Mallory: Malware family, used by 2 actors

RustyWater

RustyWater is a Rust-based remote access trojan/backdoor associated in public reporting with the Iranian threat actor MuddyWater (also tracked as Seedworm, Mango Sandstorm, Static Kitten, MERCURY, TA450, TEMP.Zagros, and Earth Vetala) and assessed as linked to MOIS. Reporting describes it as part of MuddyWater’s shift away from primarily PowerShell/VBS-heavy tooling toward more modular and stealthier Rust implants. It has been observed in spear-phishing campaigns targeting organizations across the Middle East, with repeated reporting on diplomatic, maritime, financial, telecommunications, and government entities; Israel is described as a primary focus in some reporting, with additional targeting across other Middle Eastern countries and GCC states.

The documented infection chain uses spear-phishing emails impersonating legitimate or official communications, often themed as cybersecurity guidelines, policy documents, maritime or diplomatic matters, financial compliance, or alerts. Attached malicious Microsoft Word documents contain VBA macros that require the victim to enable macros/content. Reported macro behavior includes extracting hex-encoded payload data from a UserForm/TextBox, converting it to binary, writing it to C:\ProgramData\CertificationKit.ini, and executing it via obfuscated WScript.Shell/cmd.exe command construction using Chr()/ASCII-value reconstruction. Some reporting notes icon spoofing and a dropped stage-2 PE disguised as "reddit.exe" with a Cloudflare logo.

RustyWater is described as using encrypted or obfuscated HTTP command-and-control implemented with Rust libraries including reqwest and tokio, with asynchronous communications, configured timeouts, connection pooling, retry logic, and randomized sleep/jitter to reduce detectability. Collected data is reported to be structured as JSON and protected through layered obfuscation/encryption, including Base64 encoding and XOR encryption; source reporting specifically states that RustyWater Base64-encodes collected data. Reported host reconnaissance includes collection of username, computer name, and domain details. The malware is also described as supporting file operations and command execution, modular post-exploitation expansion, and, in some reporting, process injection into explorer.exe using VirtualAllocEx and WriteProcessMemory.

Persistence is reported via Windows Registry Run keys, specifically under the current user, pointing to C:\ProgramData\CertificationKit.ini. Anti-analysis and evasion features described in source reporting include anti-debugging, anti-VM checks, anti-tampering via a vectored exception handler, position-independent XOR string encryption, and discovery of more than 25 antivirus/EDR products by checking service names, files, and installation paths, with behavior changes when security tools are detected.

High-confidence indicators and artifacts directly mentioned in the content include the dropped path C:\ProgramData\CertificationKit.ini, registry path SOFTWARE\Microsoft\Windows\CurrentVersion\Run, the reqwest/0.12.23 user-agent string, and a reported C2 domain nomercys.it[.]com. Reported sample hashes include 76aad2a7fa265778520398411324522c57bfd7d2ff30a5cfe6460960491bc552 and f38a56b8dc0e8a581999621eef65ef497f0ac0d35e953bd94335926f00e9464f. Some reporting notes limited overlap or naming alignment with variants referred to as Archer RAT or RUSTRIC.
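As an added example (not Mallory's code and not the malware's), the following Python checks constructed telemetry events against the host, registry, network and hash indicators listed above. The event schema (type, path, key, value, host, user_agent, sha256) is an assumption made for the example, and the sample events are constructed rather than real logs.

```python
# Indicators from the RustyWater description above; the C2 domain is refanged from "[.]".
DROPPED_FILE = r"programdata\certificationkit.ini"
RUN_KEY = r"software\microsoft\windows\currentversion\run"
C2_USER_AGENT = "reqwest/0.12.23"
C2_DOMAIN = "nomercys.it[.]com".replace("[.]", ".")
KNOWN_HASHES = {
    "76aad2a7fa265778520398411324522c57bfd7d2ff30a5cfe6460960491bc552",
    "f38a56b8dc0e8a581999621eef65ef497f0ac0d35e953bd94335926f00e9464f",
}

def _norm(s):
    """Lower-case and use backslashes so Windows path/key comparisons are tolerant."""
    return s.lower().replace("/", "\\")

def classify(event):
    """Return the indicator labels one event matches (empty list = no match).
    Event schema is an assumption for this example: dict with 'type' and fields used below."""
    hits = []
    kind = event.get("type")
    if kind == "file" and _norm(event.get("path", "")).endswith(DROPPED_FILE):
        hits.append("dropped_file:CertificationKit.ini")
    if kind == "registry" and RUN_KEY in _norm(event.get("key", "")) \
            and "certificationkit.ini" in _norm(event.get("value", "")):
        hits.append("run_key_persistence")
    if kind in ("http", "dns"):
        host = event.get("host", "").lower().rstrip(".")
        if host == C2_DOMAIN or host.endswith("." + C2_DOMAIN):
            hits.append("c2_domain")
        # A library UA alone is weak (other Rust software can send the same string): label it for correlation.
        if kind == "http" and event.get("user_agent", "").startswith(C2_USER_AGENT):
            hits.append("weak:reqwest_user_agent")
    if event.get("sha256", "").lower() in KNOWN_HASHES:
        hits.append("known_sample_hash")
    return hits

def scan(events):
    """Map event index -> matched labels for every event with at least one hit."""
    return {i: h for i, e in enumerate(events) if (h := classify(e))}

# Constructed sample telemetry: one benign event, then one event per indicator class.
SAMPLE_EVENTS = [
    {"type": "file", "path": r"C:\ProgramData\Microsoft\Crypto\cache.dat"},
    {"type": "file", "path": r"C:\ProgramData\CertificationKit.ini",
     "sha256": "76aad2a7fa265778520398411324522c57bfd7d2ff30a5cfe6460960491bc552"},
    {"type": "registry", "key": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "value": r"C:\ProgramData\CertificationKit.ini"},
    {"type": "dns", "host": "nomercys.it.com."},
    {"type": "http", "host": "crates.io", "user_agent": "reqwest/0.12.23"},
]
```

The "weak:" prefix lets a downstream rule require a second indicator before alerting on the user-agent alone.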


THREAT ACTORS

Groups observed using it

2 distinct threat actors attributed by public researchers.

MuddyWater

According to public reports, Seedworm is presumably expanding its toolkit: RustyWater (a Rust-based RAT) is mentioned, as well as abuse of the RMM tools Syncro and PDQ Connect...

via codeby.net
Muddy Water

"...Muddy Water APT... deliver Rust based implants..." (report title references "RustyWater implant")

via ctoatncsc.substack.com
MITRE ATT&CK

Techniques & procedures

23 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access (2 techniques)

T1566 Phishing (evidence: 2)

From February to July 2024, more than 50 phishing emails were observed across 10+ sectors with hundreds of recipients.

T1566.001 Spearphishing Attachment (evidence: 3)

Delivery: Spear-phishing attachments themed around diplomacy, maritime, financial compliance, and cybersecurity alerts

Execution (5 techniques)

T1053 Scheduled Task/Job (evidence: 1)

MuddyWater, the long-standing MOIS-linked advanced persistent threat group, quietly deployed Rust-based implants known as GhostFetch, RustyWater and Dindoor into Israeli government networks and US systems as part of ongoing Operation Olalampo positioning. This phase represented classic pre-positioning, where state-sponsored advanced persistent threats prepared long-term access.

T1059 Command and Scripting Interpreter (evidence: 2)

The group's WMI-based persistence and memory-resident implant execution are specifically designed to evade the host-based detection tools most commonly deployed in government environments.

T1059.001 PowerShell (evidence: 2)

Execution & Persistence: PowerShell/PowerGoop, Rust-based implants (RustyWater/CHAR/Archer RAT), registry Run keys, scheduled tasks (T1059.001, T1547.001).

T1059.005 Visual Basic (evidence: 1)

CloudSEK (January 9, 2026): RustyWater/Archer RAT, delivered via phishing email titled “Cybersecurity Guidelines” from a compromised TMCell domain (Altyn Asyr CJSC, Turkmenistan). VBA macro WriteHexToFile dropped reddit.exe with Cloudflare branding.

T1204.002 Malicious File (evidence: 1)

Initial Access: Spear-phishing with malicious Word docs/VBA macros (T1566.001), macro execution (T1204.002).

Persistence (2 techniques)

T1053 Scheduled Task/Job (evidence: 1)

MuddyWater, the long-standing MOIS-linked advanced persistent threat group, quietly deployed Rust-based implants known as GhostFetch, RustyWater and Dindoor into Israeli government networks and US systems as part of ongoing Operation Olalampo positioning. This phase represented classic pre-positioning, where state-sponsored advanced persistent threats prepared long-term access.

T1547.001 Registry Run Keys / Startup Folder (evidence: 2)

The content repeatedly describes malware and threat actors establishing persistence by adding values under HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Run or RunOnce, and by placing executables, scripts, .lnk files, or batch files in the Windows Startup folder.

Privilege Escalation (3 techniques)

T1053 Scheduled Task/Job (evidence: 1)

MuddyWater, the long-standing MOIS-linked advanced persistent threat group, quietly deployed Rust-based implants known as GhostFetch, RustyWater and Dindoor into Israeli government networks and US systems as part of ongoing Operation Olalampo positioning. This phase represented classic pre-positioning, where state-sponsored advanced persistent threats prepared long-term access.

T1055 Process Injection (evidence: 1)

The RustyWater implant and the CHAR backdoor represent the apex of this evolution, incorporating asynchronous C2 communication, process injection, layered encryption

T1547.001 Registry Run Keys / Startup Folder (evidence: 2)

The content repeatedly describes malware and threat actors establishing persistence by adding values under HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Run or RunOnce, and by placing executables, scripts, .lnk files, or batch files in the Windows Startup folder.

Stealth (6 techniques)

T1027 Obfuscated Files or Information (evidence: 3)

Evasion: Anti-debugging, anti-VM, position-independent XOR encryption, randomised sleep intervals

T1036 Masquerading (evidence: 2)

Chromium_Stealer payload masquerading as a calculator application.

T1055 Process Injection (evidence: 1)

The RustyWater implant and the CHAR backdoor represent the apex of this evolution, incorporating asynchronous C2 communication, process injection, layered encryption

T1140 Deobfuscate/Decode Files or Information (evidence: 1)

“…employ multiple obfuscation techniques (T1140) …” / “modified UPX packing … encrypts its configuration using AES-256-CBC …”

T1497 Virtualization/Sandbox Evasion (evidence: 1)

Evasion: Anti-debugging, anti-VM, position-independent XOR encryption, randomised sleep intervals

T1620 Reflective Code Loading (evidence: 1)

Defense Evasion: Obfuscation, reflective loading, disabling security tools, living-off-the-land (T1027, T1620, T1562).

Credential Access (1 technique)

T1555.003 Credentials from Web Browsers (evidence: 1)

Credential Access & Collection: Browser credential dumping, system info gathering (T1555.003, T1082).

Discovery (2 techniques)

T1082 System Information Discovery (evidence: 1)

Credential Access & Collection: Browser credential dumping, system info gathering (T1555.003, T1082).

T1497 Virtualization/Sandbox Evasion (evidence: 1)

Evasion: Anti-debugging, anti-VM, position-independent XOR encryption, randomised sleep intervals

Collection (1 technique)

T1560 Archive Collected Data (evidence: 1)

BabyShark has encoded data using certutil before exfiltration... KONNI has used a custom base64 key to encode stolen data before exfiltration... Mafalda can encode data using Base64 prior to exfiltration.

Command and Control (4 techniques)

T1071 Application Layer Protocol (evidence: 1)

“most commonly rely on application layer protocols (T1071), such as HTTP …” and multiple groups use HTTPS/Discord/Telegram/DoH/MQTT.

T1071.001 Web Protocols (evidence: 3)

Implant: RustyWater Rust-based RAT with encrypted HTTP C2

T1105 Ingress Tool Transfer (evidence: 1)

MuddyWater maintained its Rust backdoors into US banks, airports and Israeli defence software companies.

T1132 Data Encoding (evidence: 2)

C2 traffic from ADVSTORESHELL is encrypted, then encoded with Base64 encoding... APT19 HTTP malware variant used Base64 to encode communications to the C2 server... APT33 has used base64 to encode command and control traffic.

Exfiltration (1 technique)

T1041 Exfiltration Over C2 Channel (evidence: 2)

Elise exfiltrates data using cookie values that are Base64-encoded... KONNI has used a custom base64 key to encode stolen data before exfiltration... Kevin can Base32 encode chunks of output files during exfiltration.

Other (1 technique)

T1562 Impair Defenses (evidence: 1)

Defense Evasion: Obfuscation, reflective loading, disabling security tools, living-off-the-land (T1027, T1620, T1562).

INDICATORS OF COMPROMISE

IOCs tracked for this family

1 indicator attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

Network
1 tracked

IPs, domains, and DNS infrastructure linked to this family.

Type: domain | Value: masked on the public page | Latest sighting: 4 months ago