ChainShell: MuddyWater & Russian MaaS
Detection stack
- AIDR
- Alert
- ETL
- Query
Summary
MuddyWater, an Iran-linked espionage actor, is leveraging the Russian TAG-150 malware-as-a-service platform to deliver CastleRAT and a newer Node.js, blockchain-enabled C2 agent tracked as ChainShell against Israeli and other high-value targets. The activity is supported by an exposed, misconfigured C2 web server, a PowerShell deployer script (reset.ps1), and PE payloads concealed via steganography. Multiple CastleRAT releases (including Build 120 and Build 13) contain shared hard-coded identifiers that point to the same MaaS lineage. The backend infrastructure appears to be organized per campaign, using shared domains (for example, serialmenot.com) and per-operation JWT credentials to separate access and tracking across deployments.
Investigation
JUMPSEC reviewed the exposed C2 host, recovered 15 malware samples, and tied the reset.ps1 deployment logic to delivery of both ChainShell and multiple CastleRAT builds. Investigators also correlated code-signing certificates (Amy Cherne and Donald Gay) seen in known MuddyWater tooling to the TAG-150 MSI installer, forming a high-confidence attribution trail. Additional overlap was observed across samples in hard-coded build markers, recurring scheduled-task naming conventions, and JWT campaign IDs embedded in the tooling and server-side artifacts.
Mitigation
Monitor for reset.ps1, associated scheduled tasks, and unique mutex or file-path artifacts linked to CastleRAT and ChainShell. Block known TAG-150 infrastructure, including serialmenot.com, ttrdomennew.com, and sharecodepro.com, and scrutinize PowerShell-driven installation of Node.js components. Enforce strict code-signing controls and validate suspicious certificates against known MuddyWater-linked signing material.
Response
If indicators are found, isolate impacted endpoints, capture full disk and memory images, and sweep for additional CastleRAT and ChainShell remnants. Revoke or distrust compromised code-signing certificates, reset affected credentials, and coordinate reporting with relevant national CERTs. Review network telemetry for Ethereum RPC access patterns and JWT usage tied to the serialmenot.com command-and-control workflow.
Attack Flow

```mermaid
graph TB
    %% Class definitions
    classDef action fill:#99ccff
    classDef tool fill:#ffcc99
    classDef technique fill:#c2f0c2
    classDef malware fill:#ff9999
    classDef process fill:#ffd966

    %% Nodes
    action_phishing["<b>Action</b> – <b>T1566.001 Phishing: Spearphishing Attachment</b><br/>Malicious macro-enabled document (ClickFix/BatClickFix) delivered via email"]
    class action_phishing action
    action_user_exec["<b>Action</b> – <b>T1204.002 User Execution: Malicious File</b><br/>Victim opens the document, triggering PowerShell"]
    class action_user_exec action
    tool_powershell["<b>Tool</b> – <b>T1059.001 PowerShell</b><br/>Script interpreter used to run the loader"]
    class tool_powershell tool
    tool_cmstp["<b>Tool</b> – <b>T1218.003 CMSTP</b><br/>System binary proxy execution that loads a malicious INF"]
    class tool_cmstp tool
    technique_dll_sideload["<b>Technique</b> – <b>T1574.002 DLL Side-Loading</b><br/>Malicious DLLs loaded via INF"]
    class technique_dll_sideload technique
    technique_dll_hijack["<b>Technique</b> – <b>T1574.001 DLL Search Order Hijacking</b><br/>Malicious userenv.dll and xmllite.dll placed beside legitimate binaries"]
    class technique_dll_hijack technique
    technique_scheduled_task["<b>Technique</b> – <b>T1053.005 Scheduled Task</b><br/>Scheduled tasks (VirtualSmokestGuy120/666) for persistence"]
    class technique_scheduled_task technique
    technique_steganography["<b>Technique</b> – <b>T1027.003 Steganography</b><br/>Native PE payloads hidden inside JPEG images"]
    class technique_steganography technique
    technique_embedded_payload["<b>Technique</b> – <b>T1027.009 Embedded Payloads</b><br/>Additional payloads further concealed"]
    class technique_embedded_payload technique
    technique_data_obfusc["<b>Technique</b> – <b>T1573.001 Encrypted Channel: Symmetric Cryptography</b><br/>AES-256-CBC encryption of C2 traffic"]
    class technique_data_obfusc technique
    technique_uac_bypass["<b>Technique</b> – <b>T1548.002 Bypass User Account Control</b><br/>CMSTP execution bypasses UAC"]
    class technique_uac_bypass technique
    technique_steal_cookie["<b>Technique</b> – <b>T1539 Steal Web Session Cookie</b><br/>Decrypt Chrome v127+ app-bound cookies"]
    class technique_steal_cookie technique
    technique_forge_cookie["<b>Technique</b> – <b>T1606.001 Forge Web Credentials: Web Cookies</b><br/>Use extracted cookies for authentication"]
    class technique_forge_cookie technique
    technique_alt_auth["<b>Technique</b> – <b>T1550.004 Use Alternate Authentication Material: Web Session Cookie</b><br/>Abuse cookies for lateral movement"]
    class technique_alt_auth technique
    technique_vnc["<b>Technique</b> – <b>T1021.005 Remote Services: VNC</b><br/>Hidden VNC provides invisible desktop control"]
    class technique_vnc technique
    technique_remote_service["<b>Technique</b> – <b>T1021 Remote Services</b><br/>Additional lateral movement via remote services"]
    class technique_remote_service technique
    technique_dead_drop["<b>Technique</b> – <b>T1102.001 Web Service: Dead Drop Resolver</b><br/>C2 address resolved from an Ethereum smart contract"]
    class technique_dead_drop technique
    technique_websocket_bidirectional["<b>Technique</b> – <b>T1102.002 Web Service: Bidirectional Communication</b><br/>WebSocket channel for command exchange"]
    class technique_websocket_bidirectional technique
    technique_websocket_oneway["<b>Technique</b> – <b>T1102.003 Web Service: One-Way Communication</b><br/>Fallback C2 path"]
    class technique_websocket_oneway technique
    technique_web_protocol["<b>Technique</b> – <b>T1071.001 Application Layer Protocol: Web Protocols</b><br/>Traffic over WebSocket via HTTPS"]
    class technique_web_protocol technique
    malware_chainshell["<b>Malware</b> – <b>Name</b>: ChainShell<br/>Payload orchestrator handling C2, encryption, and lateral movement"]
    class malware_chainshell malware

    %% Connections
    action_phishing -->|leads_to| action_user_exec
    action_user_exec -->|executes| tool_powershell
    tool_powershell -->|loads| tool_cmstp
    tool_cmstp -->|uses| technique_dll_sideload
    tool_cmstp -->|bypasses| technique_uac_bypass
    technique_dll_sideload -->|enables| technique_dll_hijack
    technique_dll_hijack -->|supports| technique_scheduled_task
    technique_scheduled_task -->|creates| malware_chainshell
    malware_chainshell -->|contains| technique_steganography
    malware_chainshell -->|contains| technique_embedded_payload
    malware_chainshell -->|encrypts| technique_data_obfusc
    malware_chainshell -->|steals| technique_steal_cookie
    technique_steal_cookie -->|enables| technique_forge_cookie
    technique_forge_cookie -->|enables| technique_alt_auth
    technique_alt_auth -->|enables| technique_vnc
    technique_vnc -->|uses| technique_remote_service
    malware_chainshell -->|resolves C2 via| technique_dead_drop
    technique_dead_drop -->|communicates via| technique_websocket_bidirectional
    technique_websocket_bidirectional -->|fallback to| technique_websocket_oneway
    technique_websocket_bidirectional -->|uses protocol| technique_web_protocol
```
Detections
- Possible Local System Language Discovery Attempt (via cmdline)
- Possible Local System Language Discovery Attempt (via powershell)
- NodeJS Binary Executing From Uncommon Location (via cmdline)
- Possible Publicnode Ethereum Abuse Attempt As C2 Channel (via dns_query)
- IOCs (SourceIP) to detect: ChainShell: MuddyWater & Russian MaaS
- IOCs (DestinationIP) to detect: ChainShell: MuddyWater & Russian MaaS
- IOCs (HashSha256) to detect: ChainShell: MuddyWater & Russian MaaS
- Detection of CastleRAT C2 Communication on Specific Ports [Windows Network Connection]
- Detection of ChainShell Deployment via Node.js in MuddyWater Operations [Windows Process Creation]
- Detect PowerShell Script Reset.ps1 for ChainShell Deployment [Windows Powershell]
Simulation Execution
Prerequisite: The Telemetry & Baseline Pre-flight Check must have passed.

Attack Narrative & Commands:
- Stage 1 – Prepare a simple C2 server (run on the attacker machine or a controlled VM). The server listens on port 9999 and echoes received data.
- Stage 2 – On the target Windows host, launch a PowerShell back-door that opens a TCP connection to the C2 server on port 9999. The payload uses native .NET classes (System.Net.Sockets.TcpClient) to avoid creating a separate executable, mimicking a "living-off-the-land" approach.
- Stage 3 – Optional proxy hop: the PowerShell script connects to a local HTTP CONNECT proxy (listening on 127.0.0.1:8080), which opens the onward TCP connection to the C2 server on port 9999. The egress connection still carries DestinationPort = 9999, but the host firewall attributes it to the proxy process rather than to powershell.exe, and the PowerShell process itself only shows a connection to 127.0.0.1:8080. This is the case any process-context enrichment of the rule has to account for.

Stages 1 and 2 produce firewall events with DestinationPort = 9999 from powershell.exe, satisfying the Sigma rule; with the proxy hop the DestinationPort = 9999 event belongs to the proxy process instead.

Regression Test Script:
```powershell
# -------------------------------------------------
# CastleRAT-style C2 simulation – PowerShell
# -------------------------------------------------

# 1. Define C2 server address (replace with your test IP)
$c2Ip   = "10.0.0.50"
$c2Port = 9999

# 2. OPTIONAL: Define local proxy (if you want to test the proxy hop)
$useProxy  = $false
$proxyHost = "127.0.0.1"
$proxyPort = 8080

# 3. Function to open a TCP stream (direct or via an HTTP CONNECT proxy)
function Invoke-C2Connection {
    param (
        [string]$destIp,
        [int]$destPort,
        [bool]$viaProxy
    )
    if ($viaProxy) {
        # Simple HTTP CONNECT tunnel through the local proxy
        $client = New-Object System.Net.Sockets.TcpClient($proxyHost, $proxyPort)
        $stream = $client.GetStream()
        $connectRequest = "CONNECT $destIp`:$destPort HTTP/1.1`r`nHost: $destIp`:$destPort`r`n`r`n"
        $bytes = [System.Text.Encoding]::ASCII.GetBytes($connectRequest)
        $stream.Write($bytes, 0, $bytes.Length)
        # Read the proxy's status line and abort if the tunnel was refused
        $buffer   = New-Object byte[] 1024
        $read     = $stream.Read($buffer, 0, $buffer.Length)
        $response = [System.Text.Encoding]::ASCII.GetString($buffer, 0, $read)
        if ($response -notmatch '^HTTP/1\.[01] 200') {
            $client.Close()
            throw "Proxy refused CONNECT: $($response -split "`r`n" | Select-Object -First 1)"
        }
        Write-Host "[+] Proxy tunnel established"
        return $stream
    } else {
        $client = New-Object System.Net.Sockets.TcpClient($destIp, $destPort)
        Write-Host "[+] Direct TCP connection established"
        return $client.GetStream()
    }
}

# 4. Open the connection
$stream = Invoke-C2Connection -destIp $c2Ip -destPort $c2Port -viaProxy:$useProxy

# 5. Send a simple beacon
$beacon = "CastleRAT Beacon $(Get-Date -Format o)`n"
$bytes  = [System.Text.Encoding]::UTF8.GetBytes($beacon)
$stream.Write($bytes, 0, $bytes.Length)
Write-Host "[+] Beacon sent"

# 6. Keep the channel open for a short period (simulate persistence)
Start-Sleep -Seconds 15

# 7. Cleanup
$stream.Close()
Write-Host "[+] Connection closed"
```
Cleanup Commands:
```powershell
# Ensure any lingering TCP connections to the C2 port are closed
Get-NetTCPConnection -RemotePort 9999 -State Established -ErrorAction SilentlyContinue | ForEach-Object {
    try {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        if ($proc) { Stop-Process -Id $proc.Id -Force }
    } catch {}
}

# Stop the local proxy listener (if one was started on 127.0.0.1:8080) by its
# owning process, rather than killing every python.exe on the host
Get-NetTCPConnection -LocalPort 8080 -State Listen -ErrorAction SilentlyContinue | ForEach-Object {
    Stop-Process -Id $_.OwningProcess -Force -ErrorAction SilentlyContinue
}
```
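Stage 1 and Stage 3 of the narrative call for an echo listener and a local HTTP CONNECT proxy, but the page only carries the PowerShell client. The following is an added example (not JUMPSEC's, the page's or the TAG-150 tooling's code) that implements both server-side pieces plus a client playing the back-door's part, so the whole exchange can be rehearsed on one machine. It binds ephemeral ports so it runs offline; a real exercise would bind the listener to 9999 and the proxy to 8080. The beacon string is constructed. The point it makes explicit is the one from Stage 3: the client reports the destination port its own connection carries, which is the C2 port when direct and the proxy port when tunnelled.

```python
import socket
import threading
from typing import Optional, Tuple

Addr = Tuple[str, int]
BEACON = b"CastleRAT Beacon (constructed test beacon)\n"  # stands in for the PowerShell beacon string


def _serve(host: str, port: int, handler) -> Tuple[socket.socket, int]:
    """Bind a listener and accept in a background thread, one handler thread per client."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(5)

    def loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return  # listener closed
            threading.Thread(target=handler, args=(conn,), daemon=True).start()

    threading.Thread(target=loop, daemon=True).start()
    return srv, srv.getsockname()[1]


def start_echo_server(host="127.0.0.1", port=0) -> Tuple[socket.socket, int]:
    """Stage 1: the 'C2 server' echoes the implant's first message, then hangs up."""
    def handle(conn):
        with conn:
            data = conn.recv(4096)
            if data:
                conn.sendall(data)
    return _serve(host, port, handle)


def _pump(src, dst):
    """Copy bytes src -> dst until EOF, then pass the EOF on with a half-close."""
    try:
        while chunk := src.recv(4096):
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def start_connect_proxy(host="127.0.0.1", port=0) -> Tuple[socket.socket, int]:
    """Stage 3: minimal HTTP CONNECT proxy; the onward TCP connection to the C2 port is opened here."""
    def handle(client):
        with client:
            req = b""
            while b"\r\n\r\n" not in req:
                chunk = client.recv(1024)
                if not chunk:
                    return
                req += chunk
            parts = req.split(b"\r\n", 1)[0].decode("ascii", "replace").split(" ")
            if len(parts) != 3 or parts[0] != "CONNECT" or ":" not in parts[1]:
                client.sendall(b"HTTP/1.1 400 Bad Request\r\n\r\n")
                return
            thost, tport = parts[1].rsplit(":", 1)
            with socket.create_connection((thost, int(tport)), timeout=5) as upstream:
                client.sendall(b"HTTP/1.1 200 Connection Established\r\n\r\n")
                back = threading.Thread(target=_pump, args=(upstream, client), daemon=True)
                back.start()
                _pump(client, upstream)
                back.join()
    return _serve(host, port, handle)


def send_beacon(c2: Addr, beacon: bytes = BEACON, proxy: Optional[Addr] = None) -> Tuple[bytes, int]:
    """Stage 2/3 client. Returns (echoed bytes, destination port this process's own
    connection carries): the C2 port when direct, the proxy port when tunnelled."""
    with socket.create_connection(proxy or c2, timeout=5) as sock:
        logged_dst_port = sock.getpeername()[1]
        if proxy is not None:
            sock.sendall(f"CONNECT {c2[0]}:{c2[1]} HTTP/1.1\r\nHost: {c2[0]}:{c2[1]}\r\n\r\n".encode())
            status = b""
            while b"\r\n\r\n" not in status:
                chunk = sock.recv(1024)
                if not chunk:
                    raise ConnectionError("proxy closed before answering CONNECT")
                status += chunk
            if not status.startswith(b"HTTP/1.1 200"):
                raise ConnectionError(status.split(b"\r\n", 1)[0].decode(errors="replace"))
        sock.sendall(beacon)
        echoed = b""
        while chunk := sock.recv(4096):  # read until the server hangs up
            echoed += chunk
        return echoed, logged_dst_port


def run_simulation() -> dict:
    """Run the direct and the proxied variant against local listeners on ephemeral ports."""
    c2_srv, c2_port = start_echo_server()
    px_srv, px_port = start_connect_proxy()
    c2 = ("127.0.0.1", c2_port)
    try:
        direct_echo, direct_dst = send_beacon(c2)
        proxied_echo, proxied_dst = send_beacon(c2, proxy=("127.0.0.1", px_port))
    finally:
        c2_srv.close()
        px_srv.close()
    return {"c2_port": c2_port, "proxy_port": px_port,
            "direct": {"echo": direct_echo, "logged_dst_port": direct_dst},
            "proxied": {"echo": proxied_echo, "logged_dst_port": proxied_dst}}
```

Running `run_simulation()` returns both echoes intact; the direct variant reports the C2 port, the proxied variant reports the proxy port. That is exactly what a host firewall event would show for powershell.exe in each case, which is why the port-based rule alone cannot tell the tunnelled beacon from local proxy chatter.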
Additional Observations & Hardening Recommendations
- Enrich Port‑Based Detection: Combine the port check with known malicious C2 IPs/domains, TLS fingerprinting, or abnormal traffic volume heuristics.
- Allow‑List Legitimate Services: Create an exception list for applications that legitimately use ports 9999 or 8888 (e.g., certain database or management tools).
- Behavioural Baselines: Deploy statistical models to flag low‑frequency outbound connections to high‑risk ports originating from non‑server endpoints.
- Process Context: Correlate firewall events with the originating process (ImageFileName, CommandLine). Flag connections made by unexpected processes (e.g., powershell.exe, cmd.exe).
By applying these mitigations, the rule’s resilience can be raised from the current 2 to a 4‑5 range, dramatically reducing false positives while preserving detection of genuine CastleRAT C2 traffic.
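The Mitigation section asks for monitoring of reset.ps1 and PowerShell-driven Node.js installs, and the list above asks for the port check to be combined with process context and an allow-list. The following is an added example (not the page's Sigma rules or the vendor's detection logic) that applies those enrichments to constructed Sysmon Event ID 3 style records. Ports 9999 and 8888 are the ones named above; the process names, paths, destination IPs and the allow-list entry are illustrative, not IOCs from the report. The behavioural-baseline recommendation is not modelled, since a five-event batch has no baseline.

```python
from typing import Dict, List, Set

WATCH_PORTS = {9999, 8888}  # ports the CastleRAT C2 rule keys on
# script hosts that should not be opening raw TCP sessions to those ports
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# where node.exe is expected to live on a managed Windows host (assumption)
NODE_INSTALL_DIRS = ("c:\\program files\\nodejs\\", "c:\\program files (x86)\\nodejs\\")
# image path -> ports that image may legitimately use (constructed allow-list entry)
ALLOWLIST: Dict[str, Set[int]] = {"c:\\program files\\vendor\\dbadmin.exe": {9999}}

EVENTS: List[dict] = [  # constructed records, not real telemetry
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -nop -w hidden -File C:\Users\Public\reset.ps1",
     "DestinationIp": "10.0.0.50", "DestinationPort": 9999},
    {"Image": r"C:\Users\alice\AppData\Roaming\npm\node.exe",
     "CommandLine": "node.exe agent.js", "DestinationIp": "203.0.113.7", "DestinationPort": 443},
    {"Image": r"C:\Program Files\nodejs\node.exe",
     "CommandLine": "node server.js", "DestinationIp": "10.1.2.3", "DestinationPort": 8888},
    {"Image": r"C:\Program Files\Vendor\dbadmin.exe",
     "CommandLine": "dbadmin.exe --connect", "DestinationIp": "10.1.2.4", "DestinationPort": 9999},
    {"Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "CommandLine": "firefox.exe", "DestinationIp": "198.51.100.9", "DestinationPort": 443},
]


def evaluate(event: dict) -> List[str]:
    """Return the list of reasons this connection is suspicious (empty = benign)."""
    image = event["Image"].lower()
    name = image.rsplit("\\", 1)[-1]
    port = int(event["DestinationPort"])
    cmdline = event.get("CommandLine", "").lower()
    reasons: List[str] = []
    if port in ALLOWLIST.get(image, set()):
        return reasons  # sanctioned image/port pair: skip entirely
    if port in WATCH_PORTS:
        reasons.append(f"destination port {port} on CastleRAT watch-list")
        if name in SCRIPT_HOSTS:
            reasons.append(f"connection originates from script host {name}")
    if name == "node.exe" and not image.startswith(NODE_INSTALL_DIRS):
        reasons.append("node.exe executing from uncommon location")
    if "reset.ps1" in cmdline:
        reasons.append("reset.ps1 deployer in command line")
    return reasons


def severity(reasons: List[str]) -> str:
    """Two or more independent signals is high; a lone port hit or lone path anomaly is medium."""
    return "high" if len(reasons) >= 2 else "medium" if reasons else "none"


def triage(events: List[dict]) -> List[dict]:
    """Score a batch of network-connection events with process context attached."""
    return [{"Image": ev["Image"], "DestinationPort": ev["DestinationPort"],
             "severity": severity(reasons), "reasons": reasons}
            for ev in events for reasons in [evaluate(ev)]]


if __name__ == "__main__":
    for row in triage(EVENTS):
        print(f'{row["severity"]:6} {row["DestinationPort"]:5} {row["Image"]}  {"; ".join(row["reasons"])}')
```

On the constructed batch the powershell.exe connection to 9999 with reset.ps1 on the command line scores high (three independent reasons), node.exe from a user profile and node.exe from its install directory talking to 8888 each score medium on a single signal, the allow-listed dbadmin.exe hit is suppressed, and firefox.exe is untouched. Compared with the bare port match, the same events go from four hits of equal weight to one clear alert, two items for review and one documented exception.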