Rapid7 Links Chaos Ransomware to Iranian State-Sponsored MuddyWater Espionage Operation
A recent cyber intrusion initially characterized as a standard Chaos ransomware attack has been linked with moderate confidence to the Iranian state-sponsored threat group MuddyWater, also known as Seedworm. This connection is drawn from new research conducted by Rapid7, which highlights the evolving tactics of state-sponsored actors in the cyber landscape.
Intrusion Tactics and Techniques
Investigators at Rapid7 discovered that the attackers utilized Microsoft Teams for social engineering, employing interactive screen sharing and credential harvesting techniques to gain access to target systems. Following this initial breach, they deployed remote management tools such as AnyDesk and DWAgent to maintain persistence and facilitate data theft. The use of Chaos ransomware branding appears to be a deliberate ‘false flag’ operation aimed at obscuring the espionage objectives of the attack and complicating attribution efforts.
The report identified several technical overlaps linking the campaign to MuddyWater infrastructure. This includes the use of the ‘Donald Gay’ code-signing certificate, previously associated with operations linked to the Iranian Ministry of Intelligence and Security, as well as command-and-control infrastructure tied to earlier MuddyWater activities.
Shift in Focus: From Ransom to Espionage
Rather than emphasizing large-scale encryption, the attackers concentrated on exfiltrating sensitive information and manipulating multi-factor authentication settings to maintain long-term access within victim environments. Rapid7 noted that this operation reflects a broader trend among state-backed actors who are increasingly adopting ransomware tactics and criminal branding to mask cyber espionage campaigns.
Chaos, identified as a ransomware-as-a-service (RaaS) operation, has been active since February 2025. It specializes in big-game hunting attacks against high-profile organizations, with ransom demands reportedly reaching up to $300,000. Alexandra Blia, a Threat Intelligence Specialist at Rapid7, explained that despite its name, Chaos is distinct from the Chaos malware builder identified in 2021. The group likely emerged following the disruption of BlackSuit infrastructure during Operation Checkmate in July 2025 and is thought to consist of former members of BlackSuit and/or Royal.
Social Engineering and Remote Access Abuse
Blia emphasized that Chaos relies heavily on social engineering and remote access abuse to gain initial access. Techniques observed include spam email flooding combined with voice phishing (vishing), often involving impersonation of IT support personnel. Victims are persuaded to grant remote access via legitimate tools like Microsoft Quick Assist, allowing operators to establish an initial foothold.
The observed use of Chaos ransomware does not signify a shift in the group’s underlying objectives but rather reflects a consistent effort to obscure operational intent and complicate attribution. MuddyWater’s reported increase in operational activity as of early 2026, primarily involving cyber espionage and potential prepositioning for disruptive operations across Western and Middle Eastern networks, has likely intensified its reliance on deceptive false-flag operations.
Previous Activities and Attribution Challenges
The assessment aligns with previously observed behavior. In late 2025, MuddyWater was linked to activities involving the Qilin RaaS ecosystem in an operation targeting an Israeli organization. Following the public attribution of that incident to the Iranian Ministry of Intelligence and Security, it is plausible that the group adopted the Chaos ransomware branding to reduce attribution risk and maintain plausible deniability.
Chaos typically employs double extortion tactics, exfiltrating sensitive data before encryption and threatening public disclosure via its data leak site. The group has also demonstrated triple extortion by threatening distributed denial-of-service (DDoS) attacks against the victim’s infrastructure. These capabilities are reportedly offered to affiliates as part of bundled services, representing a notable feature of its RaaS model.
Initial Access and Evidence of Espionage
The attackers achieved initial access through social engineering conducted via Microsoft Teams, where they initiated one-on-one chats with users from a controlled account. During these interactions, they established screen-sharing sessions, gaining direct visibility and interactive access to user assets. While connected, the attackers executed basic discovery commands, accessed files related to the victim’s VPN configuration, and instructed users to enter their credentials into locally created text files. In at least one instance, a remote management tool (AnyDesk) was deployed to facilitate further access.
The attackers expanded their access within the environment by leveraging compromised accounts and establishing remote access channels. They utilized RDP sessions to navigate between systems, allowing them to operate interactively and access additional resources within the network.
Subsequent emails were distributed to multiple users, alleging successful data exfiltration and providing a .onion link for negotiation. Open-source intelligence collection identified a corresponding entry on the Chaos data leak site referencing data; however, all identifying details were redacted, consistent with the group’s typical practices.
Implications for Cybersecurity
The apparent absence of file encryption, despite the presence of Chaos ransomware artifacts, represents a deviation from typical ransomware behavior. This inconsistency may indicate that the ransomware component functioned primarily as a facilitating or obfuscation mechanism rather than as the primary objective of the intrusion. This deviation highlights a mismatch between typical profit-driven ransomware behavior and the actor’s apparent espionage objectives.
These technical indicators and procedural inconsistencies suggest a targeted, state-sponsored intrusion masquerading as opportunistic extortion activity. Ensar Seker, CISO at SOCRadar, noted that the MuddyWater activity exemplifies how state-aligned threat actors increasingly blur the line between cybercrime and cyber-espionage. Using Chaos ransomware as a decoy provides plausible deniability while distracting incident responders into treating the intrusion as financially motivated cybercrime instead of a long-term intelligence collection operation.
Seker emphasized that the Microsoft Teams social engineering component is particularly notable, as collaboration platforms are becoming effective initial access vectors. Employees inherently trust internal communication tools, and attackers exploit this familiarity to bypass traditional email-focused security controls. Organizations should treat platforms like Teams and Slack as high-risk attack surfaces, applying the same monitoring, user awareness, and identity protection strategies traditionally reserved for email and VPN infrastructure.
The Chaos ransomware incident underscores the increasing convergence between state-sponsored intrusion activity and cybercriminal tradecraft. While the operation incorporated recognizable elements of ransomware campaigns, the absence of encryption and the presence of established espionage techniques suggest that financial gain was unlikely to be the primary objective.
The assessed link to MuddyWater indicates a continued evolution in the group’s operational approach, including the apparent use of RaaS ecosystems and branding to obscure attribution. This aligns with broader trends in which state-aligned actors adopt criminal tactics to introduce ambiguity and delay defensive responses.
Defenders must look beyond overt ransomware indicators and focus on the underlying intrusion lifecycle. Techniques such as social engineering via enterprise communication platforms, credential harvesting with multi-factor authentication manipulation, and the abuse of legitimate remote access tools remain critical enablers of compromise. This activity is best understood as a hybrid intrusion model, where ransomware is leveraged not as an end goal but as a mechanism for concealment, coercion, and operational flexibility within a broader intelligence-driven campaign.
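The intrusion lifecycle described above (external Teams contact, followed by a remote-management tool appearing on the workstation, followed by outbound RDP and/or a change to MFA settings) can be expressed as a simple multi-stage correlation rule. The following is an added example, not code from Rapid7 or from the report; the event schema, the timing windows and the process names anydesk.exe and dwagent.exe are assumptions chosen for illustration, and the log lines are constructed, not real telemetry.

```python
from datetime import datetime, timedelta

# Remote-management tools named in the report. The executable names are
# assumptions for this example, not indicators taken from the page.
RMM_PROCESSES = {"anydesk.exe", "dwagent.exe"}

# Maximum gap allowed between stages of the chain (assumed tuning values).
RMM_AFTER_CONTACT = timedelta(hours=2)      # external Teams contact -> RMM process
FOLLOWUP_AFTER_RMM = timedelta(hours=24)    # RMM process -> RDP / MFA change

# Constructed sample telemetry (not real logs):
# (ISO timestamp, host, user, event type, detail)
SAMPLE_EVENTS = [
    ("2026-01-14T09:02:11", "WS-0413", "jdoe", "teams_chat_external", "tenant:external-support"),
    ("2026-01-14T09:05:40", "WS-0413", "jdoe", "teams_screen_share", "direction:outgoing"),
    ("2026-01-14T09:09:03", "WS-0413", "jdoe", "process_start", "notepad.exe creds.txt"),
    ("2026-01-14T09:21:55", "WS-0413", "jdoe", "process_start", "anydesk.exe"),
    ("2026-01-14T10:48:12", "WS-0413", "jdoe", "rdp_outbound", "dst:FS-02"),
    ("2026-01-14T11:30:00", "WS-0413", "jdoe", "mfa_method_added", "authenticator:new-device"),
    # Benign baseline: helpdesk uses AnyDesk and RDP with no preceding external Teams contact.
    ("2026-01-14T13:00:00", "WS-0200", "helpdesk", "process_start", "anydesk.exe"),
    ("2026-01-14T13:10:00", "WS-0200", "helpdesk", "rdp_outbound", "dst:WS-0201"),
]


def parse(events):
    """Turn the tuples into dicts with real timestamps, ordered by time."""
    rows = ({"ts": datetime.fromisoformat(ts), "host": h, "user": u, "type": t, "detail": d}
            for ts, h, u, t, d in events)
    return sorted(rows, key=lambda e: e["ts"])


def correlate(events):
    """Return one alert per user whose events match the chain
    external Teams chat -> RMM process start -> outbound RDP and/or MFA change.
    A lone RMM install or a lone RDP session never triggers on its own."""
    by_user = {}
    for e in parse(events):
        by_user.setdefault(e["user"], []).append(e)

    alerts = []
    for user, evs in by_user.items():
        contact = next((e for e in evs if e["type"] == "teams_chat_external"), None)
        if contact is None:
            continue  # no external contact: not this pattern

        rmm = next((e for e in evs
                    if e["type"] == "process_start"
                    and e["detail"].split()[0].lower() in RMM_PROCESSES
                    and contact["ts"] <= e["ts"] <= contact["ts"] + RMM_AFTER_CONTACT), None)
        if rmm is None:
            continue

        followups = sorted({e["type"] for e in evs
                            if e["type"] in ("rdp_outbound", "mfa_method_added")
                            and rmm["ts"] <= e["ts"] <= rmm["ts"] + FOLLOWUP_AFTER_RMM})
        if not followups:
            continue

        alerts.append({
            "user": user,
            "host": rmm["host"],
            "contact_at": contact["ts"].isoformat(),
            "rmm": rmm["detail"],
            "followups": followups,
        })
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Requiring the external-contact stage is what keeps the rule quiet on the helpdesk account in the sample: legitimate AnyDesk and RDP use is common, so the signal comes from the sequence, not from any single tool. In a real deployment the `teams_chat_external` and `mfa_method_added` events would come from the collaboration-platform and identity-provider audit logs, and the windows would be tuned to the environment.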
Source: industrialcyber.co