The hacking group MuddyWater, allegedly backed by the Iranian state, has been implicated in a sophisticated cyberattack that uses Microsoft Teams to steal credentials. The operation, documented by Rapid7 in early 2026, opens with social engineering and presents itself as a typical ransomware operation run under the Chaos brand. Despite initial appearances, the evidence points to a targeted operation designed to obscure its true origins.
Advanced Social Engineering Tactics
Through Microsoft Teams, attackers engage targets in a high-touch phase of the attack, utilizing screen-sharing to capture credentials and manipulate multi-factor authentication (MFA). Once inside, rather than encrypting files, they focus on data exfiltration and establish extended access using tools like DWAgent. This approach signifies a shift in MuddyWater’s strategy, favoring readily available cybercrime tools to complicate attribution.
Ctrl-Alt-Intel, Broadcom, Check Point, and JUMPSEC have all noted an increase in MuddyWater’s use of such tools, indicating a broader trend in their operations. This includes the deployment of CastleRAT and Tsundere, as observed in recent months, reflecting a tactical shift towards obscuring the true nature of their attacks.
Historical Context and Recent Developments
MuddyWater’s history with ransomware dates back to 2020, targeting Israeli entities with PowGoop loaders and Thanos ransomware. In 2023, they collaborated with the DarkBit persona for destructive campaigns. By 2025, Qilin ransomware was reportedly used against an Israeli hospital, further illustrating their evolving tactics.
Their use of ransomware as a cover for state-sponsored objectives was highlighted by Check Point, suggesting that involvement in programs like Qilin’s may serve both operational and camouflage purposes. This dual nature complicates defenses, as attacks appear financially driven but serve strategic national goals.
The Role of Chaos Ransomware
Chaos, a ransomware-as-a-service (RaaS) operation that emerged in 2025, is known for its multiple extortion methods. Chaos operators combine phishing and impersonation to gain initial access, often through Microsoft Teams, and deploy remote access tools such as Microsoft Quick Assist to extend their foothold.
Chaos affiliates also use DDoS threats and other extortion tactics, making their operations complex and multifaceted. As of March 2026, the group claimed numerous victims, primarily in the U.S., targeting sectors like construction and manufacturing.
Technical Insights and Attribution Challenges
Rapid7’s analysis revealed MuddyWater’s use of RDP to download malicious software, initiating a multi-stage infection that delivers payloads like remote access trojans disguised as legitimate applications. The campaign’s links to MuddyWater are reinforced by the use of known code-signing certificates.
The convergence of state-sponsored tactics with cybercriminal methodologies poses significant challenges for attribution, often delaying defensive responses. The absence of file encryption in some cases suggests a shift towards using ransomware for obfuscation rather than as a primary attack vector.
Recent discoveries by Hunt.io and ongoing activities by pro-Iranian hacktivists underscore the persistent and escalating nature of these cyber threats, highlighting the interconnectedness of cyber and physical domains in modern conflicts.
