Iran-Linked APT Posed as Chaos Ransomware Member in Espionage Campaign
https://www.infosecurity-magazine.com/news/iran-linked-apt-chaos-ransomware/
Publish Date: 2026-05-06 09:00:00
Source Domain: www.infosecurity-magazine.com
An APT group linked to the Iranian government pretended to be a Chaos ransomware affiliate in order to provide plausible deniability for geopolitical espionage and prepositioning, Rapid7 has claimed.
The security vendor made the revelations in a new report published on May 6, Muddying the Tracks: The State-Sponsored Shadow Behind Chaos Ransomware.
Rapid7 branded an intrusion which occurred in early 2026 as a false flag operation by the MuddyWater (aka Seedworm, Static Kitten and Mango Sandstorm) group affiliated with the Iranian Ministry of Intelligence and Security.
The intrusion itself, which took place at an unnamed organization, began with social engineering of an employee via Microsoft Teams screen sharing.
“By operating interactively through compromised users, the attacker [TA] conducted initial discovery, harvested credentials, including MFA manipulation, and quickly transitioned to using legitimate accounts for internal access,” Rapid7 explained.
“From there, the TA established persistence using remote access tools such as DWAgent and AnyDesk, before deploying additional payloads and further control of the environment. Following this, the TA exfiltrated data from the compromised environment and subsequently contacted the victim via email, claiming data theft and initiating ransom negotiations.”
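The intrusion chain quoted above names two remote access tools (DWAgent and AnyDesk) and MFA manipulation as the actor's route to persistence. The following hunting script is an added example, not code from Rapid7's report or from the article: it runs over constructed process-creation and identity-provider log lines (a made-up `key=value` format), flags executions of those tools on hosts where they are not sanctioned, and then flags MFA method registrations for accounts that had already run an unsanctioned tool. The executable names, field names, hostnames, timestamps and allowlist are all assumptions for illustration.

```python
"""Hunt for unsanctioned remote access tools followed by MFA changes.

Added example, not from the Rapid7 report or the article. The log schema
(key=value tokens), the executable names, the allowlist and the sample
lines are assumptions constructed for this example; map them onto your
own EDR / SIEM fields before use.
"""
from dataclasses import dataclass

# Binary names commonly associated with the two tools named in the
# article. Assumed for the example; verify against your own inventory.
RMM_BINARIES = {
    "dwagent.exe": "DWAgent",
    "dwagsvc.exe": "DWAgent",
    "anydesk.exe": "AnyDesk",
}

# (host, tool) pairs where the tool is approved. Constructed allowlist.
SANCTIONED = {("helpdesk-01", "AnyDesk")}


@dataclass(frozen=True)
class Finding:
    host: str
    user: str
    tool: str
    reason: str


def parse_event(line):
    """Parse one constructed 'key=value key=value ...' log line into a dict.

    Paths in this format contain no spaces, so whitespace splitting is safe.
    """
    fields = {}
    for token in line.split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
    return fields


def hunt(lines):
    """Return findings for unsanctioned RMM executions and follow-on MFA changes."""
    findings = []
    rmm_users = {}  # user -> set of unsanctioned tools they executed

    for line in lines:
        ev = parse_event(line)
        host, user = ev.get("host", "?"), ev.get("user", "?")

        if ev.get("event") == "process_create":
            # Basename of the image path, case-folded for matching.
            image = ev.get("image", "").rsplit("\\", 1)[-1].lower()
            tool = RMM_BINARIES.get(image)
            if tool is None or (host, tool) in SANCTIONED:
                continue
            rmm_users.setdefault(user, set()).add(tool)
            findings.append(Finding(host, user, tool,
                                    "unsanctioned remote access tool executed"))

        elif ev.get("event") == "mfa_method_added" and user in rmm_users:
            # A new MFA method on an account that already ran an RMM tool is
            # consistent with the "MFA manipulation" step described above.
            tools = ", ".join(sorted(rmm_users[user]))
            findings.append(Finding(host, user, tools,
                                    "MFA method added after RMM activity"))

    return findings


# Constructed sample log lines (not real telemetry). Raw string keeps the
# Windows backslashes intact.
SAMPLE_LOGS = r"""
ts=2026-02-03T09:12:44Z event=process_create host=ws-0142 user=jdoe image=C:\Users\jdoe\Downloads\dwagent.exe parent=explorer.exe
ts=2026-02-03T09:14:10Z event=process_create host=ws-0142 user=jdoe image=C:\Users\jdoe\AppData\Local\AnyDesk\AnyDesk.exe parent=dwagent.exe
ts=2026-02-03T09:20:01Z event=process_create host=helpdesk-01 user=svc_it image=C:\ProgramData\AnyDesk\AnyDesk.exe parent=services.exe
ts=2026-02-03T09:31:55Z event=mfa_method_added host=idp user=jdoe method=authenticator_app source_ip=203.0.113.7
ts=2026-02-03T10:02:17Z event=process_create host=ws-0142 user=jdoe image=C:\Windows\System32\notepad.exe parent=explorer.exe
""".strip().splitlines()


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOGS):
        print(f"{f.host:12} {f.user:8} {f.tool:18} {f.reason}")
```

On the sample input the script reports the two tool executions on `ws-0142` and the MFA registration for `jdoe`, while the sanctioned AnyDesk instance on `helpdesk-01` is ignored. Correlating the MFA event with a prior RMM execution for the same account is what separates this from a plain binary-name match; in production you would also bound the correlation window and key it on the identity provider's actual event names.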
Obfuscation Can’t Hide Iran Links
Although the threat actor alleged successful data exfiltration, the Chaos group operates a “blind” countdown timer, meaning no victim details could be viewed on the RaaS outfit’s data leak site (DLS).
The actor also claimed to have placed a note in the victim organization’s desktop directory containing “access credentials” for a secure chat – however, Rapid7 was unable to locate it.
“Despite these inconsistencies in the initial proof-of-compromise, the TA later published the stolen data on its DLS in line with modern…