MuddyWater APT Uses Microsoft Teams for False-Flag Ransomware Attacks

The landscape of state-sponsored cyber espionage is undergoing a profound transformation. Gone are the days of silent, back-door infiltrations that remain undetected for years. Today, the most sophisticated threat actors are hiding in plain sight, adopting the boisterous, chaotic personas of traditional cybercriminals to mask their geopolitical objectives. This trend reached a critical inflection point on May 6, 2026, when researchers from Rapid7 and Google’s Threat Intelligence Group unmasked a sprawling “false-flag” operation orchestrated by the MuddyWater APT.
Linked to Iran’s Ministry of Intelligence and Security (MOIS), the MuddyWater APT (also known as Seedworm, Mango Sandstorm, or Static Kitten) has long been a thorn in the side of Western defense, telecommunications, and government sectors. However, its latest campaign—leveraging Microsoft Teams and masquerading as a ransomware collective—reveals a tactical evolution designed to paralyze incident responders through ambiguity. By blurring the lines between a state-sponsored intrusion and a financially motivated ransomware attack, Iran has introduced a new era of hybrid warfare where attribution is the first casualty.
The Social Engineering Pivot: Exploiting the Collaborative Edge
The primary vector for this campaign represents a departure from the low-effort, high-volume email phishing of the past. Instead, the MuddyWater APT has embraced a “high-touch” social engineering strategy that exploits the inherent trust within modern collaboration platforms. The attack chain typically begins with a vishing (voice-phishing) call or a deceptive email from an individual impersonating corporate IT help desk personnel. Once the attacker establishes a rapport with a targeted employee, they transition the conversation to Microsoft Teams.
The use of external Microsoft Teams chat invitations is a masterstroke of psychological manipulation. Most employees are conditioned to view Teams as a “safe” internal environment, unlike email, which is notoriously saturated with spam. When a “technician” sends an invite to resolve a supposed technical issue, the victim is far more likely to accept. From there, the MuddyWater APT initiates interactive screen-sharing sessions using legitimate Remote Management and Monitoring (RMM) tools such as DWAgent and AnyDesk.
During these live sessions, the attackers don’t rely on complex exploits. Instead, they use “human-in-the-loop” techniques to harvest credentials:
- Credential Capture: Victims are instructed to type their administrative credentials into a locally created text file (e.g., “credentials.txt”) under the guise of “testing the system.” The attacker, who has full view of the screen, simply records the input.
- MFA Manipulation: Rather than attempting to bypass Multi-Factor Authentication (MFA) through technical vulnerabilities, the attackers manipulate the victim into approving MFA prompts on their mobile devices during the live session, effectively opening the door to the organization’s most sensitive enclaves.
- Persistence via Legitimate Software: By installing DWAgent or AnyDesk, the attackers ensure they have a permanent backdoor that blends in with legitimate administrative activity, making detection by traditional antivirus solutions nearly impossible.
Technical Deep Dive: The ms_upd.exe Loader and Game.exe RAT
While the initial access is human-centric, the post-exploitation phase is highly technical. Forensic analysis of the May 2026 campaign revealed a sophisticated deployment chain. Once the MuddyWater APT secures administrative control, they deploy a loader identified as ms_upd.exe. This loader is often disguised as a legitimate Microsoft WebView2 application to evade suspicion.
The ultimate payload is a custom Remote Access Trojan (RAT) known in the cybersecurity community as “Game.exe” (sometimes referred to as Darkcomp). This RAT is the primary tool for long-term espionage and data theft. Technical characteristics of Game.exe include:
- Anti-Analysis Checks: The malware performs environment checks to determine if it is running in a virtual machine or a sandbox. If it detects a researcher’s environment, it terminates immediately.
- Code Signing Deception: To further bypass security perimeters, the malware is signed with stolen or fraudulent code-signing certificates. Researchers have specifically linked the “Donald Gay” and “Amy Cherne” certificates to this cluster of activity, both of which are known resources within the MOIS toolkit.
- Command and Control (C2) Resilience: The RAT communicates with a network of C2 domains, including moonzonet.com, uploadfiler.com, and adm-pulse.com. These domains are often hosted on commercial VPS providers or proxied through legitimate services like NordVPN to hide the true origin of the traffic.
- Functional Versatility: Game.exe supports at least 12 distinct commands, allowing the MuddyWater APT to execute PowerShell scripts, upload and download files, and maintain a persistent shell for lateral movement across the network.
The False-Flag Strategy: Chaos Ransomware as a Smokescreen
Perhaps the most alarming aspect of this campaign is the group’s use of the “Chaos” ransomware-as-a-service (RaaS) brand as a “false flag.” After exfiltrating gigabytes of sensitive intelligence, the MuddyWater APT issues a ransom demand that mirrors the branding and tone of the Chaos group—a criminal entity that emerged after the law enforcement takedown of the BlackSuit infrastructure in 2025.
By masquerading as Chaos, the MuddyWater APT achieves several strategic goals:
1. Attribution Delay: When an organization sees a ransomware note and its name on a data leak site (DLS), the immediate assumption is that they are the victim of a financially motivated criminal group. This leads incident responders down a different path than if they knew they were being targeted by a nation-state.
2. Geopolitical Deniability: If the attack is successfully attributed to a criminal group, the Iranian government can maintain plausible deniability, avoiding the severe diplomatic and economic sanctions that follow state-sponsored cyberattacks.
3. Tactical Distraction: While the victim organization is focused on the immediate crisis of data extortion and negotiation, the attackers are quietly embedding their persistence mechanisms (like DWAgent) to ensure they can return months or even years later for further intelligence gathering.
Forensic experts have noted a key “tell” in this operation: the MuddyWater APT almost never actually encrypts the victim’s files. Unlike true ransomware groups whose primary leverage is the disruption of business operations through encryption, MuddyWater’s goal is the data itself. They exfiltrate the data, list the victim on the Chaos leak site to maintain the ruse, and then release the data publicly if their demands (which are often secondary to their intelligence goals) are not met.
Why the MuddyWater APT Targets Strategic U.S. Infrastructure
The targets identified in the May 2026 report are not chosen at random. They include U.S. banks, major international airports, non-profit organizations with ties to Middle Eastern policy, and defense contractors. For the Iranian MOIS, these targets represent a goldmine of strategic intelligence.
Targeting a U.S. bank, for instance, provides insights into financial flows and sanctions-evasion monitoring. Targeting a defense supplier with operations in Israel allows the MuddyWater APT to gather technical specifications on military hardware. The “ransomware” cover allows them to hit these high-value targets with a lower risk of immediate escalatory retaliation from the U.S. government, as the attack is initially classified as “cybercrime” rather than “cyber-warfare.”
Defending the Modern Workspace: Hardening Microsoft Teams
The success of the MuddyWater APT in this campaign highlights a critical vulnerability in the modern enterprise: the over-reliance on the perceived security of collaboration platforms. Organizations must move beyond the “walled garden” mentality of Microsoft Teams and treat it with the same level of scrutiny as their external email gateways.
To defend against this specific threat, cybersecurity experts recommend the following:
- Restrict External Access: Disable or strictly limit the ability for external users to initiate chat requests or send invitations to internal employees. If external collaboration is necessary, implement a “whitelist only” policy.
- MFA Hardening: Move away from push-based MFA notifications, which are vulnerable to “MFA fatigue” and interactive manipulation. Implement FIDO2-compliant hardware security keys (like Yubico) or number-matching MFA.
- RMM Tool Monitoring: Audit the use of DWAgent, AnyDesk, and ScreenConnect. Any unauthorized installation of these tools should be treated as a high-severity Indicator of Compromise (IoC), regardless of whether ransomware activity is detected.
- Help Desk Protocols: Standardize the process for IT support. Legitimate IT personnel should never ask an employee to type passwords into a text file or share their screen via an unapproved external platform.
- Threat Hunting: Security teams should actively hunt for the presence of pythonw.exe injecting code into suspended processes and the use of the “Donald Gay” or “Amy Cherne” code-signing certificates.
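The following is an added example, not code from Rapid7, Google, or the article's author, showing how the indicators named in the Game.exe section and in the threat-hunting recommendation above (RMM tool execution, the ms_upd.exe loader name, the two fraudulent signer names, the three C2 domains, and pythonw.exe performing remote-thread injection) can be matched against process and network telemetry. The Sysmon-like dict record shape and the sample events are constructed assumptions.

```python
"""Hunt for the MuddyWater indicators named in the article across constructed
process/network telemetry. Added example; the log record shape (Sysmon-like
dicts with event/image/signer/dest_host fields) is an assumption."""
import ntpath

# Indicators taken from the article text.
RMM_TOKENS = ("dwagent", "anydesk", "screenconnect")      # substring match on image name
LOADER_NAME = "ms_upd.exe"
BAD_SIGNERS = {"donald gay", "amy cherne"}
C2_DOMAINS = {"moonzonet.com", "uploadfiler.com", "adm-pulse.com"}


def basename(path):
    """Lower-cased file name of a Windows path (None-safe)."""
    return ntpath.basename(path or "").lower()


def classify(ev):
    """Return the list of rule names a single event matches (empty if benign)."""
    hits = []
    img = basename(ev.get("image"))
    if any(tok in img for tok in RMM_TOKENS):
        hits.append("rmm_tool_execution")
    if img == LOADER_NAME:
        hits.append("ms_upd_loader")
    if (ev.get("signer") or "").lower() in BAD_SIGNERS:
        hits.append("fraudulent_signer")
    if (ev.get("dest_host") or "").lower() in C2_DOMAINS:
        hits.append("known_c2_domain")
    # Remote-thread creation sourced from pythonw.exe models the injection tell.
    if ev.get("event") == "CreateRemoteThread" and img == "pythonw.exe":
        hits.append("pythonw_injection")
    return hits


def hunt(events):
    """Map each matching event index to its rule hits; clean events are omitted."""
    return {i: h for i, ev in enumerate(events) if (h := classify(ev))}


# Constructed sample telemetry: four suspicious records and one benign one.
SAMPLE_EVENTS = [
    {"event": "ProcessCreate", "image": r"C:\Users\jdoe\Downloads\ms_upd.exe",
     "parent": r"C:\Windows\explorer.exe", "signer": "Amy Cherne"},
    {"event": "ProcessCreate", "image": r"C:\Program Files\DWAgent\dwagent.exe",
     "parent": r"C:\Windows\System32\msiexec.exe", "signer": None},
    {"event": "NetworkConnect", "image": r"C:\ProgramData\Game.exe",
     "dest_host": "uploadfiler.com", "dest_port": 443},
    {"event": "CreateRemoteThread", "image": r"C:\Python311\pythonw.exe",
     "target": r"C:\Windows\System32\svchost.exe"},
    {"event": "ProcessCreate", "image": r"C:\Windows\System32\notepad.exe",
     "parent": r"C:\Windows\explorer.exe", "signer": "Microsoft Windows"},
]

if __name__ == "__main__":
    for idx, rules in hunt(SAMPLE_EVENTS).items():
        print(f"event {idx}: {', '.join(rules)}")
```

Any single hit here warrants escalation on its own; the article's point is that an RMM install or a bad signer is a high-severity indicator even when no encryption or ransom note has appeared.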
Conclusion: The Convergence of Espionage and Extortion
The exposure of the MuddyWater APT's latest campaign is a wake-up call for the global cybersecurity community. We are no longer dealing with two distinct worlds of cyber threats—criminal and state-sponsored. Instead, we are witnessing a convergence where nation-states adopt the tradecraft, tools, and branding of the criminal underground to achieve geopolitical ends.
The “Chaos” ransomware masquerade is a sophisticated attempt to exploit the psychological and operational biases of incident responders. As long as defenders prioritize the “how” (the ransom note) over the “why” (the underlying data theft and persistence), groups like the MuddyWater APT will continue to operate with impunity. Vigilance, cross-industry intelligence sharing, and a healthy dose of skepticism regarding “standard” ransomware attacks are now the only viable paths forward in this increasingly ambiguous digital battlefield.
Written by
TempMail Ninja
Digital privacy and online security expert. Passionate about creating tools that protect users' identity on the internet.