Iranian hackers launch ransomware campaign looking to steal details via Microsoft Teams

Digital code on the background of the Iranian flag.
(Image credit: Getty Images / Anton Petrus)

  • Iranian APT MuddyWater posed as IT staff via Microsoft Teams, tricking victims into granting remote access
  • They deployed infostealers, altered MFA, exfiltrated data, and staged a Chaos ransomware infection as cover
  • Researchers concluded the true motive was espionage, not profit, highlighting state-sponsored tradecraft overlap with criminal tactics

Iranian state-sponsored hackers ran a cyber-espionage campaign, and then tried to throw investigators off track with a ransomware infection, experts have warned.

An investigation into a recent attack by security researchers at Rapid7 found that an unnamed victim was approached via Microsoft Teams by someone from outside their organization. The attackers posed as IT technicians, discussed solving a technical problem with the victim, and persuaded them to install AnyDesk and start a remote session.

After gaining remote access, the attackers deployed several malware and infostealer variants, harvested credentials, modified multi-factor authentication (MFA) settings, established persistence, and exfiltrated sensitive information from the now-compromised endpoints.

MuddyWater behind the attacks

The final move was to deploy the Chaos ransomware encryptor. Chaos is a relatively new ransomware-as-a-service (RaaS) operation, first observed in 2025 and known for targeting large organizations, using double-extortion tactics, and relying on social engineering.

The majority of Chaos’ victims are located in the United States. The victim of this attack was even added to Chaos’ data leak site, making it look as if this had indeed been a ransomware attack.

However, Rapid7 can’t be fooled. After analyzing the techniques, code-signing certificates, and other operational tradecraft, the researchers determined - with moderate confidence - that this was in fact the work of MuddyWater, a threat actor also known as Static Kitten, Mango Sandstorm, and Seedworm.

“The strategy highlights the convergence between state-sponsored intrusion activity and criminal tradecraft, where a big “tell” lies in the techniques that were deployed - and those that weren’t. This strategy suggests the primary goal was not financial gain,” Rapid7 said in its report.

MuddyWater is apparently on the payroll of the Iranian Ministry of Intelligence and Security (MOIS). The Iranian government has multiple hacking collectives doing its bidding, mostly cyber-espionage and data harvesting. These include CyberAv3ngers, APT35 (AKA Charming Kitten), and APT34 (AKA OilRig or Helix Kitten).

Via BleepingComputer

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.