Iranian threat actor MuddyWater is conducting spear-phishing campaigns against Middle Eastern organizations using a new Rust-based remote access trojan called RustyWater, signaling a shift toward more sophisticated custom malware.

Iranian state-sponsored threat group MuddyWater (also known as TA450 or Mango Sandstorm) has launched a new spear-phishing campaign targeting diplomatic, maritime, financial, and telecommunications organizations across the Middle East. The attacks deploy a previously undocumented Rust-based remote access trojan dubbed RustyWater, marking a significant evolution in the group's offensive capabilities.
According to CloudSEK researcher Prajwal Awasthi, the campaign uses malicious Word documents disguised as cybersecurity guidelines. When victims enable document content, VBA macros execute to deliver the RustyWater payload. The malware employs icon spoofing techniques to appear legitimate and includes advanced capabilities:
- Asynchronous command-and-control communication
- Anti-analysis features to evade detection
- Registry-based persistence mechanisms
- Modular architecture for post-compromise capability expansion
RustyWater (also called Archer RAT or RUSTRIC) collects system information, detects security software, establishes persistence via Windows Registry keys, and communicates with the C2 server nomercys.it[.]com for file operations and command execution. Seqrite Labs previously observed this malware targeting Israeli IT, MSP, HR, and software development companies in late 2025.
CloudSEK's analysis highlights MuddyWater's strategic shift: "Historically, MuddyWater has relied on PowerShell and VBS loaders for initial access and post-compromise operations. The introduction of Rust-based implants represents a notable tooling evolution toward more structured, modular, and stealthy RAT capabilities." This transition reduces their dependence on legitimate remote access tools in favor of custom malware like Phoenix, UDPGangster, BugSleep, and MuddyViper.
Defense Recommendations
Security teams in targeted sectors should implement these measures:
- Email Filtering: Deploy advanced email security solutions that analyze attachment behavior rather than relying solely on signature detection
- Macro Restrictions: Enforce Group Policy settings to block Office macros from the internet (GPO: Disable all macros except digitally signed macros)
- Endpoint Monitoring: Use EDR solutions with behavioral detection for registry modification patterns (e.g., HKCU\Software\Microsoft\Windows\CurrentVersion\Run)
- Network Security: Block traffic to known malicious domains like nomercys.it[.]com and monitor for Rust-specific network signatures
- Security Training: Conduct regular phishing simulations focusing on document-based attacks with realistic lures
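The two concrete artifacts the article gives defenders are the Run-key persistence location and the C2 domain. The script below is an added example written for this page, not code from CloudSEK, Seqrite Labs, or any vendor product: it refangs the defanged domain into a blocklist, then walks simplified Sysmon-style key=value log lines (constructed sample data, not real telemetry) and flags Run-key values that point at user-writable directories as well as DNS queries for the C2 domain or any of its subdomains. The log format, field names, and the user-writable path list are assumptions chosen for the example.

```python
"""
Defender-side triage over constructed endpoint log lines:
  1. Run-key persistence whose data points into a user-writable directory
  2. DNS queries for a blocklisted domain (refanged from the article's IoC)
All sample input is constructed for this example.
"""
import re
from dataclasses import dataclass
from typing import Callable, Optional

# Indicator exactly as printed in the article (defanged); refanged before matching.
C2_DOMAIN_DEFANGED = "nomercys.it[.]com"


def refang(indicator: str) -> str:
    """Turn a defanged IoC ('[.]', 'hxxp') back into a matchable form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower()


# Matches the Run / RunOnce keys under any hive (HKCU, HKLM, HKU\<SID>).
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\",
    re.IGNORECASE,
)

# Assumed list of directories a standard user can write to; an autostart
# entry pointing here is a stronger signal than an installer under Program Files.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\downloads\\")


@dataclass
class Finding:
    rule: str
    line: str


def check_registry_event(line: str) -> Optional[Finding]:
    """Flag a SetValue event that writes a Run-key value into a user-writable path."""
    if "EventType=SetValue" not in line:
        return None
    target = re.search(r"TargetObject=(\S+)", line)
    details = re.search(r"Details=(.+)$", line)
    if not target or not details:
        return None
    if not RUN_KEY_RE.search(target.group(1)):
        return None
    data = details.group(1).strip().lower()
    if any(path in data for path in USER_WRITABLE):
        return Finding("run_key_user_writable_path", line)
    return None


def check_dns_event(line: str, blocklist: set) -> Optional[Finding]:
    """Flag a DNS query for a blocklisted domain or any subdomain of it."""
    query = re.search(r"QueryName=(\S+)", line)
    if not query:
        return None
    name = query.group(1).rstrip(".").lower()
    if any(name == d or name.endswith("." + d) for d in blocklist):
        return Finding("dns_query_blocklisted_domain", line)
    return None


def triage(log_text: str) -> list:
    """Run every check over every line; return findings in log order."""
    blocklist = {refang(C2_DOMAIN_DEFANGED)}
    checks: list[Callable[[str], Optional[Finding]]] = [
        check_registry_event,
        lambda l: check_dns_event(l, blocklist),
    ]
    findings = []
    for line in log_text.splitlines():
        for check in checks:
            hit = check(line)
            if hit:
                findings.append(hit)
    return findings


# Constructed sample log (simplified Sysmon-style fields): one suspicious Run-key
# write, one benign vendor entry, two C2 lookups and one benign lookup.
SAMPLE_LOG = """\
EventType=SetValue TargetObject=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater Details=C:\\Users\\alice\\AppData\\Roaming\\updater.exe
EventType=SetValue TargetObject=HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Vendor Details=C:\\Program Files\\Vendor\\agent.exe
EventType=DnsQuery QueryName=nomercys.it.com
EventType=DnsQuery QueryName=update.microsoft.com
EventType=DnsQuery QueryName=cdn.nomercys.it.com
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.rule}] {f.line}")
```

Only the user-writable Run-key write and the two C2 lookups are reported; the Program Files autostart and the Microsoft lookup pass. The subdomain match matters because blocklists keyed on an exact hostname miss infrastructure that rotates labels under the same registered domain.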
Organizations should prioritize these mitigations given MuddyWater's history of sustained operations and their affiliation with Iran's Ministry of Intelligence and Security. The group's adoption of Rust—a memory-safe language that complicates reverse engineering—demonstrates their continued investment in operational security and payload sophistication.
