Graymont Data Breach

Alleged

Ransomware claim involving Graymont.

Published: Jun 22, 2026 Chaos
Threat Level
High
Confidence: High

Quick Summary

Company
Graymont
Industry
Manufacturing
Threat Actor
Chaos
Date of Incident
Jun 22, 2026
Status
Alleged

Executive Summary

Graymont, a Canadian manufacturing company, has been listed as a victim on the dark web portal of the chaos ransomware group, with the listing published on June 22, 2026. This incident was identified by SOCRadar’s Dark Web Monitoring service. Graymont operates within the manufacturing sector, a common target for the chaos group, which has been actively targeting industrial firms, particularly in North America, during the second quarter of 2026. Over the 60 days leading up to this listing, chaos claimed eight other victims, showing a preference for the manufacturing, technology, and transportation/logistics sectors. Geographically, their victims are primarily located in the United States, Canada, and Germany. Notable similar listings by chaos include other manufacturing companies and North American organizations such as challenge-mfg.com, cstindustries.com, www.cswindustrials.com, and AireSpring.

Technical Analysis

SOCRadar’s analysis of stealer-log telemetry uncovered a potential initial access vector for Graymont. A sample related to the graymont.com domain contained five records, including one associated with a customer, supplier, or third-party user on an organizational system, and four corporate @graymont.com identities appearing on external third-party services. Crucially, one credential was linked to an internal ADFS identity and single sign-on (SSO) gateway, presenting a high-value target for potential corporate access. The logs, spanning from November 2025 to April 2026, suggest repeated or ongoing credential harvesting. Although these logs do not definitively confirm their use by the chaos group, the pattern aligns with typical initial access methods for

Is Your Organization Exposed on the Dark Web?

Enter your company domain to get a free dark web exposure report instantly.