MuddyWater Microsoft Teams social-engineering campaign with Chaos ransomware decoy
Campaign
Summary
The MuddyWater campaign used Microsoft Teams social engineering and a Chaos ransomware decoy to gain access, steal credentials, and establish persistence. The operation mattered because it blended state-sponsored intrusion tradecraft with criminal-looking extortion cover, complicating attribution and response. Operators used screen-sharing, MFA manipulation, AnyDesk, RDP, and DWAgent to keep control of compromised systems. They also dropped a Game.exe backdoor via ms_upd.exe, reinforcing the espionage-oriented intent.
Related Happenings
Fox Tempest's malware-signing service scales trusted-signed malware for ransomware gangs
Threat Actor Meta
First: 20.05.2026 00:47
Last: 20.05.2026 00:47
Sources 1
About this happening:
Microsoft disrupted **Fox Tempest**'s **malware-signing service** in **May 2026**, cutting off a criminal platform that helped ransomware gangs and other cybercriminals obtain tru...
Microsoft civil action against Fox Tempest infrastructure takedown
Regulatory/Legal Action
First: 19.05.2026 18:00
Last: 19.05.2026 18:00
Sources 1
About this happening:
Microsoft filed a **civil action** against **Fox Tempest** in the **US District Court for the Southern District of New York**, securing a **court order** that enabled a broad disr...
KongTuke Microsoft Teams initial access campaign
Campaign
First: 14.05.2026 15:12
Last: 14.05.2026 15:12
Sources 1
About this happening:
The **KongTuke** campaign now uses **Microsoft Teams** social engineering to gain persistent access to **corporate networks**, shortening initial compromise to **under five minute...
Open-OSS/privacy-filter Hugging Face infostealer activity
Malware Activity
First: 11.05.2026 10:05
Last: 11.05.2026 10:05
Sources 1
About this happening:
A malicious **Hugging Face repository** called **Open-OSS/privacy-filter** impersonated **OpenAI's Privacy Filter** and delivered a **Rust-based information stealer** to **Windows...
Ministry of Justice and Legal Affairs of Oman hit by network compromise
Incident
First: 06.05.2026 16:00
Last: 06.05.2026 16:00
Sources 1
About this happening:
The **Ministry of Justice and Legal Affairs of Oman** suffered an **active intrusion** that exposed **session logs** and **more than 26,000 user records**, raising risk to judicia...
Timeline
- 06.05.2026 16:02 · 2 articles
Rapid7 attributes Chaos-decoy intrusion to MuddyWater
Initial Disclosure: Rapid7 discloses a campaign against the affected organization in which MuddyWater operators used Microsoft Teams social engineering to open chats with employees, harvest credentials, manipulate MFA settings, and maintain access through AnyDesk, DWAgent, and RDP. The operators also used ms_upd.exe to drop Game.exe disguised as a Microsoft WebView2 application, layered a Chaos ransomware decoy over the intrusion, and sent extortion emails. Rapid7 assessed the activity as espionage-oriented and attributed it with moderate confidence to MuddyWater, also known as Static Kitten, Mango Sandstorm, and Seedworm.
- MuddyWater hackers use Chaos ransomware as a decoy in attacks — www.bleepingcomputer.com — 06.05.2026 16:02