Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons

Social Media

Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons
Search the Site
Popular Searches:
technology Amazon AI
Recent Posts
Introducing KittySploit: An AI-Powered Penetration Testing Framework
July 13, 2026
Critical Linux and Ubiquiti Flaws, Accenture Breach, Android Exploit
July 12, 2026
Microsoft Teams macOS Bug Exposes Screen Sharing Content
July 12, 2026
Home/CyberSecurity News/Microsoft Teams Flaw Lets Attackers Steal Credentials, Manipulate MFA
CyberSecurity News

Microsoft Teams Flaw Lets Attackers Steal Credentials, Manipulate MFA

Key Takeaways Iranian APT group MuddyWater (also known as Mango Sandstorm, Seedworm, and Static Kitten) utilized Chaos ransomware as a false flag in a sophisticated espionage campaign. The primary...

Jennifer sherman
Jennifer sherman
May 6, 2026 5 Min Read
57 0

Key Takeaways

  • Iranian APT group MuddyWater (also known as Mango Sandstorm, Seedworm, and Static Kitten) utilized Chaos ransomware as a false flag in a sophisticated espionage campaign.
  • The primary objective was data theft and establishing long-term persistence, not financial gain through ransomware.
  • Initial access was gained via social engineering on Microsoft Teams, tricking users into revealing credentials and adding attacker-controlled devices to MFA.
  • The campaign deployed custom malware, including a RAT named Game.exe, alongside legitimate remote access tools like DWAgent and AnyDesk.
  • Attribution to MuddyWater was confirmed through shared code-signing certificates, C2 infrastructure, and consistent tactics, techniques, and procedures (TTPs).

The Iranian advanced persistent threat (APT) group MuddyWater has strategically deployed Chaos ransomware as a “false flag” in a complex hybrid espionage operation. This campaign, while mimicking financially motivated extortion, primarily targeted Western organizations for data exfiltration and to establish persistent network access, rather than for encryption and ransom payment.

Table Of Content

  • Key Takeaways
  • Microsoft Teams as the Attack Vector
  • What You Should Do

Incident responders at Rapid7 were engaged in early 2026 to investigate what initially appeared to be a standard Chaos ransomware breach. However, a deeper forensic analysis quickly unveiled a more intricate and calculated state-sponsored operation beneath the surface.

Despite exhibiting all the visual characteristics of a criminal extortion scheme, the attack was assessed with moderate confidence to be linked to MuddyWater. This group, also tracked as Mango Sandstorm, Seedworm, and Static Kitten, is an Iranian APT affiliated with the Ministry of Intelligence and Security (MOIS).

Instead of encrypting files for financial gain, the threat actor meticulously focused on credential harvesting, data exfiltration, and maintaining long-term persistence—hallmarks of intelligence gathering rather than cybercrime.

According to the Rapid7 report, this campaign represents a deliberate “false flag” strategy. The operators adopted the Chaos ransomware-as-a-service (RaaS) brand to project a criminal persona while concurrently conducting covert espionage activities against organizations in the United States and the MENA region.

Microsoft Teams as the Attack Vector

The intrusion commenced with unsolicited external chat requests sent to employees via Microsoft Teams. Once a connection was established, the threat actor initiated interactive screen-sharing sessions, leveraging direct visibility into user desktops to execute discovery commands such as ipconfig /all, whoami, and net start.

Victims were then explicitly instructed to type their credentials into locally created text files, specifically named credentials.txt and cred.txt. Additionally, they were manipulated into adding attacker-controlled devices to their multi-factor authentication (MFA) configurations.

This specific technique aligns with a broader surge in Teams-based social engineering observed throughout 2026. Microsoft Defender Research, for instance, documented a large-scale credential theft campaign in March 2026 that similarly exploited Teams’ trusted environment to circumvent traditional security controls.

Mandiant researchers independently confirmed similar tactics as recently as April 2026, where attackers impersonated Microsoft Teams help desk personnel to trick victims into installing data-stealing malware.

Following the successful credential compromise, the threat actor authenticated to internal systems, including Domain Controllers, using the stolen accounts. They subsequently deployed the remote management tool DWAgent alongside AnyDesk to establish persistent access.

A custom downloader, ms_upd.exe, was then delivered via curl from the command-and-control (C2) infrastructure located at 172.86.126[.]208:443.

The downloader gathered host information, generated a unique client identifier, and registered the compromised system with the C2 domain moonzonet[.]com. It then retrieved a three-component payload: a legitimate WebView2Loader.dll, an encrypted configuration file named visualwincomp.txt, and the primary backdoor, Game.exe.

Game.exe is a custom Remote Access Trojan (RAT) that cunningly masquerades as a legitimate Microsoft WebView2 application by trojanizing the official WebView2APISample project.

This RAT possesses 12 core capabilities, including arbitrary command execution via hidden cmd.exe or encoded PowerShell sessions, chunked file uploads, interactive shell establishment, and file deletion. All actions are reported back to the C2 server uploadfiler[.]com on port 443.

The malware also incorporates sandbox and virtual machine detection mechanisms through CPU analysis, and it stores its configuration using AES-256-GCM encryption. However, its inconsistent use of obfuscation, leaving critical strings like RAT commands and JSON registration formats in plaintext, suggests the involvement of a less experienced developer.

The critical technical detail that unraveled the false flag was a code-signing certificate issued under the name “Donald Gay” by Microsoft ID Verified CS AOC CA 02, with the thumbprint B674578D4BDB24CD58BF2DC884EAA658B7AA250C.

This certificate is a known shared resource within MuddyWater’s toolkit, directly linked by multiple threat intelligence vendors to “Operation Olalampo,” a 2026 campaign targeting U.S. and MENA organizations.

Additional technical artifacts further reinforced the attribution. The C2 domain moonzonet[.]com was linked to MuddyWater activity in early 2026 during a wave of attacks targeting Israeli and Western organizations, as detailed in the Rapid7 report.

The group’s signature use of pythonw.exe to inject code into suspended processes was also observed, serving as a consistent hallmark within their deployment chain.

Furthermore, the interactive Teams-based MFA harvesting technique closely aligns with the “IT Support” persona MuddyWater has refined throughout 2026, consistent with previously documented social engineering patterns exploiting enterprise communication platforms.

Chaos ransomware itself emerged in early 2025 as a successor to the disrupted BlackSuit infrastructure, believed to be composed of former BlackSuit and Royal members.

It is known for employing double- and triple-extortion tactics, threatening data publication, DDoS attacks, and even contacting victims’ customers. Its data-leak site features a distinctive “blind” countdown timer that conceals victims’ identities until negotiations conclude.

As of late March 2026, the group had claimed 36 victims, predominantly across the U.S. construction, manufacturing, and business services sectors.

MuddyWater’s adoption of this criminal brand is not coincidental. In late 2025, the group was linked to similar activity involving the Qilin RaaS ecosystem in an operation targeting an Israeli organization.

By cloaking espionage activities within a ransomware narrative, the group successfully diverts defenders’ attention towards immediate-impact triage, shifting focus away from identifying the true objective: establishing persistent access channels through DWAgent, AnyDesk, and the Game.exe RAT.

What You Should Do

  • Educate users about the risks of unsolicited external chat requests, especially those involving screen-sharing or requests for credentials and MFA changes.
  • Implement strict policies and technical controls to prevent external users from initiating screen-sharing sessions with internal employees unless explicitly approved.
  • Monitor for the creation of suspicious files like credentials.txt or cred.txt in user-accessible directories.
  • Audit and monitor MFA configurations for unauthorized changes or additions of unknown devices.
  • Implement robust endpoint detection and response (EDR) solutions to detect the deployment of unauthorized remote access tools like DWAgent and AnyDesk.
  • Block outbound connections to known C2 domains and IP addresses associated with this campaign, including moonzonet[.]com, uploadfiler[.]com, and adm-pulse[.]com.
  • Utilize threat intelligence to identify and block artifacts, such as the specific code-signing certificate thumbprint (B674578D4BDB24CD58BF2DC884EAA658B7AA250C), known to be associated with MuddyWater.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

AttackExploitHackerMalwarephishingransomwareSecurityThreat

Share Article

Jennifer sherman

Jennifer sherman

Jennifer is a cybersecurity news reporter covering data breaches, ransomware campaigns, and dark web markets. With a background in incident response, Jennifer provides unique insights into how organizations respond to cyber attacks and the evolving tactics of threat actors. Her reporting has covered major breaches affecting millions of users and has helped organizations understand emerging threats. Jennifer combines technical knowledge with investigative journalism to deliver in-depth coverage of cybersecurity incidents.

Previous Post

Critical Fanwei E-cology10 Vulnerability Exposes Credentials, Allows Session Hijacks

Next Post

Phishing Attacks Exploit RMM Software for Trusted-Tool Abuse

No Comment! Be the first one.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Popular Posts
AI-powered Forg365 Phishing Platform Targets Microsoft 365 Accounts
July 11, 2026
Dell BIOS Critical Flaw Exposes Admin Passwords From SPI Flash
July 11, 2026
CISA Report Details Lessons Learned From AWS GovCloud Credential Leak
July 11, 2026
Top Authors
Marcus Rodriguez
Marcus Rodriguez
Jennifer sherman
Jennifer sherman
Emy Elsamnoudy
Emy Elsamnoudy
Let's Connect
156k
2.25m
285k

Related Posts

Jennifer sherman
By Jennifer sherman
Threats

GlassWorm Attacks macOS via Malicious VS Code…

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Attacks

ClickFix Attack Hides Malicious Code via Stegan Security

January 1, 2026
Sarah simpson
By Sarah simpson
Vulnerabilities

MongoBleed Detector Tool Released to Detect MongoDB Vulnerability(CVE-2025-14847)

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Breaches

Conti Ransomware Gang Leaders & Infrastructure Exposed

January 1, 2026
Hackers News Hackers News
  • [email protected]

Quick Links

  • Contact Us
  • Privacy Policy
  • Terms of service

Categories

Attacks
Breaches
Comparisons
CyberSecurity News
Threats
Vulnerabilities

Let's keep in touch

receive fresh updates and breaking cyber news every day and week!

All Rights Reserved by HackersRadar ©2026

Follow Us