The Iranian state-sponsored group MuddyWater has changed how it operates: its latest campaign runs on a Russian-developed Malware-as-a-Service (MaaS) platform rather than on the group's own tooling. The shift was observed in an operation built around a previously undocumented agent named ChainShell, and it marks a move away from custom malware toward commercially available offensive capabilities, with consequences for organizations well beyond Iran's usual regional targets.
MuddyWater, also tracked as Seedworm and Mango Sandstorm, is assessed to operate under Iran's Ministry of Intelligence and Security (MOIS). Active since at least 2017, the group has targeted government, defense, telecommunications and energy organizations across the Middle East and, increasingly, in Western countries. Its earlier operations relied on bespoke PowerShell backdoors and abuse of legitimate remote administration tools; the new campaign instead shows the group buying ready-made tooling from the criminal market.
The platform behind the campaign is reported to be CastleRAT, a modular, multi-tenant malware service run by TAG-150, a Russian-speaking cybercriminal group. Analysts at JumpSEC established the link through a misconfigured command-and-control (C2) server and analysis of 15 malware samples, among them a previously unseen Windows executable payload. Material recovered from the exposed server, including Farsi-language code comments and lists of Israeli IP address ranges, indicates that the Iranian operators were actively targeting Israeli systems.
The timeline shows a persistent campaign that kept going after it was noticed. Ctrl-Alt-Intel first detected the exposed server in early March 2026. MuddyWater nevertheless continued: new reconnaissance installers were compiled on March 11, updated JavaScript malware appeared on March 16, and a fresh macro-based lure communicating with MuddyWater infrastructure surfaced on March 20, confirming that the group remained active after its infrastructure had been found.
The pivot matters because defense, aerospace, energy and government organizations now face an actor that pairs state-level targeting with professionally developed criminal tooling. CastleRAT and ChainShell give MuddyWater capabilities it previously lacked: hidden VNC sessions that let an operator control a compromised machine without anything appearing on the user's screen, decryption of browser cookies, and a blockchain-based C2 channel that conventional domain and IP takedowns cannot disrupt.
ChainShell’s Infection Mechanism and Advanced Evasion Techniques
The central technical development is ChainShell, a Node.js-based agent that retrieves its command-and-control (C2) address from a smart contract on the Ethereum blockchain rather than from a hard-coded domain or IP address. The operators can point the agent at new infrastructure simply by updating the contract's stored value, and since the contract itself cannot be sinkholed or seized, blocking or taking down the current C2 host only forces a rotation. The agent reads the contract through any of 10 public RPC providers, so blocking a single provider is not enough either. The one observable this leaves defenders is the lookup itself: reading a contract is an ordinary HTTPS JSON-RPC `eth_call` request, and a Node.js process on a workstation talking to Ethereum RPC endpoints is worth an alert on its own.
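To make the resolution step concrete, here is an added example that models how an agent of this kind obtains its C2 from a contract and fails over across RPC providers. This is illustrative code written for this page, not ChainShell's own code: the provider URLs, the contract address and the function selector are placeholders, and the network call is stubbed so the example runs offline. What it does show is the real wire format (a JSON-RPC `eth_call` POST) and how a contract's `string` return value is ABI-decoded into a C2 URL.

```javascript
// Added example of contract-based C2 resolution with provider fallback.
// Not the ChainShell sample's code. All endpoints, addresses and the selector
// below are placeholders chosen for the example, not indicators of compromise.

const RPC_PROVIDERS = [
  "https://rpc-a.example/", // placeholder endpoints, not real providers
  "https://rpc-b.example/",
  "https://rpc-c.example/",
];
const CONTRACT = "0x" + "11".repeat(20); // placeholder contract address
const SELECTOR = "0x6d4ce63c";           // placeholder 4-byte function selector

// Decode the ABI encoding of a single `string` return value:
// 32-byte offset | 32-byte length | UTF-8 bytes right-padded to a 32-byte word.
function decodeAbiString(hex) {
  const data = Buffer.from(hex.replace(/^0x/, ""), "hex");
  if (data.length < 64) throw new Error("short ABI payload");
  const offset = Number(BigInt("0x" + data.subarray(0, 32).toString("hex")));
  const length = Number(BigInt("0x" + data.subarray(offset, offset + 32).toString("hex")));
  return data.subarray(offset + 32, offset + 32 + length).toString("utf8");
}

// Inverse of the above; used only to build the stubbed provider responses.
function encodeAbiString(s) {
  const bytes = Buffer.from(s, "utf8");
  const padded = Buffer.alloc(Math.ceil(bytes.length / 32) * 32);
  bytes.copy(padded);
  const word = (n) => n.toString(16).padStart(64, "0");
  return "0x" + word(32) + word(bytes.length) + padded.toString("hex");
}

// The JSON-RPC request body an agent POSTs to each provider. This is the
// artifact a proxy or egress filter would see.
function buildEthCall(contract, selector) {
  return {
    jsonrpc: "2.0",
    id: 1,
    method: "eth_call",
    params: [{ to: contract, data: selector }, "latest"],
  };
}

// Try providers in order; the first well-formed answer wins. `rpcFetch` is
// injected so that the example can be run against a stub instead of the network.
async function resolveC2(providers, rpcFetch) {
  const body = buildEthCall(CONTRACT, SELECTOR);
  const errors = [];
  for (const url of providers) {
    try {
      const resp = await rpcFetch(url, body);
      if (resp.error || typeof resp.result !== "string") throw new Error("bad rpc response");
      return { c2: decodeAbiString(resp.result), provider: url };
    } catch (e) {
      errors.push(`${url}: ${e.message}`);
    }
  }
  throw new Error("all providers failed: " + errors.join("; "));
}

// Constructed stand-in for a network fetch: the first provider is "down", the
// others answer with whatever C2 string the contract currently holds.
function makeStubFetch(currentC2) {
  return async (url, body) => {
    if (url.includes("rpc-a")) throw new Error("ECONNREFUSED");
    if (body.method !== "eth_call") return { error: { message: "unsupported" } };
    return { jsonrpc: "2.0", id: body.id, result: encodeAbiString(currentC2) };
  };
}

if (typeof require !== "undefined" && require.main === module) {
  resolveC2(RPC_PROVIDERS, makeStubFetch("wss://c2.example:8443/ws")).then(console.log);
}
```

Rotating the C2 is, from the operator's side, one contract write; from the agent's side nothing changes. For the defender the useful consequence is that the `eth_call` body carries the contract address in its `to` field, so a TLS-inspecting proxy can key a detection on that address even when the provider URLs vary.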
The infection chain starts with a PowerShell script named reset.ps1, recovered from the MuddyWater-attributed C2 server. The script installs a Node.js runtime, decrypts an embedded AES-encrypted payload, and writes two JavaScript files: sysuu2etiprun.js, the blockchain C2 agent, and VfZUSQi6oerKau.js, a dropper and installer component.
Once running, the agent talks to its C2 server over WebSocket, with messages encrypted using AES-256-CBC. The traffic carries JavaScript source in both directions: code received from the server is compiled and run inside the agent's process with a `new Function()` call, and results go back the same way. Because the delivered code never touches disk and exists only as a transient function object in the Node.js process, there is little for file-based controls to catch.
ChainShell follows a "thin shell" design: the agent itself contains almost no malicious functionality. Exfiltration routines, keyloggers, command shells and similar capabilities are not embedded in the initial payload but delivered from the C2 server at runtime, which means static analysis of the ChainShell file reveals little about what it can do in practice; the real capability set is only visible by observing or capturing what the server sends. The agent also terminates immediately if it finds itself on a system in a CIS country such as Russia or Ukraine. Researchers assess this check as a feature inherited from the Russian-speaking developer, the usual practice in that ecosystem, rather than a false flag planted by MuddyWater.
Organizations in the targeted sectors should hunt for scheduled tasks following the naming convention Virtual{Campaign}Guy{N}, look for unexpected Node.js installations under %LOCALAPPDATA%\Nodejs, and block the documented Indicators of Compromise (IOCs) for this activity at the network edge. When attributing intrusions involving CastleRAT or ChainShell, do not default to Russian cybercrime simply because the platform is Russian: the operators are the platform's customers, and campaign-specific configurations and C2 infrastructure may point, as here, to Iranian state-sponsored activity.
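As an added hunting example, not part of the original report, the script below applies the two host-based checks above to a scheduled-task export such as `schtasks /query /fo csv /v` produces. The CSV is constructed for the example and trimmed to a handful of the real columns; the task name and paths in it are placeholders shaped like the reported convention, not actual IOCs.

```javascript
// Added example: flag scheduled tasks by the Virtual{Campaign}Guy{N} naming
// convention and by actions launched from %LOCALAPPDATA%\Nodejs.
// Not code from the original report; the sample CSV below is constructed.

// Task names in schtasks output carry a leading backslash (folder path).
const TASK_NAME_RE = /^\\?Virtual[A-Za-z0-9]+Guy\d+$/i;
// Match both the unexpanded variable and the expanded per-user path.
const NODE_DIR_RE = /(%LOCALAPPDATA%|\\AppData\\Local)\\Nodejs\\/i;

// Minimal RFC 4180-style parser: quoted fields, "" escapes, no embedded newlines.
// Returns one object per row keyed by the header names.
function parseCsv(text) {
  const rows = [];
  for (const line of text.split(/\r?\n/)) {
    if (!line.trim()) continue;
    const fields = [];
    let cur = "", inQ = false;
    for (let i = 0; i < line.length; i++) {
      const ch = line[i];
      if (inQ) {
        if (ch === '"' && line[i + 1] === '"') { cur += '"'; i++; }
        else if (ch === '"') inQ = false;
        else cur += ch;
      } else if (ch === '"') inQ = true;
      else if (ch === ",") { fields.push(cur); cur = ""; }
      else cur += ch;
    }
    fields.push(cur);
    rows.push(fields);
  }
  const [header, ...body] = rows;
  return body.map((r) => Object.fromEntries(header.map((h, i) => [h, r[i] ?? ""])));
}

// Apply both checks to every task; a task can match for more than one reason.
function findSuspiciousTasks(csvText) {
  const hits = [];
  for (const t of parseCsv(csvText)) {
    const reasons = [];
    if (TASK_NAME_RE.test(t.TaskName)) reasons.push("name matches Virtual{Campaign}Guy{N}");
    if (NODE_DIR_RE.test(t["Task To Run"])) reasons.push("action runs from %LOCALAPPDATA%\\Nodejs");
    if (reasons.length) hits.push({ task: t.TaskName, action: t["Task To Run"], reasons });
  }
  return hits;
}

// Constructed sample export: one benign Microsoft task, one placeholder task
// in the reported style, one benign per-user updater that also lives under
// %LOCALAPPDATA% (to show the Nodejs check does not fire on every user-profile path).
const SAMPLE_CSV = [
  '"HostName","TaskName","Status","Author","Task To Run"',
  '"WS01","\\Microsoft\\Windows\\Defrag\\ScheduledDefrag","Ready","Microsoft Corporation","%windir%\\system32\\defrag.exe -c -h -o -$"',
  '"WS01","\\VirtualAlphaGuy2","Ready","WS01\\alice","C:\\Users\\alice\\AppData\\Local\\Nodejs\\node.exe C:\\Users\\alice\\AppData\\Local\\Nodejs\\agent.js"',
  '"WS01","\\OneDrive Standalone Update","Ready","WS01\\alice","%localappdata%\\Microsoft\\OneDrive\\OneDriveStandaloneUpdater.exe"',
].join("\n");

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(findSuspiciousTasks(SAMPLE_CSV), null, 2));
}
```

Running the checks over an export rather than live on each host lets the same logic be applied fleet-wide from collected inventories, and the `reasons` array keeps the two signals separate: a name match alone is worth a look, but a task whose action launches node.exe from a user-writable profile directory is the stronger indicator, convention or not.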