DMZ//THREAT INTEL
TLP:WHITE // THREAT ACTOR DOSSIER // MUDDYWATER-CHAOS-FALSEFLAG // FIRST SEEN: 2017 (Operation Olalampo variant: JAN 2026)

MuddyWater (Operation Olalampo — Chaos Ransomware False Flag)

ALSO KNOWN AS: Seedworm, MERCURY, Static Kitten, TEMP.Zagros, ITG17
FROM: DMZ INTELLIGENCE DESK
ORIGIN: Iran (Ministry of Intelligence and Security, MOIS)
ATTRIBUTION: STATE-SPONSORED
STATUS: ACTIVE
FIRST OBSERVED: 2017 (Operation Olalampo variant: JAN 2026)
TECHNICAL: 79/100
RESOURCES: 87/100
PERSISTENCE: 87/100
STEALTH: 87/100
IMPACT: 79/100

Rapid7 disclosed in May 2026 that MuddyWater (Seedworm) ran a false-flag ransomware operation in early 2026 under the Chaos RaaS banner. Forensic analysis tied the intrusion to Operation Olalampo through a cluster of MOIS-linked code-signing certificates (the 'Donald Gay' and 'Amy Cherne' certificates). Operators posing as 'IT Support' used interactive Microsoft Teams screen-sharing sessions to harvest victims' MFA credentials. The operation marks a significant evolution: MuddyWater adopted a commercially available RaaS brand to project a cybercriminal identity while running intelligence-driven targeted intrusions, blurring the line between espionage and ransomware.

OBJECTIVES: Espionage and pre-positioning for disruptive operations; ransomware used as a false flag to complicate attribution and obscure MOIS operational intent.

TTPs:
Chaos RaaS false-flag deployment
MOIS code-signing certificate reuse ('Donald Gay' / 'Amy Cherne' certs)
Microsoft Teams interactive screen-sharing sessions used to harvest MFA credentials
pythonw.exe process injection into suspended processes
Triple/quadruple extortion threats (DDoS, customer notification)
'Blind' countdown timer on the data leak site (DLS) to accelerate negotiation
'IT Support' social engineering persona

TARGET SECTORS:
GOVERNMENT
DEFENSE
TECHNOLOGY
FINANCIAL SERVICES
CRITICAL INFRASTRUCTURE

INFRASTRUCTURE / IOCs: Chaos RaaS infrastructure (DLS with blind countdown timers); MOIS-linked code-signing certs cross-referenced in Operation Olalampo attribution; pythonw.exe injection chain; C2 consistent with prior MuddyWater MOIS infrastructure clusters.
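Two of the indicators above (the 'Donald Gay' / 'Amy Cherne' signer names, and pythonw.exe injecting into a process it has just spawned) translate directly into hunting logic. The script below is an added example written for this page, not Rapid7's or the DMZ desk's tooling. The events are constructed Sysmon-style dicts (EventID 1 = process create, EventID 8 = CreateRemoteThread); the 'Signature' field on EventID 1, the field names and the five-minute correlation window are assumptions.

```python
"""Hunting helpers for two Operation Olalampo indicators named in this dossier:
code-signing certificates issued to 'Donald Gay' / 'Amy Cherne', and
pythonw.exe injecting into a child process it just spawned.

Added example for this page; not Rapid7's or the DMZ desk's tooling. Events
are constructed Sysmon-style dicts (EventID 1 = process create, EventID 8 =
CreateRemoteThread) with an assumed 'Signature' enrichment on EventID 1.
"""
from datetime import datetime, timedelta

# Subject names quoted in the dossier; compared case-insensitively after
# whitespace normalisation so "DONALD  GAY" still matches.
SIGNER_WATCHLIST = {"donald gay", "amy cherne"}

# Assumption: a remote thread more than this long after the child was spawned
# is not treated as part of the same injection chain.
INJECT_WINDOW = timedelta(minutes=5)


def _norm(s):
    return " ".join(s.lower().split())


def _t(e):
    return datetime.fromisoformat(e["UtcTime"])


def signer_hits(events):
    """(image, signer) for every event whose Signature subject is on the watchlist."""
    return [(e["Image"], e["Signature"]) for e in events
            if e.get("Signature") and _norm(e["Signature"]) in SIGNER_WATCHLIST]


def pythonw_injection_chains(events, window=INJECT_WINDOW):
    """Correlate 'pythonw.exe spawns child' with 'pythonw.exe opens a remote
    thread into that child' inside `window`.

    Sysmon does not record CREATE_SUSPENDED, so the spawn-then-inject order
    is used as the observable proxy for the suspended-process injection the
    dossier describes. Returns (child_pid, child_image) per chain."""
    spawned = {}   # child pid -> (child image, spawn time)
    chains = []
    for e in sorted(events, key=_t):
        if e["EventID"] == 1 and e.get("ParentImage", "").lower().endswith("\\pythonw.exe"):
            spawned[e["ProcessId"]] = (e["Image"], _t(e))
        elif e["EventID"] == 8 and e.get("SourceImage", "").lower().endswith("\\pythonw.exe"):
            hit = spawned.get(e["TargetProcessId"])
            if hit and timedelta(0) <= _t(e) - hit[1] <= window:
                chains.append((e["TargetProcessId"], hit[0]))
    return chains


# Constructed sample telemetry: one signer hit, one injection chain, two decoys.
PYW = "C:\\Python311\\pythonw.exe"
EVENTS = [
    {"EventID": 1, "UtcTime": "2026-01-14T09:00:00", "ProcessId": 4120,
     "Image": "C:\\Users\\a\\AppData\\Local\\Temp\\update.exe",
     "ParentImage": "C:\\Windows\\explorer.exe", "Signature": "Donald  Gay"},
    {"EventID": 1, "UtcTime": "2026-01-14T09:00:05", "ProcessId": 4200,
     "Image": PYW, "ParentImage": "C:\\Users\\a\\AppData\\Local\\Temp\\update.exe",
     "Signature": "Python Software Foundation"},
    {"EventID": 1, "UtcTime": "2026-01-14T09:00:06", "ProcessId": 4300,
     "Image": "C:\\Windows\\System32\\svchost.exe", "ParentImage": PYW,
     "Signature": "Microsoft Windows"},
    {"EventID": 8, "UtcTime": "2026-01-14T09:00:07", "SourceProcessId": 4200,
     "SourceImage": PYW, "TargetProcessId": 4300,
     "TargetImage": "C:\\Windows\\System32\\svchost.exe"},
    # Decoy: remote thread from pythonw.exe into a process it did not spawn.
    {"EventID": 8, "UtcTime": "2026-01-14T09:00:09", "SourceProcessId": 4200,
     "SourceImage": PYW, "TargetProcessId": 9999, "TargetImage": "C:\\x.exe"},
    # Decoy: benign signed process, no watchlist match.
    {"EventID": 1, "UtcTime": "2026-01-14T09:01:00", "ProcessId": 5000,
     "Image": "C:\\Windows\\System32\\notepad.exe",
     "ParentImage": "C:\\Windows\\explorer.exe", "Signature": "Microsoft Windows"},
]

if __name__ == "__main__":
    print("signer hits:", signer_hits(EVENTS))
    print("pythonw injection chains:", pythonw_injection_chains(EVENTS))
```

The signer check is a low-noise, high-confidence match but only fires while the actor reuses the same certificates, so treat it as a confirmation signal rather than the primary detection. The pythonw.exe correlation is the durable one: a Python interpreter opening a remote thread into a child it spawned seconds earlier has almost no legitimate precedent on a workstation, and the proxy holds even though the CREATE_SUSPENDED flag itself is not visible in Sysmon.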

FILE DATE: JAN 2026
Operation Olalampo — Chaos Ransomware False Flag
MuddyWater operated under the Chaos RaaS banner in targeted intrusions against US and Western organizations, harvesting MFA credentials over Microsoft Teams and using MOIS-linked code-signing certificates. Rapid7 publicly disclosed the operation in May 2026 with moderate-confidence attribution.