Iranian government hackers using Chaos ransomware as cover, researchers say
ID: e1eb2d75-7986-548e-b0c2-fc63c0434b36
STIX ID: report--e1eb2d75-7986-548e-b0c2-fc63c0434b36
Feed Name: The Record from Recorded Future News
Rapid7 researchers link an intrusion that appeared to be a Chaos ransomware incident to the Iran-aligned APT MuddyWater (MOIS), concluding that the ransomware branding was a false flag for espionage and data theft. The attackers gained access through Microsoft Teams social engineering, harvested VPN credentials via screen-sharing, deployed remote management tools, exfiltrated data and later published the stolen files. The intrusion involved no file encryption, and its infrastructure and artifacts were tied to prior MuddyWater campaigns.
