MuddyWater linked to Microsoft Teams intrusion that used Chaos ransomware branding

An Iranian state-backed hacking group known as MuddyWater was linked to an early 2026 intrusion that used Microsoft Teams for initial access and appeared at first to be a Chaos ransomware attack, according to a technical analysis from Rapid7. The incident relied on screen-sharing, credential theft and MFA manipulation, and the attackers later skipped encryption in favor of data theft and persistence.

KEY FACTS

  • Initial access: Attackers used Teams chat requests and screen-sharing sessions to reach employees.
  • Observed behavior: The group used compromised accounts, remote management tools and lateral movement inside the victim network.
  • Payloads: The malware chain included ms_upd.exe, game.exe, WebView2Loader.dll and an encrypted configuration file.
  • Attribution clues: A code-signing certificate tied to “Donald Gay” was used to sign ms_upd.exe.

The report says the attackers used Microsoft Quick Assist, AnyDesk and DWAgent to maintain access after the initial social engineering phase. It also says the victim was later contacted by email for ransom talks, even though the campaign did not follow a typical ransomware model.

Rapid7 said the intrusion began with external Teams requests that were used to engage employees, harvest credentials and work around multi-factor authentication. In one case, the attackers also instructed users to enter credentials into locally created text files. The report says the group then used RDP to download a signed executable from an external server and launch a multi-stage infection chain.
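The file names, signer string and remote management tools named in the key facts and the two paragraphs above are the kind of indicators a defender would want to sweep endpoint telemetry for. The script below is an added example, not code from the article or from Rapid7: it scans constructed process-creation events (JSON lines, made up for this illustration) for the payload names ms_upd.exe, game.exe and WebView2Loader.dll, for the signer string tied to the first-stage file, and for launches of the remote tools used for persistence. The executable names assumed for Quick Assist, AnyDesk and DWAgent are illustrative guesses, not values from the report.

```python
"""
Added triage example (not from the article or the Rapid7 report).
Scans constructed endpoint process-creation events for the indicators the
article names: payload file names, the suspect signer on the first-stage
file, and the remote management tools used after initial access.
"""
import json
from dataclasses import dataclass

# File names the article attributes to the malware chain.
PAYLOAD_NAMES = {"ms_upd.exe", "game.exe", "webview2loader.dll"}

# Signer string the article ties to the certificate on ms_upd.exe.
SUSPECT_SIGNER = "donald gay"

# Remote management tools the report says were used to keep access.
# ASSUMPTION: these executable names are illustrative guesses, not values
# taken from the report.
REMOTE_TOOLS = {
    "quickassist.exe": "Microsoft Quick Assist",
    "anydesk.exe": "AnyDesk",
    "dwagent.exe": "DWAgent",
}


@dataclass
class Finding:
    host: str
    reason: str
    artifact: str


def image_name(path: str) -> str:
    """Return the lowercase file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def triage_event(event: dict) -> list[Finding]:
    """Return every indicator match for one process-creation event."""
    findings: list[Finding] = []
    host = event.get("host", "?")
    image = event.get("image", "")
    name = image_name(image)
    if name in PAYLOAD_NAMES:
        findings.append(Finding(host, "known payload file name", image))
    if name in REMOTE_TOOLS:
        findings.append(Finding(host, f"remote tool launched: {REMOTE_TOOLS[name]}", image))
    signer = (event.get("signer") or "").lower()
    if SUSPECT_SIGNER in signer:
        findings.append(Finding(host, "suspect code-signing certificate", image))
    # Modules loaded by the process: catches WebView2Loader.dll beside a payload.
    for module in event.get("loaded_modules", []):
        if image_name(module) in PAYLOAD_NAMES:
            findings.append(Finding(host, "payload module loaded", module))
    return findings


def triage_log(lines) -> list[Finding]:
    """Parse JSON-lines telemetry and collect findings across all events."""
    out: list[Finding] = []
    for line in lines:
        line = line.strip()
        if line:
            out.extend(triage_event(json.loads(line)))
    return out


def hosts_to_review(findings: list[Finding]) -> set[str]:
    """Hosts that produced at least one finding."""
    return {f.host for f in findings}


# Constructed sample telemetry (JSON lines); not real data from the incident.
SAMPLE_LOG = r"""
{"host": "ws-17", "image": "C:\\Users\\j.doe\\Downloads\\ms_upd.exe", "signer": "Donald Gay", "parent": "explorer.exe"}
{"host": "ws-17", "image": "C:\\ProgramData\\upd\\game.exe", "loaded_modules": ["C:\\ProgramData\\upd\\WebView2Loader.dll"]}
{"host": "ws-17", "image": "C:\\Program Files\\AnyDesk\\AnyDesk.exe", "signer": "Example Vendor"}
{"host": "ws-22", "image": "C:\\Windows\\System32\\notepad.exe", "signer": "Microsoft Windows"}
"""

if __name__ == "__main__":
    for finding in triage_log(SAMPLE_LOG.splitlines()):
        print(f"{finding.host}: {finding.reason} ({finding.artifact})")
    print("hosts to review:", sorted(hosts_to_review(triage_log(SAMPLE_LOG.splitlines()))))
```

File-name matching is a weak indicator on its own; in practice the signer match and the pairing of game.exe with WebView2Loader.dll in the same user-writable directory are what should raise the priority of a host, and the remote-tool launches should be compared against an allow-list of tools the organisation actually sanctions.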

The analysis links the activity to MuddyWater through the certificate used to sign the first-stage file, which had been seen before on malware tied to the same cluster. It also notes that the group has previously been associated with ransomware or destructive operations, including campaigns that used Thanos and Qilin branding. Similar tradecraft has been described by other security firms in recent months, including the use of CastleRAT and Tsundere.

The report says the apparent goal was not file encryption but long-term access and data exfiltration. It also says the Chaos ransomware brand may have been used to obscure attribution and delay defensive response while the operators kept persistence inside the network.

WHY IT MATTERS

The case shows how state-linked actors can blend in with criminal ransomware operations by using common remote access tools, commercial-style extortion and familiar social engineering. That mix can make it harder for defenders to identify the true purpose of an intrusion and respond before data is taken.