JUMPSEC Uncovers Iranian State Actor Leveraging Russian Cybercrime Infrastructure in New “ChainShell” Campaign

1 June 2026

London, UK – April 2026 – JUMPSEC has published new threat intelligence exposing a direct operational link between Iranian state-sponsored threat actor MuddyWater and a Russian-developed malware-as-a-service (MaaS) platform, marking a significant evolution in nation-state cyber operations.

The research details how MuddyWater—an advanced persistent threat (APT) group operating under Iran’s Ministry of Intelligence and Security—has adopted TAG-150’s CastleRAT MaaS ecosystem alongside a newly identified malware framework dubbed “ChainShell.”

Key Findings

  • State–Cybercrime Convergence: JUMPSEC identified conclusive evidence linking MuddyWater infrastructure to the Russian-speaking TAG-150 criminal ecosystem, demonstrating how nation-state actors are increasingly leveraging commercial cybercrime tooling.
  • Discovery of “ChainShell” Malware: Researchers uncovered a previously undocumented Node.js-based implant, deployed via a PowerShell script (reset.ps1), enabling flexible command execution and stealthy remote operations.
  • Blockchain-Enabled Command and Control: ChainShell uses Ethereum-based smart contracts to dynamically resolve its command-and-control (C2) infrastructure, significantly increasing resilience against disruption.
  • Multiple Malware Artifacts Identified: Analysis of an exposed C2 server revealed 15 malware samples, including CastleRAT builds hidden in steganographic image files and additional JavaScript-based RAT variants.
  • Active and Ongoing Campaign: Despite public exposure, MuddyWater continued operations in March 2026, deploying updated malware and phishing lures days after initial detection.

Operational Impact

The findings highlight a growing trend in which state-sponsored actors combine targeted espionage with off-the-shelf cybercriminal tools, dramatically increasing both the speed and the sophistication of attacks.

By adopting CastleRAT and ChainShell, MuddyWater gains access to advanced capabilities including:

  • Hidden Virtual Network Computing (HVNC) for stealth system control
  • Credential theft and Chrome cookie decryption
  • Resilient, decentralised C2 communications

This evolution introduces a critical challenge for defenders: misattribution risk. The use of Russian-developed malware may lead incident responders to incorrectly classify activity as financially motivated cybercrime rather than state-backed espionage.

Targeting and Threat Landscape

Evidence recovered from the exposed infrastructure, including Farsi-language code comments and Israeli IP targeting lists, indicates a sustained focus on Israeli organisations, with broader implications for defence, energy, government, and telecommunications sectors globally.

MuddyWater—also tracked as Seedworm, Mango Sandstorm, TA450, and Static Kitten—has remained active since at least 2017, targeting entities across the Middle East, the United States, and Europe.

Expert Insight

JUMPSEC assesses that this campaign represents a “capability leap” for MuddyWater, enabling rapid adoption of advanced offensive tooling without the traditional resource burden of in-house development.

The convergence of adversarial ecosystems means organisations must move beyond siloed approaches to cyber risk:

Criminal indicators may now mask strategic, state-level activity, requiring security teams to reassess attribution, detection, and response models.

Recommendations for Organisations

JUMPSEC advises organisations—particularly those in high-risk sectors—to:

  • Reassess threat models to account for hybrid state–criminal operations
  • Enhance detection for PowerShell-based loaders and Node.js implants
  • Monitor for indicators linked to CastleRAT and ChainShell infrastructure
  • Strengthen attribution and incident response processes
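As an added illustration of the second recommendation (it is not code from JUMPSEC or from the published research), the following Python snippet runs simple detection logic over constructed process-creation events of the kind EDR or Sysmon telemetry produces. It flags the loader chain the findings describe, a PowerShell script launching a Node.js implant, using three rules: PowerShell as the direct parent of node.exe, node.exe executing a script from a user-writable directory, and the reset.ps1 script name named in the findings. The field names, directory list and sample events are assumptions made for the example.

```python
"""Constructed example: flag process-creation events that match a
PowerShell-script-to-Node.js loader chain. Event fields mirror common
EDR/Sysmon process-creation telemetry (assumed layout); the sample
events below are constructed for the example, not campaign data."""
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the created process image
    cmdline: str    # full command line of the created process


@dataclass
class Finding:
    rule: str
    pid: int
    detail: str


POWERSHELL = {"powershell.exe", "pwsh.exe"}
NODE = {"node.exe"}
# Directories where a scripting runtime started by a loader is suspicious
# (assumption for the example; tune to the environment).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")


def basename(image: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return PureWindowsPath(image).name.lower()


def detect(events: list[ProcEvent]) -> list[Finding]:
    """Apply the three rules to a batch of events and return all hits."""
    by_pid = {e.pid: e for e in events}
    findings: list[Finding] = []
    for e in events:
        name = basename(e.image)
        parent = by_pid.get(e.ppid)
        pname = basename(parent.image) if parent else ""
        lowered = e.cmdline.lower()

        # Rule 1: Node.js runtime spawned directly by PowerShell.
        if name in NODE and pname in POWERSHELL:
            findings.append(Finding("powershell_spawns_node", e.pid,
                                    f"{pname} -> {name}: {e.cmdline}"))
        # Rule 2: Node.js executing a script from a user-writable path.
        if name in NODE and any(d in lowered for d in USER_WRITABLE):
            findings.append(Finding("node_script_in_user_writable_path",
                                    e.pid, e.cmdline))
        # Rule 3: PowerShell invoking the loader script name from the findings.
        if name in POWERSHELL and "reset.ps1" in lowered:
            findings.append(Finding("known_loader_script_name", e.pid, e.cmdline))
    return findings


# Constructed sample: a benign developer build (cmd.exe -> node.exe) and a
# suspicious chain (explorer -> powershell.exe reset.ps1 -> node.exe).
SAMPLE_EVENTS = [
    ProcEvent(1, 0, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(100, 1, r"C:\Windows\System32\cmd.exe", "cmd.exe /c npm run build"),
    ProcEvent(101, 100, r"C:\Program Files\nodejs\node.exe",
              r"node.exe C:\dev\proj\build.js"),
    ProcEvent(200, 1, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -File C:\Users\alice\AppData\Local\Temp\reset.ps1"),
    ProcEvent(201, 200, r"C:\Program Files\nodejs\node.exe",
              r"node.exe C:\Users\alice\AppData\Roaming\sync\agent.js"),
]


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[{f.rule}] pid={f.pid} {f.detail}")
```

Rule 1 alone will fire on developers who start Node.js from a PowerShell terminal, and rule 3 is defeated by renaming the script, so in practice the hits are scored together (a node.exe process matching both rules 1 and 2 is far more interesting than either on its own) and cross-referenced with the infrastructure indicators from the published research.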

The full story can be found here:

www.jumpsec.com/guides/chainshell-muddywater-russian-criminal-infrastructure/

About JUMPSEC

JUMPSEC is a specialist cybersecurity consultancy delivering advanced threat intelligence, offensive security, and cyber risk management services to organisations operating in complex and high-risk environments.

For more information on JUMPSEC visit: Leading Cyber Security Services Company, UK | JUMPSEC

Cyber Security Team

JUMPSEC
