Tag

Muddywater

All articles tagged with #muddywater

MuddyWater Uses Teams to Harvest Credentials and Subvert MFA in Chaos False-Flag Campaign
cybersecurity, 24 days ago

Security researchers describe a MuddyWater operation that used Microsoft Teams external contact and screen-sharing to harvest user credentials (saved to files named credentials.txt or cred.txt) and to push MFA changes that subverted the second factor, followed by backdoor access through DWAgent and AnyDesk. The operators also deployed a custom RAT (Game.exe) and used C2 domains previously linked to MuddyWater. The intrusion was dressed up as a Chaos ransomware false flag: the goal was credential theft and data exfiltration rather than encryption. Other indicators included a forged code-signing certificate and stolen credentials that enabled lateral movement to domain controllers.

MuddyWater Uses Teams for Credential Theft in False-Flag Ransomware Operation
technology, 25 days ago

Rapid7 attributes to MuddyWater a 2026 operation that used interactive Teams screen-sharing to harvest credentials and bypass MFA, exfiltrate data, and maintain persistence with tools such as DWAgent and AnyDesk, while deliberately not encrypting files even though it posed as a ransomware attack. Described as a state-backed false-flag campaign, it leveraged the Chaos RaaS framework and off-the-shelf tools to blur attribution, illustrating tradecraft that blends cybercrime methods with strategic aims.

Iranian Hackers Utilize SimpleHelp Software for Long-Term Access
cybersecurity, 3 years ago

Iranian threat actor MuddyWater has been using the legitimate remote-support software SimpleHelp to maintain persistence on victim devices. The group, assessed to be a subordinate element of Iran's Ministry of Intelligence and Security, has previously used ScreenConnect, RemoteUtilities, and Syncro in the same role. SimpleHelp itself is not compromised: the actors download the tool from the official website and use it as intended. The distribution method used to drop the SimpleHelp samples is currently unclear, although the group is known to send spear-phishing messages carrying malicious links from already-compromised corporate mailboxes.
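The common thread across the three articles above is persistence through legitimate remote-support products (DWAgent, AnyDesk, SimpleHelp, ScreenConnect, RemoteUtilities, Syncro) plus the credential files named in the first report. The following detection script is an added example, not code from any of the articles or from Rapid7; it scans constructed process/service telemetry for unsanctioned remote-support tools, flags service or silent installs as persistence, and flags references to credentials.txt/cred.txt. The executable and service-name patterns, the install-switch regex, the key=value record format and the sanctioned-tool allowlist are all assumptions for the example.

```python
import re
from dataclasses import dataclass

# Remote-support / RMM products the articles above name as MuddyWater tooling.
# The executable and service-name patterns are assumptions made for this
# example, not indicators published in the articles; tune them to your telemetry.
REMOTE_TOOL_PATTERNS = {
    "AnyDesk": re.compile(r"anydesk", re.I),
    "DWAgent": re.compile(r"dwag(ent|svc)", re.I),
    "SimpleHelp": re.compile(r"simplehelp", re.I),
    "ScreenConnect": re.compile(r"screenconnect", re.I),
    "RemoteUtilities": re.compile(r"remoteutilities|rutserv", re.I),
    "Syncro": re.compile(r"syncro", re.I),
}

# Hypothetical: the one remote-support product this organisation has sanctioned.
SANCTIONED_TOOLS = {"ScreenConnect"}

# File names the first article reports the operators used for harvested credentials.
CRED_FILE_RE = re.compile(r"\b(credentials|cred)\.txt\b", re.I)

# Silent/service install switches: an assumption used to spot persistence attempts.
INSTALL_RE = re.compile(r"--install|/S\b|--start-with-win", re.I)

# key=value records with optional double-quoted values (constructed format).
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class Finding:
    host: str
    user: str
    reason: str
    evidence: str


def parse_event(line):
    """Turn one key=value log record into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def classify_event(event):
    """Return the findings raised by a single process/service event."""
    findings = []
    host, user = event.get("Host", "?"), event.get("User", "?")
    haystack = " ".join(event.get(k, "") for k in ("Image", "CommandLine", "ServiceName"))

    for tool, pat in REMOTE_TOOL_PATTERNS.items():
        if not pat.search(haystack) or tool in SANCTIONED_TOOLS:
            continue
        reason = f"unsanctioned remote-support tool: {tool}"
        if "ServiceName" in event or INSTALL_RE.search(haystack):
            reason += " (installed for persistence)"
        findings.append(Finding(host, user, reason, haystack))
        break  # one tool finding per event is enough

    if CRED_FILE_RE.search(haystack):
        findings.append(Finding(host, user, "credential-harvest file referenced", haystack))
    return findings


def scan_log(text):
    """Scan newline-separated records; returns findings in log order."""
    results = []
    for line in text.splitlines():
        if line.strip():
            results.extend(classify_event(parse_event(line)))
    return results


# Constructed sample telemetry for demonstration only (not from any real incident).
SAMPLE_LOG = r"""
Host=WS-0412 User=CORP\jdoe Image="C:\Users\jdoe\AppData\Local\AnyDesk\AnyDesk.exe" CommandLine="AnyDesk.exe --install C:\ProgramData\AnyDesk --start-with-win --silent"
Host=WS-0412 User=SYSTEM Image="C:\Windows\System32\services.exe" ServiceName=DWAgent CommandLine="C:\Program Files\DWAgent\native\dwagsvc.exe"
Host=FS-02 User=CORP\svc_help Image="C:\Program Files\ScreenConnect Client\ScreenConnect.ClientService.exe" CommandLine="ScreenConnect.ClientService.exe"
Host=WS-0199 User=CORP\asmith Image="C:\Users\asmith\Downloads\Remote Access.exe" CommandLine="Remote Access.exe /S" ServiceName=SimpleHelp
Host=WS-0201 User=CORP\bwong Image="C:\Windows\System32\notepad.exe" CommandLine="notepad.exe C:\Users\bwong\Desktop\cred.txt"
"""

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.host} {f.user}: {f.reason}")
```

Because the tools are legitimate and signed, hash- or certificate-based blocking does not help; the useful signal is an unsanctioned product appearing at all, and a service or silent install from a user profile or Downloads directory is the persistence event worth paging on. Run the scan over your own process-creation and service-install telemetry rather than the constructed SAMPLE_LOG above.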