Chaos has posted 14 victim claims in the past 30 days, a sharp acceleration from a tracker presence that only began in mid-May 2026, with manufacturing and business services each absorbing four hits and the United States accounting for eight of the named organizations. Recent claims include a German business-services firm, a Canadian mining-materials manufacturer (Graymont), and a U.S. roofing supplier, pointing to opportunistic sector spread rather than narrow vertical targeting. The group is described as a ransomware-as-a-service operation recruiting affiliates via the RAMP dark web forum, with claimed lineage from former BlackSuit/Royal operators and cross-platform payloads covering Windows, Linux, ESXi, and NAS environments; none of those self-descriptions have been independently verified. Operationally, RaaS groups of this profile typically harvest credentials through phishing or exposed remote-access services before moving laterally and disabling endpoint defenses ahead of encryption, and the ESXi/NAS capability specifically suggests an intent to maximize damage per intrusion by hitting virtualized infrastructure. The duplicate victim entries visible in recent claims may reflect staging artifacts or a leak-site publishing pattern rather than double targeting.