RustyWater RAT
The Iranian-linked threat actor commonly known as MuddyWater has been attributed to a new spear-phishing campaign aimed at diplomatic, maritime, financial, and telecommunications organizations across the Middle East. The activity centers on a Rust-based implant dubbed RustyWater, marking another step in the group's steady evolution toward custom-built malware.
Also tracked under the names Mango Sandstorm, Static Kitten, and TA450, MuddyWater is widely assessed to operate on behalf of Iran's Ministry of Intelligence and Security (MOIS). The group has been active since at least 2017 and maintains a persistent focus on regional government and private-sector targets.
Infection Vector: Weaponized Documents and Visual Deception
The attack chain is relatively simple but effective. Victims receive spear-phishing emails crafted to look like official cybersecurity guidance. These messages carry a malicious Microsoft Word attachment that leverages icon spoofing to appear legitimate.
When the document is opened, the user is prompted to "Enable Content." Accepting this prompt runs a malicious VBA macro that drops and executes the Rust-based payload. Because current Office builds block macros by default in files that carry the Mark of the Web, the chain depends on the victim clicking through that warning (or on the attachment reaching them without the mark), so this social engineering step remains critical to the campaign's success.
Malware Capabilities: Inside the RustyWater Implant
RustyWater, also known as Archer RAT or RUSTRIC, functions as a modular remote access trojan designed for stealth and flexibility. Once deployed, it collects detailed information about the infected system, checks for installed security products, and establishes persistence through a Windows Registry key.
The implant then initiates communication with a command-and-control server at 'nomercys.it[.]com', enabling asynchronous interaction. Through this channel, operators can execute commands, manage files, and extend functionality via additional modules, supporting long-term post-compromise operations.
Tradecraft Evolution: From Living-off-the-Land to Custom Tooling
Historically, MuddyWater relied heavily on PowerShell and VBS loaders, along with legitimate remote access tools, to conduct both initial access and follow-on activity. Over time, the group has deliberately reduced that dependence in favor of a growing portfolio of bespoke malware.
This custom ecosystem includes tools such as Phoenix, UDPGangster, BugSleep (also called MuddyRot), and MuddyViper. The adoption of Rust-based implants reflects a shift toward more structured, modular, and lower-noise capabilities that are harder to analyze and detect.
Broader Activity: RUSTRIC Beyond the Middle East
In late December 2025, researchers reported the use of RUSTRIC in a related set of intrusions targeting information technology firms, managed service providers, human resources departments, and software development companies in Israel. That cluster of activity is being tracked as UNG0801 and Operation IconCat.
These findings underscore that RustyWater is not an isolated experiment but an active component of MuddyWater's expanding offensive toolkit.
Strategic Implications: A More Mature Adversary
The emergence of RustyWater highlights MuddyWater's continued investment in purpose-built malware designed for persistence, modular expansion, and evasion. This progression signals a more mature operational posture, with tooling that supports quieter, longer-term access rather than overt, script-heavy activity.
For defenders, this evolution reinforces the need to scrutinize document-based phishing lures, monitor registry-based persistence mechanisms, and closely inspect unusual outbound connections, particularly those associated with newly observed Rust malware families.
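The three signals named above (an Office process spawning the dropped payload, a Registry autostart write, and outbound contact with the reported C2 domain) can be triaged from endpoint telemetry. The following is an added example, not MuddyWater tooling or any vendor's detection content: it runs simple rules over constructed Sysmon-style events. The article does not name the persistence key, so the Run/RunOnce keys checked here are an assumption, and the sample events are constructed, not real logs.

```python
"""Triage constructed endpoint telemetry for the RustyWater signals the article
names: a macro-bearing Word document spawning a payload, Registry-based
persistence, and DNS resolution of the reported C2 domain.

Added example, not MuddyWater tooling or vendor detection content. Events are
constructed Sysmon-style records; the persistence key is an assumed Run key,
since the article only says "a Windows Registry key".
"""
from dataclasses import dataclass

C2_DOMAINS = {"nomercys.it.com"}  # reported C2, defanged as nomercys.it[.]com in the article
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Assumed autostart locations (substring match, deliberately broad).
RUN_KEYS = (
    r"\Microsoft\Windows\CurrentVersion\Run",
    r"\Microsoft\Windows\CurrentVersion\RunOnce",
)


@dataclass
class Finding:
    rule: str
    detail: str


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def office_child_process(ev):
    """Sysmon EID 1: an Office application spawning a non-Office child is the
    footprint of a VBA macro dropping and executing a payload."""
    parent, child = _basename(ev.get("ParentImage", "")), _basename(ev.get("Image", ""))
    if parent in OFFICE_PARENTS and child not in OFFICE_PARENTS:
        return Finding("office_child_process", f"{parent} -> {child} ({ev.get('CommandLine', '')})")
    return None


def run_key_persistence(ev):
    """Sysmon EID 13: a value written under an autostart key (assumed key list)."""
    target = ev.get("TargetObject", "")
    if any(k.lower() in target.lower() for k in RUN_KEYS):
        return Finding("run_key_persistence", f"{target} = {ev.get('Details', '')}")
    return None


def c2_dns_query(ev):
    """Sysmon EID 22: lookup of the reported C2 domain or any subdomain of it.
    Matches on label boundaries so look-alike domains are not flagged."""
    q = ev.get("QueryName", "").lower().rstrip(".")
    for d in C2_DOMAINS:
        if q == d or q.endswith("." + d):
            return Finding("c2_dns_query", f"{ev.get('Image', '')} queried {q}")
    return None


RULES = {1: office_child_process, 13: run_key_persistence, 22: c2_dns_query}


def triage(events):
    """Apply the rule matching each event's ID; return findings in event order."""
    findings = []
    for ev in events:
        rule = RULES.get(ev.get("EventID"))
        if rule:
            hit = rule(ev)
            if hit:
                findings.append(hit)
    return findings


# Constructed sample telemetry (not real logs): one benign and one suspicious
# event per rule.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "WINWORD.EXE guidance.docm"},
    {"EventID": 1, "Image": r"C:\Users\user\AppData\Local\Temp\svchost.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": r"C:\Users\user\AppData\Local\Temp\svchost.exe"},
    {"EventID": 13, "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\user\AppData\Local\Temp\svchost.exe"},
    {"EventID": 13, "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Office\16.0\Word\Resiliency",
     "Details": "1"},
    {"EventID": 22, "Image": r"C:\Users\user\AppData\Local\Temp\svchost.exe",
     "QueryName": "nomercys.it.com"},
    {"EventID": 22, "Image": r"C:\Windows\System32\svchost.exe",
     "QueryName": "login.microsoftonline.com"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.detail}")
```

Run against the sample set, the script reports exactly one finding per rule; the Word launch from Explorer, the unrelated Office Registry write, and the legitimate Microsoft lookup are not flagged. In production these rules would be fed from Sysmon or EDR exports, and the Run-key rule in particular is a starting point rather than a complete autostart inventory.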