Iranian APT MuddyWater Deploys Chaos Ransomware as Espionage Smokescreen
A new report indicates that Iranian nation-state hackers are leveraging the **Chaos** ransomware as a deceptive tactic to mask espionage and data theft operations. **Rapid7** researchers uncovered a recent intrusion initially appearing as a ransomware attack, but later attributed to **MuddyWater**, an Iranian Advanced Persistent Threat (APT) group linked to the country's Ministry of Intelligence and Security (**MOIS**).
Nation-state hackers from Iran are deploying the **Chaos** ransomware as cover for alleged espionage and data theft operations, according to new research.
### MuddyWater's Deceptive Tactics
Incident responders from cybersecurity firm **Rapid7** published a report about a recent intrusion that initially appeared to be a **Chaos** ransomware attack but was later discovered to be an attack attributed to **MuddyWater**, an Iranian APT group tied to the country's Ministry of Intelligence and Security (**MOIS**).
**Rapid7's** Alexandra Blia and Ivan Feigl said the use of the **Chaos** ransomware "reflects a consistent effort to obscure operational intent and complicate attribution."
"While attribution evasion is a common characteristic of state-affiliated actors, **MuddyWater's** reported increase in operational activity as of early 2026, primarily involving cyber espionage and potential prepositioning for disruptive operations across Western and Middle Eastern networks, has likely intensified its reliance on deceptive false-flag operations," the two said.
### Chaos Ransomware Origins
The **Chaos** ransomware operation has existed since February 2025 and cybersecurity experts believe it was created by former members of the now-defunct **BlackSuit** and **Royal** ransomware groups.
### Initial Access and Data Exfiltration
**Rapid7** provided little information about the victim at the center of the incident, only writing that the hackers used a social engineering campaign leveraging **Microsoft Teams** to gain initial access.
The hackers contacted employees through external chat requests and initiated one-on-one conversations with users. They eventually established a screen-sharing session with the victim, during which the hacker accessed files related to VPN configuration and asked the victim to enter credentials.
The threat actors also deployed a remote management tool to enable deeper access to the victim's system. After an undisclosed amount of time, the hackers sent multiple emails to employees of the company threatening to leak stolen data if a ransom was not paid.
The extortion process was clumsy, but the hackers later published stolen data that the company confirmed is legitimate, according to the researchers.
**Rapid7** noted that the absence of file encryption was another inconsistency in the incident that led them to question the true culprit behind the attack.
### Attribution to Iranian MOIS
The researchers found troves of technical evidence pointing to Iran's **MOIS**. The malware deployed and certificates used tied back to the toolkit typically used by Iran's **MuddyWater** hacking group.
The infrastructure used in the attack was previously tied by security vendors to another **MuddyWater** campaign identified in March targeting organizations in the Middle East and North Africa.
Blia and Feigl added that the incident "highlights the increasing convergence between state-sponsored intrusion activity and cybercriminal tradecraft."
Researchers last year tied **MuddyWater** to the **Qilin** ransomware ecosystem after the strain was used to attack an Israeli organization. The attack was eventually attributed directly to Iran's **MOIS**, possibly leading to the hackers adopting the **Chaos** ransomware brand to "reduce attribution risk and maintain a degree of plausible deniability," **Rapid7** said.
### Blurring Lines: Nation-State Actors and Ransomware
Multiple nation-state groups from China, Russia, North Korea and Iran have been seen adopting the ransomware-as-a-service framework as either cover for espionage attacks or as ways to cause disruptions to adversaries.
Blia and Feigl said ransomware allows state actors to blur motivations, complicating attribution by Western law enforcement agencies and cyber defenders.
Researchers warned in February that North Korean state hackers are using the **Medusa** ransomware in attacks.
In several other cases, ransomware has been used as a cover for Chinese espionage activity. Law enforcement agencies have also seen instances of Iranian government hackers using their official access to later launch financially motivated attacks as part of an effort to double-dip and moonlight as cybercriminals, monetizing their hacking skills.
The **FBI** previously said it witnessed Iranian actors partnering with affiliates of the **NoEscape**, **Ransomhouse** and **AlphV** ransomware operations, eventually taking a percentage of ransom payments.
At the onset of kinetic hostilities between Iran and the United States, there was a flurry of cyber activity, including alleged ransomware attacks and wiper incidents launched by Iranian actors. A U.S. healthcare organization was targeted in late February with Iran's **Pay2Key** ransomware, and a prominent medical device company was damaged for weeks following a cyberattack by Iranian hackers.