RustyStealer

RustyStealer is an information-stealing malware family and credential-harvesting tool. The provided reporting describes it as a Rust-based stealer, including a newer "RustyStealer 2" variant, and in one analyzed sample as a Rust-compiled launcher carrying a 5.5 MB AES-encrypted payload. Its primary role is theft of credentials and other user data; reporting also states it is used to harvest browser sessions and cryptocurrency wallets. In observed intrusions, RustyStealer enabled attackers to compromise legitimate high-privilege accounts that were then used for lateral movement. Open-source reporting cited in the content says RustyStealer activity has been observed before deployment of Ymir ransomware, indicating its use as an access-enabling precursor in some intrusion chains.

RustyStealer has been documented since 2021. In a Kaspersky-observed intrusion, RustyStealer infiltrated multiple systems two days before Ymir ransomware was deployed. Attackers then used compromised high-privilege accounts with WinRM and PowerShell for lateral movement and remote control, and also installed tools such as Process Hacker and Advanced IP Scanner and executed SystemBC-related scripts. Separate reporting states that after abuse of a ScreenConnect installation, the follow-on malware was RustyStealer, which both harvested credentials and delivered additional malware.

The malware appears in multiple criminal distribution ecosystems. Breakglass Intelligence reported Amadey botnet campaigns tagged fbf543 distributing RustyStealer alongside other stealers, RATs, loaders, miners, and abused RMM tools, consistent with a pay-per-install or initial-access-broker style operation. In those campaigns, RustyStealer was one of many payload families delivered over several days. The content also states that Amadey drops RustyStealer, along with Vidar, LummaStealer, SalatStealer, and SantaStealer, to harvest credentials, browser sessions, and crypto wallets.

RustyStealer is also linked in the provided content to state-aligned activity. Synaptic Systems published a technical analysis describing RustyStealer as an infostealer used by the Iranian APT group MuddyWater. Separately, Breakglass Intelligence reported a SilverFox campaign targeting Chinese-speaking individuals in which RustyStealer was used alongside ValleyRAT and Gh0stRAT. In that campaign, a RustyStealer sample was disguised as a video-themed executable, persisted itself under %ProgramData% using one of 20 legitimate-sounding executable names, and exposed development artifacts including a PDB path of launcher.pdb and a Rust cargo path under C:\Users\dev.cargo, indicating a Windows-based Rust development environment.

High-confidence behaviors directly stated in the content include credential harvesting, theft of browser sessions and cryptocurrency wallets, delivery of additional malware, and use as a precursor to broader post-compromise activity. Targeting reflected in the content includes enterprise victims in ransomware intrusion chains and Chinese-speaking individuals in SilverFox social-engineering campaigns. No stable family-wide IOC set is provided in the content, but directly mentioned artifacts include the alias "RustyStealer 2," the PDB path "launcher.pdb," persistence under %ProgramData% using legitimate-sounding filenames, and the Rust cargo development path under C:\Users\dev.cargo.