MuddyWater uses Russian MaaS in new ChainShell attacks


David Kimber
April 10, 2026, 4 min read

Key Takeaways

  • Iranian state-sponsored threat actor MuddyWater has adopted a Russian Malware-as-a-Service (MaaS) platform called CastleRAT and a new tool, ChainShell.
  • The campaign primarily targets Israeli entities across critical sectors, including government, defense, telecommunications, and energy.
  • ChainShell utilizes blockchain technology for its command-and-control (C2) infrastructure, making traditional detection and takedown methods less effective.
  • The shift indicates MuddyWater is acquiring advanced, commercially developed offensive capabilities rather than relying solely on custom tools.

MuddyWater Adopts Russian MaaS and Blockchain-Enabled ChainShell in New Attacks

The Iranian state-sponsored hacking group MuddyWater has significantly altered its operational tactics, now leveraging a Russian Malware-as-a-Service (MaaS) platform in a new campaign targeting Israeli organizations. This marks a notable strategic shift for the threat actor, moving away from its historical reliance on bespoke tools.

Table Of Content

  • Key Takeaways
  • MuddyWater Adopts Russian MaaS and Blockchain-Enabled ChainShell in New Attacks
  • MuddyWater’s Evolving Modus Operandi
  • Persistent Campaign Activity
  • ChainShell’s Infection Mechanism and Evasion Design
  • What You Should Do

This latest offensive centers around a previously undocumented tool dubbed ChainShell. The adoption of commercially available offensive capabilities from a criminal marketplace, rather than developing them in-house, raises new concerns for critical infrastructure sectors globally.

MuddyWater’s Evolving Modus Operandi

MuddyWater, also known by aliases such as Seedworm, Mango Sandstorm, TA450, and Static Kitten, operates under the direction of Iran’s Ministry of Intelligence and Security (MOIS). Active since at least 2017, the group has a documented history of targeting government entities, defense contractors, telecommunications providers, and energy companies across the Middle East, as well as in Western nations like the United States and the United Kingdom.

Previous campaigns by MuddyWater frequently employed PowerShell backdoors and legitimate remote monitoring tools for espionage. However, the current campaign highlights a strategic pivot towards acquiring sophisticated, ready-made offensive capabilities from illicit cybercriminal markets.

The platform underpinning these new capabilities is provided by TAG-150, a Russian-speaking cybercriminal group that operates a modular, multi-tenant service known as CastleRAT. Researchers at JumpSEC meticulously traced the connection to this Russian platform through a misconfigured command-and-control (C2) server, a collection of 15 malware samples, and a novel Windows executable payload.

On the exposed server, identified by the IP address 157.20.182.49, analysts discovered Farsi-language code comments alongside lists of Israeli IP ranges. These findings provide compelling evidence of Iranian operators actively targeting Israeli systems.

Persistent Campaign Activity

The campaign exhibits remarkable persistence, as evidenced by its timeline of activity. In early March 2026, researchers at Ctrl-Alt-Intel initially identified the exposed server. Rather than ceasing operations, MuddyWater intensified its efforts. New delivery installers were compiled on March 11th, updated JavaScript malware emerged on March 16th, and a fresh macro-based lure was observed contacting MuddyWater infrastructure on March 20th, confirming the group’s continued activity well beyond initial detection.

The broader implications of this strategic shift are significant. Organizations within the defense, aerospace, energy, and government sectors now face a formidable threat that combines state-level targeting with advanced, commercially developed offensive tools. By integrating CastleRAT and ChainShell, MuddyWater has acquired enhanced capabilities, including hidden VNC sessions for invisible machine control, Chrome cookie decryption, and a blockchain-based communication channel designed to resist traditional takedown attempts.

ChainShell’s Infection Mechanism and Evasion Design

The most technically distinctive element of this campaign is ChainShell, a Node.js-based agent engineered to resolve its command-and-control address directly from an Ethereum smart contract via 10 different RPC providers. Unlike conventional malware that relies on static domains or IP addresses, ChainShell’s C2 location is embedded on the blockchain, rendering sinkholing or IP blocking largely ineffective as countermeasures.

ChainShell infiltrates victim systems via reset.ps1, a PowerShell deployer discovered on the C2 server attributed to MuddyWater. This script installs Node.js, subsequently decrypts an embedded payload using AES, and then drops two critical files: sysuu2etiprun.js, the blockchain C2 agent, and VfZUSQi6oerKau.js, which functions as a dropper and installer component.

Once operational, the agent establishes communication with its C2 using AES-256-CBC encrypted WebSocket messages. It sends and receives JavaScript code, which it then executes locally through a new Function() call.

ChainShell’s “thin shell” design contributes significantly to its evasiveness. The agent itself contains no built-in stealer, keylogger, or shell functionalities. All active capabilities are delivered from the server at runtime, meaning static analysis of the initial file provides minimal insight into its actual capabilities. Furthermore, the agent incorporates a locale check at startup, immediately exiting if it detects operation on systems within CIS countries, such as Russia and Ukraine. Researchers interpret this as a genuine developer safeguard rather than a false flag.

What You Should Do

  • Organizations should actively monitor for scheduled tasks matching the naming pattern Virtual{Campaign}Guy{N}.
  • Inspect systems for unexpected Node.js installations, particularly under %LOCALAPPDATA%\Nodejs.
  • Apply blocks on all documented network Indicators of Compromise (IOCs) associated with this campaign.
  • Security teams should exercise caution regarding attribution; while CastleRAT or ChainShell artifacts may suggest Russian cybercrime, further analysis of campaign configurations and C2 infrastructure could instead point to Iranian state-level operators.
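The first two host checks in the list above, as an added Python triage example that is not code from the article or from the researchers it cites: it takes rows in the shape of `schtasks /query /fo csv /v` output (the `TaskName` and `Task To Run` column names and every sample row are assumptions constructed here) and flags the Virtual{Campaign}Guy{N} task-name pattern, the %LOCALAPPDATA%\Nodejs location, and the two ChainShell file names the article reports.

```python
import re

# Hunt pattern from the article: scheduled tasks named Virtual{Campaign}Guy{N}.
# schtasks reports the task path with a leading backslash, so match the leaf name.
TASK_NAME_RE = re.compile(r"^Virtual[A-Za-z0-9_-]+Guy\d+$")
# Per-user Node.js drop location named in the article: %LOCALAPPDATA%\Nodejs.
NODE_DIR_RE = re.compile(r"(\\AppData\\Local|%LOCALAPPDATA%)\\Nodejs\\", re.IGNORECASE)
# Agent and dropper file names reported for ChainShell.
KNOWN_FILES = ("sysuu2etiprun.js", "VfZUSQi6oerKau.js")

# Constructed sample rows in the shape of `schtasks /query /fo csv /v` output
# (column names are an assumption; only the two columns used here are shown).
SAMPLE_TASKS = [
    {"TaskName": r"\Microsoft\Windows\Defrag\ScheduledDefrag",
     "Task To Run": r"%windir%\system32\defrag.exe -c -h -o -$"},
    {"TaskName": r"\VirtualAlphaGuy3",
     "Task To Run": r"C:\Users\alice\AppData\Local\Nodejs\node.exe "
                    r"C:\Users\alice\AppData\Local\Nodejs\sysuu2etiprun.js"},
    {"TaskName": r"\Updater",
     "Task To Run": r"%LOCALAPPDATA%\Nodejs\node.exe %LOCALAPPDATA%\Nodejs\update.js"},
    {"TaskName": r"\OneDrive Standalone Update Task",
     "Task To Run": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe"},
]

def task_name_suspicious(task_name: str) -> bool:
    """True when the task's leaf name matches Virtual{Campaign}Guy{N}."""
    leaf = task_name.rsplit("\\", 1)[-1]
    return bool(TASK_NAME_RE.match(leaf))

def runs_localappdata_node(command: str) -> bool:
    """True when the task's command references %LOCALAPPDATA%\\Nodejs."""
    return bool(NODE_DIR_RE.search(command))

def triage_tasks(rows):
    """Return (task name, reasons) for every row that trips at least one check."""
    findings = []
    for row in rows:
        name, cmd = row["TaskName"], row["Task To Run"]
        reasons = []
        if task_name_suspicious(name):
            reasons.append("task name matches Virtual{Campaign}Guy{N}")
        if runs_localappdata_node(cmd):
            reasons.append("runs Node.js from %LOCALAPPDATA%\\Nodejs")
        if any(f.lower() in cmd.lower() for f in KNOWN_FILES):
            reasons.append("references a known ChainShell file name")
        if reasons:
            findings.append((name, reasons))
    return findings
```

Run `triage_tasks` over the CSV rows exported from each host; a hit on the directory check alone (as with the constructed `\Updater` row) still warrants a look at what the Node.js script does, since the thin-shell agent carries no telltale capabilities of its own.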
