Chaos, a new ransomware-as-a-service (RaaS) operation that emerged in February 2025, combines social engineering with legitimate remote-access tooling to conduct big-game hunting attacks.
The group has demonstrated a concerning evolution in ransomware operations by combining traditional spam campaigns with voice-based manipulation techniques, followed by abuse of remote monitoring and management (RMM) tools for persistent network access.
Security researchers assess with moderate confidence that this new Chaos group consists of former members from the BlackSuit (Royal) ransomware operation, based on striking similarities in encryption methodologies and attack patterns.
The Chaos ransomware group uses a multi-stage social engineering approach that begins with low-effort spam flooding of potential victims' inboxes.
When recipients call the phone number supplied in the spam, the threat actors impersonate IT security staff and walk the victim through installing Microsoft Quick Assist, a legitimate Windows remote assistance tool.
This voice-based social engineering technique, known as “vishing,” allows attackers to establish initial access without deploying traditional malware.
Once inside victim networks, the attackers deploy multiple RMM tools including AnyDesk, ScreenConnect, OptiTune, Syncro RMM, and Splashtop Streamer to maintain persistent connections.
The group also modifies Windows registry settings to hide the accounts it creates from the sign-in screen while keeping RDP access to those accounts.
They systematically reset domain user passwords and attempt to disable multi-factor authentication applications to consolidate their control over compromised environments.
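The post-access steps above (hidden accounts plus RMM agents left running) leave two cheap host-level tells. The following Go program is an added example, not code from the article or from the researchers, that parses the output of `reg query` and `tasklist` to surface both. The registry key it checks is an assumption: the article does not name the key, so the standard one the Windows logon UI consults for hidden accounts (MITRE ATT&CK T1564.002) is used. The `reg`/`tasklist` samples are constructed, and the RMM name list is a case-insensitive substring match on the tools the article names, since agent executable names vary by version.

```go
package main

import (
	"fmt"
	"os/exec"
	"runtime"
	"strings"
)

// Assumed key (not stated in the article): an account listed here with DWORD 0
// is hidden from the Windows sign-in screen (MITRE ATT&CK T1564.002).
const userListKey = `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList`

// Tool names from the article, matched as lower-case substrings. Extend for your estate.
var rmmNames = []string{"anydesk", "screenconnect", "optitune", "syncro", "splashtop"}

// Constructed sample of `reg query <userListKey>` output (not from a real host).
const sampleRegQuery = `
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
    svc_backup       REG_DWORD    0x0
    helpdesk         REG_DWORD    0x1
    Administrator    REG_DWORD    0x0
`

// Constructed, abridged sample of `tasklist` output.
const sampleTasklist = `
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System Idle Process              0 Services                   0          8 K
AnyDesk.exe                   4120 Console                    1     41,212 K
ScreenConnect.ClientService.exe 5288 Services                 0     22,980 K
explorer.exe                  3312 Console                    1    118,400 K
`

// HiddenAccounts returns the account names whose UserList value is 0.
// Account names may contain spaces, so everything before the type column is the name.
func HiddenAccounts(regOutput string) []string {
	var hidden []string
	for _, line := range strings.Split(regOutput, "\n") {
		f := strings.Fields(line)
		if len(f) < 3 || f[len(f)-2] != "REG_DWORD" {
			continue
		}
		if v := f[len(f)-1]; v == "0x0" || v == "0" {
			hidden = append(hidden, strings.Join(f[:len(f)-2], " "))
		}
	}
	return hidden
}

// RMMProcesses returns the image names of running processes that match a known RMM tool.
func RMMProcesses(tasklistOutput string) []string {
	var found []string
	for _, line := range strings.Split(tasklistOutput, "\n") {
		lower := strings.ToLower(line)
		for _, name := range rmmNames {
			if strings.Contains(lower, name) {
				found = append(found, strings.Fields(line)[0])
				break
			}
		}
	}
	return found
}

func main() {
	reg, tl := sampleRegQuery, sampleTasklist
	// On a real Windows host, query live data; elsewhere the constructed samples are used.
	if runtime.GOOS == "windows" {
		out, _ := exec.Command("reg", "query", userListKey).CombinedOutput()
		reg = string(out) // a missing key yields an error message, which parses to nothing
		if out, err := exec.Command("tasklist").CombinedOutput(); err == nil {
			tl = string(out)
		}
	}
	fmt.Println("accounts hidden from sign-in screen:", HiddenAccounts(reg))
	fmt.Println("RMM agents running:", RMMProcesses(tl))
}
```

A hidden account that the help desk did not create, or an RMM agent that is not the one the organisation has licensed, is worth an immediate look; the same checks are easy to express as a scheduled PowerShell or EDR query.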
Chaos RaaS Group
The Chaos ransomware represents a significant technical advancement in the ransomware landscape, with builds for Windows, ESXi, Linux, and NAS systems. The group's deliberate obfuscation further complicates identification and mitigation of the risks posed by this emerging threat.

The malware performs multi-threaded selective encryption: operators specify via command-line parameters what percentage of each file to encrypt, trading completeness for speed while still leaving every file unusable.
The ransomware utilizes hybrid cryptographic techniques combining Elliptic Curve Diffie-Hellman (ECDH) with Curve25519 for asymmetric operations and AES-256 for symmetric file encryption.
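To make the design in the two paragraphs above concrete, here is an added Go example (written for this page, not the Chaos or BlackSuit code) of the same hybrid scheme: a fresh X25519 key per file is agreed against the operator's public key, the shared secret becomes an AES-256 key, and only the leading percentage of the file, in the spirit of `/encrypt_step`, is encrypted. The KDF (SHA-256 of the shared secret), the use of GCM, and the footer layout are assumptions for the example; the article states only ECDH/Curve25519 and AES-256. The sample "file" is constructed.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Footer appended to every file: ephemeral X25519 public key (32), GCM nonce (12),
// length of the encrypted prefix (4). Layout is an assumption for this example.
const footerLen = 32 + 12 + 4

// PrefixLen returns how many leading bytes stepPercent covers, rounded up so that
// even a tiny file loses at least one byte of plaintext.
func PrefixLen(total, stepPercent int) int {
	return (total*stepPercent + 99) / 100
}

// deriveKey maps the X25519 shared secret to an AES-256 key (assumed KDF: SHA-256).
func deriveKey(shared []byte) []byte {
	k := sha256.Sum256(shared)
	return k[:]
}

func newGCM(shared []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(deriveKey(shared))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptSelective encrypts the first stepPercent of plain under a per-file key
// derived with operatorPub, leaves the tail untouched, and appends the footer.
// Only the holder of the operator's private key can recover the prefix.
func EncryptSelective(plain []byte, operatorPub *ecdh.PublicKey, stepPercent int) ([]byte, error) {
	if stepPercent < 1 || stepPercent > 100 {
		return nil, errors.New("stepPercent must be between 1 and 100")
	}
	eph, err := ecdh.X25519().GenerateKey(rand.Reader) // fresh key per file
	if err != nil {
		return nil, err
	}
	shared, err := eph.ECDH(operatorPub)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(shared)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	n := PrefixLen(len(plain), stepPercent)
	out := gcm.Seal(nil, nonce, plain[:n], nil) // n bytes + 16-byte tag
	out = append(out, plain[n:]...)            // tail stays plaintext
	out = append(out, eph.PublicKey().Bytes()...)
	out = append(out, nonce...)
	return binary.BigEndian.AppendUint32(out, uint32(n)), nil
}

// DecryptSelective reverses EncryptSelective given the operator's private key.
func DecryptSelective(blob []byte, operatorPriv *ecdh.PrivateKey) ([]byte, error) {
	if len(blob) < footerLen {
		return nil, errors.New("blob shorter than footer")
	}
	body, footer := blob[:len(blob)-footerLen], blob[len(blob)-footerLen:]
	ephPub, err := ecdh.X25519().NewPublicKey(footer[:32])
	if err != nil {
		return nil, err
	}
	nonce := footer[32:44]
	n := int(binary.BigEndian.Uint32(footer[44:]))
	shared, err := operatorPriv.ECDH(ephPub)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(shared)
	if err != nil {
		return nil, err
	}
	sealed := n + gcm.Overhead()
	if sealed > len(body) {
		return nil, errors.New("prefix length exceeds body")
	}
	prefix, err := gcm.Open(nil, nonce, body[:sealed], nil) // fails on wrong key
	if err != nil {
		return nil, err
	}
	return append(prefix, body[sealed:]...), nil
}

func main() {
	operator, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	plain := bytes.Repeat([]byte("SQLite format 3\x00"), 64) // constructed 1024-byte "file"
	blob, err := EncryptSelective(plain, operator.PublicKey(), 10)
	if err != nil {
		panic(err)
	}
	fmt.Printf("encrypted %d of %d bytes; header is now %x\n", PrefixLen(len(plain), 10), len(plain), blob[:8])
	back, err := DecryptSelective(blob, operator)
	fmt.Println("round trip with operator key:", err == nil && bytes.Equal(back, plain))
}
```

The point for defenders is in the numbers: at 10 percent the file header, the part every parser reads first, is gone, the operator's private key never touches the victim host, and the untouched tail means file-size and whole-file-entropy heuristics see little change, so detection has to look at write patterns and the tooling around the encryptor rather than at the output alone.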
The group has implemented sophisticated anti-analysis techniques that detect debugging tools, virtual machine environments, and security analysis platforms through window enumeration and process monitoring.
For data exfiltration, attackers abuse GoodSync, legitimate file synchronization software, masquerading malicious executables as Windows system files.
Their data leak site threatens victims with distributed denial-of-service attacks and disclosure of stolen data to competitors if payment demands are not met, following the double extortion model that has become standard in contemporary ransomware operations.

The ransomware operates in three modes: local encryption, network-wide encryption targeting SMB shares, or combined operations that maximize organizational impact.
BlackSuit Ransomware Operation
Security researchers have identified substantial technical and operational overlaps between Chaos and the previously known BlackSuit (Royal) ransomware family.

Both groups utilize identical encryption command parameters, including “/lkey” for 32-byte keys, “/encrypt_step” for selective encryption percentages, and “/work_mode” for operational targeting.
The ransom note structure and messaging themes remain consistent between operations, featuring references to “security testing,” double extortion threats, and similar communication protocols.
Chaos has impacted diverse business verticals across the United States, United Kingdom, New Zealand, and India, operating through the Russian-speaking cybercriminal forum Ransom Anon Market Place (RAMP).
The group explicitly avoids targeting BRICS/CIS countries, hospitals, and government entities while demanding ransoms of approximately $300,000.