The Iranian threat actor MuddyWater is utilizing a new Rust-based implant called RustyWater in a spear-phishing campaign against diplomatic and financial sectors in the Middle East. This transition to custom, modular malware marks a significant evolution from their traditional reliance on legitimate remote monitoring tools and basic scripting languages.
The threat actor MuddyWater, which is linked to Iran's Ministry of Intelligence and Security, has launched a new campaign targeting various critical sectors including maritime and telecommunications. This operation utilizes a sophisticated implant known as RustyWater, also referred to as Archer RAT or RUSTRIC. The group, which has been active since 2017, is increasingly moving away from public remote access software toward a specialized arsenal of custom malware.
The attack begins with spear-phishing emails that pretend to offer cybersecurity guidelines. These emails contain a Microsoft Word document designed to trick the recipient into enabling content, which then triggers a malicious macro. This macro is responsible for deploying the final Rust-based payload onto the victim's system. By using icon spoofing and deceptive document formatting, the attackers increase the likelihood that a user will bypass standard security warnings.
Once the RustyWater implant is active on a machine, it performs several automated tasks to secure its foothold. It collects detailed information about the host, identifies any installed security software to avoid detection, and establishes persistence through the Windows Registry. The malware then connects to a remote command-and-control server to receive further instructions, which can include executing system commands or performing file operations.
This shift toward Rust-based tools represents a strategic upgrade in the group's technical capabilities. Unlike the PowerShell and VBS loaders MuddyWater used in the past, these newer implants are more structured and generate less noise, making them harder for traditional security products to detect. Recent reports indicate that variations of this activity have already been observed targeting IT and software development firms, particularly within Israel.
The continued diversification of MuddyWater's malware library, which now includes tools like Phoenix and BugSleep, demonstrates a high level of adaptability. By developing modular implants that allow for post-compromise expansion, the group can tailor its operations to specific targets more effectively. This trend highlights the ongoing professionalization of Iranian state-sponsored cyber operations as they seek more resilient and stealthy methods for regional espionage.
Source: MuddyWater Launches RustyWater RAT via Spear Phishing in Middle East Sectors
The shift from PowerShell loaders to Rust-based RATs is a pretty significant upgrade in stealthiness. What's interesting is how MuddyWater is moving toward modular, custom tooling instead of relying on legit remote monitoring software which used to be their go-to. I've seen similiar patterns with other APT groups phasing out commercial tools once defenses catch up. The registry persistence + C2 callback combo here isnt novel but wraping it in Rust makes static analysis way more tedious.