ChainShell's Operational Flow | Image: JUMPSEC
A significant shift in the digital arms race has been uncovered, as researchers reveal a new alliance between state-sponsored espionage and the cybercriminal underground. A new report from JUMPSEC has documented a “direct operational link between the exposed infrastructure of Iranian threat actor Muddy Water and TAG-150 CastleRAT malware”, a modular malware-as-a-service (MaaS) platform developed by Russian-speaking cybercriminals.
This collaboration signals a “capability upgrade” for Muddy Water, moving away from simple scripts toward professional-grade, invisible intrusion tools.
The breakthrough came through the analysis of a misconfigured Command and Control (C2) web server. Within this server, researchers found Farsi code comments alongside Israeli IP range lists, confirming the actor’s origin and their primary targets.
The key artifact discovered was a script named reset.ps1. This script serves as the deployer for a novel, JavaScript-based malware dubbed “ChainShell”. According to JUMPSEC, ChainShell’s operational flow involves the C2 server sending raw JavaScript code that the agent then executes using a new Function() call, allowing the attacker to run virtually anything on the victim’s machine.
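The operational flow described above (remote text handed to `new Function()`) is also what a defender can look for when triaging script artifacts. The following is an added example written for this article, not code from JUMPSEC or from the malware: a small file-level scanner that flags JavaScript bodies combining a dynamic code-execution sink with a network source. The Ethereum indicator is an assumption: the report only says ChainShell resolves its C2 from a smart contract, and reading contract state from a script means issuing a JSON-RPC call such as `eth_call`, so that method name is treated here as a C2-resolution hint. Both sample scripts are constructed for the demonstration.

```python
import re

# Dynamic code-execution sinks: calls that turn a string into running code.
# The report says ChainShell's agent passes raw JavaScript received from its
# C2 straight into new Function(); eval() and string-argument timers are the
# same class of sink.
SINK_PATTERNS = {
    "new Function()": re.compile(r"\bnew\s+Function\s*\("),
    "eval()": re.compile(r"\beval\s*\("),
    "setTimeout/setInterval(string)": re.compile(r"\bset(?:Timeout|Interval)\s*\(\s*['\"`]"),
}

# Ways a script can obtain text from the network (browser and Windows Script
# Host variants).
SOURCE_PATTERNS = {
    "fetch()": re.compile(r"\bfetch\s*\("),
    "XMLHttpRequest": re.compile(r"\bXMLHttpRequest\b"),
    "WinHttpRequest (ActiveX)": re.compile(r"WinHttp\.WinHttpRequest"),
    "MSXML2.XMLHTTP (ActiveX)": re.compile(r"MSXML2\.(?:Server)?XMLHTTP"),
}

# Assumption (not from the report): resolving a C2 address from an Ethereum
# smart contract means issuing a JSON-RPC read such as eth_call, so that
# method name is treated as a C2-resolution indicator.
RESOLVER_PATTERNS = {
    "Ethereum JSON-RPC read": re.compile(r"\beth_(?:call|getStorageAt)\b"),
}


def scan_script(text):
    """Classify one script body by the sinks, sources and resolvers it contains.

    The heuristic is file-level co-occurrence, not data-flow tracking, so it is
    a triage aid: 'suspicious' means the file deserves a human look, not proof.
    """
    sinks = [name for name, pat in SINK_PATTERNS.items() if pat.search(text)]
    sources = [name for name, pat in SOURCE_PATTERNS.items() if pat.search(text)]
    resolvers = [name for name, pat in RESOLVER_PATTERNS.items() if pat.search(text)]
    if sinks and (sources or resolvers):
        verdict = "suspicious"
    elif sinks:
        verdict = "review"
    else:
        verdict = "clean"
    return {"sinks": sinks, "sources": sources, "resolvers": resolvers, "verdict": verdict}


# Constructed samples for the demonstration; neither is taken from the report.
BENIGN_JS = """
function total(items) { return items.reduce((a, b) => a + b, 0); }
console.log(total([1, 2, 3]));
"""

# Mirrors only what the article states: remote text handed to new Function().
LOADER_LIKE_JS = """
var req = new ActiveXObject("WinHttp.WinHttpRequest.5.1");
// ... request to a C2 address (omitted) ...
new Function(req.responseText)();
"""

if __name__ == "__main__":
    for label, body in (("benign", BENIGN_JS), ("loader-like", LOADER_LIKE_JS)):
        print(label, scan_script(body))
```

Run over a directory of recovered `.js`/`.jse` files, a "suspicious" verdict is the cue to pull the file into a sandbox; a "review" verdict catches obfuscators and legitimate template engines that also use `new Function()`, which is why the scanner reports the matched names rather than a bare score.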
Historically, Muddy Water’s toolkit was limited to PowerShell backdoors and basic HTTP beacons. While effective, these tools lacked the sophistication required for deep, persistent access. The adoption of CastleRAT and ChainShell changes the game entirely.
One of the most dangerous features of this new arsenal is Hidden Virtual Network Computing (HVNC). JUMPSEC notes that “HVNC (Hidden desktop, invisible browser hijacking)… allows the operator to silently access organisation infrastructure, view webmail, cloud infrastructure, and more, all while masquerading as the victim’s own session cookies, bypassing MFA”.
In the past, Muddy Water would need to steal credentials and access accounts from their own infrastructure, which is easily flagged. Now, they can operate from within the victim’s own browser session, leaving no footprint of a “new login”.
The report highlights that these new tools can bypass Google’s latest security measures, such as Chrome v127+ app-bound decryption. This is a task their previous PowerShell tools were “incapable of”.
While standard C2 domains can be sinkholed or taken down by law enforcement, “ChainShell resolves its C2 from an Ethereum smart contract, which is highly resistant to disruption”.
The timing of these deployments is not coincidental. Researchers found two native payloads (“Build 120” and “Build 13”) hidden inside steganographic JPEG images. These were compiled just before the US and Israel attacked Iran on February 28th, a move JUMPSEC describes as “consistent with pre-staged capability ahead of anticipated escalation”.
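Payloads carried inside image files are a recurring concealment method, and one check a defender can automate is whether a JPEG carries bytes after its structural end. The following is an added example written for this article, not code from JUMPSEC: it walks the JPEG segment structure to find the real End-of-Image marker and returns anything that follows it. This is an assumption about technique, not a description of the report's samples: the article says only that the builds were hidden in "steganographic JPEG images", and data embedded in pixel values (LSB-style) would not be caught by this check. The sample JPEG is constructed to be structurally valid for the parser, not a decodable picture.

```python
import struct


def jpeg_payload_end(data):
    """Walk JPEG segments and return the offset just past the EOI marker.

    Raises ValueError when the bytes are not a well-formed JPEG. Walking the
    structure (instead of searching for the last 0xFFD9) means appended data
    that itself contains 0xFFD9 cannot hide the true end of the image.
    """
    if data[:2] != b"\xFF\xD8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        while pos < len(data) and data[pos] == 0xFF:  # skip 0xFF fill bytes
            pos += 1
        if pos >= len(data):
            raise ValueError("truncated marker")
        marker = data[pos]
        pos += 1
        if marker == 0xD9:  # EOI: the image proper ends here
            return pos
        if marker == 0xD8 or marker == 0x01 or 0xD0 <= marker <= 0xD7:
            continue  # standalone markers carry no length field
        if pos + 2 > len(data):
            raise ValueError("truncated segment length")
        seg_len = struct.unpack(">H", data[pos:pos + 2])[0]
        pos += seg_len
        if marker == 0xDA:  # SOS: entropy-coded data follows until a real marker
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not (0xD0 <= nxt <= 0xD7):
                    break  # not a stuffed 0xFF00 and not a restart marker
                pos += 1
    raise ValueError("no EOI marker found")


def trailing_data(data):
    """Return the bytes appended after the image, b'' when there are none."""
    return data[jpeg_payload_end(data):]


def has_trailing_data(data):
    return len(trailing_data(data)) > 0


# Constructed sample: SOI, a JFIF APP0 segment, a one-component SOS header,
# a few entropy-coded bytes (with one 0xFF00 stuffing), then EOI.
SOI = b"\xFF\xD8"
APP0 = b"\xFF\xE0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
SOS = b"\xFF\xDA\x00\x08\x01\x01\x00\x00\x3F\x00"
SCAN = b"\x12\x34\xFF\x00\x56"
EOI = b"\xFF\xD9"
CLEAN_JPEG = SOI + APP0 + SOS + SCAN + EOI

# Constructed trailing blob; it deliberately contains a fake 0xFFD9 so a naive
# "find the last EOI" search would misjudge where the image ends.
APPENDED = b"MZ\x90\x00\xFF\xD9" + b"<constructed payload bytes, not a real binary>"
STEGO_JPEG = CLEAN_JPEG + APPENDED

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN_JPEG), ("with trailer", STEGO_JPEG)):
        extra = trailing_data(blob)
        print(f"{label}: image ends at {jpeg_payload_end(blob)}, {len(extra)} trailing bytes")
```

Pointed at an image directory served by a suspect web server, a non-empty result is worth a second look even when the trailer is not obviously executable; packed or encrypted payloads look like noise, so the presence of the trailer, not its content, is the signal.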
The Iranian state has effectively “outsourced” its technical innovation. As the report concludes, “they went from remote manual hacking to automated credential theft and invisible browser control… and they bought it off-the-shelf instead of building it themselves”.