Researchers reveal a new alliance between Iranian threat actor Muddy Water and Russian-speaking cybercriminals operating the CastleRAT (TAG-150) MaaS, marking a capability upgrade from simple scripts to professional-grade intrusion tools. The group now deploys a JavaScript-based ChainShell via a reset.ps1 loader, uses HVNC for invisible browser session hijacking, and resolves C2 through an Ethereum smart contract, showing pre-staged deployments ahead of regional escalation. #MuddyWater #ChainShell
Key points
- Researchers documented a direct operational link between Muddy Water and the CastleRAT (TAG-150) MaaS platform.
- A misconfigured C2 server containing Farsi comments and Israeli IP lists confirmed actor origin and primary targets.
- The reset.ps1 script deploys ChainShell, which executes raw JavaScript via Function() to run arbitrary code on victims.
- New HVNC capabilities enable invisible browser session hijacking that can bypass MFA and leave no new-login traces.
- ChainShell resolves its C2 address from an Ethereum smart contract, and steganographic JPEG payloads indicate the deployment was pre-staged before the Feb 28 escalation.
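The "raw JavaScript handed to Function()" pattern above is a triage signal a defender can check for statically. The following is an added example, not code from the report or from ChainShell: a heuristic scanner that flags Function()/eval sinks in a captured script and scores higher when the argument is data-driven rather than a string literal. The sample script is constructed here and is not a real ChainShell stage.

```javascript
// Dynamic code-execution sinks to flag. The lookbehind skips property calls
// such as obj.eval(...) and identifiers that merely end in "Function".
const SINKS = [
  { sink: 'Function', re: /(?:\bnew\s+)?(?<![\w.])Function\s*\(/ },
  { sink: 'eval',     re: /(?<![\w.])eval\s*\(/ },
];

// A string literal directly inside the call is usually benign; anything else
// means the code body comes from data (decoded, fetched, or config-driven).
function argumentKind(afterParen) {
  return /^\s*["'`]/.test(afterParen) ? 'literal' : 'dynamic';
}

// Scan script text line by line and report each sink with its line number.
function scanScript(src) {
  const findings = [];
  src.split('\n').forEach((text, i) => {
    for (const { sink, re } of SINKS) {
      const m = re.exec(text);
      if (!m) continue;
      const afterParen = text.slice(m.index + m[0].length);
      findings.push({ line: i + 1, sink, kind: argumentKind(afterParen), text: text.trim() });
    }
  });
  return findings;
}

// Dynamic sinks dominate the score: "decode a blob, then Function(blob)()"
// is the loader shape worth escalating on.
function riskScore(findings) {
  return findings.reduce((s, f) => s + (f.kind === 'dynamic' ? 10 : 1), 0);
}

// Constructed sample resembling a loader stage (assumed, not a real sample).
const SAMPLE = [
  'var cfg = JSON.parse(atob(blob));',
  'var p = atob(cfg.stage2);',
  'Function(p)();',
  'var f = new Function("return 1");',
  'console.log(obj.eval(x));',
].join('\n');

const results = scanScript(SAMPLE);
console.log(results, 'risk:', riskScore(results)); // two findings, risk 11
```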
Read More: https://securityonline.info/muddy-water-castlerat-chainshell-malware-alliance/