Canadian Cyber Security Journal
Filed under: TechTalk

MuddyWater False Flag: Iranian APT Uses Microsoft Teams Screen-Sharing to Steal Credentials and Plant Fake Ransomware

What Happened

Rapid7 researchers attributed a sophisticated intrusion campaign to MuddyWater, the Iranian state-sponsored threat group also tracked as Mango Sandstorm and Seedworm. Active in early 2026, the campaign deployed a deceptive playbook: attackers used Microsoft Teams to contact employees, conducted interactive screen-sharing sessions to harvest credentials, and manipulated MFA prompts in real time. Once inside, they planted Chaos ransomware artifacts — a well-known ransomware-as-a-service brand — without ever deploying file encryption.

The operation was a false flag. The ransomware branding was introduced to mislead incident responders into treating the intrusion as an opportunistic criminal attack rather than a targeted state-sponsored espionage campaign. The real objectives were persistent access and data exfiltration. Rapid7 linked the campaign to MuddyWater through a code-signing certificate used to sign the malware, previously attributed to the group’s CastleLoader downloader and Fakeset malware family.

Why This Matters for Canadian Organizations

Microsoft Teams is one of the most widely deployed enterprise collaboration platforms across Canadian private sector, government, and public sector organizations. MuddyWater has historically targeted the defence, government, telecommunications, and energy sectors — all of which have a significant presence in Canada. The false-flag ransomware tactic is particularly dangerous because it triggers a different incident response playbook: organizations experiencing what appears to be ransomware often focus on containment and recovery, missing the persistence mechanisms and data exfiltration — the actual objective.

Canadian security teams relying on SMS-based MFA are directly at risk from the social engineering component of this campaign. The attackers’ ability to manipulate MFA approval in real time through a screen-sharing session sidesteps the protection entirely without requiring any technical exploitation. Given the Canadian Centre for Cyber Security’s ongoing warnings about Iranian threat actors targeting Canadian organizations, this campaign warrants direct attention from Canadian SOC teams and IT administrators managing Microsoft Teams environments. PIPEDA breach notification obligations apply if personal or sensitive data was exfiltrated.

What to Do

Review Microsoft Teams external access settings and restrict or block Teams communications from unverified external tenants where not operationally required. Implement phishing-resistant MFA such as hardware security keys or passkey authentication in place of SMS or push-notification approval. Train employees to recognize unsolicited Microsoft Teams contact and screen-sharing requests as a social engineering vector — not only email phishing. When investigating apparent ransomware incidents, always treat persistent access and exfiltration as objectives in parallel with the encryption response, regardless of the ransomware brand involved. Review endpoint logs for code-signing certificates tied to MuddyWater tooling, including CastleLoader and Fakeset indicators of compromise.
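As an added illustration of the endpoint-log review step (this is not code from the article, from Rapid7, or from any MuddyWater tooling), the Python below sweeps constructed Sysmon-style JSON records for binaries signed with a watch-listed code-signing certificate, and separately flags signed binaries whose certificate status is no longer trusted. The article publishes no certificate values, so the thumbprint and signer entries are placeholders to be replaced with the indicators from the Rapid7 report; the record field names (Image, Signed, Signature, SignatureStatus, SignatureThumbprint) are assumed, and the sample log is constructed.

```python
"""Sweep endpoint log records for watch-listed code-signing certificates.

Added example for the 'review endpoint logs' recommendation; not code from the
article, Rapid7 or MuddyWater tooling. Field names are assumed, the watchlist
values are PLACEHOLDERS, and SAMPLE_LOG is constructed.
"""
import json
import re

# PLACEHOLDER indicators (constructed): the article names no certificate values.
# Replace with the thumbprints / signer subjects published in the Rapid7 report.
PLACEHOLDER_THUMBPRINT = "0" * 39 + "1"   # 40 hex chars, shaped like a SHA-1 thumbprint
WATCHLIST_THUMBPRINTS = {
    PLACEHOLDER_THUMBPRINT: "PLACEHOLDER MuddyWater signing cert (CastleLoader/Fakeset)",
}
WATCHLIST_SIGNERS = {
    "placeholder signer ltd": "PLACEHOLDER MuddyWater signer subject",
}
# Signature states meaning 'signed, but the chain should no longer be trusted'.
UNTRUSTED_STATUS = {"revoked", "expired", "untrusted"}


def normalize_thumbprint(value):
    """Drop colons, spaces and other separators and upper-case the hex so that
    'aa:bb' and 'AABB' compare equal against the watchlist keys."""
    return re.sub(r"[^0-9a-fA-F]", "", value or "").upper()


def triage_record(rec):
    """Return the findings for one record; an empty list means nothing to flag.

    Assumed fields (loosely modelled on Sysmon image-load/process-create events
    plus a thumbprint field as an EDR export might add): Image, Signed,
    Signature, SignatureStatus, SignatureThumbprint.
    """
    findings = []
    signed = str(rec.get("Signed", "")).strip().lower() == "true"
    thumbprint = normalize_thumbprint(rec.get("SignatureThumbprint"))
    signer = (rec.get("Signature") or "").strip().lower()
    status = (rec.get("SignatureStatus") or "").strip().lower()

    if thumbprint and thumbprint in WATCHLIST_THUMBPRINTS:
        findings.append("thumbprint on watchlist: " + WATCHLIST_THUMBPRINTS[thumbprint])
    if signer and signer in WATCHLIST_SIGNERS:
        findings.append("signer on watchlist: " + WATCHLIST_SIGNERS[signer])
    # A binary whose certificate has since been revoked or expired deserves a look
    # even when the signer itself is not on the watchlist.
    if signed and status in UNTRUSTED_STATUS:
        findings.append("signed binary with " + status + " certificate")
    return findings


def triage_log(lines):
    """Parse JSON-lines records and return {'hits': [...], 'skipped': n}.

    Malformed lines are counted and skipped rather than aborting the sweep,
    since log exports are rarely clean end to end.
    """
    hits, skipped = [], 0
    for lineno, line in enumerate(lines, start=1):
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            skipped += 1
            continue
        findings = triage_record(rec)
        if findings:
            hits.append({"line": lineno, "image": rec.get("Image", "?"), "findings": findings})
    return {"hits": hits, "skipped": skipped}


# Constructed sample export: one clean Microsoft-signed binary, one binary signed
# with the placeholder watch-listed cert, one with a revoked cert, one junk line,
# and one unsigned binary (unsigned alone is not flagged: far too noisy).
SAMPLE_LOG = r"""
{"EventId": 7, "Image": "C:\\Windows\\System32\\notepad.exe", "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid", "SignatureThumbprint": "A1B2C3D4E5F60718293A4B5C6D7E8F9012345678"}
{"EventId": 7, "Image": "C:\\Users\\Public\\update.exe", "Signed": "true", "Signature": "Placeholder Signer Ltd", "SignatureStatus": "Valid", "SignatureThumbprint": "00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:01"}
{"EventId": 7, "Image": "C:\\Users\\Public\\svc.exe", "Signed": "true", "Signature": "Some Other Co", "SignatureStatus": "Revoked", "SignatureThumbprint": "BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB"}
this line is not json and should be counted as skipped, not fatal
{"EventId": 7, "Image": "C:\\Temp\\tool.exe", "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable"}
"""


if __name__ == "__main__":
    result = triage_log(SAMPLE_LOG.splitlines())
    for hit in result["hits"]:
        print(f"line {hit['line']}: {hit['image']}")
        for f in hit["findings"]:
            print("   -", f)
    print(f"skipped {result['skipped']} malformed line(s)")
```

Run it against a real export by replacing SAMPLE_LOG with the file contents (one JSON object per line) and the placeholder entries with the published indicators; matching on the normalized thumbprint rather than the signer name is the more reliable check, since a signer subject can be reused or spoofed while the thumbprint identifies one certificate.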

Source: The Hacker News | SecurityWeek
