MuddyWater, an Iranian state-sponsored hacking group operating under the direction of Iran's Ministry of Intelligence and Security (MOIS), has been observed disguising espionage intrusions as Chaos ransomware attacks. The group is abusing Microsoft Teams for social engineering, establishing persistent access, harvesting credentials, and exfiltrating data before deploying Chaos ransomware as a misdirection tactic — leaving victims focused on ransomware recovery while missing the deeper compromise.
The campaign was detailed by BleepingComputer following analysis by security researchers who tracked the group's evolving tactics across multiple victim environments.
MuddyWater Background
MuddyWater (also tracked as MERCURY / Mango Sandstorm, Seedworm, Boggy Serpens, and Static Kitten) is one of Iran's most prolific state-sponsored cyber espionage groups, active since at least 2017. The group primarily targets:
- Government ministries and defense agencies in the Middle East
- Telecommunications providers
- Critical infrastructure operators
- Think tanks and NGOs with policy relevance to Iranian interests
- Technology and media companies
The US government formally attributed MuddyWater to MOIS in January 2022, and the following month CISA, the FBI, US Cyber Command, the NSA and the UK's NCSC issued a joint cybersecurity advisory on the group's tactics; later that year the US Treasury sanctioned MOIS itself for its cyber operations.
The Microsoft Teams Social Engineering Vector
The use of Microsoft Teams as a social engineering channel marks a tactical evolution for MuddyWater. Historically, the group relied heavily on spear-phishing emails, but Teams-based attacks offer several advantages for threat actors:
- Lower user suspicion — Teams messages from "colleagues" or "IT support" are treated with higher trust than cold emails
- Bypass email security — Secure email gateways that detonate attachments and rewrite links never see Teams chats; message content and any links in it travel through Microsoft 365 rather than the mail path
- Direct interactive sessions — Attackers can engage targets in real-time conversation to overcome hesitation
- Legitimate platform — Traffic blends with normal corporate communications
MuddyWater uses Teams messages to impersonate IT support staff, requesting that targets:
- Install remote management software ("for system maintenance")
- Click links to download "security updates"
- Join remote desktop sessions to "resolve urgent issues"
Once a target complies, the attacker establishes a remote administration session using legitimate tools — a technique that significantly complicates detection since legitimate remote management traffic is routine in enterprise environments.
Observed Attack Progression
Step 1 — Teams-Based Social Engineering
Attackers initiate contact via Microsoft Teams using compromised or attacker-controlled accounts posing as IT administrators or helpdesk staff. The pretexts vary but typically involve urgency ("your system needs an emergency security update") or authority ("IT security has flagged your account").
Step 2 — Remote Management Tool Deployment
Victims are persuaded to install one of several legitimate remote management tools that MuddyWater has been documented abusing:
| Tool | Notes |
|---|---|
| ScreenConnect (ConnectWise) | Frequently abused; sessions are relayed through the vendor's cloud, so C2 traffic goes to a legitimate domain |
| AnyDesk | Widely abused across threat actor landscape |
| Atera | Previously documented in MuddyWater campaigns |
| Level.io | Newer platform; less likely to appear on blocklists or in detection content |
| SimpleHelp | Used in 2025-2026 campaigns |
Using legitimate, signed software keeps the attacker's footprint minimal: antivirus and EDR will not flag the binaries on their own, so detection has to come from context — who installed the tool, whether it is on the organisation's approved list, and what happens in the session afterwards.
Step 3 — Credential Harvesting & Lateral Movement
Once the remote session is established, the attacker deploys credential harvesting tools targeting:
- LSASS memory — NTLM hashes and Kerberos tickets of logged-on domain users (Mimikatz-style dumping)
- Browser credential stores — Chrome, Edge, Firefox saved passwords
- Windows Credential Manager — Stored network credentials
- Exchange/Outlook profiles — Email account credentials
Harvested credentials are used to move laterally to additional systems, escalate privileges, and gain access to high-value targets including file servers, email archives, Active Directory, and SharePoint.
Step 4 — Data Exfiltration (Primary Mission)
Before deploying the ransomware decoy, the attackers spend time identifying and exfiltrating data of intelligence value. Target data typically includes:
- Government documents and policy communications
- Personnel records and contact databases
- Technical documentation and network diagrams
- Email archives
- VPN and remote access configurations
Data is staged and exfiltrated to attacker-controlled infrastructure, completing the espionage objective.
Step 5 — Chaos Ransomware Deployment (Decoy)
With the intelligence collection complete, the attackers deploy Chaos ransomware across the environment. Chaos is a publicly available .NET-based ransomware builder that produces functional ransomware requiring no custom development. Using commodity ransomware provides MuddyWater with:
- Attribution confusion — Chaos is used by many financially motivated actors; attribution to a nation-state is harder
- Distraction — Victims and responders focus on ransomware recovery, potentially missing evidence of the preceding espionage activity
- Evidence contamination — Encryption rewrites files and their timestamps, and the recovery effort itself (reimaging, restoring from backup) destroys artifacts, complicating forensic reconstruction of the attacker's earlier activity
Implications for Incident Response
The use of ransomware as a decoy has significant implications for how incidents should be scoped and investigated:
Do not close the incident when encryption is addressed. Restoring from backups or paying a ransom addresses only the ransomware component. The underlying APT access and any harvested credentials likely persist.
Treat every ransomware incident as a potential APT intrusion. Particularly for government, defense, telecom, and critical infrastructure targets, investigate beyond the ransomware payload to determine whether credential theft and data exfiltration preceded encryption.
Audit credential exposure. After any ransomware incident, rotate all credentials — Active Directory accounts, service accounts, cloud credentials, VPN credentials — not just the accounts confirmed as compromised. If domain-level compromise is suspected, that includes resetting the krbtgt account (twice, with a replication interval between resets) so that forged Kerberos tickets stop working.
Review Teams external access policies. Restrict or audit external user access to Microsoft Teams. Enable logging for external communications. Require out-of-band verification (a call-back to a known number) before anyone acts on a remote-session or software-install request that arrives over Teams, even when the sender claims to be internal IT.
Detection Opportunities
| Stage | Detection Signal |
|---|---|
| Initial access | Teams messages from external accounts requesting remote sessions |
| Tool deployment | Installation of remote management software not in IT-approved list |
| Credential harvesting | LSASS access by non-system processes; Mimikatz-like behavior |
| Lateral movement | Pass-the-hash, pass-the-ticket events; new admin logons |
| Data staging | Large volume file access from a single account in short timeframe |
| Exfiltration | Outbound data to cloud storage or unusual endpoints |
| Ransomware | Shadow copy deletion commands; rapid file modification at scale |
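The following script is an added example, not code from the original article or from any of the researchers it cites. It turns the detection table above (and the tool-deployment, credential-harvesting and ransomware steps earlier on the page) into five concrete rules and runs them over a handful of constructed events in Sysmon, Windows Security and Teams-audit shape. The tenant domain, approved-tool list, LSASS allowlist, thresholds and the sample events themselves are all assumptions chosen for the illustration; the RMM binary names are illustrative and incomplete, and a real deployment would populate them from its own telemetry.

```python
"""Toy detections for the intrusion chain described above, run over
constructed sample events (not real telemetry, not MuddyWater's code)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumptions for this example: the tenant's own domain, the RMM tools IT has
# actually approved, and the processes that legitimately open LSASS. Populate
# all three from your own environment; the binary names are illustrative.
TENANT_DOMAINS = {"corp.example"}
APPROVED_RMM = {"teamviewer.exe"}
KNOWN_RMM = {"screenconnect.clientservice.exe", "anydesk.exe", "ateraagent.exe",
             "remote access.exe", "teamviewer.exe"}
LSASS_ALLOW = {"csrss.exe", "wininit.exe", "services.exe", "msmpeng.exe", "lsass.exe"}
REMOTE_REQUEST = re.compile(
    r"anydesk|screenconnect|simplehelp|atera|level\.io|quick assist|"
    r"remote (session|desktop)|security update", re.I)
SHADOW_DELETE = re.compile(
    r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete|"
    r"bcdedit(\.exe)?.*recoveryenabled\s+no|wbadmin(\.exe)?\s+delete\s+catalog", re.I)


def basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def teams_external_remote_request(ev):
    """Initial access: Teams message from outside the tenant asking for a remote session."""
    if ev["source"] != "teams" or ev["sender"].split("@")[-1].lower() in TENANT_DOMAINS:
        return None
    if REMOTE_REQUEST.search(ev["body"]):
        return f"initial_access: {ev['sender']} asked {ev['recipient']} for a remote session"
    return None


def unapproved_rmm(ev):
    """Tool deployment: Sysmon event 1 (process create) for an RMM agent IT has not approved."""
    if ev["source"] != "sysmon" or ev["event_id"] != 1:
        return None
    img = basename(ev["image"])
    if img in KNOWN_RMM and img not in APPROVED_RMM:
        return f"tool_deployment: unapproved RMM {img} started on {ev['host']} by {ev['user']}"
    return None


def lsass_access(ev):
    """Credential harvesting: Sysmon event 10 (process access) on lsass.exe from an unexpected source."""
    if ev["source"] != "sysmon" or ev["event_id"] != 10 or basename(ev["target_image"]) != "lsass.exe":
        return None
    src = basename(ev["source_image"])
    if src not in LSASS_ALLOW:
        return f"credential_harvesting: {src} opened lsass.exe with {ev['granted_access']} on {ev['host']}"
    return None


def shadow_copy_deletion(ev):
    """Ransomware: recovery tampering (shadow copies, boot recovery, backup catalog) in a command line."""
    if ev["source"] == "sysmon" and ev["event_id"] == 1 and SHADOW_DELETE.search(ev["command_line"]):
        return f"ransomware: recovery tampering on {ev['host']}: {ev['command_line']}"
    return None


def bulk_file_access(events, threshold, window=timedelta(minutes=10)):
    """Data staging: one account reading more than `threshold` distinct files within `window`
    (Windows Security event 4663, object access). Sliding window per account."""
    per_user = defaultdict(list)
    for ev in events:
        if ev["source"] == "security" and ev["event_id"] == 4663:
            per_user[ev["user"]].append((datetime.fromisoformat(ev["ts"]), ev["object"]))
    alerts = []
    for user, hits in per_user.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1
            if len({obj for _, obj in hits[start:end + 1]}) > threshold:
                alerts.append(f"data_staging: {user} touched more than {threshold} files in {window}")
                break
    return alerts


def run_rules(events, threshold=500):
    per_event = (teams_external_remote_request, unapproved_rmm, lsass_access, shadow_copy_deletion)
    alerts = [a for ev in events for rule in per_event if (a := rule(ev))]
    return alerts + bulk_file_access(events, threshold)


LSASS = r"C:\Windows\System32\lsass.exe"
SAMPLE_EVENTS = [  # constructed for this example, not captured from a real incident
    {"source": "teams", "sender": "helpdesk@it-support-portal.example", "recipient": "j.doe@corp.example",
     "body": "IT security flagged your account. Install AnyDesk so we can start a remote session."},
    {"source": "teams", "sender": "a.smith@corp.example", "recipient": "j.doe@corp.example", "body": "Lunch?"},
    {"source": "sysmon", "event_id": 1, "host": "WS-0142", "user": "CORP\\j.doe",
     "image": r"C:\Users\j.doe\Downloads\AnyDesk.exe", "command_line": "AnyDesk.exe --install"},
    {"source": "sysmon", "event_id": 1, "host": "WS-0142", "user": "CORP\\j.doe",
     "image": r"C:\Program Files\TeamViewer\TeamViewer.exe", "command_line": "TeamViewer.exe"},
    {"source": "sysmon", "event_id": 10, "host": "WS-0142", "source_image": r"C:\Users\j.doe\AppData\Local\Temp\svc.exe",
     "target_image": LSASS, "granted_access": "0x1010"},
    {"source": "sysmon", "event_id": 10, "host": "WS-0142", "source_image": r"C:\Windows\System32\csrss.exe",
     "target_image": LSASS, "granted_access": "0x1fffff"},
    {"source": "sysmon", "event_id": 1, "host": "FS01", "user": "CORP\\j.doe",
     "image": r"C:\Windows\System32\vssadmin.exe", "command_line": "vssadmin.exe delete shadows /all /quiet"},
] + [{"source": "security", "event_id": 4663, "ts": f"2025-03-04T11:0{i}:00", "user": "CORP\\j.doe",
      "object": f"\\\\fs01\\policy\\doc{i}.docx"} for i in range(6)]

if __name__ == "__main__":
    for alert in run_rules(SAMPLE_EVENTS, threshold=5):  # low threshold only for the tiny sample
        print(alert)
```

Two design points worth noting. The RMM rule deliberately keys on "known RMM and not approved" rather than "any RMM", because the page's point is that the tools are legitimate: TeamViewer in the sample is approved and stays silent, while the AnyDesk install from a Downloads folder fires. The LSASS rule uses an allowlist of source processes rather than a blocklist of dumpers, which is what catches a renamed or custom tool like the `svc.exe` in the sample; in production you would also tune on the granted-access mask and the signing status of the source image.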