MuddyWater Uses Microsoft Teams for False Flag Ransomware Attack — Iranian State Hackers Disguise Espionage as Cybercrime

What Happened

Security firm Rapid7 has attributed a sophisticated ransomware attack to MuddyWater (aka Mango Sandstorm, Seedworm, Static Kitten), an Iranian state-sponsored hacking group, in what researchers describe as a “false flag” operation. The attack was designed to look like an opportunistic ransomware-as-a-service operation under the Chaos brand, but evidence points to a targeted state-backed campaign focused on espionage.

The attack chain began with social engineering via Microsoft Teams, where operators used interactive screen-sharing sessions to harvest credentials and manipulate multi-factor authentication (MFA). Once inside, the attackers deliberately bypassed traditional ransomware workflows — they skipped file encryption entirely, focusing instead on data exfiltration and establishing long-term persistence through remote management tools like DWAgent.

This is not MuddyWater’s first foray into ransomware-as-cover. The group has previously deployed Thanos ransomware against Israeli organizations (2020), partnered with threat actors using the DarkBit persona (2023), and used Qilin ransomware against an Israeli government hospital as recently as October 2025.

Source

The Hacker News — MuddyWater Uses Microsoft Teams to Steal Credentials in False Flag Ransomware Attack

Rapid7 — Muddying Tracks: State-Sponsored Shadow Behind Chaos Ransomware

Why This Matters

The blurring of the line between state-sponsored espionage and cybercrime is one of the most concerning trends in threat intelligence. MuddyWater’s deliberate use of criminal ransomware brands as cover for espionage operations makes attribution harder and creates confusion for incident responders, who may waste time negotiating with “ransomware operators” that don’t actually want money.

The Microsoft Teams vector is particularly noteworthy. Using a live screen-sharing session to walk a victim through MFA prompts in real time is a creative social engineering technique that bypasses many technical controls. Organizations should be training employees to treat unsolicited Teams calls and screen-sharing requests with the same suspicion as phishing emails — especially when they involve authentication prompts.
