Unmasking the New Chaos RaaS Group Attacks

    Date: 07/25/2025

    Severity: High

    Summary

    A new Chaos ransomware group is carrying out double-extortion attacks using spam, social engineering, and remote tools. Its ransomware is fast, stealthy, and hits both local and network systems. Although it shares a name with older Chaos variants, this group is likely unrelated to them and may include former BlackSuit (Royal) members.

    Indicators of Compromise (IOC) List


    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    domainname like "http://185.215.113.16/test/amnew.exe" or siteurl like "http://185.215.113.16/test/amnew.exe" or url like "http://185.215.113.16/test/amnew.exe" or domainname like "http://pivqmane.com/doc/fb.mp4" or siteurl like "http://pivqmane.com/doc/fb.mp4" or url like "http://pivqmane.com/doc/fb.mp4" or domainname like "pivqmane.com" or siteurl like "pivqmane.com" or url like "pivqmane.com" or domainname like "http://185.215.113.43/Zu7JuNko/index.php" or siteurl like "http://185.215.113.43/Zu7JuNko/index.php" or url like "http://185.215.113.43/Zu7JuNko/index.php" or domainname like "http://pivqmane.com/testonload.mp4" or siteurl like "http://pivqmane.com/testonload.mp4" or url like "http://pivqmane.com/testonload.mp4"

    Detection Query 2:

    dstipaddress IN ("45.61.134.36","185.156.73.73","185.215.113.75","144.172.103.42","107.170.35.225","185.215.113.43","185.215.113.209","185.215.113.16") or srcipaddress IN ("45.61.134.36","185.156.73.73","185.215.113.75","144.172.103.42","107.170.35.225","185.215.113.43","185.215.113.209","185.215.113.16")

    Detection Query 3:

    md5hash IN ("22892b8303fa56f4b584a04c09d508d8","dd3fa6ae969ccdf3d221bd95ffef5a7b")

    Detection Query 4:

    hash IN ("e1d65daaf338663006014f7d86eea5aebf142134","8975046c5cdbab0e36aa9ccad61b05a898810079")

    Detection Query 5:

    sha256hash IN ("7c4b465159e1c7dbbe67f0eeb3f58de1caba293999a49843a0818480f05be14e","35c1eb5ff8913c4ca4feb712e05354772146247bdb4b337868c687730f201023","11cfea4100ba3731d859148d2011c7225d337db22797f7e111c0f2876e986490","21cf7da02e01b3c2317178395eff873e50ab9b8f27a23ffed37b2efff8fd6b90","1d846592ffcc19ed03a34316520aa31369218a88afa4e17ac547686d0348aa5b","0334cd1b8ab17203179da1ae77c1fad97ddf794cc63a6048aca664956d10b2ca","718be762e8bd513283cd5e21634dc65bd160e47121716fd058daf5f3be42728a","87618787e1032bbf6a6ca8b3388ea3803be20a49e4afaba1df38a6116085062f","9bcfc98998b9e42b86204e66605b65462eeb8cfd8a0661b3ceebc99d4277e83c")
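    As an added example (not Gurucul's or Talos's code), the following Python reproduces the logic of the five detection queries over JSON event lines so the matching can be checked outside the TDIR platform; it generalises query 1 slightly by also flagging any path on a listed domain or payload host, and it checks each hash only against the field whose digest length fits, so an MD5 placed in the SHA1 field does not match. The hash set is abbreviated to a few of the advisory's values and the sample events are constructed.

```python
import json
from urllib.parse import urlsplit
# Indicators copied from this advisory (hash set abbreviated; the full list is in
# detection queries 3-5). All comparisons are made case-insensitively.
URL_IOCS = {u.lower() for u in (
    "http://185.215.113.16/test/amnew.exe", "http://185.215.113.43/Zu7JuNko/index.php",
    "http://pivqmane.com/doc/fb.mp4", "http://pivqmane.com/testonload.mp4")}
DOMAIN_IOCS = {"pivqmane.com"}
IP_IOCS = {"45.61.134.36", "185.156.73.73", "144.172.103.42", "107.170.35.225",
           "185.215.113.16", "185.215.113.209", "185.215.113.43", "185.215.113.75"}
HASH_IOCS = {"22892b8303fa56f4b584a04c09d508d8", "dd3fa6ae969ccdf3d221bd95ffef5a7b",  # MD5
             "8975046c5cdbab0e36aa9ccad61b05a898810079",                            # SHA1
             "0334cd1b8ab17203179da1ae77c1fad97ddf794cc63a6048aca664956d10b2ca"}   # SHA256
HASH_FIELDS = {32: ("md5hash", 3), 40: ("hash", 4), 64: ("sha256hash", 5)}  # len: (field, query)

def match_event(event):
    """Return the sorted advisory query numbers (1-5) that one event would trigger."""
    hits = set()
    for field in ("url", "siteurl", "domainname"):                      # query 1
        value = (event.get(field) or "").strip().lower()
        host = urlsplit(value).hostname if "://" in value else value
        if value.rstrip("/") in URL_IOCS or host in DOMAIN_IOCS | IP_IOCS:
            hits.add(1)                      # exact IOC URL, or any path on a listed host
    for field in ("srcipaddress", "dstipaddress"):                      # query 2
        if (event.get(field) or "").strip() in IP_IOCS:
            hits.add(2)
    for length, (field, query) in HASH_FIELDS.items():                  # queries 3-5
        digest = (event.get(field) or "").strip().lower()
        if len(digest) == length and digest in HASH_IOCS:  # digest must fit its field
            hits.add(query)
    return sorted(hits)

def scan(lines):
    """Map 1-based line numbers of JSON event lines to the queries they trigger."""
    results = {}
    for number, line in enumerate(lines, 1):
        try:
            hits = match_event(json.loads(line))
        except json.JSONDecodeError:
            continue                     # skip malformed lines rather than abort the sweep
        if hits:
            results[number] = hits
    return results

SAMPLE_EVENTS = [  # constructed sample events, not taken from the advisory
    '{"url": "http://pivqmane.com/testonload.mp4", "dstipaddress": "185.215.113.16"}',
    '{"url": "https://example.org/", "dstipaddress": "10.0.0.5"}', 'not json',
    '{"sha256hash": "0334CD1B8AB17203179DA1AE77C1FAD97DDF794CC63A6048ACA664956D10B2CA"}',
    '{"hash": "dd3fa6ae969ccdf3d221bd95ffef5a7b"}',  # an MD5 in the SHA1 field: no match
]
```

Running scan(SAMPLE_EVENTS) reports only lines 1 and 4, the unparsable line and the mismatched-length hash being ignored.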

    Reference:

    https://blog.talosintelligence.com/new-chaos-ransomware/

    Tags: Malware, Threat Actor, Ransomware, Chaos, Social Engineering, Blacksuit
