The state-sponsored hacking group MuddyWater has changed its business model and now uses a Russian-made malware-as-a-service platform. At the centre of this change is a previously unknown tool called ChainShell.

On an open server with the IP address 157.20.182.49, researchers found Farsi-language code comments and lists of Israeli IP ranges, which indicates that Iranian operators are targeting Israeli systems. The change has significant implications for organizations in the defense, aerospace, energy, and government sectors, which now face both state-level targeting and commercially developed offensive tooling. When CastleRAT or ChainShell artifacts appear, security teams should also avoid automatically attributing them to Russian cybercriminals.

Further investigation may instead show that Iranian state-level operators are involved. Organizations exposed to this campaign should watch for scheduled tasks that follow the naming pattern Virtual{Campaign}Guy{N.

Check for Node.js installations you did not expect to find under %LOCALAPPDATA%\Nodejs\, and block all known network IOCs.
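The host checks above, as an added PowerShell hunt script that is not part of the article: it lists scheduled tasks whose names fit the reported pattern or whose actions run from the Node.js directory, Node.js artifacts under %LOCALAPPDATA%\Nodejs\, and live connections to the server the researchers identified. It assumes the truncated pattern "Virtual{Campaign}Guy{N" means Virtual followed by a label, then Guy and a number (the regex is that assumption), and it should be run in an elevated session.

```powershell
# Added hunt script for the indicators in the article; not the article's own code.
# Assumption: the task pattern is read as Virtual<label>Guy<digits>.
$TaskNameRegex = '^Virtual.+Guy\d+$'                  # assumption (see lead-in)
$NodeDir       = Join-Path $env:LOCALAPPDATA 'Nodejs'  # path named in the article
$KnownIp       = '157.20.182.49'                       # server quoted in the article
$findings      = New-Object System.Collections.Generic.List[object]

function Add-Finding($Type, $Name, $Detail) {
    $findings.Add([pscustomobject]@{ Type = $Type; Name = $Name; Detail = $Detail })
}

# 1. Scheduled tasks: flag a matching name, or any action that runs from the Node dir
foreach ($task in Get-ScheduledTask) {
    $nameHit = $task.TaskName -match $TaskNameRegex
    if ($nameHit -and -not $task.Actions) {
        Add-Finding 'ScheduledTask' ($task.TaskPath + $task.TaskName) '(no actions)'
    }
    foreach ($a in $task.Actions) {
        $cmd = ('{0} {1}' -f $a.Execute, $a.Arguments).Trim()
        if ($nameHit -or $cmd -like '*\Nodejs\*') {
            Add-Finding 'ScheduledTask' ($task.TaskPath + $task.TaskName) $cmd
        }
    }
}

# 2. Node.js runtime or scripts under %LOCALAPPDATA%\Nodejs\ (not a normal install location)
if (Test-Path -LiteralPath $NodeDir) {
    Get-ChildItem -LiteralPath $NodeDir -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -in '.exe', '.js', '.cmd' } |
        ForEach-Object {
            Add-Finding 'NodejsArtifact' $_.FullName ('{0} bytes, modified {1:u}' -f $_.Length, $_.LastWriteTime)
        }
}

# 3. Live TCP connections to the server the researchers identified, with the owning process
Get-NetTCPConnection -ErrorAction SilentlyContinue |
    Where-Object { $_.RemoteAddress -eq $KnownIp } |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        Add-Finding 'NetworkIOC' "$($_.RemoteAddress):$($_.RemotePort)" "PID $($_.OwningProcess) $($proc.ProcessName)"
    }

if ($findings.Count -eq 0) { 'No ChainShell-style artifacts found on this host.' }
else { $findings | Format-Table -AutoSize -Wrap }
```

A hit on step 2 or 3 alone is not proof of compromise; preserve the task XML and the files before remediation so the action command line and timestamps survive for the investigation.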
