At least one unnamed victim organization
January 1, 2026
• [social engineering, credential theft, MFA manipulation]
MuddyWater, an Iran-linked APT associated with Iran's Ministry of Intelligence and Security (MOIS), used social engineering over Microsoft Teams against an unnamed victim organization in early 2026. The attackers established remote access, stole credentials, manipulated MFA protections, deployed AnyDesk and DWAgent for persistence, moved laterally, harvested VPN configuration files and other sensitive data, and exfiltrated information. They later sent extortion emails that referenced Chaos ransomware and directed the victim to a Chaos leak site, but reporting said no file-encrypting ransomware was deployed, which indicates the ransomware framing was likely a false flag for espionage activity.