MuddyWater Social Engineering: Teams and MFA Manipulation Tactics

The cybersecurity landscape of 2026 has witnessed a profound shift in the operational philosophy of advanced persistent threats (APTs). Nation-state actors no longer rely solely on zero-day vulnerabilities and memory-corruption exploits to achieve their goals; today the human element is the primary exploit. On May 6, 2026, an analysis released by cybersecurity researchers described a MuddyWater social engineering campaign that redefines the concept of “high-touch” intrusion. The operation, attributed to the Iranian Ministry of Intelligence and Security (MOIS), shows how a state-sponsored group can defeat the most widely deployed forms of multi-factor authentication (MFA) not through code, but through conversation.
The group, also tracked as Mango Sandstorm, Seedworm, and Static Kitten, has moved beyond the “spray and pray” tactics of traditional phishing. Their latest campaign leverages trusted communication platforms like Microsoft Teams to engage in real-time psychological manipulation. By masquerading as internal IT support or corporate administrative personnel, MuddyWater agents initiate live interactions that conclude with the total compromise of enterprise SaaS environments. This editorial explores the technical nuances of this evolution, the “false flag” strategies used to obscure attribution, and the terrifying efficiency of MFA manipulation in the modern era.
The Anatomy of MuddyWater Social Engineering on Microsoft Teams
The pivot to Microsoft Teams represents a calculated strategic move. Unlike email, which is heavily scrutinized by Secure Email Gateways (SEGs) and automated sandboxes, Teams is often viewed as an “internal” and inherently trusted ecosystem. In reality, a tenant with external access (federation) enabled lets users from any other Microsoft 365 organization message employees directly, and a chat request arrives with the same look and feel as one from a colleague. MuddyWater social engineering exploits this implicit trust by initiating external chat requests or utilizing compromised guest accounts to target employees. These are not automated bots; they are trained operators who engage in “high-touch” dialogue designed to build rapport and urgency.
According to the May 2026 report, the infection sequence typically follows a standardized but highly effective kill chain:
- Initial Engagement: The attacker contacts the victim via a Teams message, often using a “technical assistance” lure. They may claim that the user’s account has a security anomaly or that a mandatory software update is required.
- The Screen-Sharing Pivot: The attacker lures the victim into an interactive screen-sharing session. In several documented cases, they utilized Microsoft Quick Assist or legitimate remote monitoring and management (RMM) tools like AnyDesk. Both go beyond viewing the screen: once the victim accepts, the operator can take control of the desktop and act inside the victim’s already-authenticated sessions.
- Real-Time Credential Harvesting: During the session, the attacker visually monitors the user. In a startling display of audacity, researchers noted instances where attackers instructed victims to manually type their passwords into a local text file for “verification” or directed them to a pixel-perfect phishing page hosted on legitimate services like azurewebsites.net.
By staying “hands-on-keyboard” alongside the victim, MuddyWater eliminates the delays associated with traditional phishing, allowing them to act on stolen data within seconds.
Bypassing the Gold Standard: MFA Manipulation
The most alarming aspect of this campaign is its surgical precision in defeating Multi-Factor Authentication (MFA). While many organizations rely on MFA as a silver bullet against credential theft, MuddyWater has turned the user into the very tool that dismantles this defense. Because the attackers are in a live session with the victim, they can synchronize their login attempts with the user’s psychological state.
When the attacker attempts to log into an SSO-integrated SaaS application using harvested credentials, an MFA prompt is triggered on the victim’s device. The MuddyWater social engineering operator, still on the call or chat, instructs the victim to approve the prompt as part of the “repair process.” Alternatively, if a One-Time Password (OTP) is required, the attacker simply asks the victim to read it aloud or paste it into the chat. This “human-in-the-loop” interaction renders push notifications and OTPs moot, as the legitimate user is the one providing the final authorization; neither factor is tied to the session that actually requested it, so an approval or code produced for the attacker’s login is accepted just like one produced for the victim’s own. Phishing-resistant FIDO2 credentials are the exception, as discussed in the recommendations below, because the key can only authorize the login running in the victim’s own browser. The method effectively grants the threat actor authenticated access without the need to steal persistent session tokens or break any cryptography.
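The difference between a relayable factor and a bound one is easiest to see in code. The following is an added example, not part of the original article, and it is a toy model rather than real WebAuthn library code: the server-side checks are modeled with HMAC in place of the authenticator’s ECDSA signature and a dict in place of a session store, and RP_ID, LEGIT_ORIGIN, the look-alike azurewebsites.net domain and the OTP value are all constructed for the example.

```python
"""Toy model of the MFA relay described above.

Added example, not part of the original article: HMAC stands in for the
authenticator's ECDSA signature, a dict for the session store.  RP_ID,
LEGIT_ORIGIN, the look-alike domain and the OTP value are constructed."""
import hashlib
import hmac
import json
import secrets

RP_ID = "sso.example.com"                 # assumed relying party ID
LEGIT_ORIGIN = "https://sso.example.com"  # assumed legitimate login origin


class IdentityProvider:
    """SSO server holding one challenge per pending login session."""

    def __init__(self):
        self.sessions = {}          # session_id -> challenge for that login
        self.otp_code = "482913"    # constructed: code shown in the victim's OTP app
        self.cred_key = None        # key registered for the victim's FIDO credential

    def start_login(self):
        sid = secrets.token_hex(8)
        self.sessions[sid] = secrets.token_hex(16)
        return sid, self.sessions[sid]

    def verify_otp(self, sid, code):
        # The OTP is not tied to any session: whoever submits it first wins.
        return sid in self.sessions and hmac.compare_digest(code, self.otp_code)

    def verify_fido(self, sid, client_data, sig):
        # The assertion must cover *this* session's challenge and the real origin.
        data = json.loads(client_data)
        if data["challenge"] != self.sessions.get(sid) or data["origin"] != LEGIT_ORIGIN:
            return False
        mac = hmac.new(self.cred_key, client_data.encode(), hashlib.sha256).digest()
        return hmac.compare_digest(mac, sig)


class SecurityKey:
    """Victim's FIDO2 key: one credential per rpId, signs only what its own browser presents."""

    def __init__(self):
        self.creds = {}

    def register(self, rp_id):
        self.creds[rp_id] = secrets.token_bytes(32)
        return self.creds[rp_id]

    def sign_assertion(self, page_domain, challenge, origin):
        # The browser scopes credential lookup to the domain of the requesting page,
        # so a look-alike domain has no credential to use.
        if page_domain not in self.creds:
            raise KeyError("no credential registered for " + page_domain)
        client_data = json.dumps({"challenge": challenge, "origin": origin})
        sig = hmac.new(self.creds[page_domain], client_data.encode(), hashlib.sha256).digest()
        return client_data, sig


def otp_relay():
    """Attacker logs in with the stolen password; victim reads the OTP aloud over Teams."""
    idp = IdentityProvider()
    attacker_sid, _ = idp.start_login()
    return idp.verify_otp(attacker_sid, idp.otp_code)   # True: the attacker is in


def fido_relay():
    """Same operator, same victim, but the account is protected by a FIDO2 key."""
    idp = IdentityProvider()
    key = SecurityKey()
    idp.cred_key = key.register(RP_ID)
    attacker_sid, attacker_challenge = idp.start_login()

    # 1. Victim taps the key in their own legitimate login.  The assertion is bound to
    #    the victim's challenge, so replaying it against the attacker's session fails.
    victim_sid, victim_challenge = idp.start_login()
    cd, sig = key.sign_assertion(RP_ID, victim_challenge, LEGIT_ORIGIN)
    victim_login_ok = idp.verify_fido(victim_sid, cd, sig)
    replay_ok = idp.verify_fido(attacker_sid, cd, sig)

    # 2. Attacker forwards their own challenge through a look-alike page (the
    #    azurewebsites.net lure).  The key holds no credential for that domain.
    try:
        key.sign_assertion("sso-example.azurewebsites.net", attacker_challenge,
                           "https://sso-example.azurewebsites.net")
        phish_ok = True
    except KeyError:
        phish_ok = False
    return victim_login_ok, replay_ok, phish_ok
```

Running `otp_relay()` returns True and `fido_relay()` returns `(True, False, False)`: the victim’s own login works, the same assertion does nothing for the attacker’s session, and a look-alike page cannot even get the key to sign. What the model does not cover is a remote-control session, where the attacker operates the victim’s already-authenticated browser and no new assertion is needed at all.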
The “False Flag” Strategy: Masquerading as Chaos Ransomware
To complicate incident response and delay geopolitical attribution, MuddyWater has adopted a sophisticated “false flag” persona. Throughout early 2026, the group has operated under the branding of the Chaos ransomware-as-a-service (RaaS) group. Chaos, a financially motivated cybercriminal entity that emerged in early 2025, is known for its aggressive double-extortion tactics and public data leak sites (DLS).
By mimicking the TTPs (Tactics, Techniques, and Procedures) of a criminal gang, MuddyWater achieves several objectives:
- Attribution Confusion: Incident responders may initially classify the breach as a standard ransomware event. This leads to a focus on recovery and negotiation rather than the long-term, stealthy data exfiltration typical of an espionage group.
- Psychological Pressure: By threatening to leak data on the Chaos DLS, the group forces the victim organization to focus on immediate damage control, providing a smokescreen for the group to establish deep persistence elsewhere in the network.
- Plausible Deniability: For the Iranian state, using the “Chaos” brand provides a layer of deniability. If the attack is traced back to a known RaaS portal, it is harder for international bodies to definitively link the activity to a specific government ministry.
Crucially, the researchers found that while MuddyWater claimed to have encrypted files and even listed victims on the Chaos leak site, they often forwent the actual encryption phase. The primary goal was the silent exfiltration of sensitive intelligence, with the “ransomware” threat serving as a loud, distracting decoy.
Technical Evolution: Off-the-Shelf Tools and Custom RATs
The technical analysis of the 2026 campaign highlights a significant evolution in MuddyWater’s arsenal. The group is increasingly utilizing a “dual-use” approach, blending legitimate administration tools with custom-built malware and Russian-made botnets to stay below the radar of signature-based detection systems.
Persistence via DWAgent and AnyDesk
Once initial access is secured through Teams, the group prioritizes long-term persistence. Instead of deploying high-signal custom backdoors immediately, they often install DWAgent, a legitimate, open-source remote management tool. Because DWAgent is used by many IT departments for genuine support, its presence on a workstation rarely triggers a “high” alert in an EDR (Endpoint Detection and Response) system. This allows MuddyWater to maintain a stable “beachhead” in the environment for weeks or months, exfiltrating data at a slow, methodical pace.
The Rise of CastleRAT and Tsundere
Perhaps the most surprising discovery in the May 6 report is MuddyWater’s involvement in the Russian “Malware-as-a-Service” (MaaS) ecosystem. Researchers identified the deployment of CastleRAT (a versatile remote access trojan) and the Tsundere botnet. These tools appear to be purchased from Russian underground forums, further blurring the lines between state actors and criminal syndicates.
Tsundere is particularly notable for its use of “EtherHiding”. This technique stores the Command-and-Control (C2) server address as data in an Ethereum smart contract; the malware reads the contract, typically through a public JSON-RPC gateway, to retrieve its current instructions. Because the pointer lives on a public blockchain rather than at a domain the operator controls, there is no C2 domain to sinkhole or blacklist, and rotating the real C2 host is a matter of updating the contract’s state. The implant still has to talk to an Ethereum node, which is the traffic the hunting guidance below keys on. The integration of CastleRAT, which was previously used by various e-crime groups, suggests that MuddyWater is willing to invest in high-quality, commercially available malware to reduce the unique digital footprint of the MOIS.
Custom Payload: Darkcomp (Game.exe)
Despite their reliance on off-the-shelf tools, MuddyWater still utilizes custom implants when necessary. The 2026 campaign saw the frequent deployment of a RAT dubbed Darkcomp (often disguised as Game.exe). This backdoor is highly modular, supporting:
- Real-time command execution and shell access.
- File system manipulation and automated staging of exfiltrated data.
- Integration with CastleLoader for subsequent stage delivery.
Forensic teams were able to link these tools back to MuddyWater through a series of tactical errors, including the use of a code-signing certificate issued to “Donald Gay”—a marker previously associated with the group’s Fakeset downloader.
Strategic Defensive Recommendations for 2026
The success of the MuddyWater social engineering campaign underscores a critical vulnerability in modern defense: we have secured the pipes, but we have not secured the people. For SOC teams and CISOs, this threat requires a multi-layered response that extends beyond the traditional network perimeter.
1. Collaboration Platform Governance: Organizations must strictly control external communication on platforms like Microsoft Teams and Slack. This includes disabling external federation by default and requiring explicit administrative approval for guest access. Any request for screen-sharing from an external or unfamiliar “support” account should be automatically blocked and flagged for investigation.
2. Beyond MFA: Phishing-Resistant Identity: This campaign proves that push-based MFA and OTPs are no longer sufficient. Organizations should transition to FIDO2-based hardware security keys (like YubiKeys), which are inherently phishing-resistant because the key’s signature is bound to the origin of the site requesting it and to a challenge issued for that specific login session. A code read aloud or a prompt approved for the attacker’s login has no equivalent here: without a physical tap on a pre-registered device, in the victim’s own browser, on the legitimate domain, the attacker cannot complete the authentication, regardless of how much social engineering they employ. The caveat is that FIDO2 protects the credential, not an already-authenticated session. An operator who has been granted remote control through Quick Assist or AnyDesk can act inside the victim’s signed-in session without any further MFA, which is why recommendation 3 matters just as much.
3. RMM Tool Monitoring: Security teams must maintain an “allow-list” of authorized remote management tools. The presence of DWAgent, AnyDesk, or ScreenConnect on an endpoint that is not part of the official IT toolkit should trigger an immediate incident response. Behavioral analysis should be tuned to detect “hands-on-keyboard” activity originating from these tools outside of standard maintenance windows.
4. Advanced Threat Hunting: Defenders should proactively hunt for the “EtherHiding” indicators associated with the Tsundere botnet. Monitoring for unusual blockchain-related traffic (JSON-RPC calls to Ethereum nodes) from standard workstations can provide an early warning of a sophisticated implant attempting to reach its C2.
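Recommendation 3 turns into two detections: an RMM binary that is not on the allow-list, and an interactive shell spawned by any RMM process outside the maintenance window. The following is an added example, not from the article, written over constructed process-start events shaped loosely like Sysmon event ID 1. The host names, the choice of ScreenConnect as the sanctioned tool, the 22:00 to 02:00 UTC window and the RMM binary names are all assumptions; map the fields to your own EDR schema.

```python
"""Added example, not from the article: allow-list and maintenance-window checks
over process-start events.  Event format, hosts, the authorized tool, the window
and the RMM binary names are constructed assumptions."""
from datetime import datetime, time

# Tools the article names, keyed by the binaries they run as (names are
# illustrative; verify against your own telemetry).
RMM_BINARIES = {
    "anydesk.exe": "AnyDesk",
    "dwagent.exe": "DWAgent",
    "dwagsvc.exe": "DWAgent",
    "screenconnect.clientservice.exe": "ScreenConnect",
    "quickassist.exe": "Quick Assist",
}
AUTHORIZED_RMM = {"ScreenConnect"}                  # assumed allow-list
MAINTENANCE_WINDOW = (time(22, 0), time(2, 0))      # assumed, UTC, wraps midnight
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}


def in_maintenance_window(ts):
    start, end = MAINTENANCE_WINDOW
    t = ts.time()
    if start <= end:
        return start <= t < end
    return t >= start or t < end                    # window crosses midnight


def basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def evaluate(events):
    """Return (host, reason) alerts for unauthorized RMM and off-hours hands-on-keyboard."""
    alerts = []
    for ev in events:
        ts = datetime.fromisoformat(ev["ts"])
        image, parent = basename(ev["image"]), basename(ev["parent_image"])
        tool = RMM_BINARIES.get(image)
        if tool and tool not in AUTHORIZED_RMM:
            alerts.append((ev["host"], "unauthorized RMM tool: " + tool))
        parent_tool = RMM_BINARIES.get(parent)
        if image in SHELLS and parent_tool and not in_maintenance_window(ts):
            alerts.append((ev["host"], f"interactive shell via {parent_tool} outside maintenance window"))
    return alerts


# Constructed sample: one AnyDesk intrusion, one DWAgent install, and ScreenConnect
# used both inside and outside the window.
SAMPLE_EVENTS = [
    {"ts": "2026-05-06T14:03:00+00:00", "host": "WS01", "user": "corp\\jdoe",
     "image": r"C:\Users\jdoe\AppData\Local\Temp\AnyDesk.exe", "parent_image": r"C:\Windows\explorer.exe"},
    {"ts": "2026-05-06T14:05:12+00:00", "host": "WS01", "user": "corp\\jdoe",
     "image": r"C:\Windows\System32\cmd.exe", "parent_image": r"C:\Users\jdoe\AppData\Local\Temp\AnyDesk.exe"},
    {"ts": "2026-05-06T23:10:00+00:00", "host": "WS02", "user": "corp\\it-svc",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe"},
    {"ts": "2026-05-07T09:12:44+00:00", "host": "WS03", "user": "NT AUTHORITY\\SYSTEM",
     "image": r"C:\Program Files\DWAgent\native\dwagsvc.exe", "parent_image": r"C:\Windows\System32\services.exe"},
    {"ts": "2026-05-07T11:00:05+00:00", "host": "WS02", "user": "corp\\it-svc",
     "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe"},
]
```

`evaluate(SAMPLE_EVENTS)` yields four alerts: AnyDesk on WS01, the cmd.exe it spawned, DWAgent on WS03, and the daytime cmd.exe under ScreenConnect on WS02. The 23:10 PowerShell under ScreenConnect is the only event that passes, because the tool is sanctioned and the time is inside the window.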
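For recommendation 4, and to make the EtherHiding mechanism described earlier concrete, the following added example (not from the article) scans constructed web-proxy records for JSON-RPC contract reads originating from the user VLAN and decodes the ABI-encoded string an implant would have received, which is how a contract return value carries a C2 URL. The JSON-per-line log format, the 10.20.0.0/16 workstation subnet, the RPC gateway host, the contract address, the function selector and the C2 URL are all constructed for the example.

```python
"""Added example, not from the article: hunt for EtherHiding-style C2 lookups
in proxy logs and decode what the implant would have received.

The JSON-per-line proxy format, workstation subnet, gateway host, contract
address, selector and C2 URL are all constructed for this example."""
import ipaddress
import json
from typing import Optional

WORKSTATION_NET = ipaddress.ip_network("10.20.0.0/16")   # assumed user VLAN
# Methods an implant needs to read a contract: call a view function or read raw
# storage.  Chain-state noise such as eth_blockNumber is not worth alerting on.
CONTRACT_READ_METHODS = {"eth_call", "eth_getStorageAt"}


def abi_encode_string(s: str) -> str:
    """Solidity ABI encoding of a dynamic `string` return value (used only to build the sample)."""
    raw = s.encode()
    raw_padded = raw + b"\x00" * (-len(raw) % 32)
    head = (32).to_bytes(32, "big") + len(raw).to_bytes(32, "big")   # offset, then length
    return "0x" + (head + raw_padded).hex()


def abi_decode_string(result_hex: str) -> Optional[str]:
    """Decode a dynamic `string` from an eth_call result; None if it is not one."""
    try:
        blob = bytes.fromhex(result_hex[2:])
        if len(blob) < 64:
            return None
        offset = int.from_bytes(blob[:32], "big")
        length = int.from_bytes(blob[offset:offset + 32], "big")
        return blob[offset + 32:offset + 32 + length].decode()
    except (ValueError, UnicodeDecodeError):
        return None


def hunt(log_lines):
    """Flag JSON-RPC contract reads from workstations; attach the decoded result if any."""
    findings = []
    for line in log_lines:
        ev = json.loads(line)
        if ev["method"] != "POST" or ipaddress.ip_address(ev["src"]) not in WORKSTATION_NET:
            continue
        try:
            req = json.loads(ev["req_body"])
        except json.JSONDecodeError:
            continue
        if not isinstance(req, dict) or req.get("jsonrpc") != "2.0":
            continue
        if req.get("method") not in CONTRACT_READ_METHODS:
            continue
        params = req.get("params") or [{}]
        contract = params[0].get("to") if isinstance(params[0], dict) else params[0]
        decoded = None
        if ev.get("resp_body"):
            try:
                decoded = abi_decode_string(json.loads(ev["resp_body"]).get("result", ""))
            except (json.JSONDecodeError, AttributeError):
                pass
        findings.append({"src": ev["src"], "dst": ev["dst_host"], "rpc": req["method"],
                         "contract": contract, "decoded_result": decoded})
    return findings


SAMPLE_C2 = "https://cdn-sync.example.invalid/gate"    # constructed C2 URL
SAMPLE_LOG = [
    # Workstation calling a contract view function (constructed selector) via a public gateway.
    json.dumps({"ts": "2026-05-06T09:41:12Z", "src": "10.20.4.17",
                "dst_host": "eth-rpc-gateway.example.invalid", "method": "POST",
                "req_body": json.dumps({"jsonrpc": "2.0", "id": 1, "method": "eth_call",
                                        "params": [{"to": "0x" + "ab" * 20, "data": "0x20965255"}, "latest"]}),
                "resp_body": json.dumps({"jsonrpc": "2.0", "id": 1, "result": abi_encode_string(SAMPLE_C2)})}),
    # Ordinary Teams traffic from the same workstation: not JSON-RPC.
    json.dumps({"ts": "2026-05-06T09:41:20Z", "src": "10.20.4.17", "dst_host": "teams.microsoft.com",
                "method": "POST", "req_body": "{\"presence\":\"available\"}", "resp_body": ""}),
    # A server outside the user VLAN polling block height: excluded by subnet and by method.
    json.dumps({"ts": "2026-05-06T09:42:00Z", "src": "10.50.1.9", "dst_host": "eth-rpc-gateway.example.invalid",
                "method": "POST",
                "req_body": json.dumps({"jsonrpc": "2.0", "id": 2, "method": "eth_blockNumber", "params": []}),
                "resp_body": json.dumps({"jsonrpc": "2.0", "id": 2, "result": "0x1"})}),
]
```

`hunt(SAMPLE_LOG)` returns a single finding for 10.20.4.17 with `decoded_result` equal to SAMPLE_C2, giving the analyst both the contract address to pivot on and the live C2 host to block. In production the same logic belongs in the proxy’s query language; the point is that the request body (`"jsonrpc": "2.0"` plus a contract-read method) is the stable indicator, since the gateway host is a legitimate public service and the contract address changes per campaign.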
The May 2026 MuddyWater campaign is a stark reminder that as our technical defenses grow stronger, the adversary’s focus on the human psyche grows sharper. By combining the “high-touch” intimacy of Microsoft Teams chats with the “high-noise” distraction of Chaos ransomware, the MOIS has created a playbook that is as effective as it is deceptive. In this new era of “false flag” espionage, the most important firewall isn’t a piece of software—it is a well-trained, skeptical user who knows that a request to “share your screen” is often a request to “share your secrets.”
Written by
TempMail Ninja
Digital privacy and online security expert. Passionate about creating tools that protect users' identity on the internet.


