z pRQ waaR

The Convergence of State-Sponsored Espionage and Criminal MaaS: Unmasking the MuddyWater and CastleRAT Connection

In a significant development for the cybersecurity landscape, recent forensic investigations have uncovered a direct operational bridge between the Iranian-linked espionage group MuddyWater and the Russian-origin TAG-150 CastleRAT malware-as-a-service (MaaS) platform. This discovery highlights a growing, sophisticated trend: the blurring lines between nation-state intelligence operations and the global cybercriminal ecosystem.

During the investigation, researchers recovered a cache of 15 malware samples. The collection included at least two distinct CastleRAT “builds” and a specialized PowerShell deployment script, reset.ps1, which serves as the primary loader for a previously undocumented JavaScript/Node.js agent known as ChainShell.

The sophistication of the delivery mechanism was evident on the command-and-control (C2) server, where two native Portable Executable (PE) payloads—identified as “Build 120” and “Build 13”—were cleverly concealed using steganography within standard JPEG files to evade traditional file-based detection.

According to detailed analysis by JUMPSEC, the link between these two disparate entities was exposed via a misconfigured C2 web server. This server inadvertently hosted a treasury of incriminating data, including Farsi-labeled tactical tooling, lists of Israeli IP ranges for targeting, and multiple TAG-150 payloads.

ChainShell’s Operational Flow (Source : JUMPSEC).
ChainShell’s Operational Flow (Source : JUMPSEC).

The technical overlap is undeniable: the samples shared hardcoded CastleRAT template identifiers, confirming they were generated from the same underlying MaaS codebase. Notably, the compilation timestamps for these tools coincide with the period immediately preceding the February 28 U.S.–Israel strikes on Iran, suggesting that the threat actors were pre-staging capabilities in anticipation of heightened regional kinetic activity.

ChainShell: Architecture and Blockchain-Resilient C2

ChainShell represents a shift toward highly modular, non-static malware. Rather than shipping with hardcoded theft modules (like keyloggers or credential stealers), the malware dynamically pulls JavaScript instructions from its C2 server using a new Function() construct. This allows attackers to execute arbitrary code on a victim machine in real-time, returning exfiltrated data through a custom-built routine.

On March 4, 2026, researchers at Ctrl-Alt-Intel identified an open directory listing on a server that showed high-confidence indicators of MuddyWater ownership.

Outlook Web Access brute forcer that include Farsi code comments (Source : JUMPSEC).
Outlook Web Access brute forcer containing Farsi code comments (Source : JUMPSEC).

The code on this server featured a blend of identities: Russian-language strings and a system-locale check designed to prevent execution on systems within the Commonwealth of Independent States (CIS). This “geo-fencing” aligns with the known operational practices of TAG-150, who avoid targeting the Russian-speaking region to minimize unnecessary friction with local law enforcement.

The deployment sequence follows a structured chain: reset.ps1 installs the Node.js environment, decrypts an embedded payload, and subsequently drops the ChainShell components along with other JavaScript-based Remote Access Trojans (RATs).

JUMPSEC concludes that MuddyWater is a customer, not a developer, of the CastleRAT platform. Evidence for this includes the presence of Russian developer artifacts in the core logic, contrasted against the server’s Farsi-language comments and specific targeting data (such as Outlook Web Access brute-force scripts) that align with the historical objectives of Iran’s Ministry of Intelligence and Security (MOIS).

Furthermore, the CastleRAT ecosystem is inherently multi-tenant. Other criminal groups, such as the LeakNet ransomware operators, utilize the same JavaScript/Deno codebase. This means that attribution for an intrusion cannot rely solely on the malware family; defenders must instead pivot to analyzing specific JWT credentials, C2 domains, and unique infrastructure configurations.

The “Smokest” Campaign: Connecting the Digital Dots

The most compelling evidence for this attribution is found in the overlapping code-signing certificates and campaign-specific identifiers.

MuddyWater Operations Timeline — January to March 2026 (Source : JUMPSEC).
MuddyWater Operations Timeline — January to March 2026 (Source : JUMPSEC).

Binaries in the delivery chain were signed using certificates issued to “Amy Cherne” and “Donald Gay” via SSL.com. These are the exact same certificates used to sign StageComp, a tool previously and conclusively attributed to MuddyWater by major cybersecurity vendors.

Deep-dive analysis of an MSI installer linked to the Symantec “DinDoor” family revealed communication with the serialmenot.com C2. This communication utilized a JWT containing a campaignId (75cbe18653d52372) and a campaignName of “Smokest”. These markers recur across at least six different JavaScript RAT variants and within CastleRAT Build 120 and Build 666 task names (formatted as VirtualSmokestGuy###).

ChainShell itself functions as a lightweight Node.js execution shell. In a move toward extreme resilience, it resolves its C2 endpoint via an Ethereum smart contract using multiple RPC providers, subsequently establishing communication via AES-256-CBC–encrypted WebSocket channels.

Blockchain C2 variables and smart contract address (Source : JUMPSEC).
Blockchain C2 variables and smart contract address (Source : JUMPSEC).

This chain—Amy Cherne → Smokest JWT → VirtualSmokestGuy—effectively bridges the gap between vendor-confirmed MuddyWater tooling and the native PE infrastructure of CastleRAT. It provides the “smoking gun” that links previously separate observations of CastleLoader and DinDoor to MOIS-tasked operators.

The infrastructure shows a relentless focus on Israeli IP ranges, Laravel-based web applications, and FortiOS appliances—consistent with MuddyWater’s long-term reconnaissance of government, defense, and telecom sectors.

Implications for Defenders: The convergence of Iranian strategic intent and Russian criminal tradecraft creates a significant challenge for incident response. Initial triage may misidentify these intrusions as “routine” cybercrime, potentially delaying the high-priority response required to mitigate a state-sponsored espionage campaign. Defenders must look beyond the malware family and scrutinize the underlying intent, targeting patterns, and infrastructure resilience.

Indicators of Compromise (IoCs)

SHA256 Hash Description
49f17c061a72cadaf9e3f90cc380e994883a965b7a4ad8953d8e8089c65908e6 CastleRAT Build 120 PE (Not yet on VirusTotal)
4aaf77c410f1f465d5e9063af60a07ad184e7a92ee87c973c2ea1542bfd66bff CastleRAT Build 13 PE (Not yet on VirusTotal)
d91f7a2962c0e9de3cd4ea9c770092d86b1641e89f0a7be2307b6451f00e5271 trfr.jpg stego carrier (Build 13)
94f05495eb1b2ebe592481e01d3900615040aa02bd1807b705a50e45d7c53444 NSIS installer (2026-03-11) — Symantec: Trojan.Fakeset / MS: Trojan:Python/MuddyWater.DB!MTB
a8c380b57cb7c381ca6ba845bd7af7333f52ee4dc4e935e98b48bb81facad72b NSIS installer (2026-03-13)
7ab597ff0b1a5e6916cad1662b49f58231867a1d4fa91a4edf7ecb73c3ec7fe6 reset.ps1 (ChainShell deployment script)
c8589ca999526f247db4d3902ade8a85619f8f82338c6230d1b935f413ddcb3d VfZUSQi6oerKau.js (ChainShell dropper/installer)
bedb882c6e2cf896e14ecf12c90aaa6638f780017d1b8687a40b4a81956e230f sysuu2etiprun.js (ChainShell blockchain C2 agent)
3df9dcc45d2a3b1f639e40d47eceeafb229f6d9e7f0adcd8f1731af1563ffb90 HVNC WebView2 component — Symantec: Trojan.Darkcomp
a92d28f1d32e3a9ab7c3691f8bfca8f7586bb0666adbba47eab3e1a8faf7ecc0 StageComp (named “DIDS”) — Symantec: Trojan.StageComp / MS: Trojan:Python/MuddyWater.DB!MTB

Related Articles

Back to top button