Rapid7 Links Chaos Ransomware to Iranian State-Sponsored MuddyWater Espionage Operation


A recent cyber intrusion, initially identified as a typical Chaos ransomware attack, has been linked with moderate confidence to the Iranian state-sponsored threat group MuddyWater, also known as Seedworm. This connection emerges from new research by Rapid7, shedding light on the evolving strategies employed by state-sponsored actors in the cyber landscape.

Intrusion Tactics and Techniques

Rapid7’s investigation revealed that the attackers leveraged Microsoft Teams for social engineering, utilizing interactive screen sharing and credential harvesting techniques to infiltrate target systems. After breaching the initial defenses, they deployed remote management tools such as AnyDesk and DWAgent to maintain persistence and facilitate data theft. The branding of Chaos ransomware appears to serve as a deliberate ‘false flag’ operation, designed to obscure the espionage objectives of the attack and complicate attribution efforts.

The report highlights several technical overlaps linking this campaign to MuddyWater’s infrastructure. Notably, investigators identified the use of the ‘Donald Gay’ code-signing certificate, previously associated with operations tied to the Iranian Ministry of Intelligence and Security, as well as command-and-control infrastructure linked to earlier MuddyWater activity.

Shift in Focus: From Ransom to Espionage

The attackers shifted their focus from large-scale encryption to exfiltrating sensitive information and manipulating multi-factor authentication settings to ensure long-term access within victim environments. Rapid7 noted that this operation reflects a broader trend among state-backed actors who increasingly adopt ransomware tactics and criminal branding to disguise cyber espionage campaigns.

Chaos, recognized as a ransomware-as-a-service (RaaS) operation, has been active since February 2025, specializing in big-game hunting attacks against high-profile organizations, with ransom demands reportedly reaching up to $300,000. Alexandra Blia, a Threat Intelligence Specialist at Rapid7, clarified that despite its name, Chaos is distinct from the Chaos malware builder identified in 2021. The group likely emerged following the disruption of BlackSuit infrastructure during Operation Checkmate in July 2025 and is believed to consist of former members of BlackSuit and/or Royal.

Social Engineering and Remote Access Abuse

Blia emphasized that Chaos heavily relies on social engineering and remote access abuse to gain initial access. Techniques observed include spam email flooding combined with voice phishing (vishing), often involving impersonation of IT support personnel. Victims are persuaded to grant remote access via legitimate tools like Microsoft Quick Assist, allowing operators to establish an initial foothold.

The observed use of Chaos ransomware does not indicate a change in the group’s underlying objectives but rather reflects a consistent effort to obscure operational intent and complicate attribution. MuddyWater’s reported increase in operational activity as of early 2026, primarily involving cyber espionage and potential prepositioning for disruptive operations across Western and Middle Eastern networks, has likely intensified its reliance on deceptive false-flag operations.

Previous Activities and Attribution Challenges

This assessment aligns with previously observed behavior. In late 2025, MuddyWater was linked to activities involving the Qilin RaaS ecosystem in an operation targeting an Israeli organization. Following the public attribution of that incident to the Iranian Ministry of Intelligence and Security, it is plausible that the group adopted the Chaos ransomware branding to mitigate attribution risk and maintain plausible deniability.

Chaos typically employs double extortion tactics, exfiltrating sensitive data before encryption and threatening public disclosure via its data leak site. The group has also demonstrated triple extortion by threatening distributed denial-of-service (DDoS) attacks against the victim’s infrastructure. These capabilities are reportedly offered to affiliates as part of bundled services, representing a notable feature of its RaaS model.

Initial Access and Evidence of Espionage

The attackers gained initial access through social engineering conducted via Microsoft Teams, initiating one-on-one chats with users from a controlled account. During these interactions, they established screen-sharing sessions, gaining direct visibility and interactive access to user assets. While connected, the attackers executed basic discovery commands, accessed files related to the victim’s VPN configuration, and instructed users to enter their credentials into locally created text files. In at least one instance, a remote management tool (AnyDesk) was deployed to facilitate further access.

The attackers expanded their access within the environment by leveraging compromised accounts and establishing remote access channels. They utilized RDP sessions to navigate between systems, allowing them to operate interactively and access additional resources within the network.

Subsequent emails were sent to multiple users, alleging successful data exfiltration and providing a .onion link for negotiation. Open-source intelligence collection identified a corresponding entry on the Chaos data leak site referencing data; however, all identifying details were redacted, consistent with the group’s typical practices.

Implications for Cybersecurity

The absence of file encryption, despite the presence of Chaos ransomware artifacts, represents a deviation from typical ransomware behavior. This inconsistency may suggest that the ransomware component functioned primarily as a facilitating or obfuscation mechanism rather than as the primary objective of the intrusion. This highlights a mismatch between typical profit-driven ransomware behavior and the actor’s apparent espionage objectives.

These technical indicators and procedural inconsistencies suggest a targeted, state-sponsored intrusion masquerading as opportunistic extortion activity. Ensar Seker, CISO at SOCRadar, noted that the MuddyWater activity exemplifies how state-aligned threat actors increasingly blur the line between cybercrime and cyber-espionage. Using Chaos ransomware as a decoy provides plausible deniability while distracting incident responders into treating the intrusion as financially motivated cybercrime instead of a long-term intelligence collection operation.

Seker emphasized that the Microsoft Teams social engineering component is particularly notable, as collaboration platforms are becoming effective initial access vectors. Employees inherently trust internal communication tools, and attackers exploit this familiarity to bypass traditional email-focused security controls. Organizations should treat platforms like Teams and Slack as high-risk attack surfaces, applying the same monitoring, user awareness, and identity protection strategies traditionally reserved for email and VPN infrastructure.

The Chaos ransomware incident underscores the increasing convergence between state-sponsored intrusion activity and cybercriminal tradecraft. While the operation incorporated recognizable elements of ransomware campaigns, the absence of encryption and the presence of established espionage techniques suggest that financial gain was unlikely to be the primary objective.

The assessed link to MuddyWater indicates a continued evolution in the group’s operational approach, including the apparent use of RaaS ecosystems and branding to obscure attribution. This aligns with broader trends in which state-aligned actors adopt criminal tactics to introduce ambiguity and delay defensive responses.

Defenders must look beyond overt ransomware indicators and focus on the underlying intrusion lifecycle. Techniques such as social engineering via enterprise communication platforms, credential harvesting with multi-factor authentication manipulation, and the abuse of legitimate remote access tools remain critical enablers of compromise. This activity is best understood as a hybrid intrusion model, where ransomware is leveraged not as an end goal but as a mechanism for concealment, coercion, and operational flexibility within a broader intelligence-driven campaign.
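The intrusion chain described above (a one-on-one Teams chat from an outside account, then screen sharing, a remote management tool such as AnyDesk or DWAgent, MFA changes and RDP movement) lends itself to a correlation rule rather than a single-indicator alert. The following Python script is an added example, not code from Rapid7 or from this article: it sequences such events per user and raises an alert only when an external Teams contact is followed within a time window by at least two of the later stages. The pipe-delimited log layout, the event names, the `REMOTE_TOOLS` list and every sample line are constructed assumptions; a real deployment would map them onto the collaboration, endpoint and identity telemetry actually available.

```python
"""Stage correlation for the Teams-to-remote-access intrusion pattern.

Assumed log layout (constructed for this example):
    ISO-8601 timestamp | user | event kind | detail
Event kinds used: teams_external_chat, screen_share, process_start,
mfa_method_added, rdp_logon. A process_start of a known remote management
tool is normalised to the synthetic stage 'remote_tool'.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Remote management tools named in the report plus Quick Assist; matched
# case-insensitively on the image name. Extend for your environment (assumption).
REMOTE_TOOLS = {"anydesk.exe", "dwagent.exe", "quickassist.exe"}

# Follow-on stages, in the order the report describes them.
FOLLOW_ON = ("screen_share", "remote_tool", "mfa_method_added", "rdp_logon")


@dataclass
class Event:
    ts: datetime
    user: str
    kind: str
    detail: str


def parse_line(line: str) -> Event:
    """Parse one pipe-delimited log line into an Event."""
    ts, user, kind, detail = line.strip().split("|", 3)
    event = Event(datetime.fromisoformat(ts), user, kind, detail)
    if kind == "process_start":
        # Reduce the image path to its file name and check the watchlist.
        image = detail.replace("\\", "/").rsplit("/", 1)[-1].lower()
        if image in REMOTE_TOOLS:
            event.kind = "remote_tool"
    return event


def correlate(lines, window=timedelta(hours=24), min_stages=2):
    """Return one alert per external Teams contact that is followed, for the
    same user and within `window`, by at least `min_stages` distinct follow-on
    stages. An isolated remote-tool install or a lone chat does not alert."""
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e.ts)
    alerts = []
    for chat in (e for e in events if e.kind == "teams_external_chat"):
        seen = {}
        for e in events:
            if (e.user == chat.user and chat.ts < e.ts <= chat.ts + window
                    and e.kind in FOLLOW_ON):
                seen.setdefault(e.kind, e)  # keep the earliest of each stage
        if len(seen) >= min_stages:
            alerts.append({
                "user": chat.user,
                "first_contact": chat.ts.isoformat(),
                "contact": chat.detail,
                "stages": [k for k in FOLLOW_ON if k in seen],
            })
    return alerts


# Constructed sample telemetry: alice follows the full chain, bob has a
# legitimate AnyDesk start with no Teams precursor, carol only receives a chat.
SAMPLE_LOG = [
    "2026-05-01T09:02:11|alice|teams_external_chat|it-helpdesk@external-tenant.invalid",
    "2026-05-01T09:10:40|alice|screen_share|inbound session accepted",
    r"2026-05-01T09:25:03|alice|process_start|C:\Users\alice\Downloads\AnyDesk.exe",
    "2026-05-01T11:40:00|alice|mfa_method_added|new authenticator registered",
    "2026-05-01T13:05:00|alice|rdp_logon|FILESRV01",
    r"2026-05-01T10:00:00|bob|process_start|C:\Program Files\AnyDesk\AnyDesk.exe",
    "2026-05-02T14:00:00|carol|teams_external_chat|vendor@partner.invalid",
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG):
        print(alert)
```

The rule deliberately keys on the sequence, not on any one tool: AnyDesk or RDP alone is routine in most estates, and treating the Teams contact as the precursor is what lets the later stages be read as an intrusion lifecycle instead of as unrelated noise. Tune `window` and `min_stages` to the environment's baseline; Quick Assist is on the watchlist because the article names it as the tool victims are talked into running.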


Published on 2026-05-12 05:17:00 • By the Editorial Desk
