Rapid7 Traces Chaos Ransomware to Iranian MuddyWater APT


Key Takeaways

  • Rapid7 links a Chaos ransomware‑themed intrusion to the Iranian state‑sponsored group MuddyWater (Seedworm) with moderate confidence.
  • The attack used Microsoft Teams social engineering, screen sharing, and credential harvesting, then deployed AnyDesk/DWAgent for persistence.
  • Rather than encrypting files, the actors focused on data exfiltration, MFA manipulation, and long‑term access, indicating espionage as the primary goal.
  • Chaos ransomware branding served as a false‑flag tactic to obscure intent, complicate attribution, and provide plausible deniability.
  • Defenders should monitor collaboration platforms, hunt for credential‑harvesting artifacts, and look beyond surface ransomware indicators to detect state‑backed intrusions.

Overview of the Intrusion and Attribution
Rapid7’s investigation revealed that what initially appeared to be a conventional Chaos ransomware attack is, in fact, a cyber‑espionage operation linked with moderate confidence to the Iranian state‑sponsored threat group MuddyWater, also known as Seedworm. The researchers noted that the attackers employed a blend of social engineering, credential harvesting, and remote‑access tools before deploying the Chaos ransomware payload. The use of Chaos branding was interpreted as a deliberate false‑flag maneuver designed to mask the operation’s true espionage objectives and hinder attribution efforts.

Technical Indicators Linking to MuddyWater
Several technical overlaps tied the campaign to known MuddyWater infrastructure. The threat actors used the “Donald Gay” code‑signing certificate, which has been previously associated with Iranian Ministry of Intelligence and Security‑linked activities. Additionally, command‑and‑control servers observed in the intrusion matched IP addresses and domains utilized in earlier MuddyWater campaigns. These artifacts, combined with the group’s typical tactics, provided the basis for Rapid7’s attribution assessment.

Objectives: Espionage over Extortion
Unlike typical ransomware incidents that prioritize large‑scale encryption for financial gain, this operation emphasized data exfiltration, manipulation of multi‑factor authentication settings, and the establishment of long‑term footholds within victim networks. The attackers harvested sensitive information, altered MFA configurations to maintain access, and avoided encrypting files unless necessary for deception. This focus on stealthy intelligence collection aligns with MuddyWater’s historical emphasis on cyber espionage and pre‑positioning for potential disruptive actions.

Chaos Ransomware‑as‑a‑Service Background
Chaos operates as a ransomware‑as‑a‑service (RaaS) platform that emerged after the July 2025 law‑enforcement takedown of BlackSuit infrastructure during Operation Checkmate. The group markets itself as a “big‑game hunter” targeting high‑profile organizations, with reported ransom demands reaching up to $300,000. Chaos advertises its affiliate program on cybercrime forums such as RAMP (prior to its takedown) and RehubCom, offering services that include double, triple, and even quadruple extortion tactics. Despite its criminal façade, the service can be leveraged by state actors seeking camouflage for espionage campaigns.

Initial Access via Microsoft Teams Social Engineering
The intrusion began with attackers initiating one‑on‑one chats in Microsoft Teams from a controlled account. During these interactions, they established screen‑sharing sessions, gaining a live view of and interactive control over the victim’s desktop. While connected, the threat actors ran basic discovery commands, accessed VPN‑related files, and coerced users into entering credentials into locally created text files. In at least one case, they deployed the remote management tool AnyDesk to solidify their presence and facilitate further movement inside the environment.

Lateral Movement and Persistence
After obtaining initial footholds, the threat actors used compromised credentials to launch RDP sessions, enabling them to pivot laterally across systems and access additional resources. They also installed persistent remote‑access agents such as DWAgent, ensuring continued connectivity even if the initial vector was closed. This combination of legitimate remote‑desktop protocols and third‑party tools allowed the attackers to operate interactively, conduct reconnaissance, and stage data‑exfiltration activities without triggering typical ransomware‑detonation alerts.

Extortion Tactics and Data Leak Site
Although the attackers claimed to have stolen data and threatened public disclosure, they did not follow the typical encryption‑first ransomware workflow. Instead, they employed double extortion (threatening to leak exfiltrated data), triple extortion (adding DDoS threats), and even hinted at quadruple extortion by warning of contacting customers or competitors. A .onion link was supplied for negotiation, and a corresponding entry appeared on the Chaos data‑leak site, though all identifying details were redacted in line with the group’s “blind” countdown timer. Despite inconsistencies in the proof‑of‑compromise claims, the data later published on the site was verified as legitimate by the victim.

Analysis of Missing Encryption and False‑Flag Nature
The noticeable absence of file encryption, despite the presence of Chaos ransomware artifacts, suggests that the ransomware component served primarily as an obfuscation or facilitation tool rather than the main objective. This deviation from profit‑driven ransomware behavior supports the hypothesis that the actors aimed to conceal espionage activities behind a criminal façade. By using Chaos branding, MuddyWater gains plausible deniability, diverts incident responders toward treating the event as financially motivated crime, and slows strategic defensive responses during the critical early stages of an investigation.

Defensive Recommendations and Broader Implications
Ensar Seker, CISO at SOCRadar, emphasized that collaboration platforms like Microsoft Teams have become high‑risk attack surfaces because attackers exploit the inherent trust users place in internal communication tools. Organizations should apply the same monitoring, user‑awareness, and identity‑protection strategies to Teams, Slack, and similar apps that they already apply to email and VPN infrastructure. Furthermore, defenders are urged to look beyond overt ransomware indicators—such as encryption notes or ransom demands—and focus on the underlying intrusion lifecycle: credential harvesting, MFA tampering, abuse of legitimate remote‑access tools, and unusual activity in collaboration logs. Recognizing these patterns enables early detection of state‑backed operations that hide behind cyber‑crime camouflage.
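The lifecycle described in this article (external Teams chat and screen share, a text file created on the desktop while the session runs, a remote‑access tool appearing shortly after, an MFA change for the same user, then an RDP pivot from that workstation) is easier to catch as a chain than as isolated alerts. The following correlation script is an added example, not Rapid7's or SOCRadar's code; the event records are constructed for illustration and the field names (`teams_screenshare`, `mfa_change`, `logon_type`, `source_host`) are assumptions rather than any product's real schema. It anchors on an external, interactive screen share and then looks for the follow‑on stages within a time window.

```python
"""Correlate collaboration, endpoint and identity events into the
Teams-driven intrusion chain: external screen share -> text file written
during the session -> remote-access tool launched -> MFA change -> RDP pivot.
All events below are constructed sample data; field names are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed process names for the remote-access tools named in the report.
RMM_MARKERS = ("anydesk", "dwagent")

# Constructed sample telemetry: one suspicious chain for "alice" on WS01 and
# benign internal screen-share noise for "bob" on WS07.
SAMPLE_EVENTS = [
    {"ts": "2025-09-01T09:02:00", "type": "teams_chat", "user": "alice", "host": "WS01",
     "external": True, "sender": "helpdesk@external.example"},
    {"ts": "2025-09-01T09:05:00", "type": "teams_screenshare", "user": "alice", "host": "WS01",
     "external": True, "sender": "helpdesk@external.example"},
    {"ts": "2025-09-01T09:07:00", "type": "process", "user": "alice", "host": "WS01", "image": "whoami.exe"},
    {"ts": "2025-09-01T09:09:00", "type": "file_create", "user": "alice", "host": "WS01",
     "path": r"C:\Users\alice\Desktop\login.txt"},
    {"ts": "2025-09-01T09:20:00", "type": "process", "user": "alice", "host": "WS01", "image": "AnyDesk.exe"},
    {"ts": "2025-09-01T10:15:00", "type": "mfa_change", "user": "alice", "host": None,
     "detail": "new authenticator registered"},
    {"ts": "2025-09-01T11:40:00", "type": "logon", "user": "alice", "host": "SRV02",
     "logon_type": 10, "source_host": "WS01"},
    {"ts": "2025-09-01T14:00:00", "type": "teams_screenshare", "user": "bob", "host": "WS07",
     "external": False, "sender": "carol@corp.example"},
    {"ts": "2025-09-01T14:30:00", "type": "process", "user": "bob", "host": "WS07", "image": "excel.exe"},
]


def is_rmm(image):
    """True if the process image name matches one of the remote-access tools."""
    name = image.lower()
    return any(marker in name for marker in RMM_MARKERS)


def correlate(events, window=timedelta(hours=6)):
    """Return {user: [stage, ...]} for users whose activity forms the chain.

    An external screen share is the anchor; later stages count only if they
    occur within `window` of that anchor and (for host-bound stages) on the
    same workstation. Users with fewer than three stages are dropped so a
    lone external share or a lone MFA change does not fire on its own."""
    findings = defaultdict(list)
    anchors = {}  # user -> (anchor timestamp, anchor host)
    for e in sorted(events, key=lambda ev: ev["ts"]):
        ts = datetime.fromisoformat(e["ts"])
        user = e["user"]
        if e["type"] == "teams_chat" and e.get("external"):
            findings[user].append("external_chat")
        elif e["type"] == "teams_screenshare" and e.get("external"):
            anchors[user] = (ts, e["host"])
            findings[user].append("external_screen_share")
        elif user in anchors and ts - anchors[user][0] <= window:
            a_host = anchors[user][1]
            if e["type"] == "file_create" and e["host"] == a_host and e["path"].lower().endswith(".txt"):
                findings[user].append("text_file_after_share")
            elif e["type"] == "process" and e["host"] == a_host and is_rmm(e["image"]):
                findings[user].append("rmm_install:" + e["image"].lower())
            elif e["type"] == "mfa_change":
                findings[user].append("mfa_change")
            elif e["type"] == "logon" and e.get("logon_type") == 10 and e.get("source_host") == a_host:
                findings[user].append("rdp_pivot:" + e["host"])
    return {u: stages for u, stages in findings.items() if u in anchors and len(stages) >= 3}


if __name__ == "__main__":
    for user, stages in correlate(SAMPLE_EVENTS).items():
        print(f"{user}: {' -> '.join(stages)}")
```

The chain for `alice` surfaces because every stage lines up on one user and one workstation inside the window, while `bob`'s internal screen share followed by ordinary office activity is ignored. In production the same logic would consume Teams audit records, EDR process and file events, identity‑provider MFA logs and Windows logon events (type 10 for RDP), and the window and the "three stages" threshold are the knobs to tune against an environment's normal help‑desk traffic.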
