Morning Overview

Iran’s MuddyWater hackers adopted Chaos ransomware branding to disguise espionage operations and confuse attribution

When a ransomware attack locks files and drops a payment demand, most security teams reach for the same playbook: isolate the damage, restore from backups, and figure out whether to negotiate. But a growing body of threat intelligence suggests that some incidents branded with the Chaos ransomware family may not be criminal shakedowns at all. Researchers at several threat-intelligence firms have linked a subset of these operations to MuddyWater, an Iranian hacking group that answers to Tehran’s Ministry of Intelligence and Security (MOIS), raising the possibility that what looks like a quick extortion hit is actually a cover for long-term espionage.

MuddyWater’s confirmed ties to Iranian intelligence

The strongest public evidence tying MuddyWater to the Iranian state comes from a joint advisory (AA22-055A) co-signed by five Western agencies: CISA, the FBI, the NSA, the U.K.’s National Cyber Security Centre, and the U.S. Cyber National Mission Force. Published in February 2022, the advisory states without hedging that MuddyWater is “a subordinate element” of MOIS, language that in intelligence-community terms signals high confidence in the attribution.

The advisory catalogs a broad toolkit: spearphishing emails, exploitation of publicly known software vulnerabilities, and DLL side-loading to trick legitimate programs into running malicious code, all used to burrow into government and private-sector networks worldwide. The group's primary objectives, according to the five agencies, are data theft and persistent access, not the smash-and-grab encryption that defines most financially motivated ransomware crews.

Microsoft, which tracks the group as Mango Sandstorm (formerly MERCURY), has documented additional tradecraft in subsequent years, including MuddyWater's use of legitimate remote-management tools such as Atera and SimpleHelp to blend into normal IT traffic once inside a network. Because those agents are signed, commercially supported software that many organizations run on purpose, the tell is rarely the binary itself but an installation nobody in IT requested, on a host where no such tool belongs. That evolution shows a group constantly refining its ability to look unremarkable.

Why Chaos ransomware makes useful camouflage

Chaos is a .NET-based ransomware builder that first circulated on underground forums around mid-2021. The builder spread widely and spawned variants such as Yashma, putting it in the hands of low-skill criminals and sophisticated operators alike. Because Chaos infections are common and rarely attributed to any single actor, slapping its branding on an intrusion creates immediate noise: defenders see a known commodity and default to standard ransomware response procedures. One further caveat for responders: early Chaos builds behaved more like wipers than ransomware, overwriting files above a size threshold with random data instead of encrypting them, so anything those builds touched is unrecoverable whether or not anyone pays.

That default response is exactly what benefits an espionage team. Ransomware playbooks prioritize restoring availability, negotiating with extortionists, and notifying affected parties. They do not typically prioritize hunting for a quiet intelligence collector that may have been moving laterally through the network for weeks before the ransomware detonated. By triggering the wrong playbook, the attacker buys time to exfiltrate sensitive data while responders focus on encrypted files and ransom notes.

The tactic is not without precedent. Russia’s Sandworm group used the NotPetya wiper in 2017 disguised as ransomware, causing billions of dollars in damage while masking what U.S. and U.K. authorities later called a destructive attack against Ukraine. More recently, analysts at Secureworks and Mandiant have flagged cases where Chinese-linked actors deployed ransomware to complicate attribution after stealing intellectual property. MuddyWater’s reported use of Chaos, as described by private-sector researchers, fits a broader pattern in which state-backed groups borrow criminal tools to muddy the forensic trail.

What the public evidence does and does not show

It is important to be precise about where the evidence stands as of mid-2026. The AA22-055A advisory firmly attributes MuddyWater to MOIS and details the group’s tools and techniques, but it does not mention Chaos ransomware by name. No published indicator-of-compromise set from CISA or its partner agencies draws a direct technical line between MuddyWater command-and-control infrastructure and specific Chaos binaries.

The connection between MuddyWater and Chaos branding comes primarily from threat-intelligence firms and independent researchers, including teams at Secureworks and Mandiant, who have reported overlaps in tactics, infrastructure, and targeting between known MuddyWater campaigns and incidents involving Chaos-family payloads. Those assessments carry analytical weight, but they have not been formally echoed in government attribution language. Defenders should treat the link as a credible hypothesis advanced by respected private-sector analysts, not yet confirmed at the same confidence level as the core MOIS attribution endorsed by five government agencies.

Also unresolved is whether the branding choice reflects a centralized MOIS directive or an ad hoc decision by individual MuddyWater operators. State-linked hacking groups often operate with significant autonomy. If the tactic is centrally directed, organizations should expect it to evolve and potentially spread to other Iranian-linked groups such as Mint Sandstorm or Peach Sandstorm (both of which Microsoft associates with the Islamic Revolutionary Guard Corps rather than MOIS). If it is opportunistic, it could fade as quickly as it appeared.

What defenders should do differently

The practical implication is straightforward: any ransomware incident involving Chaos-family indicators should trigger a parallel investigation for espionage-style activity. That means looking beyond encrypted files for signs of data staging (large archives in unusual locations), lateral movement, credential dumping (for example, untrusted processes reading LSASS memory), and long-lived command-and-control beacons that predate the ransomware detonation; the detonation timestamp is also the cutoff that turns those findings into a dwell-time estimate. Incident responders should preserve logs and forensic artifacts, including memory captures and endpoint telemetry from hosts that were never encrypted, as if they were handling a nation-state intrusion, not just an extortion attempt.
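As an added illustration of that parallel hunt (example code written for this article, not tooling from any researcher or agency cited here), the script below takes constructed endpoint and network telemetry in a hypothetical key=value format, pins the detonation moment from the ransom note drop or the first rename to the encrypted extension, and then looks only at what happened before that moment: regularly spaced outbound connections, staged archives, large outbound transfers (and whether they went to the beacon infrastructure), and LSASS access. The note filename, the .chaos extension, the host names and the RFC 5737 addresses are all placeholders, as are the size and jitter thresholds.

```python
"""Pre-detonation hunt around a Chaos-branded ransomware event. Added example: log
format, hosts, addresses and indicators are constructed, not from any reported incident."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed telemetry: ISO timestamp, then key=value fields without spaces.
# Hosts are hypothetical; 203.0.113.x / 198.51.100.x are RFC 5737 test ranges.
SAMPLE_LOG = """\
2026-04-02T01:00:05Z host=ws-17 type=netconn dst=203.0.113.5:443
2026-04-02T02:00:07Z host=ws-17 type=netconn dst=203.0.113.5:443
2026-04-02T03:00:04Z host=ws-17 type=netconn dst=203.0.113.5:443
2026-04-02T04:00:06Z host=ws-17 type=netconn dst=203.0.113.5:443
2026-04-02T05:00:05Z host=ws-17 type=netconn dst=203.0.113.5:443
2026-04-03T09:12:41Z host=ws-17 type=netconn dst=198.51.100.22:443
2026-04-03T14:55:10Z host=ws-17 type=netconn dst=198.51.100.22:443
2026-04-05T11:03:28Z host=ws-17 type=procaccess target=lsass.exe proc=rundll32.exe
2026-04-09T23:41:02Z host=fs-01 type=filecreate path=C:\\Users\\Public\\export.zip size=734003200
2026-04-10T00:30:19Z host=fs-01 type=netconn dst=203.0.113.5:443 bytes_out=734100000
2026-04-10T03:02:00Z host=fs-01 type=filecreate path=C:\\Users\\Public\\read_it.txt size=1200
2026-04-10T03:02:01Z host=fs-01 type=filerename path=C:\\Share\\q1.xlsx newpath=C:\\Share\\q1.xlsx.chaos
2026-04-10T03:02:02Z host=fs-01 type=filerename path=C:\\Share\\q2.xlsx newpath=C:\\Share\\q2.xlsx.chaos
"""

# Placeholder indicators: substitute the note name and extension seen in your incident.
RANSOM_NOTE = "read_it.txt"
ENCRYPTED_EXT = ".chaos"
ARCHIVE_EXTS = (".zip", ".rar", ".7z")
STAGING_MIN_BYTES = EXFIL_MIN_BYTES = 100 * 1024 * 1024
BEACON_MIN_HITS = 4      # connections required before a (host, dst) pair counts
BEACON_MAX_JITTER = 0.2  # pstdev/mean of inter-connection gaps; lower = more regular


def parse_events(text):
    """Parse lines into dicts sorted by time; 'ts' becomes a datetime."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, *fields = line.split()
            ev = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
            ev.update(f.partition("=")[::2] for f in fields)
            events.append(ev)
    return sorted(events, key=lambda e: e["ts"])

def basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def find_detonation(events):
    """Earliest sign the ransomware ran: note dropped or a file renamed to the encrypted extension."""
    for ev in events:
        if ev.get("type") == "filecreate" and basename(ev.get("path", "")) == RANSOM_NOTE:
            return ev["ts"]
        if ev.get("type") == "filerename" and ev.get("newpath", "").lower().endswith(ENCRYPTED_EXT):
            return ev["ts"]
    return None

def before(events, cutoff, kind):
    """Events of one type that happened strictly before the cutoff."""
    return [ev for ev in events if ev.get("type") == kind and ev["ts"] < cutoff]

def find_beacons(events, cutoff):
    """(host, dst) pairs with enough regularly spaced connections to look like a C2 beacon."""
    groups = defaultdict(list)
    for ev in before(events, cutoff, "netconn"):
        groups[(ev["host"], ev["dst"])].append(ev["ts"])
    beacons = []
    for (host, dst), times in groups.items():
        if len(times) < BEACON_MIN_HITS:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= BEACON_MAX_JITTER:
            beacons.append({"host": host, "dst": dst, "hits": len(times),
                            "period_s": round(mean(gaps)), "first_seen": times[0]})
    return beacons

def hunt(text):
    """Run every check against the window before detonation and estimate dwell time."""
    events = parse_events(text)
    det = find_detonation(events)
    if det is None:
        return {"detonation": None}
    beacons = find_beacons(events, det)
    staging = [ev for ev in before(events, det, "filecreate")
               if ev.get("path", "").lower().endswith(ARCHIVE_EXTS)
               and int(ev.get("size", 0)) >= STAGING_MIN_BYTES]
    exfil = [ev for ev in before(events, det, "netconn")
             if int(ev.get("bytes_out", 0)) >= EXFIL_MIN_BYTES]
    creds = [ev for ev in before(events, det, "procaccess")
             if ev.get("target", "").lower() == "lsass.exe"]
    beacon_dsts = {b["dst"] for b in beacons}
    earliest = min([b["first_seen"] for b in beacons]
                   + [ev["ts"] for ev in staging + exfil + creds], default=det)
    return {"detonation": det, "beacons": beacons, "staging": staging, "exfil": exfil,
            "exfil_to_beacon_infra": [ev for ev in exfil if ev["dst"] in beacon_dsts],
            "credential_access": creds, "dwell_days": (det - earliest).total_seconds() / 86400}

if __name__ == "__main__":
    r = hunt(SAMPLE_LOG)
    print(f"detonation {r['detonation']:%Y-%m-%d %H:%M}; suspicious activity began "
          f"{r['dwell_days']:.1f} days earlier")
    for b in r["beacons"]:
        print(f"beacon {b['host']} -> {b['dst']} every ~{b['period_s']}s since {b['first_seen']:%Y-%m-%d}")
    print(f"staged archives {len(r['staging'])}, large outbound flows {len(r['exfil'])} "
          f"(to beacon infra: {len(r['exfil_to_beacon_infra'])}), lsass access {len(r['credential_access'])}")
```

On the constructed data the hunt reports an hourly beacon from ws-17 that began eight days before the ransom note was written, a 700 MB archive staged on the file server and sent to the same beacon address a few hours before detonation, and LSASS access by an untrusted process in between. The point is the cutoff: every check deliberately ignores the encryption window and asks what the same hosts were doing before it, which is the question a ransomware playbook never poses.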

CISA's general guidance on recognizing social-engineering attacks and avoiding malicious software reinforces that many high-end intrusions still begin with basic user missteps and unpatched systems. Phishing lures crafted to mimic legitimate business communications remain MuddyWater's most reliable way through the door, and improving fundamentals like email filtering, multi-factor authentication, application allowlisting, and prompt patching can blunt both state-backed and criminal threats.

Organizations should also update their incident-response playbooks so that “ransomware” is treated as a symptom, not a complete diagnosis. When Chaos or similar families are detected, response teams should consider whether the attacker may have dual objectives: monetizing access through encryption while quietly exfiltrating sensitive data for intelligence use. That perspective supports more cautious decisions about bringing systems back online, reissuing credentials, and disclosing the scope of an incident to regulators and affected parties.

Where the intelligence gaps on Chaos attribution remain

Victim lists and timelines for alleged Chaos-branded MuddyWater operations have not appeared in any primary government disclosure. Without that data, it is difficult to assess how widespread the tactic has been or whether it targeted specific sectors, such as government agencies, telecommunications providers, or critical infrastructure operators, more heavily than others.

The link between MuddyWater and MOIS is well supported by a multi-agency advisory, and the group’s reliance on phishing and commodity tools fits patterns documented over years of public reporting. The specific claim that MuddyWater has cloaked some operations in Chaos ransomware branding, however, rests on private-sector analysis rather than government-backed attribution. Until primary government sources or detailed technical disclosures fill that gap, organizations are best served by treating Chaos-linked incidents as potential espionage cases while remaining clear-eyed about the uncertainty around attribution and intent.


*This article was researched with the help of AI, with human editors creating the final content.