Severity
High
Analysis Summary
In early 2026, incident responders uncovered a sophisticated hybrid espionage campaign attributed with moderate confidence to the Iranian APT group MuddyWater. The operation initially appeared to be a standard ransomware intrusion using Chaos ransomware, but forensic analysis revealed it was a deliberate “false flag” tactic designed to disguise state-sponsored intelligence gathering as financially motivated cybercrime. Instead of encrypting systems for extortion, the attackers focused on credential theft, long-term persistence, and stealthy data exfiltration across Western and MENA-region organizations.
The intrusion chain began through unsolicited external chat requests on Microsoft Teams, where attackers posed as IT support personnel. They manipulated victims into sharing their screens, running system discovery commands, and even manually creating credential files such as credentials.txt. In some cases, users were persuaded to add attacker-controlled devices to MFA configurations, enabling full account takeover. Once access was obtained, the attackers authenticated into internal systems including Domain Controllers and deployed remote access tools like DWAgent and AnyDesk to maintain persistent footholds.
According to the researchers, after establishing control, the attackers deployed a custom multi-stage payload chain. A downloader (ms_upd.exe) fetched components from command-and-control infrastructure, including a legitimate WebView2 library, encrypted configuration data, and a custom backdoor named Game.exe. This RAT impersonated Microsoft components and provided extensive espionage capabilities such as remote command execution, interactive shell access, file manipulation, and sandbox evasion. Communication was routed through attacker-controlled domains like moonzonet[.]com and uploadfiler[.]com. The malware used AES-encrypted configurations, but it also contained inconsistencies suggesting uneven operational maturity.
Attribution to MuddyWater was reinforced through multiple indicators, including reused code-signing certificates, infrastructure overlaps with prior campaigns, and consistent use of social engineering personas such as IT support. The campaign’s “false flag” use of Chaos ransomware (a known double-extortion ransomware family) was intended to mislead defenders and divert attention away from espionage objectives. Security analysts recommend prioritizing detection of Teams-based social engineering, unauthorized MFA changes, deployment of two remote access tools on the same host, and outbound traffic to known C2 domains as key indicators of compromise.
Impact
- Sensitive Data Theft
- Security Bypass
- Gain Access
- Financial Loss
Indicators of Compromise
Domain Name
- uploadfiler.com
- adm-pulse.com
- moonzonet.com
IP
- 172.86.126.208
- 116.203.208.186
MD5
- 2115e69f71d9f51a6c6c2effdaee2df2
- 7f3c8a7fe78d3d05b6022df3ea0c15fb
- 439c0a0a46627bd166e08436f383ad56
SHA-256
- 3df9dcc45d2a3b1f639e40d47eceeafb229f6d9e7f0adcd8f1731af1563ffb90
- a92d28f1d32e3a9ab7c3691f8bfca8f7586bb0666adbba47eab3e1a8faf7ecc0
- 24857fe82f454719cd18bcbe19b0cfa5387bee1022008b7f5f3a8be9f05e4d14
SHA1
- 559052799a52d1b29ac7e87935e9a0c80df5fb16
- 0ba2306ec15f7124fafc7615e81f34c7986ba9a5
- c16099c29ccdb34764e4d15b1dab2d141d159950
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Enforce strict controls on external messaging in Microsoft Teams, including disabling or limiting unsolicited chat requests from outside the organization.
- Train employees to never share screens, credentials, or system information during unsolicited “IT support” sessions, especially via chat or call.
- Implement strong MFA protections (preferably phishing-resistant methods like FIDO2 keys) and prevent users from adding new MFA devices without IT approval.
- Monitor and alert on suspicious creation of local credential-harvesting files such as credentials.txt or unusual text file activity in user directories.
- Block or tightly control remote administration tools like AnyDesk and DWAgent unless explicitly approved, and continuously monitor for their execution.
- Strengthen endpoint detection and response (EDR) rules to detect suspicious commands such as whoami, ipconfig /all, and abnormal PowerShell usage during interactive sessions.
- Implement network monitoring and egress filtering to detect or block connections to known malicious infrastructure (e.g., C2-style domains like moonzonet[.]com or uploadfiler[.]com).
- Enforce conditional access policies that restrict login attempts from unmanaged or untrusted devices, especially after unusual authentication patterns.
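The following hunting routine ties several of the recommendations above together (remote admin tool execution, two tools on one host, interactive discovery commands, creation of credentials.txt in a user profile, and DNS lookups of the listed C2 domains). It is an added example and not part of the original advisory; the Sysmon-like event shape, field names, hostnames and file paths are constructed for illustration.

```python
"""Hunt constructed Sysmon-style events for the tradecraft in this advisory.
Event shape, field names and sample values are constructed (not from the report)."""
from collections import defaultdict

C2_DOMAINS = {"moonzonet.com", "uploadfiler.com", "adm-pulse.com"}  # advisory IoC list
REMOTE_TOOLS = {"anydesk.exe", "dwagent.exe"}                      # tools named in the report
DISCOVERY = ("whoami", "ipconfig /all")                            # commands users were walked through

# Constructed sample telemetry: process creation, file creation and DNS query events.
EVENTS = [
    {"host": "WS01", "type": "process", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c whoami /all", "parent": "explorer.exe"},
    {"host": "WS01", "type": "file", "path": r"C:\Users\jdoe\Desktop\credentials.txt"},
    {"host": "WS01", "type": "process", "parent": "explorer.exe", "cmdline": "AnyDesk.exe",
     "image": r"C:\Users\jdoe\AppData\Local\AnyDesk\AnyDesk.exe"},
    {"host": "WS01", "type": "process", "parent": "services.exe", "cmdline": "dwagent.exe",
     "image": r"C:\Program Files\DWAgent\dwagent.exe"},
    {"host": "WS01", "type": "dns", "query": "cdn.moonzonet.com"},
    {"host": "WS02", "type": "process", "image": r"C:\Windows\System32\ipconfig.exe",
     "cmdline": "ipconfig /all", "parent": "cmd.exe"},
]


def detect(events):
    """Return (host, rule, detail) findings. Remote tools are tracked per host so the
    'dual_remote_access_tools' rule fires only once both tools have been seen there."""
    findings, tools_seen = [], defaultdict(set)
    for e in events:
        h = e["host"]
        if e["type"] == "process":
            name = e["image"].rsplit("\\", 1)[-1].lower()
            if name in REMOTE_TOOLS:
                tools_seen[h].add(name)
                findings.append((h, "remote_admin_tool", name))
                if len(tools_seen[h]) == 2:
                    findings.append((h, "dual_remote_access_tools", ", ".join(sorted(tools_seen[h]))))
            cl = e["cmdline"].lower()
            if any(d in cl for d in DISCOVERY):   # tune with parent-process context in production
                findings.append((h, "interactive_discovery_cmd", e["cmdline"]))
        elif e["type"] == "file":
            p = e["path"].lower()
            if p.startswith(r"c:\users") and p.endswith("credentials.txt"):
                findings.append((h, "credential_file_created", e["path"]))
        elif e["type"] == "dns":
            q = e["query"].lower()                # match the domain and any subdomain of it
            if any(q == d or q.endswith("." + d) for d in C2_DOMAINS):
                findings.append((h, "c2_domain_lookup", q))
    return findings


if __name__ == "__main__":
    for host, rule, detail in detect(EVENTS):
        print(f"{host:5} {rule:28} {detail}")
```

In a real deployment the same rules would be expressed against the SIEM's process, file and DNS tables; the point here is the per-host correlation that separates a single approved remote tool from the two-tool pattern the advisory calls out.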