Iranian Spies Turn Microsoft Teams Into a Credential Trap in Masquerade as Chaos Ransomware

Iran-linked MuddyWater has turned Microsoft Teams screen-sharing into a high-touch credential harvesting vector. By masquerading as Chaos ransomware while skipping encryption, the group conceals long-term espionage and persistence. Rapid7 analysis reveals the sophisticated false flag and its implications for defenders.
Iranian Spies Turn Microsoft Teams Into a Credential Trap in Masquerade as Chaos Ransomware
Written by Lucas Greene

Iranian operatives linked to the Ministry of Intelligence and Security have added a new twist to their playbook. They now initiate intrusions by chatting up employees directly in Microsoft Teams. The goal? Harvest credentials, bypass multi-factor authentication, and slip away with data while leaving behind the fingerprints of a known ransomware gang.

Rapid7 researchers uncovered the operation during an investigation of what first looked like a standard Chaos ransomware attack. But something didn’t add up. No files were encrypted. The focus stayed on reconnaissance, persistence, and exfiltration. The evidence pointed squarely at MuddyWater, the Iranian group also known as Mango Sandstorm, Seedworm, and Static Kitten.

“The campaign was characterized by a high-touch social engineering phase conducted via Microsoft Teams, where the attackers utilized interactive screen-sharing to harvest credentials and manipulate multi-factor authentication (MFA),” Rapid7 said in its report.

The intrusion began with external chat requests in Teams. Attackers posed as helpful contacts. They quickly moved to screen-sharing sessions. Once connected, they ran basic commands. Ipconfig. Whoami. They peeked at VPN files. Then they told victims to type passwords into plain text files saved locally. In some cases they walked targets through adding attacker-controlled devices to MFA settings. Simple. Effective. And hard to flag as malicious in the moment.

But. The screen-sharing wasn’t just for show. It gave real-time visibility into the victim’s desktop. It let the operators guide actions without triggering alarms that might come from remote desktop protocol alone. And it built enough trust for the victim to follow instructions that, in hindsight, screamed red flags.

Once they held valid credentials, the attackers authenticated to internal systems, including domain controllers. They established persistence through RDP sessions and by installing remote management tools. DWAgent appeared repeatedly. AnyDesk showed up in at least one case. These legitimate utilities let them maintain access long after the initial conversation ended.

From there the operation escalated. Using curl, they pulled down an executable called ms_upd.exe from 172.86.126.208. This downloader, signed with a code-signing certificate previously tied to MuddyWater, kicked off a multi-stage chain. It fetched game.exe, a custom remote access trojan disguised as a Microsoft WebView2 application. A legitimate WebView2Loader.dll supported it. An encrypted configuration file told the RAT where to call home.

The RAT polled its command-and-control server every 60 seconds. It could run commands, execute PowerShell, manipulate files, or spawn interactive shells. Anti-analysis checks and anti-VM techniques protected it. All of it served espionage aims. Data left the network. Extortion emails followed, complete with a link to a Chaos leak site. Yet the absence of encryption told the real story.

“The apparent absence of file encryption, despite the presence of Chaos ransomware artifacts, represents a deviation from typical ransomware behavior,” Rapid7 noted. “This inconsistency may indicate that the ransomware component functioned primarily as a facilitating or obfuscation mechanism, rather than as the primary objective of the intrusion.”

The false flag served multiple purposes. It directed incident responders toward financially motivated crime instead of state-sponsored intelligence collection. It bought time. Defenders chasing ransom notes might overlook the DWAgent service running quietly or the persistent RDP accounts. And it let the operators blend into the noisy world of ransomware-as-a-service groups.

Chaos itself surfaced in 2025. The gang built a reputation for double and triple extortion, sometimes threatening distributed denial-of-service attacks. It advertised on criminal forums and claimed dozens of victims, many in the United States. Its tactics often included mail flooding and vishing that impersonated IT support. The overlap with Teams-based social engineering made the masquerade believable.

MuddyWater has a long history. MITRE ATT&CK tracks the group as G0069 and assesses it as a subordinate element within Iran’s Ministry of Intelligence and Security. Since at least 2017 it has struck government agencies, telecommunications firms, financial institutions, and energy companies across the Middle East, Asia, Europe, and North America. It favors living-off-the-land tools and legitimate remote access software. It has reused domains registered through NameCheap and shown interest in commercial satellite internet for command and control.

This latest campaign fits the pattern while evolving it. Previous MuddyWater operations relied on spear-phishing emails with macro-laden documents or exploits against SharePoint and Exchange servers. The shift to Teams reflects how collaboration platforms have become prime real estate for initial access. Employees expect messages from external partners. They accept screen-sharing requests during supposed technical troubles. The barrier to entry drops.

Other researchers have documented similar activity. CyberProof described Seedworm campaigns that used Teams to deliver a backdoor called Dindoor. The social engineering followed the same script. And reports from Huntress and Group-IB show the group’s continued experimentation with custom malware, DLL side-loading, and Rust-based implants in parallel operations.

The code-signing certificate provided one of the strongest links in the Rapid7 case. Thumbprint B674578D4BDB24CD58BF2DC884EAA658B7AA250C, issued to “Donald Gay.” The same certificate had signed earlier MuddyWater tools, including variants of CastleLoader. Infrastructure overlaps reinforced the connection. The domain moonzonet.com, used as command and control for the downloader, tied back to known MuddyWater resources.

Attribution carried moderate confidence. Yet the combination of certificate reuse, specific malware artifacts, operational tempo, and the complete lack of encryption left little room for doubt. This was espionage dressed in ransomware clothing.

The implications stretch beyond one victim. Organizations now face threats that cross traditional boundaries. A message in Teams might launch a chain that ends in long-term footholds inside critical networks. Defenders cannot treat collaboration tools as safe simply because they sit inside Microsoft 365. Monitoring external chat requests, screen-sharing sessions, and unusual MFA changes has become essential.

Rapid7 urged teams to look past the obvious ransomware indicators. Focus instead on the full intrusion lifecycle. Credential harvesting through text files. Manipulation of authentication processes. Abuse of remote access tools for persistence rather than quick encryption. These telltales point to state actors seeking sustained access.

The convergence worries analysts. State groups borrow criminal brands and methods for cover. Ransomware affiliates gain plausible deniability when governments pull their strings. The result complicates response. Teams that race to negotiate with supposed extortionists may miss the quieter implants left behind.

MuddyWater shows no sign of slowing. Recent months brought reports of its activity against U.S. banks, airports, and nonprofits. New backdoors written in Deno and Rust have appeared. The group adapts. It incorporates legitimate software. It experiments with social engineering vectors that feel routine to busy employees.

So the next suspicious Teams message arrives. The sender claims to be from IT. They offer to walk through a quick fix via screen share. The temptation exists to click and cooperate. But. That interaction could hand over the keys not to a ransomware gang but to a nation-state intelligence operation with far different objectives.

Security teams must adjust. Train staff to verify external requests through separate channels. Log and alert on screen-sharing from unknown accounts. Monitor for DWAgent and AnyDesk deployments outside approved lists. Hunt for the specific malware families and certificate hashes tied to this cluster.

The waters are muddy by design. MuddyWater chose the name well. Its operators count on confusion. They count on responders seeing Chaos and stopping there. The latest campaign proves they can hide in plain sight inside the very tools companies use to collaborate every day.

Subscribe for Updates

AppSecurityUpdate Newsletter

Critical application security news and insights developers and security teams need—covering real-world vulnerabilities, emerging risks, and practical remediation without the noise.

By signing up for our newsletter you agree to receive content related to ientry.com / webpronews.com and our affiliate partners. For additional information refer to our terms of service.

Notice an error?

Help us improve our content by reporting any issues you find.

Get the WebProNews newsletter delivered to your inbox

Get the free daily newsletter read by decision makers

Subscribe
Advertise with Us

Ready to get started?

Get our media kit

Advertise with Us