RustyClaw
RustyClaw is a Rust-based downloader/loader associated with the RomCom threat actor, which related reporting also tracks as TA829. It has been used in targeted spearphishing and exploitation chains to fetch and execute additional payloads from remote servers, extending the initial compromise and enabling delivery of follow-on backdoors. Reporting places it in RomCom's malware ecosystem alongside SnipBot, the Mythic agent, SlipScreen, MeltingClaw, DustyHammock, ShadyHammock, and SingleCamper.
High-confidence reporting places RustyClaw in RomCom campaigns that exploited the WinRAR zero-day CVE-2025-8088, a path traversal vulnerability made possible through the use of alternate data streams. In those July 2025 campaigns, malicious RAR archives disguised as job applications or CVs targeted financial, manufacturing, defense, and logistics organizations in Europe and Canada. Successful exploitation chains could deploy RustyClaw, SnipBot, or the Mythic agent, and the activity was assessed as cyberespionage-oriented. The vulnerability was fixed in WinRAR 7.13; WinRAR has no automatic update mechanism, so the fix has to be installed manually and unpatched installations should be assumed until inventoried.
One specifically documented infection chain used a malicious LNK file named Settings.lnk to execute %LOCALAPPDATA%\Complaint.exe, which was identified as a RustyClaw downloader. RustyClaw then retrieved an additional payload from https://melamorri[.]com/iEZGPctehTZ. ESET linked the resulting install_module_x64.dll (SHA-1: 01D32FE88ECDEA2B934A00805E138034BF85BF83) to MeltingClaw activity, with the associated C2 https://gohazeldale[.]com. Multiple sources describe RustyClaw and MeltingClaw as closely related or sequential downloaders, and Proofpoint reporting notes that TA829 may deliver updated RustyClaw or MeltingClaw loaders into the same process address space, leading to the DustyHammock or SingleCamper backdoors.
RustyClaw has been attributed to RomCom in reporting from Cisco Talos and is consistently described as a downloader rather than a full-featured backdoor: its role is to retrieve further payloads that provide persistence, reconnaissance, or longer-term access. Indicators tied to RustyClaw-related activity on this page are %LOCALAPPDATA%\Complaint.exe and Settings.lnk (the RustyClaw stage itself), the download URL https://melamorri[.]com/iEZGPctehTZ, and, for the follow-on MeltingClaw stage, install_module_x64.dll with SHA-1 01D32FE88ECDEA2B934A00805E138034BF85BF83 and the C2 https://gohazeldale[.]com. Note that the hash belongs to the downloaded MeltingClaw DLL, not to RustyClaw itself, so a hash-only hunt will miss the loader; the %LOCALAPPDATA% process path and the LNK-launched execution are the RustyClaw-specific pivots.
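The following is an added example, not code from the original page or from any of the vendor reports it cites: a small Python hunting helper that takes the RustyClaw-related indicators listed above, refangs the defanged domains, and matches them against process, DNS and file-hash telemetry. The telemetry records are constructed for this example, and the field names (event_type, image, command_line, parent_image, query, path, sha1) are assumptions about a log schema, not any real product's format.

```python
import re

# Indicators exactly as listed in the text above for the RustyClaw -> MeltingClaw chain.
# Domains/URLs are kept defanged as published; refang() restores them for matching.
RUSTYCLAW_IOCS = {
    "process_path": r"%LOCALAPPDATA%\Complaint.exe",
    "lnk_name": "Settings.lnk",
    "urls": ["https://melamorri[.]com/iEZGPctehTZ", "https://gohazeldale[.]com"],
    "file_name": "install_module_x64.dll",
    "sha1": "01D32FE88ECDEA2B934A00805E138034BF85BF83",  # MeltingClaw DLL, not RustyClaw
}


def refang(value: str) -> str:
    """Undo common defanging ('[.]', 'hxxp') so published IOCs compare against live telemetry."""
    return value.replace("[.]", ".").replace("hxxp", "http")


def host_of(url: str) -> str:
    """Host part of a URL, lower-cased; refangs first so defanged URLs work."""
    m = re.match(r"^[a-z]+://([^/:?#]+)", refang(url), re.I)
    return (m.group(1) if m else refang(url)).lower()


def normalise_path(path: str) -> str:
    """Map C:\\Users\\<user>\\AppData\\Local\\... onto the %LOCALAPPDATA%\\... form used in reporting."""
    p = path.strip('"').lower()
    return re.sub(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\",
                  lambda _: "%localappdata%\\", p)


def basename(path: str) -> str:
    """Last path component, lower-cased, with surrounding quotes removed."""
    return path.strip('"').rsplit("\\", 1)[-1].lower()


def match_event(event: dict) -> list[str]:
    """Return the names of the RustyClaw indicators matched by one telemetry record."""
    hits = []
    kind = event.get("event_type")
    if kind == "process":
        if normalise_path(event.get("image", "")) == RUSTYCLAW_IOCS["process_path"].lower():
            hits.append("process:Complaint.exe from %LOCALAPPDATA%")
        # The documented chain launches Complaint.exe via a shortcut; also check the
        # command line for the reported LNK name.
        if RUSTYCLAW_IOCS["lnk_name"].lower() in event.get("command_line", "").lower():
            hits.append("process:Settings.lnk")
    elif kind == "dns":
        bad_hosts = {host_of(u) for u in RUSTYCLAW_IOCS["urls"]}
        if event.get("query", "").lower().rstrip(".") in bad_hosts:
            hits.append(f"dns:{event['query']}")
    elif kind == "file":
        if basename(event.get("path", "")) == RUSTYCLAW_IOCS["file_name"].lower():
            hits.append("file:install_module_x64.dll")
        if event.get("sha1", "").upper() == RUSTYCLAW_IOCS["sha1"]:
            hits.append("hash:sha1 " + RUSTYCLAW_IOCS["sha1"])
    return hits


def hunt(events: list[dict]) -> dict[int, list[str]]:
    """Index of every event that matched at least one indicator -> matched indicator names."""
    return {i: h for i, e in enumerate(events) if (h := match_event(e))}


# CONSTRUCTED sample telemetry for this example (not real logs); field names are assumptions.
SAMPLE_EVENTS = [
    {"event_type": "process", "image": r"C:\Users\jdoe\AppData\Local\Complaint.exe",
     "command_line": r'"C:\Users\jdoe\AppData\Local\Complaint.exe"',
     "parent_image": r"C:\Windows\explorer.exe"},
    {"event_type": "dns", "query": "melamorri.com"},
    {"event_type": "file", "path": r"C:\Users\jdoe\AppData\Local\Temp\install_module_x64.dll",
     "sha1": "01d32fe88ecdea2b934a00805e138034bf85bf83"},
    {"event_type": "dns", "query": "gohazeldale.com."},  # trailing dot as some resolvers log it
    {"event_type": "dns", "query": "ctldl.windowsupdate.com"},
    {"event_type": "process", "image": r"C:\Windows\System32\notepad.exe",
     "command_line": "notepad.exe Settings.txt", "parent_image": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for idx, matched in hunt(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx]["event_type"], matched)
```

Running it flags four of the six constructed records: the Complaint.exe launch, both C2/download domains, and the MeltingClaw DLL by both name and hash. The path normalisation matters because reporting writes %LOCALAPPDATA% while endpoint telemetry records the expanded per-user path; the domain and hash matches are the most perishable part of the hunt, so treat the process-path and LNK-launch pivots as the ones worth keeping after the infrastructure rotates.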
Vulnerabilities exploited
1 CVE correlated with this family across public research and vendor advisories: CVE-2025-8088 (WinRAR path traversal). Supporting excerpts:
"Successful exploitation attempts delivered various backdoors used by the RomCom group, specifically a SnipBot variant, RustyClaw, and the Mythic agent."
"ESET researchers have discovered a previously unknown zero-day vulnerability in WinRAR being exploited in the wild by Russia-aligned group RomCom... now assigned CVE-2025-8088: a path traversal vulnerability, made possible with the use of alternate data streams."
Groups observed using it
1 distinct threat actor attributed by public researchers: RomCom (also tracked as TA829). Supporting excerpt:
"Successful exploitation attempts delivered various backdoors used by the RomCom group, specifically a SnipBot variant, RustyClaw, and the Mythic agent."
Techniques & procedures
7 distinct techniques documented for this family, organized by ATT&CK tactic (a technique that falls under more than one tactic is listed under each).
Initial Access (1 technique)
"CVE-2025-8088 was exploited by RomCom in an email spearphishing campaign... A malicious archive, disguised as a job applicant's curriculum vitae or resume, was attached to the emails"
Execution (3 techniques)
"The backdoor used by the group is capable of executing commands and downloading additional modules to the victim's machine."
"ESET researchers have discovered a previously unknown zero-day vulnerability in WinRAR being exploited in the wild by Russia-aligned group RomCom... The vulnerability, CVE-2025-8088, is a path traversal vulnerability... Disguised as an application document, the weaponized archives exploited a path traversal flaw to compromise its targets."
"A malicious LNK file Updater.lnk... Another LNK file runs... A third malicious LNK file executes..."
Persistence (1 technique; no supporting excerpt captured on this page)
Privilege Escalation (1 technique; no supporting excerpt captured on this page)
Stealth (1 technique)
"The vulnerability, CVE-2025-8088, is a path traversal vulnerability, which is made possible via the use of alternate data streams."
Command and Control (1 technique)
"The backdoor used by the group is capable of executing commands and downloading additional modules to the victim's machine."
Recent activity
13 sources tracked across advisories, community write-ups, and news. Recent excerpts:
Backdoor used for long-term persistence and covert reconnaissance, described as deployed by RomCom after exploitation of a WinRAR path traversal zero-day.
You can also test your defenses against hundreds of other malware variants, such as SnipBot, SlipScreen Loader, RustyClaw, within minutes...
A phishing-delivered downloader/loader used in RomCom infection chains to fetch or stage additional payloads (including backdoors) after initial access.
Downloader family used to retrieve additional payloads from remote infrastructure to extend or deepen compromise after initial access.