MuddyWater pays for Russian CastleRAT malware

Iranian state-sponsored group MuddyWater has been caught operating as a paying customer of a Russian malware-as-a-service (MaaS) platform, blending espionage objectives with commercially developed cybercrime tools in a newly documented campaign dubbed “ChainShell,” GBHackers News reports.

According to JUMPSEC researchers, the discovery hinges on a misconfigured command-and-control (C2) server that exposed both custom Iranian tooling and TAG-150’s CastleRAT builds, deployed against Israeli targets. The novel ChainShell payload, a JavaScript implant running under Node.js, retrieves its C2 address from an Ethereum smart contract at runtime (so the address is not recoverable from static strings alone) and communicates with that server over AES-encrypted WebSocket channels.

Attribution rests not on the malware alone but on a trail of SSL.com code-signing certificates issued to “Amy Cherne,” previously linked to MuddyWater’s StageComp tool, and on hardcoded JSON Web Token (JWT) campaign identifiers matching the group’s “Smokest” operation. “This places a traditionally state-directed actor as a paying customer inside a multi-tenant Russian MaaS ecosystem,” the analysis notes.

The convergence complicates triage significantly: a CastleRAT detection may be dismissed as financially motivated Russian crime when it is in fact a beachhead for Iranian intelligence collection against government and defense sectors. The practical check is to pivot from the detection to the surrounding artefacts (the signing certificate, any embedded tokens, and the mechanism used to resolve the C2 address) before assigning a motive to the intrusion.
