Cybersecurity researchers have uncovered a new campaign linked to the Iranian state-backed hacking group known as MuddyWater. The attackers reportedly used Microsoft Teams as part of a social engineering attack to steal credentials and gain unauthorized access to targeted organizations.
According to security experts, the campaign was designed to look like a ransomware attack connected to the Chaos ransomware group. However, researchers later discovered that the real objective was espionage, credential theft, long-term persistence, and data exfiltration rather than file encryption.
The attackers reportedly contacted employees through Microsoft Teams and convinced them to join screen-sharing sessions. During these interactions, victims were manipulated into entering credentials, approving multi-factor authentication requests, or allowing remote access tools to be installed on their systems.
Researchers found that the attackers used tools like AnyDesk and DWAgent to maintain remote access after the initial compromise. Instead of encrypting files like traditional ransomware groups, the hackers focused on collecting sensitive information and maintaining hidden access inside the network.
Security analysts believe the use of Chaos ransomware branding was a “false flag” tactic designed to confuse investigators and make the attack appear financially motivated rather than state-sponsored espionage.
The incident highlights how cybercriminals and advanced threat groups are increasingly abusing trusted communication platforms like Microsoft Teams for phishing and social engineering attacks. Experts recommend organizations strengthen employee awareness training, restrict unnecessary remote access tools, monitor unusual login activity, and improve MFA security policies.
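The recommendations above to restrict unnecessary remote access tools and monitor for them can be turned into a simple detection. The following is an added example, not code from the article or from any vendor: it scans constructed JSON-lines process-creation events and reports launches of AnyDesk or DWAgent (the tools named above) that fall outside a hypothetical approved helpdesk user/host policy; the log format, host names and account names are assumptions.

```python
"""Report remote-access tool launches outside an approved support workflow.
Added example (not from the article); log format, hosts and users are
constructed for illustration."""
import json
import os

# Tools the article names as used for post-compromise access. Matching is a
# case-insensitive substring test on the executable's base name (heuristic).
REMOTE_TOOL_MARKERS = ("anydesk", "dwagent")

# Hypothetical policy: only the helpdesk service account may run these tools,
# and only on the helpdesk jump host. Every other launch is reported.
APPROVED_USERS = {"CORP\\helpdesk-svc"}
APPROVED_HOSTS = {"HD-JUMP01"}


def matched_tool(image_path):
    """Return the marker matched by the executable's base name, or None."""
    name = os.path.basename(image_path.replace("\\", "/")).lower()
    for marker in REMOTE_TOOL_MARKERS:
        if marker in name:
            return marker
    return None


def find_unapproved_remote_tools(log_lines):
    """Parse JSON-lines process-creation events; return one alert dict per
    remote-tool launch that is not covered by the approved user/host policy."""
    alerts = []
    for line in log_lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        tool = matched_tool(ev.get("image", ""))
        if tool is None:
            continue
        if ev.get("user") in APPROVED_USERS and ev.get("host") in APPROVED_HOSTS:
            continue  # sanctioned support use, not an alert
        alerts.append({"ts": ev["ts"], "host": ev["host"], "user": ev["user"],
                       "tool": tool, "image": ev["image"]})
    return alerts


# Constructed sample events (JSON lines), not real telemetry.
SAMPLE_LOG = """
{"ts": "2024-01-01T09:02:11Z", "host": "FIN-WS17", "user": "CORP\\\\j.doe", "image": "C:\\\\Users\\\\j.doe\\\\Downloads\\\\AnyDesk.exe"}
{"ts": "2024-01-01T09:05:40Z", "host": "FIN-WS17", "user": "CORP\\\\j.doe", "image": "C:\\\\Program Files\\\\Microsoft Office\\\\root\\\\Office16\\\\EXCEL.EXE"}
{"ts": "2024-01-01T10:14:02Z", "host": "HD-JUMP01", "user": "CORP\\\\helpdesk-svc", "image": "C:\\\\Program Files (x86)\\\\AnyDesk\\\\AnyDesk.exe"}
{"ts": "2024-01-01T11:30:55Z", "host": "HR-WS03", "user": "CORP\\\\a.smith", "image": "C:\\\\Users\\\\a.smith\\\\AppData\\\\Local\\\\Temp\\\\dwagent.exe"}
""".strip().splitlines()

if __name__ == "__main__":
    for a in find_unapproved_remote_tools(SAMPLE_LOG):
        print(f"{a['ts']} {a['host']} {a['user']} launched {a['tool']} ({a['image']})")
```

Running it against the sample reports the two user-profile launches on FIN-WS17 and HR-WS03 and stays silent on the sanctioned helpdesk jump host.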
For advanced cybersecurity protection and digital safety solutions, you can explore IntelligenceX.