Chaotic Behavior
Analytics, 2026-05-20, 13:33
Rapid7 published a report linking an attack conducted under the Chaos brand to activity overlapping with known MuddyWater operations.
During the campaign, the attackers sent emails claiming to have stolen data and provided a link to a .onion site for negotiations. Later, a related listing concerning the victim organization appeared on the ransomware group's DLS (data leak site). Analysis of the organization's infrastructure revealed no evidence of ransomware deployment, but investigators discovered a loader and a remote access trojan (RAT) signed with a certificate previously believed to be linked to MuddyWater operations.
The case demonstrates that ransomware can be used not only for financial gain, but also as cover for operations likely associated with state-backed groups. This approach echoes a previously discussed campaign during the protests in Iran: the attackers combine technical methods with exploitation of context and trust, whether through political narratives or other forms of coercion. As a result, attacks become less straightforward, making detection and attribution more difficult.