Microsoft Teams Flaw Lets Attackers Steal Credentials, Manipulate MFA
Key Takeaways Iranian APT group MuddyWater (also known as Mango Sandstorm, Seedworm, and Static Kitten) utilized Chaos ransomware as a false flag in a sophisticated espionage campaign. The primary...
Key Takeaways
- Iranian APT group MuddyWater (also known as Mango Sandstorm, Seedworm, and Static Kitten) utilized Chaos ransomware as a false flag in a sophisticated espionage campaign.
- The primary objective was data theft and establishing long-term persistence, not financial gain through ransomware.
- Initial access was gained via social engineering on Microsoft Teams, tricking users into revealing credentials and adding attacker-controlled devices to MFA.
- The campaign deployed custom malware, including a RAT named
Game.exe, alongside legitimate remote access tools like DWAgent and AnyDesk. - Attribution to MuddyWater was confirmed through shared code-signing certificates, C2 infrastructure, and consistent tactics, techniques, and procedures (TTPs).
The Iranian advanced persistent threat (APT) group MuddyWater has strategically deployed Chaos ransomware as a “false flag” in a complex hybrid espionage operation. This campaign, while mimicking financially motivated extortion, primarily targeted Western organizations for data exfiltration and to establish persistent network access, rather than for encryption and ransom payment.
Table Of Content
Incident responders at Rapid7 were engaged in early 2026 to investigate what initially appeared to be a standard Chaos ransomware breach. However, a deeper forensic analysis quickly unveiled a more intricate and calculated state-sponsored operation beneath the surface.
Despite exhibiting all the visual characteristics of a criminal extortion scheme, the attack was assessed with moderate confidence to be linked to MuddyWater. This group, also tracked as Mango Sandstorm, Seedworm, and Static Kitten, is an Iranian APT affiliated with the Ministry of Intelligence and Security (MOIS).
Instead of encrypting files for financial gain, the threat actor meticulously focused on credential harvesting, data exfiltration, and maintaining long-term persistence—hallmarks of intelligence gathering rather than cybercrime.
According to the Rapid7 report, this campaign represents a deliberate “false flag” strategy. The operators adopted the Chaos ransomware-as-a-service (RaaS) brand to project a criminal persona while concurrently conducting covert espionage activities against organizations in the United States and the MENA region.
Microsoft Teams as the Attack Vector
The intrusion commenced with unsolicited external chat requests sent to employees via Microsoft Teams. Once a connection was established, the threat actor initiated interactive screen-sharing sessions, leveraging direct visibility into user desktops to execute discovery commands such as ipconfig /all, whoami, and net start.
Victims were then explicitly instructed to type their credentials into locally created text files, specifically named credentials.txt and cred.txt. Additionally, they were manipulated into adding attacker-controlled devices to their multi-factor authentication (MFA) configurations.
This specific technique aligns with a broader surge in Teams-based social engineering observed throughout 2026. Microsoft Defender Research, for instance, documented a large-scale credential theft campaign in March 2026 that similarly exploited Teams’ trusted environment to circumvent traditional security controls.
Mandiant researchers independently confirmed similar tactics as recently as April 2026, where attackers impersonated Microsoft Teams help desk personnel to trick victims into installing data-stealing malware.
Following the successful credential compromise, the threat actor authenticated to internal systems, including Domain Controllers, using the stolen accounts. They subsequently deployed the remote management tool DWAgent alongside AnyDesk to establish persistent access.
A custom downloader, ms_upd.exe, was then delivered via curl from the command-and-control (C2) infrastructure located at 172.86.126[.]208:443.
The downloader gathered host information, generated a unique client identifier, and registered the compromised system with the C2 domain moonzonet[.]com. It then retrieved a three-component payload: a legitimate WebView2Loader.dll, an encrypted configuration file named visualwincomp.txt, and the primary backdoor, Game.exe.
Game.exe is a custom Remote Access Trojan (RAT) that cunningly masquerades as a legitimate Microsoft WebView2 application by trojanizing the official WebView2APISample project.
This RAT possesses 12 core capabilities, including arbitrary command execution via hidden cmd.exe or encoded PowerShell sessions, chunked file uploads, interactive shell establishment, and file deletion. All actions are reported back to the C2 server uploadfiler[.]com on port 443.
The malware also incorporates sandbox and virtual machine detection mechanisms through CPU analysis, and it stores its configuration using AES-256-GCM encryption. However, its inconsistent use of obfuscation, leaving critical strings like RAT commands and JSON registration formats in plaintext, suggests the involvement of a less experienced developer.
The critical technical detail that unraveled the false flag was a code-signing certificate issued under the name “Donald Gay” by Microsoft ID Verified CS AOC CA 02, with the thumbprint B674578D4BDB24CD58BF2DC884EAA658B7AA250C.
This certificate is a known shared resource within MuddyWater’s toolkit, directly linked by multiple threat intelligence vendors to “Operation Olalampo,” a 2026 campaign targeting U.S. and MENA organizations.
Additional technical artifacts further reinforced the attribution. The C2 domain moonzonet[.]com was linked to MuddyWater activity in early 2026 during a wave of attacks targeting Israeli and Western organizations, as detailed in the Rapid7 report.
The group’s signature use of pythonw.exe to inject code into suspended processes was also observed, serving as a consistent hallmark within their deployment chain.
Furthermore, the interactive Teams-based MFA harvesting technique closely aligns with the “IT Support” persona MuddyWater has refined throughout 2026, consistent with previously documented social engineering patterns exploiting enterprise communication platforms.
Chaos ransomware itself emerged in early 2025 as a successor to the disrupted BlackSuit infrastructure, believed to be composed of former BlackSuit and Royal members.
It is known for employing double- and triple-extortion tactics, threatening data publication, DDoS attacks, and even contacting victims’ customers. Its data-leak site features a distinctive “blind” countdown timer that conceals victims’ identities until negotiations conclude.
As of late March 2026, the group had claimed 36 victims, predominantly across the U.S. construction, manufacturing, and business services sectors.
MuddyWater’s adoption of this criminal brand is not coincidental. In late 2025, the group was linked to similar activity involving the Qilin RaaS ecosystem in an operation targeting an Israeli organization.
By cloaking espionage activities within a ransomware narrative, the group successfully diverts defenders’ attention towards immediate-impact triage, shifting focus away from identifying the true objective: establishing persistent access channels through DWAgent, AnyDesk, and the Game.exe RAT.
What You Should Do
- Educate users about the risks of unsolicited external chat requests, especially those involving screen-sharing or requests for credentials and MFA changes.
- Implement strict policies and technical controls to prevent external users from initiating screen-sharing sessions with internal employees unless explicitly approved.
- Monitor for the creation of suspicious files like
credentials.txtorcred.txtin user-accessible directories. - Audit and monitor MFA configurations for unauthorized changes or additions of unknown devices.
- Implement robust endpoint detection and response (EDR) solutions to detect the deployment of unauthorized remote access tools like DWAgent and AnyDesk.
- Block outbound connections to known C2 domains and IP addresses associated with this campaign, including
moonzonet[.]com,uploadfiler[.]com, andadm-pulse[.]com. - Utilize threat intelligence to identify and block artifacts, such as the specific code-signing certificate thumbprint (
B674578D4BDB24CD58BF2DC884EAA658B7AA250C), known to be associated with MuddyWater.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.