation, sandbox-DLL probes (sbiedll.dll, dbghelp.dll, api_log.dll, vmcheck.dll, wpespy.dll), VM CPU-name detection (Virtual/VMWare/KVM/Hyper-V), GetTickCount + Sleep timing checks, removable-drive enumeration. Code-signing certificate 'Donald Gay' (B674578D4BDB24CD58BF2DC884EAA658B7AA250C, Microsoft ID Verified CS AOC CA 02 — known MuddyWater resource) signs the binaries; this is treated as an evasion characteristic of the #7, NOT promoted to a separate #10 step — Rapid7 does not establish a specific control bypass that hinges on the signature, and #10 is reserved for trust links specific to the target's supply chain rather than the global OS code-signing CA where TAE attribution is too diffuse to be operationally meaningful. A defensible low-confidence #10 alternative reading exists per R-SUPPLY's falsifiability test but is not adopted as primary. Outcomes: [C] — confirmed loss of confidentiality. Game.exe exfiltrates data via chunked upload_chunk commands over the C2 channel. The victim publicly confirmed the data published on the Chaos DLS (.onion: hptqq2o2qjva7lcaaq67w36jihzivkaitkexorauw7b2yul2z6zozpqd) is legitimate; one DLS entry shows 999 GB leaked. NO encryption event occurred — the path closes on [DRE: C] only. Recording [DRE: Ac] because the report uses the word 'ransomware' would be a direct violation of Axiom III: the 'Chaos ransomware' brand is psychological extortion pressure built on top of confirmed exfiltration, but extortion is not a DRE.
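As an added detection example (not code from the Rapid7 report or the TLCTC project), the s3 break point the notes above describe: correlate IAM events and flag an MFA self-enrollment that lands within a short window of a user's first-ever successful auth from a geo outside that user's baseline. The event field names, the baseline map and the sample events are constructed assumptions, not any particular IdP's log schema.

```python
"""Flag an MFA self-enrollment that lands within a short window of a user's first-ever
successful auth from an unfamiliar geo (the s3 break point). Added example; the event
field names and the baseline map are assumptions, not a particular IdP's log schema."""
from datetime import datetime, timedelta

# Constructed sample IAM events, not taken from the incident; "bob" shows the hijack pattern.
EVENTS = [
    {"ts": "2026-05-08T09:00:00Z", "user": "alice", "kind": "auth_success", "geo": "CH", "ip": "10.1.2.3"},
    {"ts": "2026-05-08T10:00:00Z", "user": "bob", "kind": "auth_success", "geo": "NL", "ip": "198.51.100.7"},
    {"ts": "2026-05-08T10:00:04Z", "user": "bob", "kind": "mfa_enroll", "geo": "NL", "ip": "198.51.100.7",
     "device": "unknown-phone"},
    {"ts": "2026-05-08T11:00:00Z", "user": "alice", "kind": "mfa_enroll", "geo": "CH", "ip": "10.1.2.3",
     "device": "work-phone"},
]
# Constructed per-user baseline of geos already seen in normal use (assumed to come from history).
BASELINE_GEOS = {"alice": {"CH"}, "bob": {"DE"}}

def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")

def find_enrollment_hijacks(events, baseline_geos=BASELINE_GEOS, window=timedelta(minutes=10)):
    """Return one alert per mfa_enroll that (a) comes from a geo outside the user's baseline and
    (b) occurs within `window` of the first auth_success ever seen for that user from that geo."""
    first_auth = {}  # (user, geo) -> timestamp of the first successful auth from that geo
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort lexically
        key = (ev["user"], ev["geo"])
        if ev["kind"] == "auth_success":
            first_auth.setdefault(key, parse_ts(ev["ts"]))  # keep the earliest only
        elif ev["kind"] == "mfa_enroll":
            if ev["geo"] in baseline_geos.get(ev["user"], set()):
                continue  # enrollment from a familiar geo: normal self-service use
            first = first_auth.get(key)
            if first is None:
                continue  # no preceding auth from that geo in this batch
            delta = (parse_ts(ev["ts"]) - first).total_seconds()
            if delta <= window.total_seconds():
                alerts.append({"user": ev["user"], "geo": ev["geo"], "ip": ev["ip"],
                               "device": ev.get("device"), "seconds_after_first_auth": delta,
                               "action": "block-enrollment"})
    return alerts

if __name__ == "__main__":
    for alert in find_enrollment_hijacks(EVENTS):
        print(alert)
```

The "action" field is where an automated response (blocking the enrollment rather than paging a human) would hook in, which is the point the s3/s4 note makes about the sub-second transition.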

## Citations

MuddyWater (Seedworm / Iranian MOIS) intrusion campaign branded as 'Chaos ransomware' but operationally a state-sponsored exfiltration operation — the Chaos RaaS skin is a false flag for plausible deniability. No file encryption was performed; the path closes on confidentiality loss only. Initial access via Microsoft Teams 1:1 chat from an attacker-controlled tenant impersonating IT support, with screen-share, credential harvesting (credentials.txt / cred.txt typed during the call), and MFA self-enrollment hijack to register an attacker device. Post-foothold the attacker installed RMM tools (DWAgent, AnyDesk) and a custom RAT chain (ms_upd.exe → Game.exe) via LOLBAS curl + installer invocation. Decompilation of ms_upd.exe shows an operator-gated /register + /check polling protocol — Game.exe is staged only after a human operator on the C2 side approves the victim. This produces a structural VC-2/VC-1 detection window in an otherwise VC-3/VC-4 chain. Compact path: #9 ||[human][@Attacker⇒@MSTeams→@Org]|| →[Δt=?] #4 →[Δt=?] #1 →[Δt=?] #4 →[Δt=?] #1 →[Δt=~5s] #7 →[Δt=?] #7 + [DRE: C]. Source: Rapid7 Threat Research, 'Muddying Tracks: State-Sponsored Shadow Behind Chaos Ransomware' (2026), https://www.rapid7.com/blog/post/tr-muddying-tracks-state-sponsored-shadow-behind-chaos-ransomware/ . 
IOCs: ms_upd.exe SHA-256 24857fe82f454719cd18bcbe19b0cfa5387bee1022008b7f5f3a8be9f05e4d14; Game.exe 1319d474d19eb386841732c728acf0c5fe64aa135101c6ceee1bd0369ecf97b6; dwagent.exe cd098eddb23f2d2f6c42271ca82803b0d5ac950cb82a9b8ae0928e83945a53df; AnyDesk.exe bfc1675ee1e358db8356f515aaded7962923e426aa0a0a1c0eddfc4dab053f89; C2 uploadfiler[.]com (endpoints /home, /index.php 60s poll, /register, /check, /download/Game.{exe,dll,config}); MuddyWater-linked C2 moonzonet[.]com; ms_upd.exe hosting 172.86.126[.]208:443; Teams ingress 77.110.107.235, 93.123.39.127; phishing page adm-pulse[.]com/verify.php (Quick Assist mimic); code-signing cert 'Donald Gay' B674578D4BDB24CD58BF2DC884EAA658B7AA250C (Microsoft ID Verified CS AOC CA 02 — known MuddyWater resource); persistence dir C:\ProgramData\visualwincomp-<random>\; ms_upd staging dir C:\Users\Public\Downloads\GameFiles\; mutex ATTRIBUTES_ObjectKernel; DLL-sideload masquerade Game.dll → WebView2Loader.dll. Attribution: MuddyWater (Seedworm) / Iranian MOIS, moderate confidence per Rapid7. Per Axiom IV, attribution does not drive cluster classification.
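An added example (not the report's or the project's code) of the s6/s7 network behaviour described above, seen from the defender's side: parse constructed web-proxy log lines, reconstruct the operator-gated /register, /check, /download/ staging sequence, and flag a near-constant-cadence poll such as the 60-second /index.php beacon. The log line layout and the host names are assumptions; c2-host.example stands in for the C2 domain.

```python
"""Spot the operator-gated staging protocol (/register, /check polls, /download/...) and a fixed-
cadence poll like the 60 s /index.php beacon in web-proxy logs. Added example: the line layout
and the host names are constructed stand-ins, not a real proxy format or the report's IOCs."""
from datetime import datetime
from statistics import median

# Constructed sample lines "<iso-ts> <src-ip> <method> <host> <path>"; c2-host.example stands in for the C2.
SAMPLE_LOG = """\
2026-05-08T10:00:00Z 10.0.0.5 POST c2-host.example /register
2026-05-08T10:00:10Z 10.0.0.5 POST c2-host.example /check
2026-05-08T10:00:20Z 10.0.0.5 POST c2-host.example /check
2026-05-08T10:00:21Z 10.0.0.5 GET c2-host.example /download/Game.exe
2026-05-08T10:01:00Z 10.0.0.5 GET c2-host.example /index.php
2026-05-08T10:02:00Z 10.0.0.5 GET c2-host.example /index.php
2026-05-08T10:03:01Z 10.0.0.5 GET c2-host.example /index.php
2026-05-08T10:04:00Z 10.0.0.5 GET c2-host.example /index.php
2026-05-08T10:00:05Z 10.0.0.9 GET intranet.example /index.php
"""

def parse_log(text):
    """Parse the constructed layout into dicts sorted by time."""
    entries = [dict(zip(("ts", "src", "method", "host", "path"), line.split())) for line in text.splitlines()]
    for e in entries:
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return sorted(entries, key=lambda e: e["ts"])

def find_staging_sequences(entries):
    """Per (src, host): POST /register, then one or more /check polls, then a /download/ fetch."""
    state, hits = {}, []
    for e in entries:
        st = state.setdefault((e["src"], e["host"]), {"registered": False, "checks": 0})
        if e["method"] == "POST" and e["path"] == "/register":
            st.update(registered=True, checks=0)
        elif e["path"] == "/check" and st["registered"]:
            st["checks"] += 1  # the implant is waiting on the operator's approval flag
        elif e["path"].startswith("/download/") and st["checks"] > 0:
            hits.append({"src": e["src"], "host": e["host"], "checks": st["checks"], "fetched": e["path"]})
    return hits

def find_periodic_beacons(entries, min_hits=4, max_jitter=0.05):
    """Flag a (src, host, method, path) series whose inter-request gaps are near-constant."""
    series = {}
    for e in entries:
        series.setdefault((e["src"], e["host"], e["method"], e["path"]), []).append(e["ts"])
    beacons = []
    for (src, host, _method, path), stamps in series.items():
        if len(stamps) < min_hits:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        med = median(gaps)
        if med > 0 and (max(gaps) - min(gaps)) / med <= max_jitter:
            beacons.append({"src": src, "host": host, "path": path, "period_s": med})
    return beacons
```

The staging detector fires at the VC-2/VC-1 window (the /check loop runs until the operator approves), so it is the one place in the chain where a response has minutes rather than seconds.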
