MuddyWater uses Microsoft Teams false flag to steal credentials and bypass MFA

12 articles · Updated · Cybersecurity Dive · May 6
  • Rapid7 said the Iran-linked group targeted US organisations and victims in Jordan and Australia, with telemetry also showing activity across the Middle East and South Asia.
  • Attackers posed as Chaos ransomware operators, used Teams screen-sharing to trick staff into entering credentials, then deployed DWAgent and a custom trojan, Game.exe, for persistence and follow-on malware.
  • Researchers said the campaign went after strategically valuable targets, including some government organisations, and that dressing espionage up as financially motivated cybercrime could delay attribution.
Is Iran's 'ransomware' campaign a direct cyber retaliation for recent US-led military operations?
When a ransom note is a smokescreen for espionage, how can organizations identify the true attacker's motive?
As state hackers use AI to build malware, are current cyber defenses becoming obsolete?

The 2026 MuddyWater Operation: Blurring Lines Between Ransomware and State Espionage

Overview

In early 2026, the Iranian state-sponsored group MuddyWater ran a cyber espionage campaign targeting Israeli, Western and U.S. financial and defense organizations. The intrusion began with social engineering over Microsoft Teams: employees were tricked into revealing their credentials, which gave the attackers a foothold on the network. From there they injected code into pythonw.exe (the windowless build of the legitimate Python interpreter, which makes a good host for code that should not show a console), harvested further credentials, moved laterally, and deployed custom malware and a backdoor.

To mislead defenders, the attackers then staged a fake Chaos ransomware attack, dropping ransomware artifacts without encrypting any data. They claimed to have exfiltrated data and set a ransom countdown, but ultimately published the stolen data themselves, which exposed the operation's true espionage intent against the backdrop of geopolitical tensions following the Israel-U.S. strikes on Iran.
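The bullet summary above and this overview both make the same operational point: ransom notes and renamed files do not prove encryption happened, and treating a staged event as ransomware hands the attacker the attribution delay they want. The check below is an added example written for this page, not code from Rapid7 or from the tooling described here. It walks a directory, separates ransom-note-like files from payload files, and classifies each payload file by whether its original file header survives and by its Shannon entropy: genuine ciphertext has no recognisable magic bytes and close to 8 bits of entropy per byte, whereas a merely renamed file keeps both its header and its low entropy. The note-name pattern, the `.locked` extension and the sample files are constructed for the demo and are not indicators from the campaign; the deterministic SHA-256 counter stream stands in for real ciphertext so the demo runs offline.

```python
"""Triage helper: does a 'ransomware' event show real encryption?

Added example for this page (not Rapid7's or the actors' code). All sample
data below is constructed; the ransom-note name pattern and the .locked
extension are placeholders, not observed indicators.
"""
import hashlib
import math
import re
import tempfile
from collections import Counter
from pathlib import Path

# Assumption: ransom notes are usually named along these lines.
NOTE_NAME_RE = re.compile(r"(readme|recover|decrypt|how[_ -]?to|restore)", re.I)

# Well-known magic bytes; a file that still starts with one was not encrypted.
MAGIC = {
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip/office",
    b"\x89PNG": "png",
    b"\xff\xd8\xff": "jpeg",
    b"\xd0\xcf\x11\xe0": "ole/legacy office",
}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or constant input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify_file(path: Path, sample_size: int = 65536) -> dict:
    """Look at the first sample_size bytes: intact header => not encrypted,
    no header and near-maximal entropy => likely encrypted (or compressed)."""
    with open(path, "rb") as fh:
        head = fh.read(sample_size)
    magic = next((t for m, t in MAGIC.items() if head.startswith(m)), None)
    ent = shannon_entropy(head)
    if magic is not None:
        verdict = "plaintext (header intact)"
    elif ent >= 7.9:
        verdict = "likely encrypted or compressed"
    else:
        verdict = "plaintext (low entropy)"
    return {"path": str(path), "entropy": round(ent, 2), "magic": magic, "verdict": verdict}

def triage_directory(root: Path) -> dict:
    """Split ransom notes from payload files and decide if the event is staged:
    notes present but nothing actually encrypted."""
    notes, files = [], []
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        if NOTE_NAME_RE.search(p.name):
            notes.append(str(p))
        else:
            files.append(classify_file(p))
    encrypted = [f for f in files if f["verdict"].startswith("likely encrypted")]
    return {"notes": notes, "files": files,
            "encrypted_count": len(encrypted),
            "staged": bool(notes) and not encrypted}

def pseudo_ciphertext(seed: bytes, length: int) -> bytes:
    """Deterministic stand-in for ciphertext: SHA-256 in counter mode."""
    out, i = bytearray(), 0
    while len(out) < length:
        out += hashlib.sha256(seed + i.to_bytes(4, "big")).digest()
        i += 1
    return bytes(out[:length])

def build_demo(root: Path, real_encryption: bool) -> None:
    """Constructed sample tree: one ransom note and two 'victim' files.
    real_encryption=False renames only (staged); True replaces the contents."""
    (root / "HOW_TO_RECOVER_FILES.txt").write_text("Your files are encrypted. Pay within 72 hours.\n")
    pdf = b"%PDF-1.7\n" + b"Quarterly report text, low entropy. " * 400
    text = b"plaintext notes " * 500
    if real_encryption:
        pdf = pseudo_ciphertext(b"pdf", len(pdf))
        text = pseudo_ciphertext(b"txt", len(text))
    (root / "report.pdf.locked").write_bytes(pdf)   # .locked is a placeholder extension
    (root / "notes.txt.locked").write_bytes(text)

def run_demo(real_encryption: bool) -> dict:
    """Build the sample tree in a temp dir and triage it."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        build_demo(root, real_encryption)
        return triage_directory(root)

if __name__ == "__main__":
    for label, real in (("renamed only (staged)", False), ("real encryption", True)):
        r = run_demo(real)
        print(f"{label}: notes={len(r['notes'])} encrypted={r['encrypted_count']} staged={r['staged']}")
        for f in r["files"]:
            print(f"  {Path(f['path']).name:20} entropy={f['entropy']:.2f} magic={f['magic']} -> {f['verdict']}")
```

Treat the verdict as one signal, not proof: intermittent encryption still destroys headers so it is caught, but archive formats without an entry in the magic table read as "likely encrypted or compressed", and an actor who wants the fake to survive this check can overwrite files with random bytes just as easily as renaming them. Paired with the question of whether any decryptor or payment channel actually exists, and with the fact noted above that the stolen data was published rather than held for ransom, it is enough to stop an incident being filed as ransomware on the strength of a ransom note alone.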

...