Overview
- Rapid7, which published its findings Wednesday, details an early‑2026 intrusion staged to look like a Chaos ransomware hit even though the operators focused on espionage, not file locking.
- The intruders contacted employees on Microsoft Teams to start screen sharing, stole passwords and manipulated multi‑factor prompts, then kept access using RDP, DWAgent and AnyDesk.
- After moving through the network, the group stole data and emailed staff to demand payment, pointed victims to Chaos’s leak site, did not actually drop the ransom note their message claimed to have left, and later posted the data anyway.
- Researchers tie the activity to MuddyWater with moderate confidence based on overlaps that include a “Donald Gay” code‑signing certificate, the moonzonet[.]com command server, and custom malware such as the ms_upd.exe loader and the Darkcomp backdoor.
- The operation shows how state actors now borrow ransomware‑as‑a‑service trappings—rentable brands, leak sites and extortion emails—to blur attribution and slow incident response by shifting defenders’ focus.
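The summary names a handful of concrete indicators (the moonzonet[.]com command server, the ms_upd.exe loader, the “Donald Gay” signing certificate, and the DWAgent/AnyDesk remote-access tools used for persistence). As an added example that is not part of the Rapid7 report or the article above, the script below shows how a responder might sweep DNS query logs and a host process inventory for those indicators. The log lines, file paths and signer strings other than the page's own indicators are constructed sample data, and the log format and record field names are assumptions.

```python
import re
from dataclasses import dataclass

# Indicators taken from the summary above; everything else in this file is constructed.
INDICATORS = {
    "c2_domains": {"moonzonet[.]com"},          # defanged as published; refanged before matching
    "file_names": {"ms_upd.exe"},
    "cert_subjects": {"Donald Gay"},
    "remote_access_tools": {"dwagent", "anydesk"},  # legitimate tools abused for persistence
}


def refang(ioc: str) -> str:
    """Turn a defanged indicator such as 'moonzonet[.]com' into a matchable domain."""
    return ioc.replace("[.]", ".").replace("hxxp", "http").lower()


@dataclass
class Hit:
    kind: str       # which indicator class matched
    indicator: str  # the normalised indicator value
    evidence: str   # the log line or image path that triggered the match


def scan_dns_log(lines):
    """Match resolver log lines (assumed 'query: <name>' format) against C2 domains.

    A name matches if it equals the domain or is a subdomain of it; 'notmoonzonet.com'
    deliberately does not match, which a naive substring search would get wrong.
    """
    domains = {refang(d) for d in INDICATORS["c2_domains"]}
    hits = []
    for line in lines:
        m = re.search(r"query:\s*([A-Za-z0-9.-]+)", line)
        if not m:
            continue
        name = m.group(1).lower().rstrip(".")
        for d in domains:
            if name == d or name.endswith("." + d):
                hits.append(Hit("c2_domain", d, line))
    return hits


def scan_process_inventory(records):
    """Check process records (assumed dicts with 'image' and 'signer') for file-name,
    remote-access-tool and code-signing-certificate indicators."""
    loaders = {f.lower() for f in INDICATORS["file_names"]}
    hits = []
    for r in records:
        image = r.get("image", "")
        basename = image.lower().replace("\\", "/").rsplit("/", 1)[-1]
        if basename in loaders:
            hits.append(Hit("malware_loader", basename, image))
        for tool in INDICATORS["remote_access_tools"]:
            if tool in basename:
                hits.append(Hit("remote_access_tool", tool, image))
        signer = r.get("signer", "")
        if signer in INDICATORS["cert_subjects"]:
            hits.append(Hit("code_signing_cert", signer, image))
    return hits


def summarize(hits):
    """Count hits per indicator class so a responder can see the shape of the findings."""
    counts = {}
    for h in hits:
        counts[h.kind] = counts.get(h.kind, 0) + 1
    return counts


# Constructed sample input: resolver log lines in the assumed format.
SAMPLE_DNS = [
    "2026-02-03T10:01:02Z client 10.0.0.12#51234: query: moonzonet.com IN A",
    "2026-02-03T10:01:05Z client 10.0.0.12#51235: query: update.moonzonet.com IN A",
    "2026-02-03T10:02:00Z client 10.0.0.40#51300: query: login.microsoftonline.com IN A",
    "2026-02-03T10:02:07Z client 10.0.0.40#51301: query: notmoonzonet.com IN A",
]

# Constructed sample input: process records as they might be exported from an EDR.
SAMPLE_PROCS = [
    {"image": r"C:\Users\jdoe\AppData\Local\Temp\ms_upd.exe", "signer": "Donald Gay"},
    {"image": r"C:\Program Files (x86)\DWAgent\runtime\dwagent.exe", "signer": "Constructed Vendor Inc"},
    {"image": r"C:\Program Files\AnyDesk\AnyDesk.exe", "signer": "Constructed Vendor Inc"},
    {"image": r"C:\Windows\System32\svchost.exe", "signer": "Constructed OS Vendor"},
]


def triage():
    """Run both sweeps over the constructed samples and return every hit."""
    return scan_dns_log(SAMPLE_DNS) + scan_process_inventory(SAMPLE_PROCS)


if __name__ == "__main__":
    for h in triage():
        print(f"{h.kind:20} {h.indicator:16} {h.evidence}")
    print(summarize(triage()))
```

The domain check is written as equal-or-subdomain rather than substring on purpose: look-alike names such as notmoonzonet.com would otherwise produce false positives. Remote-access-tool hits are leads rather than verdicts, since DWAgent and AnyDesk are legitimate products; the useful follow-up is to compare each hit against the organisation's approved remote-support tooling and the time the process first appeared.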