
Iranian MuddyWater group stages false‑flag ransomware attack

Incident (open): May 6, 2026 — Jun 24, 2026

In early 2026 the Iranian cyber‑espionage group MuddyWater launched a campaign that masqueraded as a Chaos ransomware attack, using Microsoft Teams to trick victims into sharing their screens and handing over credentials, Rapid7 reported. The attackers contacted employees through chat messages that appeared to come from internal IT support, persuading them to join a screen‑sharing session under the pretence of troubleshooting a software issue. Once access was granted, the threat actors harvested usernames, passwords and session tokens, and they also manipulated multi‑factor authentication prompts to gain full account control. Although the gang later posted extortion notes and directed victims to a leak site, they never deployed any file‑encrypting ransomware, focusing instead on data theft and maintaining a foothold inside the network.

The initial foothold allowed the intruders to move laterally across the corporate environment, abusing legitimate admin tools and stolen credentials to hop between workstations and servers, Infosecurity Magazine explained. They established persistence by creating scheduled tasks and registering new services that pointed to remote‑access binaries such as DWAgent and AnyDesk, which are commonly used for legitimate remote support but were repurposed for covert control. Credential‑dumping utilities were executed on domain controllers, enabling the attackers to pull password hashes and later crack them for broader access. Internal reconnaissance queries identified file shares containing intellectual property, employee data and email archives, which were then compressed and staged for exfiltration. Finally, the data was transferred out via encrypted channels to attacker‑controlled servers, after which extortion emails were sent threatening public release unless a payment in cryptocurrency was made.

Rapid7 attributed the activity to MuddyWater, also known as Seedworm or Mango Sandstorm, assigning moderate confidence to the link and noting the group’s historical ties to Iran’s Ministry of Intelligence and Security, SecurityAffairs highlighted. The operation fits a broader pattern in which nation‑state actors blend espionage tactics with the outward appearance of financially motivated cybercrime to confuse attribution and delay defensive responses. By mimicking the rhetoric and extortion mechanics of ransomware gangs, the group sought to make defenders prioritize decryption efforts over hunting for data‑exfiltration artefacts. No CVE identifiers were tied to the intrusion because it relied on the abuse of trusted applications and valid credentials rather than exploiting a specific software flaw.

Telemetry collected from February through June 2026 showed the campaign remained active, with victims spanning sectors such as energy, telecommunications and government agencies across Europe and the Middle East, The Hacker News noted. Incident responders initially classified the events as conventional ransomware because of the ransom notes, the reference to a Chaos leak site and the demand for payment in Bitcoin. Further investigation revealed the absence of any encryption routines, the presence of long‑term remote‑access implants and the steady exfiltration of staged data bundles. Although the extortion demands were consistent across cases, there is no publicly verified instance of a victim paying the ransom, suggesting the primary goal remained intelligence gathering rather than financial gain.

Defenders should begin by tightening Microsoft Teams policies, disabling guest screen‑sharing by default and requiring administrator approval for any external participant to join a call, SecurityWeek advises. Enforcing phishing‑resistant multi‑factor authentication, such as FIDO2 security keys, reduces the risk that stolen passwords can be abused even if credentials are harvested. Endpoint detection and response tools need to be tuned to alert on the execution of known remote‑access binaries like DWAgent and AnyDesk, especially when they appear in non‑standard locations or are launched by atypical user accounts. Network segmentation should isolate critical assets, preventing lateral movement from a compromised workstation to domain controllers or file servers holding sensitive data.

Threat hunters can query logs for unusual Teams call metadata, such as long‑duration screen‑sharing sessions initiated by external addresses, and correlate those events with processes that spawn DWAgent or AnyDesk executables. Regular credential rotation, combined with the use of privileged access workstations, limits the window during which stolen password hashes remain useful for attackers.
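The hunt described in the two paragraphs above, written out as an added example (it is not code from the original page or from the Rapid7 report): it flags DWAgent or AnyDesk launches from non‑standard paths or atypical accounts, flags scheduled tasks and services that point at those binaries, and correlates both with long screen‑sharing sessions initiated from outside the tenant on the same host. The event schemas, the "standard" install folders, the allowed admin accounts, the `corp.example` domain, the 20‑minute and 30‑minute thresholds and every sample event are constructed assumptions for illustration.

```python
"""Correlate Teams screen shares with remote-access tool activity on the same host.

Constructed example: schemas, paths, accounts, thresholds and sample events are
assumptions for illustration, not data from the Rapid7 report.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Tools named in the write-up, mapped to the folders a legitimately deployed
# copy is expected to run from (assumed for this example).
REMOTE_ACCESS_TOOLS = {
    "dwagent.exe": ("c:\\program files\\dwagent\\",),
    "anydesk.exe": ("c:\\program files (x86)\\anydesk\\", "c:\\program files\\anydesk\\"),
}
ADMIN_ACCOUNTS = {"corp\\it-support", "corp\\svc-remote"}  # assumed remote-support accounts
INTERNAL_DOMAIN = "corp.example"                              # assumed tenant domain
LONG_SHARE = timedelta(minutes=20)           # a share at least this long counts as "long"
CORRELATION_WINDOW = timedelta(minutes=30)   # follow-on activity is sought this far past share end


@dataclass
class ProcessEvent:
    ts: datetime
    host: str
    user: str
    image: str  # full path of the launched binary


@dataclass
class PersistenceEvent:
    ts: datetime
    host: str
    kind: str     # "scheduled_task" or "service"
    name: str
    command: str  # command line the task or service points at


@dataclass
class TeamsShareEvent:
    start: datetime
    end: datetime
    host: str       # workstation of the internal participant
    organizer: str  # UPN of the party that initiated the screen share


def _binary_name(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def flag_process(ev: ProcessEvent):
    """Reason string if a remote-access tool ran from an odd path or account, else None."""
    name = _binary_name(ev.image)
    if name not in REMOTE_ACCESS_TOOLS:
        return None
    folder = ev.image.lower().replace("/", "\\").rsplit("\\", 1)[0] + "\\"
    reasons = []
    if not any(folder.startswith(p) for p in REMOTE_ACCESS_TOOLS[name]):
        reasons.append(f"{name} launched from non-standard path {folder}")
    if ev.user.lower() not in ADMIN_ACCOUNTS:
        reasons.append(f"{name} launched by atypical account {ev.user}")
    return "; ".join(reasons) or None


def flag_persistence(ev: PersistenceEvent):
    """Reason string if a task or service command points at a remote-access tool, else None."""
    cmd = ev.command.lower()
    for tool in REMOTE_ACCESS_TOOLS:
        if tool in cmd:
            return f"{ev.kind} '{ev.name}' points at {tool}"
    return None


def external_long_shares(shares):
    """Screen shares that ran long and were initiated from outside the tenant."""
    return [s for s in shares
            if s.end - s.start >= LONG_SHARE
            and not s.organizer.lower().endswith("@" + INTERNAL_DOMAIN)]


def correlate(shares, processes, persistence):
    """Join suspicious shares to RAT launches and persistence on the same host, in time order."""
    findings = []
    for s in external_long_shares(shares):
        deadline = s.end + CORRELATION_WINDOW
        for p in processes:
            if p.host == s.host and s.start <= p.ts <= deadline and flag_process(p):
                findings.append((s.host, p.ts, flag_process(p)))
        for e in persistence:
            if e.host == s.host and s.start <= e.ts <= deadline and flag_persistence(e):
                findings.append((s.host, e.ts, flag_persistence(e)))
    return sorted(findings, key=lambda f: f[1])


# Constructed sample telemetry (not real indicators): a 35-minute share from an
# external "helpdesk", then DWAgent from %TEMP%, a task pointing at it, and
# AnyDesk from C:\Users\Public on the same host; WS-0201 is benign activity.
T0 = datetime(2026, 3, 12, 9, 0)
SAMPLE_SHARES = [
    TeamsShareEvent(T0, T0 + timedelta(minutes=35), "WS-0142", "it.helpdesk@support-teams.example"),
    TeamsShareEvent(T0, T0 + timedelta(minutes=5), "WS-0201", "alice@corp.example"),
]
SAMPLE_PROCESSES = [
    ProcessEvent(T0 + timedelta(minutes=12), "WS-0142", "CORP\\jdoe", "C:\\Windows\\System32\\notepad.exe"),
    ProcessEvent(T0 + timedelta(minutes=18), "WS-0142", "CORP\\jdoe", "C:\\Users\\jdoe\\AppData\\Local\\Temp\\DWAgent.exe"),
    ProcessEvent(T0 + timedelta(minutes=50), "WS-0142", "CORP\\jdoe", "C:\\Users\\Public\\AnyDesk.exe"),
    ProcessEvent(T0 + timedelta(minutes=10), "WS-0201", "CORP\\it-support", "C:\\Program Files (x86)\\AnyDesk\\AnyDesk.exe"),
]
SAMPLE_PERSISTENCE = [
    PersistenceEvent(T0 + timedelta(minutes=22), "WS-0142", "scheduled_task", "WindowsUpdateCheck",
                     '"C:\\Users\\jdoe\\AppData\\Local\\Temp\\DWAgent.exe" -silent'),
    PersistenceEvent(T0 + timedelta(minutes=40), "WS-0201", "service", "Spooler", "C:\\Windows\\System32\\spoolsv.exe"),
]


def run_hunt():
    return correlate(SAMPLE_SHARES, SAMPLE_PROCESSES, SAMPLE_PERSISTENCE)


if __name__ == "__main__":
    for host, ts, reason in run_hunt():
        print(f"{ts:%H:%M} {host}: {reason}")
```

On the sample data the legitimate AnyDesk launch by the IT‑support account from its install folder produces nothing, while the external 35‑minute share on WS‑0142 yields three findings in time order: DWAgent from a user temp folder by a non‑admin account, the scheduled task pointing at that binary, and AnyDesk from C:\Users\Public inside the 30‑minute post‑share window. In a real deployment the three event types would come from the Teams call records, the EDR process‑creation feed and the task/service registration logs, and the correlation window and path lists would be tuned to the environment.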

Organizations should also share the indicators of compromise released in the Rapid7 report, including file hashes, IP addresses and domain names, with their information‑sharing and analysis centres to enable community‑wide blocking. By adopting a behavioural‑focused approach that looks for deception in collaboration platforms rather than relying solely on malware signatures, defenders improve their chances of catching future false‑flag operations before they achieve their espionage objectives.

Intelligence briefing updated Jun 24, 2026

MuddyWater
Root source: www.rapid7.com