Hackers Used Microsoft Teams and Fake Ransomware to Hide Espionage Campaign
Researchers believe the attack was state-sponsored
Iranian hacking group MuddyWater posed as a ransomware operation while using Microsoft Teams to gain access to targeted organizations, according to Rapid7.
The campaign used Chaos ransomware branding, but the real goal likely wasn’t financial extortion. Instead, the activity appears to fit a cyber-espionage operation designed to hide behind criminal-looking tactics.
Teams was used as the entry point
The attackers contacted employees directly through Microsoft Teams and pushed them into screen-sharing sessions. From there, they used social engineering to guide victims through actions that exposed credentials and access paths.
One method involved fake Microsoft Quick Assist phishing pages. Attackers also tricked victims into typing passwords into local files and attempted to manipulate multi-factor authentication settings.
The attackers used remote access tools to move deeper
After gaining access, the group used tools such as RDP, AnyDesk, and DWAgent to maintain control. The attackers also reached internal systems, including a domain controller, which suggests a deeper compromise than a simple ransomware incident.
The campaign also deployed a loader named ms_upd.exe and a backdoor called Game.exe. The backdoor was disguised as a WebView2 application and supported command execution through PowerShell and CMD, file uploads, file deletion, and persistent remote shell access.
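As an added illustration (not code from the article or the Rapid7 report), the Python hunt below runs over constructed process-creation events and flags the two binaries named above, the remote-access tools, and a PowerShell or CMD process whose parent is one of the named payloads; the host names, paths and event format are assumptions.

```python
from dataclasses import dataclass

# Binary names are the ones the article mentions; all events below are constructed.
REMOTE_ACCESS_TOOLS = {"anydesk.exe", "dwagent.exe"}
NAMED_PAYLOADS = {"ms_upd.exe", "game.exe"}
SHELLS = {"powershell.exe", "cmd.exe"}


@dataclass(frozen=True)
class ProcEvent:
    host: str    # endpoint name (assumed field)
    parent: str  # parent image path (assumed field)
    image: str   # child image path (assumed field)


def basename(path: str) -> str:
    """Case-insensitive file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(ev: ProcEvent) -> list[str]:
    """Findings for one event; an empty list means nothing to review."""
    img, par = basename(ev.image), basename(ev.parent)
    findings = []
    if img in NAMED_PAYLOADS:
        findings.append(f"named-payload:{img}")
    if img in REMOTE_ACCESS_TOOLS:
        # These are legitimate tools too; flag for review rather than treating as proof.
        findings.append(f"remote-access-tool:{img}")
    if img in SHELLS and par in NAMED_PAYLOADS:
        # The backdoor ran commands through PowerShell/CMD, so a shell whose
        # parent is one of the named payloads is the strongest signal here.
        findings.append(f"shell-from-payload:{par}->{img}")
    return findings


def hunt(events: list[ProcEvent]) -> list[tuple[str, str, list[str]]]:
    """Keep only events with findings, as (host, image name, findings)."""
    return [(ev.host, basename(ev.image), f) for ev in events if (f := classify(ev))]


# Constructed sample telemetry, not real logs.
SAMPLE_EVENTS = [
    ProcEvent("WS01", r"C:\Windows\explorer.exe", r"C:\Users\alice\Downloads\ms_upd.exe"),
    ProcEvent("WS01", r"C:\Users\alice\AppData\Local\Temp\Game.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    ProcEvent("WS02", r"C:\Windows\explorer.exe", r"C:\Program Files\AnyDesk\AnyDesk.exe"),
    ProcEvent("WS02", r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe"),
    ProcEvent("WS03", r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe"),
]
```

Running `hunt(SAMPLE_EVENTS)` returns three hits (the loader, the shell spawned by the backdoor, and the AnyDesk launch) and drops the two benign events.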
Ransomware branding likely helped hide the real goal
Using Chaos ransomware branding gave the operation a criminal appearance. This can make attribution harder and distract defenders from the possibility of state-backed espionage.
Rapid7 linked the activity to MuddyWater through infrastructure overlap, known malware patterns such as Stagecomp and Darkcomp, and tradecraft consistent with previous operations. The malware also used anti-analysis checks, anti-VM detection, and a certificate previously associated with MuddyWater-linked activity.
Microsoft Teams attacks remain a growing concern
The report comes after Microsoft warned about rising attacks that abuse Teams for social engineering. The company is also developing new anti-phishing tools to help organizations reduce this type of threat.
In other cybersecurity news, CloudZ RAT has been exploiting Microsoft Phone Link to steal one-time passwords, showing how attackers continue to abuse trusted communication and productivity tools.