{"id":209686,"date":"2026-05-06T11:48:00","date_gmt":"2026-05-06T15:48:00","guid":{"rendered":"https:\/\/testing.news-you-need.com\/index.php\/2026\/05\/06\/iran-sponsored-threat-group-behind-false-flag-social-engineering-campaign\/"},"modified":"2026-05-06T11:55:08","modified_gmt":"2026-05-06T15:55:08","slug":"iran-sponsored-threat-group-behind-false-flag-social-engineering-campaign","status":"publish","type":"post","link":"https:\/\/testing.news-you-need.com\/index.php\/2026\/05\/06\/iran-sponsored-threat-group-behind-false-flag-social-engineering-campaign\/","title":{"rendered":"Iran-sponsored threat group behind false flag social engineering campaign"},"content":{"rendered":"<p><a href=\"https:\/\/www.cybersecuritydive.com\/news\/iran-threat-group-false-flag-social-engineering\/819454\/\">Iran-sponsored threat group behind false flag social engineering campaign<\/a><\/p>\n<p><a href=\"https:\/\/www.cybersecuritydive.com\/news\/iran-threat-group-false-flag-social-engineering\/819454\/\">https:\/\/www.cybersecuritydive.com\/news\/iran-threat-group-false-flag-social-engineering\/819454\/<\/a><\/p>\n<p>Publish Date: <a href=\"publish_date]\">2026-05-06 11:48:00<\/a><\/p>\n<p>Source Domain: <a href=\"www.cybersecuritydive.com\">www.cybersecuritydive.com<\/a><\/p>\n<p>Author: <a href=\"\"><\/a><\/p>\n<p>A threat group linked to Iranian intelligence has been running a months-long false-flag operation to hack organizations in the U.S. 
and other countries under the guise of a criminal ransomware group, according to a report released Wednesday by researchers at Rapid7.\u00a0<br \/>\nThe state-sponsored threat group, tracked as MuddyWater, has operated a social engineering campaign since at least February that abused Microsoft Teams to harvest credentials and bypass multifactor authentication.\u00a0<br \/>\nThe attacks were made to look as if they were the work of Chaos, a ransomware-as-a-service group that has been active since 2025. Researchers said the false flag creates ambiguity that could affect how security teams investigate an intrusion.\u00a0<\/p>\n<p>\u201cIf an operation looks like ransomware, defenders may initially treat it as financially motivated cybercrime rather than a state-linked operation,\u201d Christiaan Beek, vice president of cyber intelligence at Rapid7, told Cybersecurity Dive. \u201cThat can slow attribution, complicate response, and give the actor plausible deniability.\u201d<br \/>\nThe Chaos group emerged after an international law enforcement operation, called Operation Checkmate, took down the infrastructure behind the BlackSuit ransomware group. According to the Justice Department, BlackSuit, also known as Royal, was linked to about 450 attacks since 2022, with extortion proceeds of more than $370 million.\u00a0<br \/>\nChaos ransomware has used voice-phishing and IT impersonation to initiate attacks, and the group advertises its RaaS services on underground forums, according to Rapid7. As of March, the group had claimed 36 victims, mostly in construction, manufacturing and business services, with the majority of attacks in the U.S.<br \/>\nThe recent MuddyWater attacks appear to be aimed at organizations of strategic value to Iran, including some government targets, according to Rapid7.<br \/>\nThe social engineering attacks by MuddyWater used Microsoft Teams to reach employees at a targeted organization with chat requests. 
Hackers launched screen sharing sessions with the victims, who were told to enter credentials into a locally created text file. Hackers used those credentials to bypass multifactor authentication.<br \/>\nA remote access tool called DWAgent was used to gain persistence before the use of malware. A custom remote access Trojan called Game.exe was also found.\u00a0<\/p>\n<p>Threat groups have engaged in similar diversionary tactics in the past. Researchers said that despite the deceptive tactics used to present the attacks as Chaos ransomware, the recent attacks have a digital signature affiliated with Iran\u2019s Ministry of Intelligence and Security.<br \/>\nBeyond the attacks against U.S. targets, telemetry shows targeting in other regions, including the Middle East and South Asia. Specific attacks were located against targets in Jordan and Australia.<\/p>\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Iran-sponsored threat group behind false flag social engineering campaign https:\/\/www.cybersecuritydive.com\/news\/iran-threat-group-false-flag-social-engineering\/819454\/ Publish Date: 2026-05-06 11:48:00 
Source&#8230;<\/p>\n","protected":false},"author":1,"featured_media":209687,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/imgproxy.divecdn.com\/YKLOxIOmML8rKlHSAiIZjvrMKo_fohJqJVWO-edJb2k\/g:ce\/rs:fit:770:435\/Z3M6Ly9kaXZlc2l0ZS1zdG9yYWdlL2RpdmVpbWFnZS9pbWFnZTEyMDQyMDIwX21haW4uanBn.webp","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[24,32,25],"class_list":["post-209686","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-cybersecurity","tag-malware","tag-phishing"],"_links":{"self":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/209686"}],"collection":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=209686"}],"version-history":[{"count":1,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/209686\/revisions"}],"predecessor-version":[{"id":209688,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/209686\/revisions\/209688"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/209687"}],"wp:attachment":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=209686"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=209686"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=209686"}],"curies":[{"name":"wp
","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}