Find notable cyber news and cases, enriched with sources, timelines, and signals.

MuddyWater Microsoft Teams social-engineering campaign with Chaos ransomware decoy

Campaign
First reported
Last updated
Happening score
H score 37
1 unique sources, 1 articles

Summary

Hide ▲

The MuddyWater campaign used Microsoft Teams social engineering and a Chaos ransomware decoy to gain access, steal credentials, and establish persistence. The operation mattered because it blended state-sponsored intrusion tradecraft with criminal-looking extortion cover, complicating attribution and response. Operators used screen-sharing, MFA manipulation, AnyDesk, RDP, and DWAgent to keep control of compromised systems. They also dropped a Game.exe backdoor via ms_upd.exe, reinforcing the espionage-oriented intent.

Related Happenings

Operation Endgame takedown of Amadey and StealC infrastructure

Law Enforcement
H score66 First: 24.06.2026 18:02 Last: 24.06.2026 18:02 Sources 1

About this happening: An **international law-enforcement takedown** under **Operation Endgame** disrupted shared infrastructure used by **Amadey** and **StealC**, with **Microsoft**, **Europol**, and i...

Mistic backdoor attack activity targeting enterprise sectors since April

Malware Activity
H score33 First: 24.06.2026 13:41 Last: 24.06.2026 13:41 Sources 1

About this happening: The **Mistic** backdoor is being used in **financially motivated attacks** against **insurance, education, IT, and professional services** organizations, giving operators a stealt...

Backdoor.Turn Microsoft Teams TURN relay malware activity

Malware Activity
H score29 First: 16.06.2026 13:18 Last: 16.06.2026 13:18 Sources 1

About this happening: **Backdoor.Turn** is a **Go-based RAT** tied to **DragonForce ransomware** operators that hid command-and-control traffic through **Microsoft Teams TURN relay infrastructure** dur...

Major U.S. services company hit by ransomware attack linked to DragonForce

Incident
H score38 First: 16.06.2026 13:18 Last: 16.06.2026 13:18 Sources 1

About this happening: A **DragonForce ransomware** incident hit a **major U.S. services firm** in **December 2025**, with attackers maintaining access for **one to two months** and hiding **command-and...

SprySOCKS Windows backdoor activity against government organizations

Malware Activity
H score23 First: 16.06.2026 12:00 Last: 16.06.2026 12:00 Sources 1

About this happening: **SprySOCKS** now has documented **Windows variants**, **WIN_DRV** and **WIN_PLUS**, expanding a toolset first known as a **Linux-only backdoor**. The activity is tied to **govern...

Timeline

  1. 06.05.2026 16:02 2 articles · 2mo ago

    Rapid7 attributes Chaos-decoy intrusion to MuddyWater

    Initial Disclosure

    Rapid7 discloses a campaign against the affected organization in which MuddyWater operators used Microsoft Teams social engineering to open chats with employees, harvest credentials, manipulate MFA settings, and maintain access through AnyDesk, DWAgent, and RDP. The operators also used ms_upd.exe to drop Game.exe disguised as a Microsoft WebView2 application, layered a Chaos ransomware decoy over the intrusion, and sent extortion emails while Rapid7 assessed the activity as espionage-oriented and moderately attributed it to MuddyWater, also known as Static Kitten, Mango Sandstorm, and Seedworm.

    Show sources