MuddyWater APT Leverages Microsoft Teams and False Flag Ransomware Tactics for Data Exfiltration

Iranian APT MuddyWater Masquerades as Ransomware Group in Microsoft Teams-Based Espionage Campaign

Severity: HIGH
Published: May 7, 2026
Updated: May 14, 2026
5m read
Categories: Threat Actor, Cyberattack, Phishing

Related Entities (initial)

Threat Actors: DEV-1084, Mango Sandstorm, MuddyWater, Seedworm, Static Kitten

Products & Tech: AnyDesk, Microsoft Teams

Other: CastleRAT, Chaos, DWAgent, DarkBit, Game.exe, RouterHosting, Thanos, Tsundere

Full Report (when first published)

Executive Summary

The Iranian state-sponsored threat group MuddyWater (also known as Mango Sandstorm, Seedworm, and Static Kitten) has been identified as the actor behind a novel espionage campaign that leverages Microsoft Teams for social engineering and masquerades as a ransomware attack. The operation, which began in early 2026, targets organizations of strategic value to Iran. Attackers engage victims in interactive screen-sharing sessions to harvest credentials, bypass multi-factor authentication (MFA), and install remote access tools for data exfiltration and long-term persistence. This false flag operation, which mimics the Chaos ransomware group, is a deliberate tactic to mislead incident responders and delay attribution, highlighting a strategic shift towards blending state-sponsored espionage with common cybercrime techniques.


Threat Overview

The campaign is characterized by its high-touch social engineering vector. Threat actors initiate contact and persuade targets to join a Microsoft Teams meeting. During the session, the victim is manipulated into running commands or entering credentials into a text file under the guise of a troubleshooting or collaborative exercise. Because the screen is shared, the attacker reads the credentials as they are typed and can use them immediately, while the victim is still on the call and can be talked through any MFA prompt that follows. That is how the campaign gets past MFA: not by breaking the factor, but by having the legitimate user satisfy it on the attacker's behalf.

Unlike a typical ransomware attack, the primary objective is not financial extortion through data encryption; MuddyWater's objective is espionage. After gaining initial access, the group deploys legitimate remote monitoring and management (RMM) tools, including DWAgent and AnyDesk, to maintain a persistent foothold on the compromised network. Because these are dual-use tools that administrators also install, their traffic blends in with normal administrative activity and is unlikely to trip signature-based detection.

The targets include government entities and other organizations of strategic interest in the United States, Western countries, the Asia-Pacific (APAC) region, and the Middle East. The use of a false ransomware persona is a calculated deception designed to create confusion and misdirect forensic analysis towards a criminal, rather than state-sponsored, origin.

Technical Analysis

Attribution to MuddyWater was established with "moderate confidence" based on several key technical indicators. A malicious executable, ms_upd.exe, was signed with a code-signing certificate issued to "Donald Gay." This specific certificate has been previously linked to MuddyWater operations. The group's TTPs in this campaign include:

  • Initial Access: T1566.003 - Spearphishing via Service: Attackers contact targets through Microsoft Teams and talk them into a meeting; the Teams session is the delivery vehicle for the social engineering.
  • Execution: T1204 - User Execution, T1059 - Command and Scripting Interpreter: The victim is talked into running commands or scripts supplied by the attacker during the Teams session, so execution happens under the victim's own account and with their consent.
  • Credential Access: T1552.001 - Credentials In Files: Attackers convince the user to type credentials into a text file, which they read off the shared screen.
  • Persistence & Command and Control: T1219 - Remote Access Software: The group deploys legitimate tools like DWAgent and AnyDesk to maintain access while blending in with administrative activity. They also used a custom remote access trojan named Game.exe.
  • Masquerading: T1036 - Masquerading: The operation mimics the Chaos ransomware group, a classic false flag tactic. The sub-technique T1036.003 (Rename Legitimate Utilities) covers renamed system binaries and does not describe this behaviour; for the dropped binary ms_upd.exe, T1036.005 (Match Legitimate Name or Location) is the closer fit.
  • Command and Control: T1071.001 - Web Protocols: The deployed RATs and RMM tools communicate with C2 infrastructure over standard web protocols.

The attackers also utilized off-the-shelf malware from the cybercrime ecosystem, including CastleRAT and Tsundere, further blurring the lines between their operations and those of financially motivated criminals.

Impact Assessment

The primary impact of this campaign is not business disruption from encryption but rather the long-term strategic risk associated with data exfiltration and persistent espionage. For affected organizations, the compromise could lead to the theft of sensitive government secrets, intellectual property, and confidential business information. The establishment of a persistent backdoor creates an ongoing threat, allowing MuddyWater to conduct further reconnaissance, move laterally within the network, and exfiltrate data over an extended period. The false flag nature of the attack complicates incident response, potentially leading to incorrect remediation strategies focused on ransomware recovery rather than APT eviction.

IOCs — Directly from Articles

  • ip_address_v4: 172.86.126.208
    Description: Command and Control (C2) server.
  • ip_address_v4: 172.86.76.127
    Description: RouterHosting VPS used in the attack infrastructure.
  • file_name: ms_upd.exe
    Description: Malicious executable signed with a certificate previously used by MuddyWater.
  • file_name: Game.exe
    Description: Custom Remote Access Trojan.

Cyber Observables — Hunting Hints

Security teams may want to hunt for the following patterns to detect related activity:

  • process_name: DWAService.exe
    Description: Process associated with the DWAgent RMM tool.
    Context: EDR logs, process monitoring.
  • process_name: AnyDesk.exe
    Description: Process associated with the AnyDesk RMM tool; significant where AnyDesk is not an approved tool or was installed outside normal procedure (check the software inventory before alerting).
    Context: EDR logs, software inventory.
  • network_traffic_pattern: Outbound connections to 172.86.126.208 or 172.86.76.127
    Description: Network traffic to the infrastructure listed in the IOC section.
    Context: Firewall logs, NetFlow, SIEM.
  • command_line_pattern: powershell.exe -ExecutionPolicy Bypass
    Description: PowerShell launched with execution-policy restrictions disabled, commonly used to run attacker-supplied scripts. Many legitimate administrative scripts use the same flag, so treat it as a weak signal and combine it with parent process, user and timing.
    Context: Windows Event ID 4688 (with command-line auditing enabled), EDR command-line logging.
  • log_source: Microsoft Teams call/meeting logs
    Description: Correlate suspicious endpoint activity with recent Teams sessions involving external parties.
    Context: Microsoft 365 audit logs.
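The hunting hints above, turned into runnable detection logic as an added example (this is not code from the original report). It evaluates the process and network observables over a handful of constructed events. The event field names, the Teams client process names (Teams.exe for classic Teams, ms-teams.exe for new Teams) used in the parent-process check, the abbreviated -ep/-ex/-exec spellings of the execution-policy flag, and every sample record are assumptions, not data from the campaign.

```python
"""Hunt for the report's observables over constructed endpoint and network events.

Added example, not from the original report. The event shape (a dict with
host/kind/image/parent_image/command_line or dst_ip) stands in for EDR,
Windows 4688 and Sysmon 1/3 records; the sample events below are constructed.
"""
import ipaddress
import re

# Indicators from the report's IOC and hunting-hint tables.
C2_IPS = {"172.86.126.208", "172.86.76.127"}
RMM_PROCESSES = {"dwaservice.exe", "anydesk.exe"}   # DWAgent, AnyDesk
IOC_FILE_NAMES = {"ms_upd.exe", "game.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# Assumption: the Teams client binaries (classic Teams.exe, new ms-teams.exe).
TEAMS_PROCESSES = {"teams.exe", "ms-teams.exe"}
# -ExecutionPolicy Bypass, including the parameter abbreviations PowerShell accepts.
EP_BYPASS = re.compile(r"-(?:ep|ex|exec|executionpolicy)\s+bypass\b", re.IGNORECASE)


def basename(path):
    """Lower-cased file name from a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def hunt_process(event):
    """Return the findings for one process-creation event (4688 / Sysmon 1)."""
    findings = []
    image = basename(event["image"])
    parent = basename(event.get("parent_image", ""))
    if image in RMM_PROCESSES:
        findings.append("rmm_tool_execution")
    if image in IOC_FILE_NAMES:
        findings.append("ioc_file_name")
    if parent in TEAMS_PROCESSES and image in SHELLS:
        findings.append("teams_spawned_shell")
    if image in {"powershell.exe", "pwsh.exe"} and EP_BYPASS.search(event.get("command_line", "")):
        findings.append("powershell_ep_bypass")
    return findings


def hunt_network(event):
    """Return the findings for one outbound-connection event (Sysmon 3 / firewall)."""
    findings = []
    dst = event["dst_ip"]
    if dst in C2_IPS:
        findings.append("known_c2_ip")
    # RMM tools legitimately reach their vendors' relays, so this is a triage lead, not an alert.
    if basename(event.get("image", "")) in RMM_PROCESSES and ipaddress.ip_address(dst).is_global:
        findings.append("rmm_external_connection")
    return findings


def summarize(events):
    """Distinct findings per host, listing only hosts with at least one finding."""
    per_host = {}
    for ev in events:
        hits = hunt_process(ev) if ev["kind"] == "process" else hunt_network(ev)
        if hits:
            per_host.setdefault(ev["host"], set()).update(hits)
    return {host: sorted(hits) for host, hits in per_host.items()}


SAMPLE_EVENTS = [  # constructed telemetry, not from any real incident
    {"host": "WS-042", "kind": "process",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Users\a.user\AppData\Local\Microsoft\Teams\current\Teams.exe",
     "command_line": "powershell.exe -ExecutionPolicy Bypass -File C:\\Users\\a.user\\Downloads\\fix.ps1"},
    {"host": "WS-042", "kind": "process", "image": r"C:\Users\a.user\Downloads\ms_upd.exe",
     "parent_image": r"C:\Windows\explorer.exe", "command_line": "ms_upd.exe"},
    {"host": "WS-042", "kind": "process", "image": r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe",
     "parent_image": r"C:\Windows\explorer.exe", "command_line": "AnyDesk.exe"},
    {"host": "WS-042", "kind": "network", "image": r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe",
     "dst_ip": "172.86.126.208", "dst_port": 443},
    {"host": "WS-017", "kind": "process", "image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe", "command_line": "notepad.exe notes.txt"},
    {"host": "WS-017", "kind": "network", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "dst_ip": "203.0.113.10", "dst_port": 443},
]

if __name__ == "__main__":
    for host, hits in summarize(SAMPLE_EVENTS).items():
        print(host, hits)
```

Only the known-C2 and IOC-file-name checks are alerts on their own; the RMM, Teams-parent and execution-policy checks are leads that gain weight when several land on the same host within a short window, which is what summarize() surfaces.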

Detection & Response

Detecting this campaign requires a multi-layered approach focusing on behavior rather than just signatures.

  1. Endpoint Monitoring: Use an EDR solution to monitor for the installation and execution of unauthorized remote access tools like DWAgent and AnyDesk. Create alerts for command-line interpreters (cmd.exe, powershell.exe) spawned by the Teams client (Teams.exe for classic Teams, ms-teams.exe for new Teams). Bear in mind that a user who is coached over a call usually opens Run or a terminal themselves, so the parent will often be explorer.exe rather than Teams; the parent-process rule catches attacker-supplied links, while timing correlation with the Teams session (step 3) is what catches the coached case. D3FEND's D3-PA - Process Analysis is critical here.
  2. Network Traffic Analysis: Implement D3-NTA - Network Traffic Analysis to monitor for and alert on outbound connections to the known IOCs and other suspicious domains. Look for beaconing activity characteristic of RMM tools.
  3. Log Auditing: Ingest Microsoft 365 audit logs into a SIEM. Correlate security alerts on endpoints with Teams meeting logs to identify potential social engineering sessions. Monitor for suspicious file creation and script execution following interactive sessions with external users.
  4. Incident Response: If an infection is suspected, treat it as an APT incident, not a standard ransomware case. The goal is eviction, not just recovery. Isolate affected hosts, preserve forensic evidence, and conduct a thorough investigation to identify the full scope of the compromise, including lateral movement and data staging.
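Step 3 above, correlating endpoint alerts with Teams sessions that involved external parties, as an added example rather than code from the original report. The meeting records are a simplified stand-in for the Teams meeting events in the Microsoft 365 audit log; the field names, the tenant domain example.com, the correlation window and every sample record are assumptions.

```python
"""Correlate endpoint alerts with recent Teams meetings that had an external participant.

Added example, not from the original report. Meeting and alert records are
constructed; their field names are assumptions standing in for what a SIEM
would hold after ingesting Microsoft 365 audit logs and EDR alerts.
"""
from datetime import datetime, timedelta

TENANT_DOMAINS = {"example.com"}  # assumption: the organisation's own UPN domains


def ts(text):
    """Parse an ISO-8601 timestamp with offset into an aware datetime."""
    return datetime.fromisoformat(text)


def is_external(participant):
    """Anonymous or guest joins carry no UPN and count as external, as does any foreign domain."""
    if not participant or "@" not in participant:
        return True
    return participant.rsplit("@", 1)[1].lower() not in TENANT_DOMAINS


def correlate(alerts, meetings, window=timedelta(hours=2)):
    """Pair each alert with meetings the alerting user attended that included an
    external party and were in progress, or had ended within `window`, at alert time."""
    hits = []
    for alert in alerts:
        user = alert["user"].lower()
        for m in meetings:
            attendees = {p.lower() for p in m["participants"] if p}
            externals = [p or "<anonymous>" for p in m["participants"] if is_external(p)]
            if user not in attendees or not externals:
                continue
            if m["start"] <= alert["time"] <= m["end"] + window:
                hits.append({
                    "host": alert["host"],
                    "rule": alert["rule"],
                    "meeting": m["id"],
                    "external_parties": externals,
                    "minutes_after_join": round((alert["time"] - m["start"]).total_seconds() / 60),
                })
    return hits


MEETINGS = [  # constructed audit-log records
    {"id": "M1", "start": ts("2026-03-03T09:00:00+00:00"), "end": ts("2026-03-03T09:40:00+00:00"),
     "participants": ["a.user@example.com", "it-helpdesk@example.net"]},      # external "helpdesk"
    {"id": "M2", "start": ts("2026-03-03T13:00:00+00:00"), "end": ts("2026-03-03T13:30:00+00:00"),
     "participants": ["b.user@example.com", "c.user@example.com"]},           # internal only
    {"id": "M3", "start": ts("2026-03-02T10:00:00+00:00"), "end": ts("2026-03-02T10:30:00+00:00"),
     "participants": ["d.user@example.com", None]},                           # anonymous guest, day before
]

ALERTS = [  # constructed EDR alerts
    {"host": "WS-042", "user": "a.user@example.com", "rule": "powershell_ep_bypass",
     "time": ts("2026-03-03T09:25:00+00:00")},
    {"host": "WS-017", "user": "b.user@example.com", "rule": "rmm_tool_execution",
     "time": ts("2026-03-03T13:50:00+00:00")},
    {"host": "WS-099", "user": "d.user@example.com", "rule": "rmm_tool_execution",
     "time": ts("2026-03-03T09:30:00+00:00")},
]

if __name__ == "__main__":
    for hit in correlate(ALERTS, MEETINGS):
        print(hit)
```

The window matters: an alert raised mid-meeting is the strongest signal, one raised within a couple of hours of the meeting's end is still worth a look (the RMM install often follows the call), and widening the window to a day mostly adds noise. Treat anonymous joins as external rather than dropping them, since a guest join is exactly how an outside party with no tenant account appears.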

Mitigation

Mitigation efforts should focus on user awareness, access controls, and hardening the environment.

  1. User Training: This is the most critical defense. Educate users about social engineering tactics, especially those involving interactive sessions and requests to run commands or enter credentials. Implement M1017 - User Training.
  2. Application Control: Use application allowlisting policies to prevent the execution of unauthorized software, including unapproved RMM tools. This aligns with M1038 - Execution Prevention.
  3. MFA Hardening: The attack gets past MFA not by breaking it but by collecting the credential during a live session in which the victim is still on the call to satisfy the prompt. Continue to enforce MFA universally as a foundational control per M1032 - Multi-factor Authentication, and prefer phishing-resistant methods (FIDO2 security keys or passkeys), which cannot be reused from a password read off a shared screen. Require re-authentication for sensitive actions. None of this helps once a victim installs the attacker's RMM tool themselves, which is why application control and user training remain necessary.
  4. Network Segmentation: Restrict outbound traffic from workstations to only what is necessary for business operations. This can help block C2 communications from unauthorized tools. This is a form of M1030 - Network Segmentation.
  5. Endpoint Hardening: Configure PowerShell to use Constrained Language Mode and enable script block logging (Windows PowerShell event ID 4104) so that malicious script execution is both harder and visible. Note that -ExecutionPolicy Bypass is not a security boundary; execution policy only governs whether scripts run by default, so logging and application control, not policy, are what make a difference here.

Timeline of Events

  1. September 1, 2020: MuddyWater targeted Israeli organizations with the Thanos ransomware.
  2. January 1, 2023: MuddyWater collaborated with DEV-1084 (DarkBit) to launch destructive attacks under the guise of ransomware.
  3. January 1, 2026: The false flag ransomware operation was first observed in early 2026.
  4. May 7, 2026: This article was published.

Article Updates

May 11, 2026

Rapid7 research provides stronger attribution for MuddyWater's false flag campaign, explicitly linking the code-signing certificate to Iran's Ministry of Intelligence and Security (MOIS).

New analysis by Rapid7 reinforces the attribution of the MuddyWater false flag operation, which masquerades as Chaos ransomware, to the Iranian state-sponsored group. A key finding explicitly links the 'Donald Gay' code-signing certificate, used in the campaign, to infrastructure controlled by Iran's Ministry of Intelligence and Security (MOIS). This provides more definitive evidence of state sponsorship and intelligence-gathering objectives, further clarifying the nature of the espionage campaign and the actor's tactics.

May 14, 2026

Severity increased

New reports link Iran's MuddyWater APT to a separate espionage campaign in February 2026, breaching a major South Korean electronics manufacturer and other global entities using PowerShell reconnaissance via Node.js.

New intelligence from Symantec reveals that the Iranian APT group MuddyWater conducted a distinct cyber-espionage campaign in February 2026, targeting at least nine organizations globally, including a major South Korean electronics manufacturer. Unlike previous reports, this campaign utilized node.exe to execute PowerShell-based reconnaissance commands, maintaining access for a week. This highlights MuddyWater's expanding global reach and diverse TTPs beyond Microsoft Teams social engineering, focusing on intelligence gathering from strategic industries.


Article Author

Jason Gomes, Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Areas of expertise: Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags

APT, Espionage, False Flag, Iran, Mango Sandstorm, Microsoft Teams, MuddyWater, RMM, Social Engineering
