MuddyWater Microsoft Teams social-engineering campaign with Chaos ransomware decoy
Campaign
Summary
Hide ▲
Show ▼
The MuddyWater campaign used Microsoft Teams social engineering and a Chaos ransomware decoy to gain access, steal credentials, and establish persistence. The operation mattered because it blended state-sponsored intrusion tradecraft with criminal-looking extortion cover, complicating attribution and response. Operators used screen-sharing, MFA manipulation, AnyDesk, RDP, and DWAgent to keep control of compromised systems. They also dropped a Game.exe backdoor via ms_upd.exe, reinforcing the espionage-oriented intent.
Related Happenings
Operation Endgame takedown of Amadey and StealC infrastructure
Law Enforcement
H score66
First: 24.06.2026 18:02
Last: 24.06.2026 18:02
Sources 1
About this happening:
An **international law-enforcement takedown** under **Operation Endgame** disrupted shared infrastructure used by **Amadey** and **StealC**, with **Microsoft**, **Europol**, and i...
Operation Endgame takedown of Amadey and StealC infrastructure
Law EnforcementAbout this happening: An **international law-enforcement takedown** under **Operation Endgame** disrupted shared infrastructure used by **Amadey** and **StealC**, with **Microsoft**, **Europol**, and i...
Mistic backdoor attack activity targeting enterprise sectors since April
Malware Activity
H score33
First: 24.06.2026 13:41
Last: 24.06.2026 13:41
Sources 1
About this happening:
The **Mistic** backdoor is being used in **financially motivated attacks** against **insurance, education, IT, and professional services** organizations, giving operators a stealt...
Mistic backdoor attack activity targeting enterprise sectors since April
Malware ActivityAbout this happening: The **Mistic** backdoor is being used in **financially motivated attacks** against **insurance, education, IT, and professional services** organizations, giving operators a stealt...
Backdoor.Turn Microsoft Teams TURN relay malware activity
Malware Activity
H score29
First: 16.06.2026 13:18
Last: 16.06.2026 13:18
Sources 1
About this happening:
**Backdoor.Turn** is a **Go-based RAT** tied to **DragonForce ransomware** operators that hid command-and-control traffic through **Microsoft Teams TURN relay infrastructure** dur...
Backdoor.Turn Microsoft Teams TURN relay malware activity
Malware ActivityAbout this happening: **Backdoor.Turn** is a **Go-based RAT** tied to **DragonForce ransomware** operators that hid command-and-control traffic through **Microsoft Teams TURN relay infrastructure** dur...
Major U.S. services company hit by ransomware attack linked to DragonForce
Incident
H score38
First: 16.06.2026 13:18
Last: 16.06.2026 13:18
Sources 1
About this happening:
A **DragonForce ransomware** incident hit a **major U.S. services firm** in **December 2025**, with attackers maintaining access for **one to two months** and hiding **command-and...
Major U.S. services company hit by ransomware attack linked to DragonForce
IncidentAbout this happening: A **DragonForce ransomware** incident hit a **major U.S. services firm** in **December 2025**, with attackers maintaining access for **one to two months** and hiding **command-and...
SprySOCKS Windows backdoor activity against government organizations
Malware Activity
H score23
First: 16.06.2026 12:00
Last: 16.06.2026 12:00
Sources 1
About this happening:
**SprySOCKS** now has documented **Windows variants**, **WIN_DRV** and **WIN_PLUS**, expanding a toolset first known as a **Linux-only backdoor**. The activity is tied to **govern...
SprySOCKS Windows backdoor activity against government organizations
Malware ActivityAbout this happening: **SprySOCKS** now has documented **Windows variants**, **WIN_DRV** and **WIN_PLUS**, expanding a toolset first known as a **Linux-only backdoor**. The activity is tied to **govern...
Timeline
-
06.05.2026 16:02 2 articles · 2mo ago
Rapid7 attributes Chaos-decoy intrusion to MuddyWater
Initial DisclosureRapid7 discloses a campaign against the affected organization in which MuddyWater operators used Microsoft Teams social engineering to open chats with employees, harvest credentials, manipulate MFA settings, and maintain access through AnyDesk, DWAgent, and RDP. The operators also used ms_upd.exe to drop Game.exe disguised as a Microsoft WebView2 application, layered a Chaos ransomware decoy over the intrusion, and sent extortion emails while Rapid7 assessed the activity as espionage-oriented and moderately attributed it to MuddyWater, also known as Static Kitten, Mango Sandstorm, and Seedworm.
Show sources
- MuddyWater hackers use Chaos ransomware as a decoy in attacks — www.bleepingcomputer.com — 06.05.2026 16:02
- MuddyWater hackers use Chaos ransomware as a decoy in attacks — www.bleepingcomputer.com — 06.05.2026 16:02