MuddyWater APT Uses Microsoft Teams in False Flag Attack to Steal Credentials
- John Jordan
The Iranian state-sponsored hacking group MuddyWater has been identified exploiting Microsoft Teams in a sophisticated "false flag" operation. The attackers disguised their espionage activities as a ransomware attack, using the Chaos ransomware brand to mislead victims and security researchers while focusing on credential theft and long-term system persistence.
Key Takeaways
MuddyWater, an Iranian APT group, is behind a recent cyberattack.
Microsoft Teams was used as the primary vector for social engineering and initial access.
The attack mimicked a ransomware operation but focused on data exfiltration and persistence, not encryption.
Attackers manipulated Multi-Factor Authentication (MFA) to gain persistent access.
Custom malware, including a RAT named Game.exe, was deployed.
Deceptive Tactics: The Chaos Ransomware Facade
The campaign, observed in early 2026, initially appeared to be a ransomware-as-a-service (RaaS) attack by the Chaos group. However, security researchers from Rapid7 discovered that the ransomware elements were a deliberate misdirection. Instead of encrypting files, MuddyWater focused on reconnaissance, credential harvesting, and establishing persistent access using tools like DWAgent and AnyDesk.
Exploiting Microsoft Teams for Initial Access
MuddyWater initiated the attack by sending unsolicited external chat requests via Microsoft Teams. Once a connection was established, attackers engaged victims in screen-sharing sessions. During these sessions, they instructed users to enter their credentials into local text files and to add attacker-controlled devices to their Multi-Factor Authentication (MFA) configurations. Because an attacker-controlled device was now a registered MFA method, the attackers could satisfy MFA challenges themselves and sign in as the victim, bypassing the protection MFA is meant to provide.
Custom Malware and Persistence
Following initial access, the threat actors deployed a custom downloader, , which fetched a multi-stage payload. This included a legitimate Microsoft DLL () and a custom Remote Access Trojan (RAT) named (also known as Darkcomp). This RAT masqueraded as a legitimate Microsoft application and was capable of executing commands, manipulating files, and establishing interactive shells. The attackers also leveraged RDP sessions and legitimate remote management tools to ensure long-term persistence within the victim's network.
Attribution and Obfuscation
Several technical indicators pointed to MuddyWater's involvement. A code-signing certificate associated with the name "Donald Gay," previously used by the group, was found embedded in the malware. Additionally, command-and-control (C2) domains used in the attack were previously linked to MuddyWater's activities. The use of the Chaos ransomware brand and the focus on data exfiltration rather than encryption are seen as deliberate attempts by MuddyWater to obscure attribution and complicate defensive responses, blurring the lines between state-sponsored espionage and financially motivated cybercrime.
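Two of the persistence and attribution details above (remote management tools such as DWAgent and AnyDesk used for long-term access, and a RAT posing as a Microsoft application while signed under the "Donald Gay" name) translate into simple endpoint-hunting checks. The Python below is an added example for this page, not code from the article or from Rapid7; the process-event schema, the binary names, the per-host approval list and the sample signer and product strings are all constructed assumptions. It flags remote-access tool binaries that are not approved for the host they run on, and binaries whose product metadata claims Microsoft while the signer does not.

```python
import ntpath

# Assumed binary names for the remote management tools named in the article;
# real deployments may use different file names, so treat this list as tunable.
REMOTE_TOOL_BINARIES = {"anydesk.exe", "dwagent.exe"}

# Constructed process-execution events (hypothetical schema). Signer and product
# strings are made up for the example; "Game.exe" and "Donald Gay" come from the article.
SAMPLE_PROCESS_EVENTS = [
    {"host": "ws01", "user": "alice", "image": r"C:\Users\alice\AppData\Local\Temp\AnyDesk.exe",
     "product": "AnyDesk", "signer": "constructed-vendor-signer"},
    {"host": "ws01", "user": "alice", "image": r"C:\Users\alice\AppData\Local\Temp\dwagent.exe",
     "product": "DWAgent", "signer": ""},
    {"host": "srv02", "user": "helpdesk", "image": r"C:\Program Files\AnyDesk\AnyDesk.exe",
     "product": "AnyDesk", "signer": "constructed-vendor-signer"},
    {"host": "ws01", "user": "alice", "image": r"C:\Users\alice\AppData\Roaming\Microsoft\Game.exe",
     "product": "Microsoft Windows Component", "signer": "Donald Gay"},
    {"host": "ws03", "user": "bob", "image": r"C:\Windows\System32\notepad.exe",
     "product": "Microsoft Windows Operating System", "signer": "Microsoft Windows"},
]

# Hosts on which a given remote tool is sanctioned (constructed example policy).
APPROVED_REMOTE_TOOLS = {"srv02": {"anydesk.exe"}}


def flag_endpoint_events(events, approved=APPROVED_REMOTE_TOOLS):
    """Return findings for unapproved remote tools and Microsoft-branded binaries not signed by Microsoft."""
    findings = []
    for event in events:
        host = event["host"]
        binary = ntpath.basename(event["image"]).lower()

        # Remote management tool running on a host where it is not sanctioned.
        if binary in REMOTE_TOOL_BINARIES and binary not in approved.get(host, set()):
            findings.append({"host": host, "image": event["image"],
                             "reason": "unapproved_remote_tool"})

        # Product metadata claims Microsoft but the signing identity is not Microsoft.
        claims_microsoft = "microsoft" in event.get("product", "").lower()
        signed_by_microsoft = event.get("signer", "").lower().startswith("microsoft")
        if claims_microsoft and not signed_by_microsoft:
            findings.append({"host": host, "image": event["image"],
                             "reason": "microsoft_masquerade",
                             "signer": event.get("signer", "")})
    return findings


def hosts_with_findings(events, approved=APPROVED_REMOTE_TOOLS):
    """Convenience view: which hosts need triage."""
    return sorted({f["host"] for f in flag_endpoint_events(events, approved)})


if __name__ == "__main__":
    for finding in flag_endpoint_events(SAMPLE_PROCESS_EVENTS):
        print(finding)
```

The signer check is deliberately loose (a prefix match on the signer string) so that it catches a self-chosen certificate name like the one described above; in production you would compare against the full verified certificate chain rather than a display name, and pair the remote-tool check with RDP logon telemetry for the same hosts.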
Sources
MuddyWater Uses Microsoft Teams to Steal Credentials in False Flag Ransomware Attack, The Hacker News.
Hackers Exploit Microsoft Teams to Steal Credentials and Bypass MFA, Cyber Press.
Hackers Use Microsoft Teams to Steal Credentials and Manipulate MFA, CyberSecurityNews.
Iranian APT Intrusion Masquerades as Chaos Ransomware Attack, SecurityWeek.
Cybercriminals Exploit Microsoft Teams to Phish Login Credentials and Bypass MFA, GBHackers News.
