The Convergence of State-Sponsored Espionage and Criminal MaaS: Unmasking the MuddyWater and CastleRAT Connection
In a significant development for the cybersecurity landscape, recent forensic investigations have uncovered a direct operational bridge between the Iranian-linked espionage group MuddyWater and the Russian-origin TAG-150 CastleRAT malware-as-a-service (MaaS) platform. This discovery highlights a growing, sophisticated trend: the blurring lines between nation-state intelligence operations and the global cybercriminal ecosystem.
During the investigation, researchers recovered a cache of 15 malware samples. The collection included at least two distinct CastleRAT “builds” and a specialized PowerShell deployment script, reset.ps1, which serves as the primary loader for a previously undocumented JavaScript/Node.js agent known as ChainShell.
The sophistication of the delivery mechanism was evident on the command-and-control (C2) server, where two native Portable Executable (PE) payloads—identified as “Build 120” and “Build 13”—were cleverly concealed using steganography within standard JPEG files to evade traditional file-based detection.
According to detailed analysis by JUMPSEC, the link between these two disparate entities was exposed via a misconfigured C2 web server. This server inadvertently hosted a treasury of incriminating data, including Farsi-labeled tactical tooling, lists of Israeli IP ranges for targeting, and multiple TAG-150 payloads.

The technical overlap is undeniable: the samples shared hardcoded CastleRAT template identifiers, confirming they were generated from the same underlying MaaS codebase. Notably, the compilation timestamps for these tools coincide with the period immediately preceding the February 28 U.S.–Israel strikes on Iran, suggesting that the threat actors were pre-staging capabilities in anticipation of heightened regional kinetic activity.
ChainShell: Architecture and Blockchain-Resilient C2
ChainShell represents a shift toward highly modular, non-static malware. Rather than shipping with hardcoded theft modules (like keyloggers or credential stealers), the malware dynamically pulls JavaScript instructions from its C2 server using a new Function() construct. This allows attackers to execute arbitrary code on a victim machine in real-time, returning exfiltrated data through a custom-built routine.
On March 4, 2026, researchers at Ctrl-Alt-Intel identified an open directory listing on a server that showed high-confidence indicators of MuddyWater ownership.

The code on this server featured a blend of identities: Russian-language strings and a system-locale check designed to prevent execution on systems within the Commonwealth of Independent States (CIS). This “geo-fencing” aligns with the known operational practices of TAG-150, who avoid targeting the Russian-speaking region to minimize unnecessary friction with local law enforcement.
The deployment sequence follows a structured chain: reset.ps1 installs the Node.js environment, decrypts an embedded payload, and subsequently drops the ChainShell components along with other JavaScript-based Remote Access Trojans (RATs).
JUMPSEC concludes that MuddyWater is a customer, not a developer, of the CastleRAT platform. Evidence for this includes the presence of Russian developer artifacts in the core logic, contrasted against the server’s Farsi-language comments and specific targeting data (such as Outlook Web Access brute-force scripts) that align with the historical objectives of Iran’s Ministry of Intelligence and Security (MOIS).
Furthermore, the CastleRAT ecosystem is inherently multi-tenant. Other criminal groups, such as the LeakNet ransomware operators, utilize the same JavaScript/Deno codebase. This means that attribution for an intrusion cannot rely solely on the malware family; defenders must instead pivot to analyzing specific JWT credentials, C2 domains, and unique infrastructure configurations.
The “Smokest” Campaign: Connecting the Digital Dots
The most compelling evidence for this attribution is found in the overlapping code-signing certificates and campaign-specific identifiers.

Binaries in the delivery chain were signed using certificates issued to “Amy Cherne” and “Donald Gay” via SSL.com. These are the exact same certificates used to sign StageComp, a tool previously and conclusively attributed to MuddyWater by major cybersecurity vendors.
Deep-dive analysis of an MSI installer linked to the Symantec “DinDoor” family revealed communication with the serialmenot.com C2. This communication utilized a JWT containing a campaignId (75cbe18653d52372) and a campaignName of “Smokest”. These markers recur across at least six different JavaScript RAT variants and within CastleRAT Build 120 and Build 666 task names (formatted as VirtualSmokestGuy###).
ChainShell itself functions as a lightweight Node.js execution shell. In a move toward extreme resilience, it resolves its C2 endpoint via an Ethereum smart contract using multiple RPC providers, subsequently establishing communication via AES-256-CBC–encrypted WebSocket channels.

This chain—Amy Cherne → Smokest JWT → VirtualSmokestGuy—effectively bridges the gap between vendor-confirmed MuddyWater tooling and the native PE infrastructure of CastleRAT. It provides the “smoking gun” that links previously separate observations of CastleLoader and DinDoor to MOIS-tasked operators.
The infrastructure shows a relentless focus on Israeli IP ranges, Laravel-based web applications, and FortiOS appliances—consistent with MuddyWater’s long-term reconnaissance of government, defense, and telecom sectors.
Implications for Defenders: The convergence of Iranian strategic intent and Russian criminal tradecraft creates a significant challenge for incident response. Initial triage may misidentify these intrusions as “routine” cybercrime, potentially delaying the high-priority response required to mitigate a state-sponsored espionage campaign. Defenders must look beyond the malware family and scrutinize the underlying intent, targeting patterns, and infrastructure resilience.
Indicators of Compromise (IoCs)
| SHA256 Hash | Description |
|---|---|
49f17c061a72cadaf9e3f90cc380e994883a965b7a4ad8953d8e8089c65908e6 |
CastleRAT Build 120 PE (Not yet on VirusTotal) |
4aaf77c410f1f465d5e9063af60a07ad184e7a92ee87c973c2ea1542bfd66bff |
CastleRAT Build 13 PE (Not yet on VirusTotal) |
d91f7a2962c0e9de3cd4ea9c770092d86b1641e89f0a7be2307b6451f00e5271 |
trfr.jpg stego carrier (Build 13) |
94f05495eb1b2ebe592481e01d3900615040aa02bd1807b705a50e45d7c53444 |
NSIS installer (2026-03-11) — Symantec: Trojan.Fakeset / MS: Trojan:Python/MuddyWater.DB!MTB |
a8c380b57cb7c381ca6ba845bd7af7333f52ee4dc4e935e98b48bb81facad72b |
NSIS installer (2026-03-13) |
7ab597ff0b1a5e6916cad1662b49f58231867a1d4fa91a4edf7ecb73c3ec7fe6 |
reset.ps1 (ChainShell deployment script) |
c8589ca999526f247db4d3902ade8a85619f8f82338c6230d1b935f413ddcb3d |
VfZUSQi6oerKau.js (ChainShell dropper/installer) |
bedb882c6e2cf896e14ecf12c90aaa6638f780017d1b8687a40b4a81956e230f |
sysuu2etiprun.js (ChainShell blockchain C2 agent) |
3df9dcc45d2a3b1f639e40d47eceeafb229f6d9e7f0adcd8f1731af1563ffb90 |
HVNC WebView2 component — Symantec: Trojan.Darkcomp |
a92d28f1d32e3a9ab7c3691f8bfca8f7586bb0666adbba47eab3e1a8faf7ecc0 |
StageComp (named “DIDS”) — Symantec: Trojan.StageComp / MS: Trojan:Python/MuddyWater.DB!MTB |