- MuddyWater has deployed a Rust-based implant called RustyWater against Middle East diplomatic, maritime, financial, and telecom targets.
- Attackers use spear-phishing with malicious Word documents and VBA macros that prompt victims to “Enable content.”
- RustyWater (also tracked as Archer RAT and RUSTRIC) supports asynchronous C2, anti-analysis, registry persistence, and modular expansion.
- The activity marks a shift from PowerShell/VBS loaders and legitimate remote-access tools toward structured Rust implants; the group is linked to Iran’s Ministry of Intelligence and Security (MOIS).
The Iranian-linked actor MuddyWater has been observed running a spear-phishing campaign that delivers a Rust-based implant called RustyWater to targets in the Middle East. According to Prajwal Awasthi at CloudSEK, the campaign began this period and focuses on diplomatic, maritime, financial, and telecom organizations.
The emails impersonate Cybersecurity guidance and include Microsoft Word attachments. When opened, the documents instruct victims to "Enable content." That action runs a VBA macro that drops the Rust binary on the host system.
RustyWater — also known as Archer RAT and RUSTRIC — collects system information, checks for security software, and creates persistence via a Windows Registry key. The implant contacts a command-and-control server at nomercys.it[.]com to receive commands and transfer files.
CloudSEK described the toolset as low-noise and modular, stating that, "The campaign uses icon spoofing and malicious Word documents to deliver Rust based implants capable of asynchronous C2, anti-analysis, registry persistence, and modular post-compromise capability expansion." This marks an evolution from the group’s earlier reliance on PowerShell and VBS loaders.
The actor, tracked under names including Mango Sandstorm, Static Kitten, and TA450, has operated since at least 2017 and is assessed to be affiliated with Iran’s Ministry of Intelligence and Security (MOIS). Separate reporting noted that RUSTRIC activity was flagged by Seqrite Labs in attacks against IT firms, managed service providers, human resources, and software development companies in Israel.
✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.
