MuddyWater Uses Teams to Harvest Credentials and Subvert MFA in Chaos False-Flag Campaign

TL;DR Summary
Security researchers describe a MuddyWater operation that used Microsoft Teams external messaging and screen-sharing to harvest user credentials (credentials.txt/cred.txt) and push MFA changes, then established backdoor access with the DWAgent and AnyDesk remote-access tools. The attackers deployed a custom RAT (Game.exe) and used C2 domains linked to MuddyWater, disguising the intrusion as a Chaos ransomware attack even though the operation focused on credential theft and data exfiltration rather than encryption. Other indicators included a forged code-signing certificate and the use of stolen credentials for lateral movement to domain controllers.
Topics: technology, credential-harvesting, cybersecurity, mfa, microsoft-teams, muddywater, remote-access-tools
- Hackers Use Microsoft Teams to Steal Credentials and Manipulate MFA (CyberSecurityNews)
- MuddyWater Uses Microsoft Teams to Steal Credentials in False Flag Ransomware Attack (The Hacker News)
- Iran-sponsored threat group behind false flag social engineering campaign (Cybersecurity Dive)
- Iran-Linked APT Posed as Chaos Ransomware Member in Espionage Campaign (Infosecurity Magazine)
- Iranian cyber espionage disguised as a Chaos Ransomware attack (Security Affairs)