Iranian APT Intrusion Masquerades as Chaos Ransomware Attack
Briefly

"The threat actors engaged with the victim organization's employees via Microsoft Teams, establishing screen-sharing sessions for access to users' assets. This allowed them to steal credentials, manipulate MFA protections, and compromise accounts."
"While connected, the TA executed basic discovery commands, accessed files related to the victim's VPN configuration, and instructed users to enter their credentials into locally created text files."
"The attackers established persistent access through RDP sessions and the DWAgent remote access tool. Using the access, the hackers deployed additional payloads, moved laterally through the environment, and harvested and exfiltrated information."
"Throughout the intrusion, the attackers never deployed file-encrypting ransomware on the compromised machines, suggesting that Chaos artifacts were planted as false flags to hide the state-sponsored activity."
MuddyWater, an Iran-linked APT, carried out an intrusion in early 2026 that was dressed up as a ransomware attack. Initial access came through social engineering: the attackers contacted employees over Microsoft Teams and used screen-sharing sessions to reach the users' assets, harvest credentials, tamper with MFA protections and compromise accounts. They then established persistent access through RDP sessions and the DWAgent remote access tool, deployed further payloads, moved laterally, and collected and exfiltrated data. Extortion emails claiming that information had been stolen followed, but no file-encrypting ransomware was ever deployed on the compromised machines, so the Chaos ransomware artifacts appear to have been planted as a false flag to disguise state-sponsored espionage.
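The persistence pattern described above (a remote-access agent installed as a Windows service, followed by RDP sessions on the same host) is something a defender can hunt for in event logs. The script below is an added example written for this summary, not code from SecurityWeek or from the original report. It correlates Windows System log event 7045 ("A service was installed in the system") whose service name or image path points at a remote-access tool with Security log 4624 logons of type 10 (RemoteInteractive, i.e. RDP) within a 24-hour window on the same host. The `dwagent`/`dwagsvc` markers are assumed from the tool's name and may not match every DWAgent version; the event records are constructed for the example and are not telemetry from the intrusion.

```python
"""Hunt: remote-access service install followed by RDP logons on the same host.

Added example; the event records below are constructed, not real telemetry.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Lower-case substrings that mark a remote-access tool in a 7045 event's
# service name or image path. "dwagent"/"dwagsvc" are ASSUMED from the
# DWAgent tool's name; the exact service name and path vary by version,
# so treat this as a heuristic, not a signature.
REMOTE_ACCESS_MARKERS = ("dwagent", "dwagsvc")

SERVICE_INSTALLED = 7045      # System log: a service was installed
LOGON = 4624                  # Security log: successful logon
RDP_LOGON_TYPE = 10           # 4624 LogonType 10 = RemoteInteractive (RDP)
DEFAULT_WINDOW = timedelta(hours=24)


def is_remote_access_install(event):
    """True for a 7045 event whose service name or image path names a remote-access tool."""
    if event["event_id"] != SERVICE_INSTALLED:
        return False
    haystack = f'{event.get("service_name", "")} {event.get("image_path", "")}'.lower()
    return any(marker in haystack for marker in REMOTE_ACCESS_MARKERS)


def is_rdp_logon(event):
    return event["event_id"] == LOGON and event.get("logon_type") == RDP_LOGON_TYPE


def correlate(events, window=DEFAULT_WINDOW):
    """Return one finding per remote-access service install, with the RDP
    logons that followed it on the same host within `window`."""
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev["host"]].append(ev)

    findings = []
    for host, host_events in by_host.items():
        host_events.sort(key=lambda e: datetime.fromisoformat(e["time"]))
        installs = [e for e in host_events if is_remote_access_install(e)]
        rdp_logons = [e for e in host_events if is_rdp_logon(e)]
        for inst in installs:
            t0 = datetime.fromisoformat(inst["time"])
            followers = [
                (r["time"], r["user"], r["source_ip"])
                for r in rdp_logons
                if t0 <= datetime.fromisoformat(r["time"]) <= t0 + window
            ]
            findings.append({
                "host": host,
                "service_name": inst["service_name"],
                "image_path": inst["image_path"],
                "installed_at": inst["time"],
                "rdp_logons": followers,
            })
    return findings


# Constructed sample events (not real data). WS-01 shows the pattern;
# WS-02 has a benign service install and an interactive (type 2) logon.
SAMPLE_EVENTS = [
    {"host": "WS-01", "time": "2026-02-10T09:15:00", "event_id": 7045,
     "service_name": "DWAgent", "image_path": r"C:\Program Files\DWAgent\dwagsvc.exe"},
    {"host": "WS-01", "time": "2026-02-10T10:02:00", "event_id": 4624,
     "logon_type": 10, "user": "jdoe", "source_ip": "10.20.0.5"},
    {"host": "WS-01", "time": "2026-02-10T10:30:00", "event_id": 4624,
     "logon_type": 2, "user": "jdoe", "source_ip": "-"},
    {"host": "WS-01", "time": "2026-02-12T08:00:00", "event_id": 4624,
     "logon_type": 10, "user": "jdoe", "source_ip": "10.20.0.5"},   # outside window
    {"host": "WS-02", "time": "2026-02-10T09:20:00", "event_id": 7045,
     "service_name": "BackupSvc", "image_path": r"C:\Program Files\Backup\bk.exe"},
    {"host": "WS-02", "time": "2026-02-10T09:25:00", "event_id": 4624,
     "logon_type": 2, "user": "asmith", "source_ip": "-"},
]


def run_sample():
    return correlate(SAMPLE_EVENTS)


if __name__ == "__main__":
    for finding in run_sample():
        print(f'{finding["host"]}: {finding["service_name"]} ({finding["image_path"]}) '
              f'installed {finding["installed_at"]}; RDP logons after: {finding["rdp_logons"]}')
```

A finding with an empty `rdp_logons` list is still worth triaging: the service install alone is the persistence step, and the RDP correlation only raises confidence. Extend `REMOTE_ACCESS_MARKERS` with the other remote-access agents your environment does not sanction, and feed it exported 7045/4624 records rather than the constructed sample.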
Read at SecurityWeek