Iranian Government Hackers Use Chaos Ransomware
2026-05-06 13:00 | CRITICAL | MEDIUM
Executive Summary (AI-generated)
Incident responders at Rapid7 report that an early-2026 intrusion which initially presented as a Chaos ransomware attack was in fact the work of MuddyWater, an Iranian APT group affiliated with the Ministry of Intelligence and Security (MOIS). The actor used the Chaos brand as a false flag to cover espionage and data theft: a ransom note and negotiation were used to focus defenders on immediate impact while persistence via remote access tools remained in place. Attribution rests on artifacts previously tied to MuddyWater, including a code-signing certificate, command-and-control infrastructure, pythonw.exe process injection, and social engineering over Microsoft Teams. MuddyWater had already been linked to the Qilin ransomware ecosystem in 2025, and nation-state groups from China, Russia, North Korea and Iran have previously adopted ransomware-as-a-service brands as cover for espionage or for disruptive operations against adversaries. The Chaos ransomware operation itself has existed since February 2025 and is believed to have been created by former members of the BlackSuit and Royal groups.
Technical Mitigations (AI-generated)
* Harden the initial access path: the intrusion began with social engineering of an employee over Microsoft Teams screen sharing. Restrict external Teams federation and chat from unmanaged tenants, and train staff that support-style screen-share requests from unknown accounts are an attack pattern, not a help-desk call.
* Protect MFA enrolment and recovery: the actor harvested credentials and manipulated MFA while operating interactively through compromised users, then moved to legitimate accounts. Alert on new MFA device registrations and method changes, and require re-authentication with an existing strong factor before a new factor can be enrolled.
* Control remote-access tooling: persistence was established with DWAgent and AnyDesk. Allow-list the organization's approved remote management tools, block installation and outbound connections for all others, and treat an unexpected RMM install as an incident rather than a policy violation.
* Hunt the observed tradecraft and indicators: pythonw.exe injecting code into suspended processes, binaries signed with the "Donald Gay" code-signing certificate, and traffic to moonzonet[.]com. Block the domain, deny execution of binaries carrying that certificate, and alert on pythonw.exe performing process access or remote thread creation.
* Do not let the extortion noise set the scope of the response: Rapid7 notes that the ransom and negotiation elements likely serve to delay discovery of the underlying persistence. Treat a "Chaos" incident as a possible espionage intrusion, scoping for data exfiltration and dormant remote-access footholds before declaring recovery complete.
* Keep operating systems and applications patched, and maintain a tested incident response plan covering containment, eradication, recovery and post-incident review.
Technical Observables
Intelligence Metadata
Actors / Malware / CVEs / Campaigns: MuddyWater, Pay2Key, Qilin
Target & Sectors: Israel (2025 Qilin-linked attack); Western (NORTH_AMERICA) and Middle Eastern networks (early 2026); sector: government
Incident Timeline
February 2025
The Chaos ransomware operation emerges; it is believed to have been created by former members of the BlackSuit and Royal ransomware groups.
tactic
Ransomware
The Chaos ransomware operation has existed since February 2025 and cybersecurity experts believe it was created by former members of the now-defunct BlackSuit and Royal ransomware groups.
organisation
BlackSuit
The Chaos ransomware operation has existed since February 2025 and cybersecurity experts believe it was created by former members of the now-defunct BlackSuit and Royal ransomware groups.
threat_actor
MuddyWater
The malware deployed and certificates used tied back to the toolkit typically used by Iran’s MuddyWater hacking group.
The infrastructure used in the attack was previously tied by security vendors to another MuddyWater campaign identified in March targeting organizations in the Middle East and North Africa.
organisation
Microsoft Teams
Rapid7 provided little information about the victim at the center of the incident, only writing that the hackers used a social engineering campaign leveraging Microsoft Teams to gain initial access.
2025
Researchers tied MuddyWater to the Qilin ransomware ecosystem after the Qilin strain was used to attack an Israeli organization.
tactic
Ransomware
Researchers last year tied MuddyWater to the Qilin ransomware ecosystem after the strain was used to attack an Israeli organization.
threat_actor
MuddyWater
Researchers last year tied MuddyWater to the Qilin ransomware ecosystem after the strain was used to attack an Israeli organization.
malware
Qilin
Researchers last year tied MuddyWater to the Qilin ransomware ecosystem after the strain was used to attack an Israeli organization.
target_region
Israel
Researchers last year tied MuddyWater to the Qilin ransomware ecosystem after the strain was used to attack an Israeli organization.
late 2025
MuddyWater is linked to activity involving the Qilin RaaS ecosystem in an attack on an Israeli organization, according to Rapid7.
malware
Qilin
In late 2025 it was linked to activity involving the Qilin RaaS ecosystem in an attack targeting an Israeli organization, Rapid7 noted.
target_region
Israel
In late 2025 it was linked to activity involving the Qilin RaaS ecosystem in an attack targeting an Israeli organization, Rapid7 noted.
May 6, 2026
Rapid7 publishes its report attributing the Chaos-branded intrusion to MuddyWater.
tactic
Ransomware
The security vendor made the revelations in a new report published on May 6, "Muddying the Tracks: The State-Sponsored Shadow Behind Chaos Ransomware".
2026/05/07
TheRecord reports on Rapid7's finding that MuddyWater used Chaos ransomware as a cover for alleged espionage and data theft operations.
threat_actor
MuddyWater
Incident responders from cybersecurity firm Rapid7 published a report about a recent intrusion that initially appeared to be a Chaos ransomware attack but was later discovered to be an attack attributed to MuddyWater, an Iranian APT group tied to the country’s Ministry of Intelligence and Security (MOIS).
Aside from this unusual behavior, Rapid7 discovered several links to previous infrastructure used by MuddyWater including:
A code-signing certificate (“Donald Gay”) used to validate the malware samples
The moonzonet[.]com domain, which supported command-and-control (C2) infrastructure
Use of pythonw.exe to inject code into suspended processes
Use of interactive Microsoft Teams sessions to harvest MFA and credentials
MuddyWater has a history of impersonating RaaS groups.
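The indicator list above and the mitigations earlier on this page describe four things a responder can actually look for in endpoint telemetry: a binary signed with the "Donald Gay" certificate, a lookup of moonzonet[.]com, pythonw.exe touching another process, and the DWAgent or AnyDesk remote-access tools. The script below is an added example written for this page, not Rapid7's tooling or the report's own detection content. It runs over a handful of constructed Sysmon-style events (simplified dicts, not real logs); the indicator values come from the page, while the event field names, the event-ID mapping and the RMM binary names (anydesk.exe, dwagent.exe, dwagsvc.exe) are assumptions about how this activity would appear and should be adjusted to local telemetry.

```python
"""Triage of MuddyWater/Chaos indicators over Sysmon-style events.

Added example for this page, not Rapid7's tooling. Indicator values are
from the page; event shapes, field names and RMM binary names are assumed.
"""
from collections import Counter

# Indicators reported on the page (Rapid7 findings).
C2_DOMAIN = "moonzonet.com"        # written moonzonet[.]com on the page
SUSPECT_SIGNER = "Donald Gay"      # subject of the code-signing certificate
INJECTION_SOURCE = "pythonw.exe"   # used to inject into suspended processes
# Assumed on-disk names for the remote-access tools named on the page.
RMM_IMAGES = {"anydesk.exe", "dwagent.exe", "dwagsvc.exe"}


def _basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def _defang(domain):
    return domain.replace(".", "[.]")


def check_event(ev):
    """Return (rule_name, detail) if the event matches an indicator, else None.

    Assumed Sysmon mapping: 1 = process create, 22 = DNS query,
    8 = CreateRemoteThread, 10 = ProcessAccess.
    """
    eid = ev.get("EventID")
    if eid == 1:
        img = _basename(ev.get("Image", ""))
        signer = ev.get("Signature", "")
        if SUSPECT_SIGNER.lower() in signer.lower():
            return ("suspect_code_signer", f"{img} signed by '{signer}'")
        if img in RMM_IMAGES:
            parent = _basename(ev.get("ParentImage", "?"))
            return ("rmm_tool_execution", f"{img} launched by {parent}")
    elif eid == 22:
        q = ev.get("QueryName", "").lower().rstrip(".")
        if q == C2_DOMAIN or q.endswith("." + C2_DOMAIN):
            img = _basename(ev.get("Image", ""))
            return ("c2_domain_lookup", f"{img} resolved {_defang(q)}")
    elif eid in (8, 10):
        src = _basename(ev.get("SourceImage", ""))
        if src == INJECTION_SOURCE:
            tgt = _basename(ev.get("TargetImage", ""))
            return ("pythonw_injection", f"{src} -> {tgt}")
    return None


def triage(events):
    """Run every event through the rules; return the list of hits in order."""
    hits = []
    for ev in events:
        hit = check_event(ev)
        if hit:
            hits.append(hit)
    return hits


def summarize(hits):
    """Count hits per rule, useful for a first-pass scoping summary."""
    return Counter(rule for rule, _ in hits)


# Constructed sample telemetry (not real logs): a dropper signed with the
# suspect certificate beacons to C2, pythonw.exe injects into notepad, and
# two RMM tools are launched. Events 2, 4 and 8 are benign noise.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Users\u\AppData\Local\Temp\update.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "Signature": "Donald Gay"},
    {"EventID": 1, "Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe", "Signature": "Microsoft Windows"},
    {"EventID": 22, "Image": r"C:\Users\u\AppData\Local\Temp\update.exe",
     "QueryName": "api.moonzonet.com"},
    {"EventID": 22, "Image": r"C:\Program Files\Google\Chrome\chrome.exe",
     "QueryName": "login.microsoftonline.com"},
    {"EventID": 8, "SourceImage": r"C:\Python311\pythonw.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe"},
    {"EventID": 1, "Image": r"C:\ProgramData\AnyDesk\AnyDesk.exe",
     "ParentImage": r"C:\Users\u\AppData\Local\Temp\update.exe",
     "Signature": "AnyDesk vendor (constructed)"},
    {"EventID": 1, "Image": r"C:\Program Files\DWAgent\native\dwagsvc.exe",
     "ParentImage": r"C:\Windows\System32\services.exe", "Signature": ""},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe"},
]

if __name__ == "__main__":
    found = triage(SAMPLE_EVENTS)
    for rule, detail in found:
        print(f"[{rule}] {detail}")
    print(dict(summarize(found)))
```

The rules deliberately match on different evidence types (signer, DNS, thread injection, process name) so that a single one being absent from a given log source still leaves the others; in practice the pythonw.exe rule will need an allow-list for legitimate Python automation, and the RMM rule should be keyed to the organization's own approved tool list rather than the two names from this incident.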
campaign
Espionage Campaign
Iran-Linked APT Posed as Chaos Ransomware Member in Espionage Campaign.
infrastructure
Data leak site (DLS)
Obfuscation Can’t Hide Iran Links
Although the threat actor alleged successful data exfiltration, the Chaos group operates a “blind” countdown timer, meaning no victim details could be viewed on the RaaS outfit’s data leak site (DLS).
organisation
Microsoft Teams
Among the links Rapid7 found to previous MuddyWater infrastructure: use of interactive Microsoft Teams sessions to harvest MFA and credentials.
organisation
Microsoft
The intrusion itself, which took place at an unnamed organization, began with social engineering of an employee via Microsoft Teams screen sharing.
organisation
AnyDesk
“Furthermore, the inclusion of extortion and negotiation elements could serve to focus defensive efforts on immediate impact, likely delaying the identification of underlying persistence mechanisms established via remote access tools such as DWAgent or AnyDesk.”
technique
MFA manipulation
“By operating interactively through compromised users, the attacker [TA] conducted initial discovery, harvested credentials, including MFA manipulation, and quickly transitioned to using legitimate accounts for internal access,” Rapid7 explained.
threat_actor
TA (threat actor)
“From there, the TA established persistence using remote access tools such as DWAgent and AnyDesk, before deploying additional payloads and further control of the environment.
organisation
DWAgent
“From there, the TA established persistence using remote access tools such as DWAgent and AnyDesk, before deploying additional payloads and further control of the environment.
early 2026
MuddyWater, operating under the Chaos ransomware brand as a false flag, carries out an intrusion that Rapid7 attributes to Iranian espionage activity.
tactic
Espionage
“While attribution evasion is a common characteristic of state-affiliated actors, MuddyWater’s reported increase in operational activity as of early 2026, primarily involving cyber espionage and potential prepositioning for disruptive operations across Western and Middle Eastern networks, has likely intensified its reliance on deceptive false-flag operations,” the two said.
threat_actor
MuddyWater
“While attribution evasion is a common characteristic of state-affiliated actors, MuddyWater’s reported increase in operational activity as of early 2026, primarily involving cyber espionage and potential prepositioning for disruptive operations across Western and Middle Eastern networks, has likely intensified its reliance on deceptive false-flag operations,” the two said.
Rapid7 branded an intrusion which occurred in early 2026 as a false flag operation by the MuddyWater (aka Seedworm, Static Kitten and Mango Sandstorm) group affiliated with the Iranian Ministry of Intelligence and Security.
attribution
Seedworm
Rapid7 branded an intrusion which occurred in early 2026 as a false flag operation by the MuddyWater (aka Seedworm, Static Kitten and Mango Sandstorm) group affiliated with the Iranian Ministry of Intelligence and Security.
attribution
the Iranian Ministry of Intelligence and Security
Rapid7 branded an intrusion which occurred in early 2026 as a false flag operation by the MuddyWater (aka Seedworm, Static Kitten and Mango Sandstorm) group affiliated with the Iranian Ministry of Intelligence and Security.
Intelligence Sources
Infosecurity-Magazine, 2026-05-06: Iran-Linked APT Posed as Chaos Ransomware Member in Espionage Campaign
TheRecord, 2026-05-07
Incident Version History
Current version, last updated 2026-06-15T10:16