MuddyWater Linked to Iranian MOIS Uses Russian MaaS in ChainShell Campaign
Iran-linked threat group MuddyWater has been tied to a ChainShell campaign that reportedly uses Russian malware-as-a-service infrastructure, underscoring growing overlap between state-backed espionage and criminal tooling. Reporting on the activity said the operation relied on blockchain-based command-and-control and reflected operational links between the Iran-aligned actor and Russian cybercrime services, extending a long-running pattern of MuddyWater adapting external tools and tradecraft for intrusion operations.
U.S. and allied agencies have previously attributed MuddyWater to Iran’s Ministry of Intelligence and Security (MOIS) and described the group as targeting government and commercial organizations across Asia, Africa, Europe, and North America, including telecommunications, defense, local government, and oil and gas. Public reporting and government advisories say the group has used spearphishing, exploitation of known flaws such as CVE-2020-0688 and CVE-2020-1472, DLL side-loading, obfuscated PowerShell, and malware including PowGoop, Mori, Small Sieve, Canopy/Starwhale, and POWERSTATS to establish access, maintain persistence, exfiltrate data, and in some cases deploy ransomware.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
6 events from the most recent confirmed update back to the earliest known activity.
New reporting highlights MuddyWater's ChainShell attack activity
A 2026 report described MuddyWater as using Russian malware-as-a-service in a new ChainShell attack. This appears to be continued reporting on the ChainShell activity and its operational links to Russian criminal tooling.
JUMPSEC reports ChainShell linking MuddyWater to Russian MaaS
JUMPSEC threat intelligence reported a ChainShell campaign or capability in which the Iran-aligned MuddyWater actor used Russian malware-as-a-service. The reporting also said the activity relied on blockchain-based command-and-control infrastructure, highlighting overlap between state-aligned operations and cybercriminal services.
Five Eyes and U.S. agencies publish joint MuddyWater advisory
On February 24, 2022, the FBI, CISA, U.S. Cyber Command CNMF, NSA, and NCSC-UK issued a joint advisory on Iranian government-sponsored MuddyWater activity. The advisory detailed TTPs, malware, exploited vulnerabilities including CVE-2020-1472 and CVE-2020-0688, and recommended mitigations and IOCs.
USCYBERCOM publicly links MuddyWater to Iran's MOIS
US Cyber Command publicly attributed MuddyWater to Iran’s Ministry of Intelligence and Security, identifying it as a subordinate element involved in Iranian intelligence operations. It also uploaded malware samples and JavaScript artifacts associated with the group to VirusTotal to aid defenders.
MuddyWater conducts MOIS-linked espionage campaigns globally
By approximately 2018, Iranian government-sponsored MuddyWater activity was targeting government and commercial organizations across Asia, Africa, Europe, and North America. The group used spearphishing, known vulnerability exploitation, DLL side-loading, obfuscated PowerShell, and malware families such as PowGoop, Mori, and POWERSTATS.
MuddyWater begins sustained cyber operations
MuddyWater is described as having conducted campaigns since at least 2017, initially targeting organizations in the Middle East and later expanding into Europe and North America. Reported victim sectors included telecommunications, government IT services, and oil.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
4 references tracked. Mallory keeps watching after this page renders.
MuddyWater Uses Russian MaaS in New ChainShell Attack
gbhackers.com
Open sourceChainShell: MuddyWater's Russian MaaS Link - Infosec.Pub
infosec.pub
Open sourceUSCYBERCOM: MuddyWater APT is linked to Iran's MOIS intelligence
securityaffairs.co
Open sourceCisa
cisa.gov
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
MuddyWater Used DLL Side-Loading and PowerShell Tooling in Multi-Country Espionage Campaign
Iran-linked **MuddyWater** (also tracked as **Seedworm**) was tied to an espionage campaign that compromised at least nine organizations across nine countries and four continents, hitting sectors including manufacturing, education, government, financial services, professional services, telecommunications, and an international airport. Researchers said the group used **DLL side-loading** with legitimate signed binaries such as `fmapp.exe` from Fortemedia and `sentinelmemoryscanner.exe` from SentinelOne to launch malicious DLLs, including the open-source **ChromElevator** tool for browser-data theft. One confirmed victim was a major South Korean electronics manufacturer, where the attackers reportedly maintained access for about a week, while earlier activity also targeted telecom providers in Egypt, Sudan, and Tanzania. The operators combined stealthy execution with a broad post-compromise toolkit, using **Node.js** to launch PowerShell payloads for reconnaissance, screenshot capture, privilege escalation, credential theft, and SOCKS5 reverse-proxy tunneling. Symantec also linked MuddyWater to the **MuddyC2Go** PowerShell framework, use of legitimate remote-management software **SimpleHelp**, and the publicly available **Venom Proxy** to maintain access and move through victim networks. Persistence was established through registry modifications, credentials were harvested through fake login prompts and registry hive dumping, and stolen data was exfiltrated via the public file-transfer service `sendit[.]sh`, indicating a sustained intelligence-collection effort aligned with Iranian state interests.
May 27, 2026
Iranian MOIS-Linked Threat Actors Increasingly Leverage Cybercrime Tools and Infrastructure
Check Point Research reported that **Iranian Ministry of Intelligence and Security (MOIS)-linked actors** are increasingly moving beyond simply *posing* as cybercriminals and are instead **directly engaging with the cybercrime ecosystem**—using criminal tooling, services, and operational models to support state objectives while complicating attribution. The activity is highlighted in operations tied to **Void Manticore** (including the *Handala Hack* persona) and **MuddyWater**, where researchers observed repeated overlaps with criminal tools and infrastructure, suggesting an affiliate-style or service-consumption model that improves resilience and capability. Reporting on the research noted that **Void Manticore** has incorporated the commercially sold infostealer **Rhadamanthys** (marketed on cybercrime forums) into campaigns, including phishing activity targeting Israeli entities; the infostealer has been paired with custom wipers and lure themes such as impersonated **F5 updates** and even messages spoofing the **Israeli National Cyber Directorate (INCD)**. The same coverage reiterated that **MuddyWater** continues MOIS-aligned espionage activity and is also associated with cybercrime-style tooling and services, reinforcing the assessment that Iranian state operators are increasingly blending state tradecraft with criminal malware, infrastructure, and monetized services rather than relying solely on false-flag “ransomware” or hacktivist branding.
Apr 14, 2026
MuddyWater Phishing Campaign Targets Middle East and North Africa Government Networks
Iranian state-sponsored threat actor MuddyWater has conducted a large-scale cyberespionage campaign breaching over 100 government entities and international organizations across the Middle East and North Africa. The attackers leveraged a compromised enterprise mailbox, accessed via NordVPN, to send convincing phishing emails from legitimate addresses to embassies, ministries, and telecom providers. These emails contained weaponized Microsoft Word attachments that, when opened and macros enabled, deployed the updated "Phoenix" backdoor, granting persistent remote access, credential theft, and file exfiltration capabilities. The campaign also utilized off-the-shelf remote management tools such as PDQ and Action1 to blend in with legitimate administrative traffic and pilfered browser passwords from Chrome, Edge, Opera, and Brave. Researchers at Group-IB highlighted that MuddyWater, also known as Seedworm, APT34, OilRig, and TA450, has demonstrated evolving tradecraft and operational maturity in this operation, mixing official government and personal email addresses to increase the likelihood of successful compromise. The campaign's scale and targeting suggest either a significant increase in capability or a broader intelligence collection mandate from Iranian authorities. MuddyWater, linked to Iran's Ministry of Intelligence and Security, has a history of targeting government, energy, telecom, and defense sectors, focusing on long-term espionage rather than destructive attacks. Analysts warn that further activity is likely amid ongoing regional tensions.
Mar 21, 2026