{"id":240613,"date":"2026-05-06T09:00:00","date_gmt":"2026-05-06T13:00:00","guid":{"rendered":"https:\/\/news-you-need.com\/index.php\/2026\/05\/06\/iran-linked-apt-posed-as-chaos-ransomware-member-in-espionage-campaign\/"},"modified":"2026-05-06T21:10:09","modified_gmt":"2026-05-07T01:10:09","slug":"iran-linked-apt-posed-as-chaos-ransomware-member-in-espionage-campaign","status":"publish","type":"post","link":"https:\/\/news-you-need.com\/index.php\/2026\/05\/06\/iran-linked-apt-posed-as-chaos-ransomware-member-in-espionage-campaign\/","title":{"rendered":"Iran-Linked APT Posed as Chaos Ransomware Member in Espionage Campaign"},"content":{"rendered":"<p><a href=\"https:\/\/www.infosecurity-magazine.com\/news\/iran-linked-apt-chaos-ransomware\/\">Iran-Linked APT Posed as Chaos Ransomware Member in Espionage Campaign<\/a><\/p>\n<p><a href=\"https:\/\/www.infosecurity-magazine.com\/news\/iran-linked-apt-chaos-ransomware\/\">https:\/\/www.infosecurity-magazine.com\/news\/iran-linked-apt-chaos-ransomware\/<\/a><\/p>\n<p>Publish Date: <a href=\"publish_date]\">2026-05-06 09:00:00<\/a><\/p>\n<p>Source Domain: <a href=\"www.infosecurity-magazine.com\">www.infosecurity-magazine.com<\/a><\/p>\n<p>An APT group linked to the Iranian government pretended to be a Chaos ransomware affiliate in order to provide plausible deniability for geopolitical espionage and prepositioning, Rapid7 has claimed.<\/p>\n<p>The security vendor made the revelations in a new report published on May 6, Muddying the Tracks: The State-Sponsored Shadow Behind Chaos Ransomware.<\/p>\n<p>Rapid7\u00a0branded an intrusion which occurred in early 2026 as a false flag operation by the MuddyWater (aka Seedworm, Static Kitten and Mango Sandstorm) group affiliated with the Iranian Ministry of Intelligence and Security.<\/p>\n<p>Read more on Chaos: New Chaos Ransomware Emerges, Launches Wave of Attacks.<\/p>\n<p>The intrusion itself, which took place at an unnamed organization, began with social engineering of an employee via Microsoft Teams screen sharing.<\/p>\n<p>\u201cBy operating interactively through compromised users, the attacker [TA] conducted initial discovery, harvested credentials, including MFA manipulation, and quickly transitioned to using legitimate accounts for internal access,\u201d Rapid7 explained.<\/p>\n<p>\u201cFrom there, the TA established persistence using remote access tools such as DWAgent and AnyDesk, before deploying additional payloads and further control of the environment. Following this, the TA exfiltrated data from the compromised environment and subsequently contacted the victim via email, claiming data theft and initiating ransom negotiations.\u201d<\/p>\n<h2><strong>Obfuscation Can\u2019t Hide Iran Links<\/strong><\/h2>\n<p>Although the threat actor alleged successful data exfiltration, the Chaos group operates a \u201cblind\u201d countdown timer, meaning no victim details could be viewed on the RaaS outfit\u2019s data leak site (DLS).<\/p>\n<p>The actor also claimed to have placed a note in the victim organization\u2019s desktop directory containing \u201caccess credentials\u201d for a secure chat \u2013 however, Rapid7 was unable to locate it.<\/p>\n<p>\u201cDespite these inconsistencies in the initial proof-of-compromise, the TA later published the stolen data on its DLS in line with modern&#8230;<\/p>\n<p><a href=\"https:\/\/www.infosecurity-magazine.com\/news\/iran-linked-apt-chaos-ransomware\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Iran-Linked APT Posed as Chaos Ransomware Member in Espionage Campaign https:\/\/www.infosecurity-magazine.com\/news\/iran-linked-apt-chaos-ransomware\/ Publish Date: 2026-05-06 09:00:00&#8230;<\/p>\n","protected":false},"author":1,"featured_media":240614,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/assets.infosecurity-magazine.com\/webpage\/og\/13c706d0-7945-40e7-b370-f7823045c3f1.jpg","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[34],"class_list":["post-240613","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-threat-actor"],"_links":{"self":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/240613"}],"collection":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=240613"}],"version-history":[{"count":1,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/240613\/revisions"}],"predecessor-version":[{"id":240615,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/240613\/revisions\/240615"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/240614"}],"wp:attachment":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=240613"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=240613"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=240613"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}