The Iranian group MuddyWater has begun using Microsoft Teams as a channel to distribute malware. Attacks are disguised as regular corporate communications and are becoming much harder to detect.
The Iranian hacking group MuddyWater (also tracked as Mango Sandstorm, Seedworm and Static Kitten) has been tied to an intrusion that at first looked like an ordinary ransomware incident but turned out to be something more complex.
According to a Rapid7 report, the campaign took place in January 2026. Early on, the intruders' actions resembled those of the Chaos ransomware group, but as the investigation progressed it became clear that this was no ordinary extortion campaign: the activity was most likely state-sponsored, and considerable effort had gone into hiding that.
The entry point was Microsoft Teams. The attackers contacted employees of the targeted companies, posing as the IT department or as a colleague who needed help, and asked the victim to start a screen-sharing session for a "demonstration". Once the employee was sharing their screen, anything they typed or approved was visible to the attacker, which is how the intruders collected credentials and got past multi-factor authentication.
As described in the Rapid7 report:
“This campaign included a high touch social engineering component via Microsoft Teams where attackers would use screen sharing sessions to collect credentials and manipulate MFA.”
What followed was unusual for a ransomware operation. No files were encrypted. Instead, the intruders established persistence inside the network, then moved laterally from system to system collecting data. To do so they relied on commonly available remote access tools, among them DWAgent and AnyDesk, which blend in with legitimate IT support activity.
In one documented case the attacker asked the user to type their credentials into a text document by hand, where they could be read off the shared screen. Once inside, the intruders reviewed VPN settings and ran basic discovery commands to map out the network.
Next came two executables, ms_upd.exe and mstsc.exe, both brought in over RDP from an external server. Note that mstsc.exe is also the name of Windows' legitimate Remote Desktop client, so the file name alone proves nothing; the path it runs from and who signed it do. On launch, each file dropped several components: a trojan posing as Microsoft's WebView2 runtime, legitimate DLLs alongside it, and an encrypted configuration file holding what the malware needed to reach its C2 server. The trojan then beaconed back to C2 continuously and executed whatever it was told, including running PowerShell and managing files.
Rapid7 also examined the digital signatures on both files. Both were signed with certificates previously tied to MuddyWater, one more indirect indicator of who was behind the operation.
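The tradecraft above suggests a concrete hunt: a Windows system binary name (mstsc.exe) running from the wrong place, a WebView2-named process that Microsoft did not sign, the named remote-access tools, and the reported file name ms_upd.exe. The script below is an added example written for this page, not code from the Rapid7 report or from MuddyWater's tooling. It runs the four checks over a handful of constructed process-creation events; the event schema, the host names, the DWAgent and AnyDesk executable names, and the "reported filename" rule are all assumptions made here so the example runs offline.

```python
"""Hunt for the masquerading and tooling patterns described above in
process-creation telemetry (constructed example, not the Rapid7 report)."""
import ntpath
from dataclasses import dataclass

# Where the genuine Remote Desktop client lives on a 64-bit Windows install.
LEGIT_MSTSC = {
    r"c:\windows\system32\mstsc.exe",
    r"c:\windows\syswow64\mstsc.exe",
}
# Remote-access tools the report says the intruders used. Executable names are
# assumed here; they are legitimate in many environments, so the rule only
# surfaces them where they are not expected.
RMM_TOOLS = {"dwagent.exe", "anydesk.exe"}
# File name taken from the report. Name matches are brittle (an attacker can
# rename a file in seconds), so treat this as low-confidence corroboration.
REPORTED_NAMES = {"ms_upd.exe"}
# Subject names Microsoft uses when signing its own binaries, WebView2 included.
MS_SIGNERS = {"microsoft corporation", "microsoft windows"}


@dataclass(frozen=True)
class Finding:
    host: str
    rule: str
    image: str


def _norm(path: str) -> str:
    """Case-fold and normalise slashes so paths compare reliably off-box."""
    return path.replace("/", "\\").lower()


def evaluate(event: dict) -> list[Finding]:
    """Apply the hunting rules to one process-creation event.

    Assumed schema (not Sysmon's exact field names):
    host, image (full path), signer (subject name), signature_valid (bool).
    """
    image = _norm(event["image"])
    name = ntpath.basename(image)          # ntpath handles Windows paths on any OS
    signer = (event.get("signer") or "").lower()
    valid_sig = bool(event.get("signature_valid", False))
    host = event["host"]
    found = []

    # Rule 1: mstsc.exe anywhere other than its two legitimate locations.
    if name == "mstsc.exe" and image not in LEGIT_MSTSC:
        found.append(Finding(host, "mstsc_outside_system32", image))

    # Rule 2: anything presenting itself as WebView2 that Microsoft did not sign,
    # or whose signature does not verify.
    if "webview2" in name and (signer not in MS_SIGNERS or not valid_sig):
        found.append(Finding(host, "webview2_not_microsoft_signed", image))

    # Rule 3: remote-access tools named in the report.
    if name in RMM_TOOLS:
        found.append(Finding(host, "rmm_tool_present", image))

    # Rule 4: file name reported for this campaign.
    if name in REPORTED_NAMES:
        found.append(Finding(host, "reported_filename", image))

    return found


def hunt(events: list[dict]) -> list[Finding]:
    """Run every event through the rules and return all findings."""
    return [f for ev in events for f in evaluate(ev)]


def hosts_to_triage(events: list[dict]) -> list[str]:
    """Sorted list of hosts with at least one finding."""
    return sorted({f.host for f in hunt(events)})


# Constructed sample telemetry: two benign events and four that should fire.
SAMPLE_EVENTS = [
    {"host": "ws-01", "image": r"C:\Windows\System32\mstsc.exe",
     "signer": "Microsoft Windows", "signature_valid": True},
    {"host": "ws-02", "image": r"C:\Users\Public\mstsc.exe",
     "signer": "", "signature_valid": False},
    {"host": "ws-01", "image": r"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\120.0.0.0\msedgewebview2.exe",
     "signer": "Microsoft Corporation", "signature_valid": True},
    {"host": "ws-03", "image": r"C:\ProgramData\WebView2\msedgewebview2.exe",
     "signer": "Some Vendor Ltd", "signature_valid": True},
    {"host": "ws-03", "image": r"C:\Users\jdoe\AppData\Local\Temp\ms_upd.exe",
     "signer": "Some Vendor Ltd", "signature_valid": True},
    {"host": "ws-02", "image": r"C:\Program Files\DWAgent\runtime\dwagent.exe",
     "signer": "DWService", "signature_valid": True},
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(f"{finding.host:6} {finding.rule:32} {finding.image}")
    print("hosts to triage:", hosts_to_triage(SAMPLE_EVENTS))
```

The behavioural rules (wrong path, wrong signer) are the ones worth keeping after the campaign's file names have changed; the name-based rules are there only to corroborate. In practice the same four checks map directly onto Sysmon Event ID 1 or EDR process-start data, with the signer fields populated from Authenticode verification rather than a constructed dictionary.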
The extortion itself followed Chaos' playbook, but there is no real evidence that anything was ever encrypted. The apparent aim was to blur the line between a state-sponsored intrusion and just another cybercrime job.
MuddyWater has used similar tactics before: earlier attacks on Israeli organisations, campaigns dressed up to look like the work of other groups, and campaigns that leaned on third-party applications.
Experts also report rising activity among pro-Iranian groups. One example is Handala Hack, which has claimed to have leaked U.S. military data and to have attacked a port in Fujairah, stealing thousands of documents in the process; these remain the group's own claims.
Experts further note that current trends make such attacks harder to analyse. State-sponsored actors now borrow methods typical of financially motivated criminals, which muddies attribution and buys them extra time before they are detected.
What stands out most about this story is not the tools the attackers used but how they pursued their objectives. Rather than noisy encryption and a large ransom demand for the decryption keys, MuddyWater relied on a quiet entry point, unobtrusive collection of sensitive data and long dwell times inside the compromised environments.