Publication Date: 2026-07-15
Source: Security Arsenal Dark Web Intelligence Unit
Data Origin: Chaos Leak Site (Direct Observation via Ransomware.live)
Threat Actor Profile — CHAOS
Group Overview: CHAOS is a relatively low-volume, high-impact ransomware operation that has recently shifted its focus toward North American critical infrastructure. Unlike "big game hunting" groups that flood leak sites, CHAOS maintains a sparse posting cadence (3 victims in the last 100 posts), suggesting either a closed-group model or a highly selective RaaS operation.
Operational Model:
- Extortion Strategy: Strict double extortion. The group threatens data leaks and implements encryption.
- Ransom Demands: Estimated to range from $500k to $2M based on victim profiles (Pharma, Brewing, Specialty Chemicals).
- Initial Access Vectors: CHAOS demonstrates advanced capability in exploiting perimeter security appliances and remote management tools rather than relying solely on phishing. Recent activity strongly correlates with the exploitation of CVE-2026-50751 (Check Point) and CVE-2024-1708 (ScreenConnect).
- Dwell Time: Observations suggest a dwell time of 3–7 days. The group moves rapidly from initial access (via perimeter CVEs) to lateral movement, likely to bypass EDR detection windows that might catch long-term persistence mechanisms.
Current Campaign Analysis
Campaign Summary: On 2026-07-14, the CHAOS leak site updated with three new victims, marking a distinct escalation in activity. This burst aligns with the recent addition of specific CVEs to the CISA Known Exploited Vulnerabilities (KEV) catalog in Q2 2026.
Targeted Sectors:
- Healthcare:
aphenapharma.com(US) - Manufacturing:
spectrumchemical.com(US) - Agriculture/Food Production:
sleemanbreweries.ca(CA)
Geographic Focus:
- Primary: United States (2 victims)
- Secondary: Canada (1 victim)
Victim Profile: The victims are mid-to-large enterprise entities with significant supply chain footprints.
- Sleeman Breweries: High-volume production, reliance on OT/IoT.
- Spectrum Chemical: Specialized manufacturing, high-value IP.
- Aphena Pharma: Critical healthcare provider, high pressure to pay to ensure patient safety.
Observed TTPs & CVE Correlation: The simultaneous posting of victims on the same day suggests a automated or scripted exploitation process targeting unpatched perimeter defenses.
- CVE-2026-50751 (Check Point Security Gateway): Used to bypass network perimeter authentication, granting internal network access.
- CVE-2024-1708 (ConnectWise ScreenConnect): Used for remote code execution (RCE) once inside the network, facilitating hands-on-keyboard activity for lateral movement.
- CVE-2026-20131 (Cisco FMC): Potential disruption of security logging and firewall rule modification to hide exfiltration traffic.
Detection Engineering
The following detection rules are designed to catch the specific initial access vectors and lateral movement patterns observed in the CHAOS campaign.
SIGMA Rules
---
title: Potential ConnectWise ScreenConnect Path Traversal Exploit (CVE-2024-1708)
id: 8a3c2b1d-4e5f-6a7b-8c9d-0e1f2a3b4c5d
description: Detects potential exploitation of the path traversal vulnerability in ConnectWise ScreenConnect leading to RCE.
status: experimental
date: 2026/07/15
references:
- https://cisa.gov/known-exploited-vulnerabilities-catalog
author: Security Arsenal Research
logsource:
category: webserver
detection:
selection:
cs-uri-query|contains:
- '/LiveEventController.ashx'
- 'App_Extensions/'
condition: selection
falsepositives:
- Legitimate administrative access (verify user-agent and source IP)
level: high
tags:
- cve.2024.1708
- initial_access
- ransomware
- chaos
---
title: Suspicious PsExec Lateral Movement
id: 1b2c3d4e-5f6a-7b8c-9d0e-1f2a3b4c5d6e
description: Detects the usage of PsExec or similar tools for lateral movement, a common tactic for CHAOS operators.
status: experimental
date: 2026/07/15
author: Security Arsenal Research
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\PsExec.exe'
- Image|endswith: '\PAExec.exe'
- OriginalFileName: 'PsExec.exe'
selection_cli:
CommandLine|contains:
- '\\192.168.'
- '\\10.'
- '-accepteula'
condition: 1 of selection*
falsepositives:
- System administration
level: medium
tags:
- lateral_movement
- t1021.002
- chaos
---
title: Check Point IKEv1 Anomaly Implied Authentication Bypass
id: 2c3d4e5f-6a7b-8c9d-0e1f-2a3b4c5d6e7f
description: Detects high volume of IKEv1 connections or failures associated with CVE-2026-50751 exploitation attempts.
status: experimental
date: 2026/07/15
author: Security Arsenal Research
logsource:
product: firewall
detection:
selection:
dst_port: 500
protocol: 'UDP'
vpn_feature: 'IKE'
filter_ikev2:
vendor_specific|contains: 'IKEv2'
condition: selection and not filter_ikev2
falsepositives:
- Legacy VPN configurations
level: high
tags:
- cve.2026.50751
- perimeter_breach
- chaos
KQL (Microsoft Sentinel)
Hunt for lateral movement and data staging consistent with CHAOS pre-encryption activity.
let TimeFrame = 1h;
DeviceProcessEvents
| where Timestamp > ago(TimeFrame)
// Hunt for common lateral movement tools
| where ProcessCommandLine has_any ("psexec", "wmic", "powershell -enc", "schtasks")
// Filter out known administrative hosts if necessary, or investigate all
| where InitiatingProcessAccountName != "SYSTEM"
// Look for mass file modifications or access (Staging)
| join kind=inner (
DeviceFileEvents
| where Timestamp > ago(TimeFrame)
| where ActionType == "FileCreated"
| summarize FileCount = count(), ListOfFiles = make_set(FileName) by DeviceId, Timestamp
) on DeviceId
| where FileCount > 50
| project DeviceId, Timestamp, ProcessCommandLine, InitiatingProcessFileName, FileCount, ListOfFiles
PowerShell Response Script
Rapid response script to identify persistence mechanisms often used by CHAOS before detonation.
# CHAOS Response: Check for Scheduled Task Persistence and Recent Shadow Copy Deletion
Write-Host "[*] Checking for Scheduled Tasks created in the last 7 days..."
Get-ScheduledTask | Where-Object {$_.Date -gt (Get-Date).AddDays(-7)} | Select-Object TaskName, TaskPath, Date, Author
Write-Host "[*] Checking for recent VSS Shadow Copy deletions (System Event ID 7036)..."
$Events = Get-WinEvent -FilterHashtable @{LogName='System'; Id=7036; StartTime=(Get-Date).AddHours(-24)} -ErrorAction SilentlyContinue
if ($Events) {
$VSSEvents = $Events | Where-Object {$_.Message -like '*Volume Shadow Copy*'}
if ($VSSEvents) { $VSSEvents | Select-Object TimeCreated, Message }
}
Write-Host "[*] enumerating established non-local RDP connections..."
Get-NetTCPConnection -State Established -LocalPort 3389 | Select-Object LocalAddress, RemoteAddress, OwningProcess
---
Incident Response Priorities
-
T-Minus Detection Checklist:
- Check logs for successful logons to
spectrumchemical.com(or similar internal assets) via VPN/Remote Access between 2026-07-10 and 2026-07-13. - Hunt for
C:\Windows\Temp\orProgramDatadirectories containing renamed executables (common RMM/ScreenConnect abuse). - Investigate any unusual PowerShell execution logs involving
System.Net.WebClientorInvoke-Expression.
- Check logs for successful logons to
-
Critical Assets for Exfiltration:
- Healthcare: Patient PII/PHI databases (SQL Servers).
- Manufacturing: CAD drawings, formulas, and ERP systems (SAP/Oracle).
- Beverage: Supply chain logistics and fermentation recipes.
-
Containment Actions:
- Immediate: Disconnect Check Point and Cisco FMC management interfaces from the internet. Revoke all active ScreenConnect sessions.
- Isolate: Segment off OT/IoT networks from IT networks immediately (specifically for Brewing/Chemical victims).
- Credential Reset: Force reset of all local administrator passwords and privileged Domain Admin accounts.
Hardening Recommendations
Immediate (24 Hours)
- Patch CISA KEV: Immediately apply patches for CVE-2026-50751 (Check Point), CVE-2024-1708 (ScreenConnect), and CVE-2026-20131 (Cisco FMC).
- Block RMM: Block internet access to known ScreenConnect endpoints at the firewall, allowing only specific management subnets.
- MFA Enforcement: Enforce phishing-resistant MFA on all VPN gateways and remote management interfaces.
Short-term (2 Weeks)
- Network Segmentation: Implement strict Zero Trust segmentation between IT, OT, and Management planes.
- Audit Perimeter: Conduct an external penetration test focusing on VPN concentrators and Firewall Management Centers.
- Elastic Search: Deploy additional logging to perimeter devices to detect IKEv1 anomalies and path traversal attempts.
Related Resources
Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.