PROBABLYPWNED
Threat Intelligence | May 8, 2026 | 4 min read

MuddyWater Used Teams Screen-Sharing to Steal Creds, Deployed Ransomware as Cover

Iranian APT MuddyWater hijacked Microsoft Teams to harvest credentials via live screen-sharing, then dropped Chaos ransomware as a false flag to hide espionage. Rapid7 linked the campaign to 36 victims.

Alex Kowalski

The Iranian state-sponsored group MuddyWater ran a credential theft operation through Microsoft Teams, using live screen-sharing to manipulate victims into exposing their passwords. When they finished exfiltrating data, they dropped Chaos ransomware—not to encrypt files, but to muddy attribution and distract defenders.

Rapid7 researchers attribute the campaign to MuddyWater (also tracked as Mango Sandstorm, Seedworm, and Static Kitten) based on infrastructure overlap, known malware patterns, and tradecraft consistent with the group's previous operations.

The Teams Attack Chain

MuddyWater didn't exploit a vulnerability in Microsoft Teams. Instead, they weaponized the platform's legitimate features through social engineering:

  1. Initial contact - Attackers initiate external chat requests, impersonating IT personnel or business contacts
  2. Screen-sharing session - Victims accept screen-share invitations for "technical support" or "document review"
  3. Credential harvesting - During the live session, attackers either direct victims to phishing pages disguised as Microsoft Quick Assist, or simply ask them to type passwords into local text files
  4. MFA manipulation - Attackers manipulate multi-factor authentication settings in real-time, watching victims complete authentication flows

This technique bypasses most phishing defenses. There's no malicious link in an email, no sketchy attachment—just a colleague asking for help during a video call. We've seen similar social engineering tactics evolve as attackers adapt to MFA adoption.

Ransomware as Distraction

Here's where it gets interesting. MuddyWater deployed Chaos ransomware not for financial gain, but as cover for their actual objective: persistent access and data exfiltration.

The ransomware served multiple purposes:

  • Distraction - Incident responders focus on ransomware containment while attackers maintain access through other channels
  • Attribution confusion - Chaos is associated with financially motivated actors, not nation-state espionage
  • Evidence destruction - Encryption scrambles forensic artifacts that might reveal the true scope of compromise

Behind the ransomware noise, MuddyWater established persistent access through remote management tools like DWAgent and AnyDesk—legitimate software that blends with normal IT operations.

Attribution Evidence

Rapid7 connected the campaign to MuddyWater through several indicators:

  • Code-signing certificate - A certificate attributed to "Donald Gay" previously signed MuddyWater malware including CastleLoader and Fakeset
  • Infrastructure overlap - C2 servers matched known MuddyWater infrastructure
  • Malware families - Stagecomp and Darkcomp payloads are MuddyWater signatures
  • Targeting profile - Victims aligned with Iranian intelligence collection priorities

As of late March 2026, the Chaos affiliate program claimed 36 victims, predominantly in the U.S.; construction, manufacturing, and business services were the most heavily targeted sectors.

Why Iran Uses False Flags

Iran has increasingly adopted false-flag tactics in cyber operations. By disguising espionage as cybercrime, MuddyWater achieves several objectives:

  • Plausible deniability - "It was just ransomware" deflects diplomatic consequences
  • Resource waste - Victims spend time and money on ransomware response rather than hunting for persistent access
  • Intelligence preservation - The real operation continues while defenders chase the wrong threat

This approach represents a maturation in Iranian cyber tradecraft, borrowing techniques previously associated with Russian operations like those targeting critical infrastructure.

Defensive Recommendations

  1. External Teams access controls - Restrict who can initiate external chats and screen-sharing
  2. Train users on vishing - Screen-sharing credential theft is essentially vishing with video
  3. Monitor for remote access tools - DWAgent, AnyDesk, and similar software should trigger alerts if not pre-approved
  4. Assume ransomware is a symptom - Any ransomware incident should include hunting for persistent access mechanisms
  5. Verify IT contacts out-of-band - If "IT support" calls, verify through official channels before sharing credentials
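As an added example (not from the article or the Rapid7 report), the following Python sketch implements recommendation 3 over constructed process-creation events: any DWAgent or AnyDesk executable on a host that is not on an approved-use list raises an alert, with a higher-confidence note when the binary runs from a user-writable path. The executable names, the JSON event schema, and the approved host list are assumptions.

```python
"""Flag remote management tool (RMM) executions that are not pre-approved.

Added example, not from the Rapid7 report. Input is constructed
process-creation telemetry in a hypothetical JSON-lines schema.
"""
import json

# Executable names for the tools the article names (assumed names).
RMM_PROCESSES = {
    "dwagent.exe": "DWAgent",
    "dwagsvc.exe": "DWAgent",
    "anydesk.exe": "AnyDesk",
}

# (host, tool) pairs with a documented business need (constructed).
APPROVED = {("HD-WS-01", "AnyDesk")}

# Constructed sample telemetry; raw string so JSON keeps its backslashes.
SAMPLE_EVENTS = r"""
{"host": "FIN-WS-07", "user": "jdoe", "image": "C:\\Users\\jdoe\\Downloads\\AnyDesk.exe", "parent": "chrome.exe"}
{"host": "HD-WS-01", "user": "svc_helpdesk", "image": "C:\\Program Files\\AnyDesk\\AnyDesk.exe", "parent": "services.exe"}
{"host": "ENG-WS-12", "user": "asmith", "image": "C:\\Users\\asmith\\AppData\\Local\\Temp\\dwagent.exe", "parent": "explorer.exe"}
{"host": "ENG-WS-12", "user": "asmith", "image": "C:\\Windows\\System32\\notepad.exe", "parent": "explorer.exe"}
"""


def detect(events_jsonl: str, approved: set) -> list:
    """Return one alert per RMM execution not covered by the approved list."""
    alerts = []
    for line in events_jsonl.strip().splitlines():
        ev = json.loads(line)
        exe = ev["image"].rsplit("\\", 1)[-1].lower()
        tool = RMM_PROCESSES.get(exe)
        if tool is None or (ev["host"], tool) in approved:
            continue  # not an RMM binary, or this host is allowed to run it
        reasons = ["unapproved RMM tool"]
        # A legitimate IT deployment normally installs under Program Files;
        # a user-profile path suggests the victim fetched it during a session.
        if "\\users\\" in ev["image"].lower():
            reasons.append("user-writable path")
        alerts.append({"host": ev["host"], "user": ev["user"],
                       "tool": tool, "image": ev["image"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS, APPROVED):
        print(alert)
```

In practice the approved set would come from the asset inventory or RMM change tickets, and the events from the EDR or Sysmon process-creation feed.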

Why This Matters

MuddyWater's false-flag approach complicates both attribution and incident response. Organizations hit by Chaos ransomware might declare the incident contained after paying or restoring from backups, never realizing that Iranian intelligence maintained access throughout.

For security teams, this reinforces that ransomware response cannot be purely about recovery. Every ransomware incident demands a thorough hunt for persistence, lateral movement, and data exfiltration—regardless of whether the ransom is paid.
