MuddyWater Turns to Russian Malware-as-a-Service in New ChainShell Campaign

Iranian state-backed hacking group MuddyWater has made a decisive operational shift, adopting a Russian-built Malware-as-a-Service platform to power a new campaign against Israeli targets.

The operation, built around a previously unknown tool called ChainShell, marks a clear departure from the group’s earlier reliance on custom-developed tools, and raises fresh concerns for organisations in critical sectors worldwide.

MuddyWater — also known as Seedworm, Mango Sandstorm, TA450, and Static Kitten — operates under Iran’s Ministry of Intelligence and Security (MOIS).

Active since at least 2017, the group has targeted government agencies, defence organizations, telecommunications firms, and energy companies across the Middle East and parts of the West, including the United States and United Kingdom.

Where earlier campaigns leaned on PowerShell backdoors and legitimate remote monitoring tools to carry out espionage, this campaign shows MuddyWater now purchasing ready-made offensive capabilities from a criminal marketplace.

The platform behind these capabilities belongs to TAG-150, a Russian-speaking cybercriminal group running a modular, multi-tenant service called CastleRAT.

Analysts at JumpSEC traced the link to this Russian platform through a misconfigured C2 server, 15 malware samples, and a novel Windows executable payload.

On the exposed server at IP address 157.20.182.49, researchers found Farsi-language code comments alongside Israeli IP range lists — clear evidence of Iranian operators targeting Israeli systems.

The timeline of activity reveals just how persistent this campaign has been. In early March 2026, researchers at Ctrl-Alt-Intel first identified the exposed server.

Rather than pulling back, MuddyWater pushed forward — new delivery installers were compiled on March 11th, updated JavaScript malware appeared on March 16th, and a fresh macro-based lure was spotted contacting MuddyWater infrastructure on March 20th, confirming the group remained active well past the point of detection.

The broader impact of this shift is serious. Organisations in the defence, aerospace, energy, and government sectors now face a threat that combines state-level targeting with commercially developed offensive tools.

By adopting CastleRAT and ChainShell, MuddyWater has gained capabilities it previously lacked — including hidden VNC sessions that let attackers control a machine invisibly, Chrome cookie decryption, and a blockchain-resistant communication channel that resists traditional takedown efforts.

ChainShell’s Infection Mechanism and Evasion Design

The most technically distinct element of this campaign is ChainShell, a Node.js-based agent that resolves its command-and-control address directly from an Ethereum smart contract via 10 RPC providers.

Blockchain C2 Variables and Smart Contract Address (Source - JumpSEC) — Blockchain C2 Variables and Smart Contract Address (Source – JumpSEC)

Unlike conventional malware that relies on fixed domains or IP addresses, ChainShell’s C2 location lives on the blockchain, making sinkholing or IP blocking largely ineffective against it.

ChainShell arrives on a victim’s machine through reset.ps1, a PowerShell deployer found on the MuddyWater-attributed C2 server.

The script installs Node.js, AES-decrypts an embedded payload, and drops two files: sysuu2etiprun.js, the blockchain C2 agent, and VfZUSQi6oerKau.js, a dropper and installer component

ChainShell's Operational Flow (Source - JumpSEC) — ChainShell’s Operational Flow (Source – JumpSEC)

Once running, the agent communicates with the C2 through AES-256-CBC encrypted WebSocket messages, sending and receiving JavaScript that it executes locally through a new Function() call.

AES WebSocket Encryption (Source - JumpSEC) — AES WebSocket Encryption (Source – JumpSEC)

What makes ChainShell hard to detect is its thin shell design — the agent carries no built-in stealer, keylogger, or shell. All active capabilities are delivered from the server at runtime, so static analysis of the file reveals little about what it can actually do.

The agent also performs a locale check on startup and exits immediately on CIS country systems such as Russia and Ukraine, a developer safeguard researchers assess as genuine rather than a false flag.

Organisations exposed to this campaign should monitor for scheduled tasks matching the naming pattern Virtual{Campaign}Guy{N}, check for unexpected Node.js installations under %LOCALAPPDATA%Nodejs, and apply blocks on all documented network IOCs.

Security teams should also avoid defaulting to Russian cybercrime attribution when CastleRAT or ChainShell artefacts surface — further analysis of campaign configurations and C2 infrastructure may instead point to Iranian state-level operators.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

Original article can be found here

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.