Quick Summary
Executive Summary
Graymont, a Canadian manufacturing company, has been listed as a victim on the dark web portal of the chaos ransomware group, with the listing published on June 22, 2026. This incident was identified by SOCRadar’s Dark Web Monitoring service. Graymont operates within the manufacturing sector, a common target for the chaos group, which has been actively targeting industrial firms, particularly in North America, during the second quarter of 2026. Over the 60 days leading up to this listing, chaos claimed eight other victims, showing a preference for the manufacturing, technology, and transportation/logistics sectors. Geographically, their victims are primarily located in the United States, Canada, and Germany. Notable similar listings by chaos include other manufacturing companies and North American organizations such as challenge-mfg.com, cstindustries.com, www.cswindustrials.com, and AireSpring.
Technical Analysis
SOCRadar’s analysis of stealer-log telemetry uncovered a potential initial access vector for Graymont. A sample related to the graymont.com domain contained five records, including one associated with a customer, supplier, or third-party user on an organizational system, and four corporate @graymont.com identities appearing on external third-party services. Crucially, one credential was linked to an internal ADFS identity and single sign-on (SSO) gateway, presenting a high-value target for potential corporate access. The logs, spanning from November 2025 to April 2026, suggest repeated or ongoing credential harvesting. Although these logs do not definitively confirm their use by the chaos group, the pattern aligns with typical initial access methods for