An APT group linked to the Iranian government posed as a Chaos ransomware affiliate to give its geopolitical espionage plausible deniability, according to a Rapid7 report published on 6 May 2026. The intrusion, which Rapid7 says began with social engineering of an employee over a Microsoft Teams screen-sharing session, took place at an unnamed organisation in early 2026.
The attackers used compromised accounts for internal access, harvested credentials (including by manipulating MFA), and established persistence with remote-access tools such as DWAgent and AnyDesk before exfiltrating data and contacting the victim to negotiate a ransom; Rapid7 describes the ransom demand as part of a broader espionage operation. Although the group published the stolen data on its data leak site, it never deployed a ransomware payload, which is a departure from what a regular Chaos affiliate would be expected to do.
Rapid7 also noted links to MuddyWater infrastructure, including a code-signing certificate issued to "Donald Gay" and the moonzonet[.]com domain used for C2, indicating ties to the Iran-aligned actor rather than a purely financial operation.
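The indicators above (the moonzonet[.]com C2 domain, the "Donald Gay" certificate subject and the DWAgent/AnyDesk remote-access tools) are the kind of thing a defender would sweep existing telemetry for. The following is an added example, not code from Rapid7 or from the report; it runs a small hunt over constructed DNS and process-creation records. The record layout, the executable names `dwagent.exe` and `anydesk.exe`, and the sample events are all assumptions made for this example.

```python
"""Hunt constructed telemetry for the indicators named in the Rapid7 summary.

Indicators from the summary: C2 domain moonzonet[.]com, code-signing certificate
subject "Donald Gay", and the remote-access tools DWAgent and AnyDesk.
Record layout and tool image names are assumptions for this example.
"""
from dataclasses import dataclass

# Indicators written defanged, as they appear in the report summary.
C2_DOMAINS_DEFANGED = ["moonzonet[.]com"]
SIGNER_NAMES = {"donald gay"}
# Assumed image names for the remote tools; adjust to your own software inventory.
# AnyDesk and DWAgent are legitimate tools, so a hit is a lead to triage, not a verdict.
REMOTE_TOOL_IMAGES = {"dwagent.exe": "DWAgent", "anydesk.exe": "AnyDesk"}


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as moonzonet[.]com back into a matchable host name."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower()


C2_DOMAINS = {refang(d) for d in C2_DOMAINS_DEFANGED}


@dataclass(frozen=True)
class Finding:
    host: str
    technique: str
    detail: str


def host_matches_c2(fqdn: str) -> bool:
    """True for the C2 domain itself or any subdomain of it (never a mere suffix match)."""
    fqdn = fqdn.lower().rstrip(".")
    return any(fqdn == d or fqdn.endswith("." + d) for d in C2_DOMAINS)


def check_event(event: dict) -> list:
    """Evaluate one record; returns zero or more findings."""
    findings = []
    host = event.get("host", "?")
    kind = event.get("kind")
    if kind == "dns" and host_matches_c2(event.get("query", "")):
        findings.append(Finding(host, "C2 domain lookup", event["query"]))
    elif kind == "process":
        # Compare only the basename so the match is independent of install path.
        image = event.get("image", "").replace("/", "\\").rsplit("\\", 1)[-1].lower()
        tool = REMOTE_TOOL_IMAGES.get(image)
        if tool:
            findings.append(Finding(host, "remote-access tool execution", f"{tool}: {event['image']}"))
        if event.get("signer", "").strip().lower() in SIGNER_NAMES:
            findings.append(Finding(host, "suspicious code-signing certificate", event["signer"]))
    return findings


def scan(events) -> list:
    """Run check_event over a sequence of records and collect every finding."""
    out = []
    for event in events:
        out.extend(check_event(event))
    return out


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    {"kind": "dns", "host": "ws-01", "query": "cdn.moonzonet.com"},
    {"kind": "dns", "host": "ws-01", "query": "notmoonzonet.com"},
    {"kind": "process", "host": "ws-02", "image": r"C:\Program Files\DWAgent\dwagent.exe",
     "signer": "DWAgent Project (constructed)"},
    {"kind": "process", "host": "ws-03", "image": r"C:\Users\jdoe\Downloads\update.exe",
     "signer": "Donald Gay"},
    {"kind": "process", "host": "ws-03", "image": r"C:\Windows\System32\notepad.exe",
     "signer": "Microsoft Windows"},
    {"kind": "process", "host": "ws-04", "image": r"C:\Users\jdoe\AppData\Local\AnyDesk\anydesk.exe",
     "signer": "philandro Software GmbH (constructed)"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.host}: {f.technique} -> {f.detail}")
```

The subdomain check deliberately requires a dot boundary so that look-alike names such as notmoonzonet.com do not match; signer matching is exact on the subject name because the report names it precisely, whereas the remote-tool match is loose by design and should be triaged against the organisation's approved-software list.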