
MuddyWater Iranian APT Deploying "False Flag" Ransomware via Microsoft Teams (Darkcomp RAT)

Scope: Microsoft Teams (Enterprise Environments)

Severity: Red

The Iranian state-sponsored threat group MuddyWater is running a targeted social engineering campaign over Microsoft Teams. Operators send external (federated) chat requests while impersonating IT support, then talk the victim into a Quick Assist or AnyDesk screen-sharing session. During that session they harvest credentials and coach the victim through MFA prompts, and finally deploy a bespoke remote access trojan, Darkcomp, signed with a compromised code-signing certificate attributed to "Donald Gay". The multi-stage infection chain gives the actor persistent covert access for lateral movement and data exfiltration, ending in ransomware deployment branded as Chaos RaaS as a false flag to misattribute the operation.

Recommendations: disable external access in Microsoft Teams, or restrict it to an explicit allow list of partner domains; enforce phishing-resistant (FIDO2) MFA, or at minimum number matching, so that an attacker watching a shared screen cannot simply have a push prompt approved; and block Quick Assist, AnyDesk and other unsanctioned remote-management tools with application control policies (AppLocker or WDAC), since this chain depends on a remote tool the organization has not removed or blocked.
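The following PowerShell is an added worked example of the three recommendations above; it is not part of the CERT.UG/CC advisory and does not come from any of the vendors named. It assumes the MicrosoftTeams, Microsoft.Graph.Identity.SignIns and AppLocker modules are installed, an elevated session run by a Teams/Entra administrator, and an endpoint that already has an AppLocker policy with default allow rules (see the caveat in the comments). The partner domain names, the break-glass account placeholder, the policy display name, the sample file path and the Quick Assist package name are assumptions to be replaced with your own values.

```powershell
# Added example (not from the CERT.UG/CC advisory). Placeholders are marked.

# --- 1. Microsoft Teams: replace open federation with an explicit allow list ---
Connect-MicrosoftTeams
$allowed = @("partner-one.example", "partner-two.example") |        # placeholder partner domains
    ForEach-Object { New-CsEdgeDomainPattern -Domain $_ }
$fed = @{
    AllowedDomains            = New-CsEdgeAllowList -AllowedDomain $allowed
    AllowTeamsConsumer        = $false   # no chat with personal (consumer) Teams accounts
    AllowTeamsConsumerInbound = $false   # and no inbound chat requests from them
    AllowPublicUsers          = $false   # no Skype consumer users
}
Set-CsTenantFederationConfiguration @fed
# Verify: AllowedDomains must list only the partners; anything else is open federation.
Get-CsTenantFederationConfiguration | Select-Object AllowFederatedUsers, AllowedDomains,
    AllowTeamsConsumer, AllowTeamsConsumerInbound

# --- 2. Entra ID: Conditional Access policy requiring phishing-resistant MFA ---
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"
$caPolicy = @{
    displayName = "Require phishing-resistant MFA for all users"   # placeholder name
    state       = "enabledForReportingButNotEnforced"              # report-only first; set "enabled" after review
    conditions  = @{
        users        = @{ includeUsers = @("All")
                          excludeUsers = @("<break-glass-account-object-id>") }  # placeholder
        applications = @{ includeApplications = @("All") }
    }
    grantControls = @{
        operator = "OR"
        # Built-in "Phishing-resistant MFA" authentication strength (FIDO2 keys, Windows Hello
        # for Business, certificate-based auth). Built-in strengths use fixed, tenant-independent ids.
        authenticationStrength = @{ id = "00000000-0000-0000-0000-000000000004" }
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $caPolicy

# --- 3. Endpoint: AppLocker deny rule for AnyDesk, and removal of Quick Assist ---
# Build the rule from the real signer of a copy of the binary rather than from a path,
# so renamed or relocated copies are still blocked. Placeholder sample path:
$sample = "C:\Samples\AnyDesk.exe"
$pub    = (Get-AppLockerFileInformation -Path $sample).Publisher
if (-not $pub) { throw "Sample is unsigned; fall back to a hash rule instead of a publisher rule." }
$pubName = [System.Security.SecurityElement]::Escape($pub.PublisherName)

# CAVEAT: once the Exe collection is enforced, AppLocker blocks everything that no rule
# allows. Only merge this deny rule into a policy that already carries the default allow
# rules, and keep the Application Identity service (AppIDSvc) running for enforcement.
$ruleXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePublisherRule Id="$([guid]::NewGuid())" Name="Deny AnyDesk (any version)"
        Description="Unsanctioned remote management tool" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions>
        <FilePublisherCondition PublisherName="$pubName" ProductName="*" BinaryName="*">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
  </RuleCollection>
</AppLockerPolicy>
"@
$xmlPath = Join-Path $env:TEMP "deny-anydesk.xml"
$ruleXml | Set-Content -Path $xmlPath -Encoding UTF8

# Dry run against the sample (expect Denied) and a system binary (expect Allowed) before applying.
Test-AppLockerPolicy -XmlPolicy $xmlPath -Path $sample, "$env:SystemRoot\System32\notepad.exe" -User Everyone
Set-AppLockerPolicy -XmlPolicy $xmlPath -Merge   # -Merge keeps the existing allow rules

# Quick Assist ships as a Store package; remove it where IT support does not use it.
# Package name is an assumption; confirm with Get-AppxPackage -AllUsers *QuickAssist*.
Get-AppxPackage -AllUsers -Name "MicrosoftCorporationII.QuickAssist" |
    Remove-AppxPackage -AllUsers
```

Run step 2 in report-only mode first and review the sign-in log for users who would be blocked (typically those without a registered FIDO2 key); the break-glass exclusion is what keeps a misconfigured policy from locking administrators out. Step 3 blocks only the signer of the sampled binary; if the vendor rotates certificates, re-run the sampling against the new build and merge the additional rule.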

The Uganda National CERT and Coordination Center (CERT.UG/CC) encourages users and administrators to review the recommendations and apply the necessary mitigations.