MuddyWater Uses Microsoft Teams to Steal Credentials in False Flag Ransomware Attack
The MuddyWater group is running a false-flag ransomware campaign using social engineering on Microsoft Teams
TL;DR — Iranian state-sponsored group MuddyWater has been observed masquerading as a Chaos ransomware-as-a-service (RaaS) affiliate to conduct targeted attacks, using Microsoft Teams for credential harvesting and MFA manipulation. Rather than encrypting files, the campaign prioritizes data exfiltration and persistence through remote access tools. Attribution rests on a code-signing certificate previously linked to the threat actor.
What happened
Rapid7 detected a campaign in early 2026 attributed to MuddyWater that weaponizes the Chaos RaaS brand while pursuing objectives consistent with state-sponsored espionage rather than financial extortion. The attack chain begins with unsolicited Microsoft Teams contact requests directed at employee targets.
Attackers initiate external chat sessions posing as IT support or other trusted roles. During screen-sharing sessions, they harvest credentials and manipulate multi-factor authentication (MFA) controls. Once inside the victim environment, the threat actor uses compromised user accounts to conduct reconnaissance, establish persistence, and move laterally.
The infection payload is delivered via RDP through execution of ms_upd.exe (Stagecomp), downloaded from 172.86.126[.]208 using curl. This initial-stage binary collects system information and communicates with a command-and-control server to retrieve three additional components: game.exe (Darkcomp, a bespoke RAT masquerading as Microsoft WebView2), WebView2Loader.dll (a legitimate Microsoft library), and visualwincomp.txt (encrypted C2 configuration). The RAT polls its C2 server every 60 seconds for commands, supporting execution of arbitrary commands, PowerShell scripts, file operations, and shell spawning.
Persistence is established via remote access tools including DWAgent and AnyDesk. Data exfiltration follows, and the actor then makes ransom contact via email. Notably, no file encryption occurs despite the presence of Chaos ransomware artifacts; this deviates from the standard ransomware workflow and suggests the ransomware component serves as cover rather than as the primary objective.
Attribution to MuddyWater stems from a code-signing certificate attributed to "Donald Gay" used to sign ms_upd.exe. This same certificate has previously signed the CastleLoader downloader Fakeset, establishing continuity with known MuddyWater infrastructure.
Why it matters
This campaign demonstrates a deliberate operational strategy to obscure attribution and complicate defensive response. By using a recognized RaaS brand (Chaos), the threat actor conflates state-sponsored objectives with financially motivated cybercrime, potentially misdirecting incident response and threat hunting efforts toward common ransomware defenses rather than persistent access indicators.
For defenders in the MENA region and beyond, the reliance on legitimate tools (Microsoft Teams, Quick Assist, AnyDesk, DWAgent) and on malware posing as official Microsoft components (the Darkcomp RAT masquerading as WebView2, loaded alongside a genuine WebView2Loader.dll) means detection signatures and behavioral analysis must account for legitimate software being repurposed as an attack vector. The social engineering phase targeting employees via Teams is a human-centric attack surface that technical controls alone cannot address.
The apparent absence of encryption despite ransomware staging suggests the real objective is data exfiltration and long-term persistence rather than immediate disruption—a pattern that aligns with state-sponsored intelligence collection rather than opportunistic cybercrime.
Affected systems and CVEs
- Microsoft Teams
- Microsoft Quick Assist
- Microsoft Edge WebView2
- DWAgent
- AnyDesk
- Thanos ransomware
- Qilin ransomware
- Chaos RaaS (as cover mechanism)
No CVE assigned at the time of publication.
What to do
- Monitor and restrict external Teams requests and screen-sharing sessions, particularly from unknown external accounts; enforce caller verification policies for support-related contact.
- Implement and monitor MFA controls for anomalies, including suspicious manipulation attempts or unexpected re-authentication prompts during active sessions.
- Block or restrict execution of remote access tools (DWAgent, AnyDesk, Microsoft Quick Assist) at the perimeter unless justified by business requirements; monitor for unauthorized installation.
- Monitor for suspicious RDP connections and execution of utilities like curl downloading executables from external servers, particularly from 172.86.126[.]208 or related infrastructure.
- Implement application allowlisting to prevent execution of unsigned or suspicious binaries; validate code-signing certificates against known abused signer identities (including the certificate attributed to "Donald Gay").
- Audit all user accounts for credential compromise; rotate credentials for any account that may have been exposed during Teams screen-sharing sessions or credential harvesting.
- Monitor for lateral movement indicators and long-term persistence mechanisms; identify and contain instances of DWAgent or AnyDesk deployed without explicit authorization.
- Conduct file integrity monitoring and network segmentation to detect and contain data exfiltration attempts.
- Cross-reference internal logs against C2 polling patterns (60-second intervals to known hostile infrastructure) and the file paths/execution chains described above.
Open questions
- The full scope and number of victims affected by this MuddyWater false-flag campaign are not disclosed.
- Specific sectors or organizations targeted in this campaign are not identified in the available reporting.
- Whether the Chaos RaaS group is aware it is being used as operational cover for MuddyWater activity, or whether this represents a deliberate false flag without Chaos knowledge, remains unclear.
- The exact timeline and duration of the intrusion analyzed by Rapid7 are not specified.
- Details of ransom demands or victim negotiations are not provided.
- The full scope of Iranian-nexus operations, and the complete list of threat actors and personas involved, remain unknown.
Source
MuddyWater Uses Microsoft Teams to Steal Credentials in False Flag Ransomware Attack