Iran's MuddyWater Used Microsoft Teams Screen-Sharing to Run a False-Flag Ransomware Espionage Campaign
Iran is running two parallel playbooks against Western targets simultaneously.
Last month, we documented how Iran's Ministry of Intelligence and Security was openly recruiting UK residents via Telegram bots and crypto payments — arson, antisemitic vandalism, and surveillance farmed out to disposable proxies on British streets. Now Rapid7 has published attribution for the digital arm of the same ministry's operations: MuddyWater, the Iranian state APT, ran a false-flag campaign in which it posed as Chaos ransomware operators to conduct intelligence collection against a US bank, an airport, nonprofit organizations, and a defense and aerospace software supplier with operations in Israel.
The ransomware branding was cover. The objective was espionage. The attack vector was Microsoft Teams.
Who MuddyWater Is
MuddyWater — also tracked as Static Kitten, Mercury, Earth Vetala, and TEMP.Zagros — is one of Iran's most active and long-running cyber espionage units. Publicly attributed to Iran's Ministry of Intelligence and Security (MOIS) by the US Cyber Command, CISA, and the UK's NCSC in a 2022 joint advisory, the group has been operational since at least 2017 and is assessed to be a subordinate element of MOIS with a primary mandate of intelligence collection.
MuddyWater's historical targeting is consistent with Iranian strategic priorities: government agencies, defense contractors, telecommunications providers, and media organizations across the Middle East, Europe, and the United States. The group has been documented conducting operations against targets in Turkey, Pakistan, Israel, Saudi Arabia, the UAE, Iraq, Austria, and the US. Unlike Iran's other prominent cyber units — APT33 (Charming Kitten/Mint Sandstorm, linked to IRGC) and APT34 (OilRig, also MOIS-linked) — MuddyWater has historically relied more on publicly available and off-the-shelf tools rather than custom malware, which complicates attribution and reduces development cost.
The group is known for extensive use of spear-phishing with macro-enabled documents, PowerShell-based post-exploitation frameworks, and — increasingly — social engineering of IT personnel. The Microsoft Teams attack vector documented by Rapid7 represents an evolution in tradecraft that places MuddyWater squarely in the same operational lane as North Korea's IT worker infiltration campaigns and Scattered Spider's help desk vishing: the human is the vulnerability, not the software.
What a False-Flag Ransomware Operation Is — and Why Iran Uses Them
A false-flag operation in cyber context means presenting your activity as the work of a different actor to misdirect attribution. Deploying ransomware under a known criminal brand — in this case Chaos ransomware, a toolkit that circulates in cybercriminal communities — achieves several things simultaneously for a state actor.
It confuses attribution. Incident responders who find Chaos ransomware on a network start their threat model with financially motivated criminal actors, not Iranian intelligence. The first 72 hours of an incident response are critical for containment and evidence preservation; if the victim's IR team is looking for a ransomware-as-a-service affiliate instead of a state APT, they may miss the lateral movement artifacts that reveal the true objective.
It provides plausible deniability. Iran can deny state involvement by pointing to the criminal tooling. "We didn't do this; some criminal gang used our infrastructure" is a deniability argument that has worked for Russian state actors for years when their operations overlap with criminal toolkits.
It covers the true objective. If MuddyWater's real goal is credential theft and intelligence collection, ransomware deployment serves as a distraction: the victim focuses on recovery while the attacker's exfiltration, already complete, goes unexamined. In some false-flag cases, ransomware is never actually deployed — the threat of it is sufficient to panic the target while the espionage objective is quietly completed.
It creates financial ambiguity. Ransom demands can obscure the question of why a state intelligence service would care about a particular organization. "They wanted money" is a more intuitive narrative than "they wanted the defense contractor's client list."
The Microsoft Teams Attack Vector
Rapid7's analysis describes MuddyWater using Microsoft Teams as the primary credential harvesting vector — a significant tradecraft development that security teams need to understand precisely.
The attack pattern, as reconstructed by Rapid7, involves establishing a Teams session with a target organization's personnel — likely through a compromised or spoofed external tenant, or by exploiting the default Teams configuration that allows external users to initiate chats with internal users. Once in a call or meeting session, the attacker requests or manipulates the target into sharing their screen.
Screen-sharing as a credential harvesting tool is deceptively effective. A target sharing their screen may navigate to an authentication portal, internal application, or password manager, inadvertently exposing credentials, session tokens, or authentication workflows in the shared view. The attacker records the session (a capability built into Teams), extracts the visible credentials, and uses them post-session.
Critically, this technique is designed to bypass MFA. Rather than attacking the authentication mechanism directly, the attacker harvests a valid session that has already completed MFA — or captures the authentication flow in real time and replays it quickly enough to piggyback on the validated session. This is session hijacking via social engineering rather than technical exploit, and it is extremely difficult to prevent through technical controls alone.
The technique is not entirely new — similar social engineering vectors using remote support tools have been documented for years — but its implementation through Teams is significant because Teams is now ubiquitous in enterprise environments and is trusted by users in a way that cold-call remote access requests are not.
The Target Set and What It Reveals
The four target categories Rapid7 identified — a US bank, an airport, nonprofit organizations, and a defense/aerospace software supplier with Israel operations — are not random. They map directly to Iranian intelligence collection priorities.
A US bank is a primary target for sanctions evasion intelligence, financial routing information, and understanding how Iran-linked entities' assets are tracked and frozen. Iranian state entities and IRGC-linked businesses have faced decades of sanctions architecture; understanding the financial intelligence picture that US institutions have is a standing collection requirement.
An airport has obvious physical security and logistics intelligence value, but also provides access to travel records, cargo manifests, and the kind of operational data that matters for tracking individuals of interest — whether diplomats, intelligence officers, or Iranian dissidents.
A defense and aerospace software supplier with Israel operations is almost self-explanatory in the context of Iranian intelligence priorities. Israel is Iran's primary regional adversary. A supplier serving Israeli defense or aerospace clients is a potential source of technical intelligence about Israeli military systems, capabilities, or vulnerabilities.
Nonprofits — the most eclectic entry — are consistent with MuddyWater's documented history of targeting organizations that work with or around Iranian diaspora communities, human rights organizations monitoring Iran, or NGOs involved in policy advocacy related to Iranian sanctions or nuclear negotiations.
Taken together, this is a classic Iranian MOIS collection target set: financial intelligence, travel intelligence, adversary military intelligence, and diaspora/civil society monitoring. The ransomware branding was the cover story; this was a prioritized collection operation.
Rapid7's Attribution
Rapid7's attribution confidence rests on a combination of technical indicators and behavioral signatures. MuddyWater's use of specific PowerShell frameworks, command-and-control infrastructure patterns, and post-exploitation tooling has been extensively documented over the past seven years, creating a fingerprint that persists even when the group rotates tools. The Chaos ransomware deployment is an outlier from MuddyWater's historical toolkit — which is itself a signal: criminal groups using Chaos are not running simultaneous operations against a carefully selected geopolitical target set; that targeting specificity points toward state direction.
CISA, Cyber Command, and NCSC have previously published MuddyWater indicators at the government level. Rapid7's analysis adds the Teams vector and the false-flag ransomware tactic as documented operational updates, which is significant: it suggests MuddyWater is actively evolving its methodology to counter the improved detection capabilities that followed the 2022 public attribution.
What Defenders Need to Do
Three concrete actions for security teams based on this campaign:
Restrict and audit Microsoft Teams external access. The default Teams configuration allows any external user with a Microsoft 365 account to initiate contact with your internal users. Review your external access and guest access policies. At minimum, require that external session participants be from approved domains. Consider disabling external-initiated screen-sharing requests entirely for sensitive personnel.
Train users specifically on Teams-based social engineering. Your phishing awareness training almost certainly covers email. It probably does not cover the scenario where someone requests screen sharing in a Teams meeting and the user complies because it feels like a normal meeting activity. Add this scenario explicitly.
Monitor for anomalous external Teams tenants. Security tooling that monitors Teams activity — Microsoft's Defender for Cloud Apps, or third-party CASB solutions — should be configured to flag unusual external tenant interactions, particularly those involving screen-sharing or file transfer with unfamiliar organizations.
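As an added example (not from Rapid7's report or this post), the Python script below applies the third control to a few constructed Teams activity records: it flags peer-initiated screen-share requests or file transfers from external tenants that are not on an approved-domain allowlist, and tallies sessions per external tenant so a never-before-seen tenant stands out. The record schema, the home domain, the allowlist and the sample records are all assumptions; map your CASB or Defender for Cloud Apps export onto them.

```python
"""Flag Teams sessions with unfamiliar external tenants that involve screen
sharing or file transfer. Record schema, domains and allowlist are constructed
for illustration; map your CASB / Defender for Cloud Apps export onto them."""
import json
from collections import Counter

INTERNAL_DOMAIN = "corp.example.com"                            # assumed home tenant
APPROVED_DOMAINS = {"partner-example.com", "msp-example.net"}   # assumed allowlist
HIGH_RISK_ACTIVITIES = {"ScreenShareRequested", "ScreenShareStarted", "FileTransfer"}

# Constructed sample export: one JSON record per line.
SAMPLE_LOG = """\
{"ts":"2025-05-02T09:12:03Z","user":"alice@corp.example.com","peer":"svc@partner-example.com","activity":"ScreenShareStarted","initiator":"peer"}
{"ts":"2025-05-02T09:15:44Z","user":"bob@corp.example.com","peer":"helpdesk@it-support-desk.example","activity":"ChatCreated","initiator":"peer"}
{"ts":"2025-05-02T09:16:10Z","user":"bob@corp.example.com","peer":"helpdesk@it-support-desk.example","activity":"ScreenShareRequested","initiator":"peer"}
{"ts":"2025-05-02T10:01:00Z","user":"carol@corp.example.com","peer":"dan@corp.example.com","activity":"ScreenShareStarted","initiator":"user"}
"""

def domain_of(address):
    """Lower-cased domain part of an SMTP-style address."""
    return address.rsplit("@", 1)[-1].lower()

def is_external(address):
    return domain_of(address) != INTERNAL_DOMAIN

def flag_records(log_text):
    """Return (alerts, sessions_per_tenant). An alert is raised when an external
    peer from a non-approved tenant initiates a high-risk activity."""
    alerts, tenants = [], Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if not is_external(rec["peer"]):
            continue                      # internal-to-internal: out of scope here
        tenant = domain_of(rec["peer"])
        tenants[tenant] += 1              # volume per tenant; new names stand out
        if tenant in APPROVED_DOMAINS:
            continue
        if rec["activity"] in HIGH_RISK_ACTIVITIES and rec["initiator"] == "peer":
            alerts.append({"ts": rec["ts"], "user": rec["user"],
                           "peer_domain": tenant, "activity": rec["activity"]})
    return alerts, tenants

if __name__ == "__main__":
    found, seen = flag_records(SAMPLE_LOG)
    for a in found:
        print(f"ALERT {a['ts']} {a['user']} <- {a['peer_domain']}: {a['activity']}")
    print("external tenants seen:", dict(seen))
```

The approved partner's screen share passes, the internal share is ignored, and only the unapproved "help desk" tenant's screen-share request is raised, alongside the tenant tally that makes its two sessions visible.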
The broader lesson from the MuddyWater campaign is that the perimeter has moved entirely to identity. An attacker who can harvest a valid, MFA-authenticated session is inside your security controls regardless of how many technical layers surround your infrastructure. The investment in technical controls needs to be matched by an equivalent investment in user education for exactly the kind of meeting-based social engineering MuddyWater deployed here.
Sources
- Rapid7: "Muddying Tracks: State-Sponsored Shadow Behind Chaos Ransomware"
- The Hacker News: "MuddyWater Uses Microsoft Teams to Pose as Ransomware Operators"
- Cybersecurity Dive: "Iran Threat Group Used False Flag Social Engineering"
- CISA/NSA/CNMF/NCSC Joint Advisory: "Iranian Government-Sponsored APT Group MuddyWater" (February 2022)
- Breached.Company: "Sabotage-for-Hire on Telegram: How Iran's Intelligence Service Is Recruiting British Teenagers"
Breached.Company covers state-sponsored cyber and hybrid threats, breach disclosures, and signals intelligence for the security community. For threat intelligence retainers and vCISO consulting, CISO Marketplace connects you with vetted advisors.