The Iranian cyber-espionage group MuddyWater, linked to Iran’s Ministry of Intelligence and Security (MOIS) and also tracked as Mango Sandstorm, Seedworm and Static Kitten, has been identified as the author of an attack that disguised itself as ransomware to conceal its true espionage objectives. The report, published by Rapid7 on 6 May 2026, reveals a “false flag” operation in which Microsoft Teams was the initial attack vector. There was no file encryption, no real financial extortion: the objective was access, credentials and long-term persistence. The ransomware was merely a smokescreen.

What do we know about MuddyWater’s Microsoft Teams attack?

The facts confirmed by Rapid7’s report, amplified by The Hacker News, BleepingComputer, SecurityWeek, SC Media and Infosecurity Magazine, are as follows:

  • Initial vector: attackers sent unsolicited external chat requests to employees via Microsoft Teams, impersonating an “IT Support” persona. Once contact was established, they initiated interactive screen-sharing sessions.
  • Credential theft through direct social engineering: during the screen-sharing sessions, victims were instructed to run discovery commands (ipconfig /all, whoami, net start), to type their passwords into locally created text files (credentials.txt, cred.txt) and, in some cases, to access phishing pages impersonating Microsoft Quick Assist.
  • MFA manipulation: attackers convinced employees to add attacker-controlled devices to their multi-factor authentication configurations, achieving persistence even if passwords were subsequently changed.
  • No file encryption: despite operating under the Chaos ransomware brand, no files were encrypted. This is the critical indicator: in a genuine ransomware attack, encryption is the central act. Its absence reveals that the objective was espionage, not extortion.
  • Post-exploitation: with access established, attackers installed DWAgent, AnyDesk and RDP to maintain remote presence. They deployed the dropper ms_upd.exe — signed with the “Donald Gay” certificate previously linked to MuddyWater — which installed the custom RAT Game.exe, a trojanised version of Microsoft WebView2 supporting command execution, file transfer and interactive shells, communicating with C2 domains moonzonet[.]com and uploadfiler[.]com.
  • Extortion as a façade: the group listed the victim on the Chaos data-leak site and sent extortion emails. The real objective was to focus the incident response team on ransomware recovery while MuddyWater maintained persistent access.
  • Attribution with moderate confidence: Rapid7 bases attribution on the “Donald Gay” certificate (previously linked to MuddyWater’s Stagecomp malware), the C2 domain moonzonet[.]com (used in prior attacks against Israeli and Western organisations in 2026), and the use of pythonw.exe to inject code into suspended processes — a characteristic signature of the group.

Why state-sponsored APTs have made Microsoft Teams their preferred attack vector

MuddyWater’s case is not isolated. The convergence of corporate productivity tools and cyber-espionage operations is a documented trend that has accelerated throughout 2025 and 2026. Four structural factors explain this shift:

  1. High implicit trust among users. Employees are trained to distrust emails from unknown senders, but not Teams messages from accounts claiming to be “IT Support”. The perception that Teams is an “internal and secure” tool lowers the alertness threshold significantly.
  2. Screen-sharing removes technical barriers in the initial phase. An interactive screen-sharing session gives the attacker direct visibility into the user’s environment without needing to deploy malware in the first phase. Initial access requires no exploits.
  3. Indistinguishable from legitimate technical support. The “IT Support” persona MuddyWater has refined on Teams closely mimics internal processes in many organisations. Distinguishing an attacker from a genuine technician requires active verification.
  4. Natural MFA bypass through social engineering. MFA solutions do not protect against an employee who voluntarily adds an attacker-controlled device to their configuration. Social engineering turns the user themselves into the bypass vector.

How this type of attack works: the technical chain step by step

The attack documented by Rapid7 follows a specific and replicable chain:

  1. External Teams chat request: attackers sent external chat invitations to employees using the name or visual profile of “IT Support” to generate trust.
  2. Screen-sharing and initial reconnaissance: during the shared session, the attacker ran discovery commands (ipconfig /all, whoami, net start) and accessed files related to the victim’s VPN configuration.
  3. Credential harvesting: victims were instructed to type passwords into local .txt files or enter them into Quick Assist phishing pages. MFA settings were manipulated to add attacker-controlled devices.
  4. Persistence installation: using compromised accounts, the attacker installed DWAgent, AnyDesk and established RDP sessions to maintain remote access independent of the original credentials.
  5. Implant deployment: a curl command installed ms_upd.exe, which contacted moonzonet[.]com and downloaded three components: WebView2Loader.dll, the configuration file visualwincomp.txt, and the RAT Game.exe.
  6. Operation under ransomware cover: the group listed the victim on the Chaos portal and sent extortion emails, generating a ransomware-focused incident response that concealed the underlying espionage activity.

While the security team managed the supposed extortion, MuddyWater maintained persistent access and gathered intelligence undetected.

Key lessons and IoCs for SOC teams and security leaders

Rapid7’s report provides concrete indicators of compromise and actionable recommendations for any organisation using Microsoft 365 and Teams:

Indicators of compromise (IoCs) to monitor right now:

  • External Teams chat requests from accounts claiming to be “IT Support”, followed by screen-sharing requests.
  • Creation of credentials.txt or cred.txt files in user-accessible directories.
  • Installation of DWAgent, AnyDesk or Game.exe (trojanised WebView2) on corporate systems.
  • Network communications to moonzonet[.]com and uploadfiler[.]com (port 443).
  • Binaries signed with the “Donald Gay” certificate.
  • Use of pythonw.exe to inject code into suspended processes.
  • Addition of new devices to MFA configurations not initiated by the user themselves.

Recommended actions:

  • Configure Teams to restrict or block unverified external chats and require explicit approval before allowing screen-sharing sessions with external parties.
  • Review all users’ active MFA configurations to identify recently added devices that users themselves do not recognise.
  • Search endpoints for credentials.txt, cred.txt, and the binaries Game.exe and ms_upd.exe.
  • Add moonzonet[.]com and uploadfiler[.]com to firewall and proxy block lists.
  • Communicate to all staff that IT Support never requests passwords via Teams or asks for screen access without a formally verified process.
  • Treat any extortion not accompanied by file encryption as a high-priority APT alert, not ordinary ransomware.
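The following script is an added example, not code from the Rapid7 report or from this page's author: it turns the indicators listed above and the endpoint-search recommendation into hunting rules and runs them over a constructed telemetry sample. The event schema, the host names and the heuristic of flagging pythonw.exe launching a child in the suspended state are assumptions.

```python
# Indicators quoted on this page from the Rapid7 report; everything else is constructed.
C2_DOMAINS = {"moonzonet.com", "uploadfiler.com"}
CRED_FILES = {"credentials.txt", "cred.txt"}
IMPLANT_BINARIES = {"game.exe", "ms_upd.exe", "webview2loader.dll"}
REMOTE_TOOLS = ("dwagent", "anydesk")
SUSPECT_SIGNER = "donald gay"

def _basename(path: str) -> str:
    """Return the lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def check_event(ev: dict) -> list[tuple[str, str, str]]:
    """Match one telemetry event (hypothetical schema) against the IoCs; one event may trip several rules."""
    hits = []
    kind = ev.get("type")
    if kind == "file_create" and _basename(ev["path"]) in CRED_FILES:
        hits.append(("credential_file", "high", ev["path"]))
    elif kind == "process_create":
        image = _basename(ev["image"])
        if image in IMPLANT_BINARIES:
            hits.append(("implant_binary", "critical", ev["image"]))
        if ev.get("signer", "").lower() == SUSPECT_SIGNER:
            hits.append(("suspect_signer", "critical", ev["image"]))
        if any(tool in image for tool in REMOTE_TOOLS):
            hits.append(("remote_access_tool", "medium", ev["image"]))
        # Assumed heuristic for the pythonw.exe suspended-process injection the page describes.
        if _basename(ev.get("parent_image", "")) == "pythonw.exe" and ev.get("suspended"):
            hits.append(("pythonw_suspended_child", "high", ev["image"]))
    elif kind == "net_connect":
        domain = ev.get("domain", "").lower().replace("[.]", ".")  # accept defanged input
        if domain in C2_DOMAINS and ev.get("dport") == 443:
            hits.append(("c2_domain", "critical", domain))
    return hits

def hunt(events: list[dict]) -> list[tuple[str, str, str, str]]:
    """Run every event through the rules and prefix each finding with its host."""
    return [(ev.get("host", "?"),) + hit for ev in events for hit in check_event(ev)]

# Constructed sample telemetry (not from the report) to exercise the rules.
SAMPLE_EVENTS = [
    {"type": "file_create", "host": "WS01", "path": r"C:\Users\ana\Desktop\cred.txt"},
    {"type": "process_create", "host": "WS01", "image": r"C:\Temp\ms_upd.exe", "signer": "Donald Gay"},
    {"type": "net_connect", "host": "WS01", "domain": "moonzonet[.]com", "dport": 443},
    {"type": "process_create", "host": "WS02", "image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Python\pythonw.exe", "suspended": True},
    {"type": "process_create", "host": "WS03", "image": r"C:\Windows\explorer.exe", "signer": "Microsoft"},
]
```

Running `hunt(SAMPLE_EVENTS)` yields five findings on WS01 and WS02 and none for the benign WS03 event; feeding the same rules from real EDR or proxy exports only requires mapping the fields into this schema.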

Cybersecurity as a strategic priority

The MuddyWater-Chaos case confirms a new normal that security teams must accept: state-sponsored cyber-espionage groups are adopting the aesthetics of financial cybercrime to conceal their operations. An attack that looks like ransomware may be an intelligence operation. An extortion that appears opportunistic may be prepositioning for future disruptive attacks.

For European and Spanish organisations, the message is direct: defence cannot be based on recognising attacks by their appearance. It requires behaviour-based detection, real-time identity and access monitoring, and incident response processes that account for the false-flag scenario from the outset.

Apolo Cybersecurity: detecting what is hidden

At Apolo Cybersecurity we help security teams identify and respond to sophisticated APT campaigns disguised as ordinary cybercrime. We work on identity and access behaviour analysis, detection of advanced social engineering techniques on corporate platforms such as Microsoft Teams, implementation of Microsoft 365-specific security controls, forensic investigation of APT incidents, and false-flag attack response simulations.

If your organisation uses Microsoft Teams and does not have specific controls against unsolicited external chat requests or verification policies for screen-sharing sessions with external parties, the vector MuddyWater used in this attack is currently open.
