MuddyWater uses Russian MaaS in new ChainShell attacks
Key Takeaways
- Iranian state-sponsored threat actor MuddyWater has adopted a Russian Malware-as-a-Service (MaaS) platform called CastleRAT and a new tool, ChainShell.
- The campaign primarily targets Israeli entities across critical sectors, including government, defense, telecommunications, and energy.
- ChainShell utilizes blockchain technology for its command-and-control (C2) infrastructure, making traditional detection and takedown methods less effective.
- The shift indicates MuddyWater is acquiring advanced, commercially developed offensive capabilities rather than relying solely on custom tools.
MuddyWater Adopts Russian MaaS and Blockchain-Enabled ChainShell in New Attacks
The Iranian state-sponsored hacking group MuddyWater has significantly altered its operational tactics, now leveraging a Russian Malware-as-a-Service (MaaS) platform in a new campaign targeting Israeli organizations. This marks a notable strategic shift for the threat actor, moving away from its historical reliance on bespoke tools.
This latest offensive centers around a previously undocumented tool dubbed ChainShell. The adoption of commercially available offensive capabilities from a criminal marketplace, rather than developing them in-house, raises new concerns for critical infrastructure sectors globally.
MuddyWater’s Evolving Modus Operandi
MuddyWater, also known by aliases such as Seedworm, Mango Sandstorm, TA450, and Static Kitten, operates under the direction of Iran’s Ministry of Intelligence and Security (MOIS). Active since at least 2017, the group has a documented history of targeting government entities, defense contractors, telecommunications providers, and energy companies across the Middle East, as well as in Western nations like the United States and the United Kingdom.
Previous campaigns by MuddyWater frequently employed PowerShell backdoors and legitimate remote monitoring tools for espionage. However, the current campaign highlights a strategic pivot towards acquiring sophisticated, ready-made offensive capabilities from illicit cybercriminal markets.
The platform underpinning these new capabilities is provided by TAG-150, a Russian-speaking cybercriminal group that operates a modular, multi-tenant service known as CastleRAT. Researchers at JumpSEC meticulously traced the connection to this Russian platform through a misconfigured command-and-control (C2) server, a collection of 15 malware samples, and a novel Windows executable payload.
On the exposed server, identified by the IP address 157.20.182.49, analysts discovered Farsi-language code comments alongside lists of Israeli IP ranges. These findings provide compelling evidence of Iranian operators actively targeting Israeli systems.
Persistent Campaign Activity
The campaign exhibits remarkable persistence, as evidenced by its timeline of activity. In early March 2026, researchers at Ctrl-Alt-Intel initially identified the exposed server. Rather than ceasing operations, MuddyWater intensified its efforts. New delivery installers were compiled on March 11th, updated JavaScript malware emerged on March 16th, and a fresh macro-based lure was observed contacting MuddyWater infrastructure on March 20th, confirming the group’s continued activity well beyond initial detection.
The broader implications of this strategic shift are significant. Organizations within the defense, aerospace, energy, and government sectors now face a formidable threat that combines state-level targeting with advanced, commercially developed offensive tools. By integrating CastleRAT and ChainShell, MuddyWater has acquired enhanced capabilities, including hidden VNC sessions for invisible machine control, Chrome cookie decryption, and a blockchain-based communication channel designed to resist traditional takedown attempts.
ChainShell’s Infection Mechanism and Evasion Design
The most technically distinctive element of this campaign is ChainShell, a Node.js-based agent engineered to resolve its command-and-control address directly from an Ethereum smart contract via 10 different RPC providers. Unlike conventional malware that relies on static domains or IP addresses, ChainShell’s C2 location is embedded on the blockchain, rendering sinkholing or IP blocking largely ineffective as countermeasures.
ChainShell infiltrates victim systems via reset.ps1, a PowerShell deployer discovered on the C2 server attributed to MuddyWater. This script installs Node.js, subsequently decrypts an embedded payload using AES, and then drops two critical files: sysuu2etiprun.js, the blockchain C2 agent, and VfZUSQi6oerKau.js, which functions as a dropper and installer component.
Once operational, the agent establishes communication with its C2 using AES-256-CBC encrypted WebSocket messages. It sends and receives JavaScript code, which it then executes locally through a new Function() call.
ChainShell’s “thin shell” design contributes significantly to its evasiveness. The agent itself contains no built-in stealer, keylogger, or shell functionalities. All active capabilities are delivered from the server at runtime, meaning static analysis of the initial file provides minimal insight into its actual capabilities. Furthermore, the agent incorporates a locale check at startup, immediately exiting if it detects operation on systems within CIS countries, such as Russia and Ukraine. Researchers interpret this as a genuine developer safeguard rather than a false flag.
What You Should Do
- Organizations should actively monitor for scheduled tasks matching the naming pattern Virtual{Campaign}Guy{N}.
- Inspect systems for unexpected Node.js installations, particularly under %LOCALAPPDATA%\Nodejs.
- Apply blocks on all documented network Indicators of Compromise (IOCs) associated with this campaign.
- Security teams should exercise caution regarding attribution; while CastleRAT or ChainShell artifacts may suggest Russian cybercrime, further analysis of campaign configurations and C2 infrastructure could instead point to Iranian state-level operators.
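A detection script for the scheduled-task and Node.js-location checks above, written here as an added example (it is not code from the report, JumpSEC or Ctrl-Alt-Intel): it scans a schtasks-style CSV export and Sysmon-style process-creation records for the Virtual{Campaign}Guy{N} task name pattern, the user-local Nodejs directory, and the two ChainShell script names given earlier. The sample data is constructed, and the CSV column names assume a simplified schtasks /query /fo csv /v layout.

```python
import csv
import io
import json
import re

# Patterns derived from the report: task names Virtual{Campaign}Guy{N} and
# Node.js dropped under %LOCALAPPDATA%\Nodejs (task names may carry a leading '\').
TASK_NAME_RE = re.compile(r"^\\?Virtual\w+Guy\d+$")
NODEJS_PATH_RE = re.compile(r"\\AppData\\Local\\Nodejs\\", re.IGNORECASE)
# Agent and dropper file names named in the report (compared case-insensitively).
KNOWN_JS = {"sysuu2etiprun.js", "vfzusqi6oerkau.js"}


def find_suspicious_tasks(schtasks_csv: str) -> list:
    """Flag tasks whose name matches the campaign pattern or whose action runs
    Node.js from the user-local Nodejs directory. Expects 'TaskName' and
    'Task To Run' columns (assumed schtasks /fo csv /v layout)."""
    hits = []
    for row in csv.DictReader(io.StringIO(schtasks_csv)):
        name, action = row.get("TaskName", ""), row.get("Task To Run", "")
        reasons = []
        if TASK_NAME_RE.match(name):
            reasons.append("task name matches Virtual{Campaign}Guy{N}")
        if NODEJS_PATH_RE.search(action):
            reasons.append("action runs Node.js from %LOCALAPPDATA%\\Nodejs")
        if reasons:
            hits.append({"task": name, "action": action, "reasons": reasons})
    return hits


def find_suspicious_processes(events_jsonl: str) -> list:
    """Flag process-creation events (one JSON object per line with 'Image' and
    'CommandLine') tied to the user-local Node.js install or ChainShell scripts."""
    hits = []
    for line in filter(str.strip, events_jsonl.splitlines()):
        ev = json.loads(line)
        image, cmd = ev.get("Image", ""), ev.get("CommandLine", "")
        reasons = []
        if NODEJS_PATH_RE.search(image):
            reasons.append("node.exe under %LOCALAPPDATA%\\Nodejs")
        if any(js in cmd.lower() for js in KNOWN_JS):
            reasons.append("known ChainShell script name on command line")
        if reasons:
            hits.append({"image": image, "cmd": cmd, "reasons": reasons})
    return hits


# Constructed sample input: one campaign-style task beside a benign Windows task,
# and one user-local node.exe launch beside a normal system-wide Node.js process.
SAMPLE_TASKS = (
    '"HostName","TaskName","Task To Run"\n'
    '"WS01","\\VirtualAlphaGuy3","C:\\Users\\alice\\AppData\\Local\\Nodejs\\node.exe sysuu2etiprun.js"\n'
    '"WS01","\\Microsoft\\Windows\\Defrag\\ScheduledDefrag","%windir%\\system32\\defrag.exe -c -h"\n'
)
SAMPLE_EVENTS = "\n".join([
    json.dumps({"Image": r"C:\Users\alice\AppData\Local\Nodejs\node.exe",
                "CommandLine": r'node.exe "C:\Users\alice\AppData\Local\Nodejs\VfZUSQi6oerKau.js"'}),
    json.dumps({"Image": r"C:\Program Files\nodejs\node.exe",
                "CommandLine": r"node.exe C:\dev\app\server.js"}),
])

if __name__ == "__main__":
    for hit in find_suspicious_tasks(SAMPLE_TASKS) + find_suspicious_processes(SAMPLE_EVENTS):
        print(hit)
```

On a live host, feed the output of `schtasks /query /fo csv /v` and your Sysmon Event ID 1 export into the two functions instead of the constructed samples.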