Nation-state hackers from Iran are deploying the Chaos ransomware as cover for alleged espionage and data theft operations, according to new research.
Incident responders from cybersecurity firm Rapid7 published a report about a recent intrusion that initially appeared to be a Chaos ransomware attack but was later discovered to be an attack attributed to MuddyWater, an Iranian APT group tied to the country’s Ministry of Intelligence and Security (MOIS).
Rapid7’s Alexandra Blia and Ivan Feigl said the use of the Chaos ransomware “reflects a consistent effort to obscure operational intent and complicate attribution.”
“While attribution evasion is a common characteristic of state-affiliated actors, MuddyWater’s reported increase in operational activity as of early 2026, primarily involving cyber espionage and potential prepositioning for disruptive operations across Western and Middle Eastern networks, has likely intensified its reliance on deceptive false-flag operations,” the two said.
The Chaos ransomware operation has existed since February 2025 and cybersecurity experts believe it was created by former members of the now-defunct BlackSuit and Royal ransomware groups.
Rapid7 provided little information about the victim at the center of the incident, only writing that the hackers used a social engineering campaign leveraging Microsoft Teams to gain initial access.
The hackers contacted employees through external chat requests and initiated one-on-one conversations with users. They eventually established a screen-sharing session with the victim, during which the hacker accessed files related to VPN configuration and asked the victim to enter credentials.
The threat actors also deployed a remote management tool to enable deeper access to the victim’s system. After an undisclosed amount of time, the hackers sent multiple emails to employees of the company threatening to leak stolen data if a ransom was not paid.
The extortion process was clumsy, but the hackers later published stolen data that the company confirmed is legitimate, according to the researchers.
Rapid7 noted that the absence of file encryption was another inconsistency in the incident that led them to question the true culprit behind the attack.
The researchers found troves of technical evidence pointing to Iran’s MOIS. The malware deployed and certificates used tied back to the toolkit typically used by Iran’s MuddyWater hacking group.
The infrastructure used in the attack was previously tied by security vendors to another MuddyWater campaign identified in March targeting organizations in the Middle East and North Africa.
Blia and Feigl added that the incident “highlights the increasing convergence between state-sponsored intrusion activity and cybercriminal tradecraft.”
Researchers last year tied MuddyWater to the Qilin ransomware ecosystem after the strain was used to attack an Israeli organization. The attack was eventually attributed directly to Iran’s MOIS, possibly leading to the hackers adopting the Chaos ransomware brand to “reduce attribution risk and maintain a degree of plausible deniability,” Rapid7 said.
Multiple nation-state groups from China, Russia, North Korea and Iran have been seen adopting the ransomware-as-a-service framework as either cover for espionage attacks or as ways to cause disruptions to adversaries.
Blia and Feigl said ransomware allows state actors to blur motivations, complicating attribution by Western law enforcement agencies and cyber defenders.
Researchers warned in February that North Korean state hackers are using the Medusa ransomware in attacks.
In several other cases, ransomware has been used as a cover for Chinese espionage activity. Law enforcement agencies have also seen instances of Iranian government hackers using their official access to later launch financially motivated attacks as part of an effort to double-dip and moonlight as cybercriminals, monetizing their hacking skills.
The FBI previously said it witnessed Iranian actors partnering with affiliates of the NoEscape, Ransomhouse and AlphV ransomware operations — eventually taking a percentage of ransom payments.
At the onset of kinetic hostilities between Iran and the United States, there was a flurry of cyber activity, including alleged ransomware attacks and wiper incidents launched by Iranian actors. A U.S. healthcare organization was targeted in late February with Iran’s Pay2Key ransomware and a prominent medical device company was damaged for weeks following a cyberattack by Iranian hackers.
Jonathan Greig
is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.