Muddy Water

MuddyWater is an Iran-nexus APT assessed in the provided content as subordinate to Iran’s Ministry of Intelligence and Security (MOIS), active since at least 2017. Aliases explicitly mentioned in the content include Earth Vetala, MERCURY, Static Kitten, Seedworm, TEMP.Zagros, Mango Sandstorm, and TA450. The group is described as conducting espionage-oriented and other Iran-linked operations, and was identified by the Israel National Cyber Directorate among Iranian groups behind at least 15 phishing campaigns targeting Israeli public- and private-sector organizations. INCD stated these campaigns used tailored social-engineering lures such as fake Rafael job offers on LinkedIn, spoofed security-update emails, cash-offer scams, and academic conference invitations with malicious links, with the objective of gaining initial access and then moving deeper into victim organizations for espionage, damage, information gathering, and influence operations. The content also attributes to MuddyWater a spearphishing campaign targeting diplomatic, maritime, financial, telecommunications, and other sectors across the Middle East. In that activity, malicious Microsoft Word documents with VBA macros and icon spoofing were used to deliver a Rust-based implant referred to as RustyWater, aligned in the reporting with Archer RAT / RUSTRIC. The macros decoded a hex-embedded payload, wrote it to C:\ProgramData\CertificationKit.ini, and executed it via an obfuscated WScript.Shell/cmd.exe chain. Reported RustyWater capabilities include anti-debugging and anti-tampering via a vectored exception handler, host-information collection, string obfuscation with XOR, discovery of more than 25 antivirus/EDR products, persistence via a Windows Run registry key, asynchronous HTTP command-and-control using Rust reqwest and tokio, JSON/Base64/XOR multilayer data obfuscation for exfiltration, randomized jitter, and process injection into explorer.exe using VirtualAllocEx and WriteProcessMemory. The reporting characterizes this as an evolution from MuddyWater’s legacy PowerShell/VBS-heavy tradecraft toward a more modular, lower-noise Rust RAT.