Verticals Targeted: Diplomatic, Maritime, Financial, Telecom
Regions Targeted: Middle East
Related Families: Archer RAT / RUSTRIC
Executive Summary
A spear-phishing campaign linked to the Muddy Water APT group was observed deploying a new Rust-based implant called RustyWater against organizations in the Middle East. This evolution from legacy PowerShell and VBS tooling introduces enhanced modularity, anti-analysis features, and asynchronous command-and-control capabilities.
Key Takeaways
- Muddy Water leverages icon spoofing and malicious Word documents with VBA macros to deliver the RustyWater implant.
- The implant, compiled in Rust, incorporates anti-debugging, enumeration of installed AV and EDR products, Run-key registry persistence, and HTTP-based C2 built on the reqwest library, with victim data wrapped in several encoding and encryption layers before it leaves the host.
- Attribution relies on macro code reuse, targeting patterns, and tactical overlaps with prior Muddy Water operations.
- The campaign impersonates legitimate entities, including Turkmenistan’s primary mobile operator and UAE government offices, exploiting leaked credentials for spear-phishing.
What is RustyWater?
Researchers at CloudSEK’s TRIAD have detailed a recent spear-phishing operation attributed to Muddy Water, an Iran-nexus threat actor group known for espionage activities. The campaign targets diplomatic, maritime, financial, and telecommunications entities across the Middle East, employing deceptive emails to deliver a Rust-compiled remote access implant designated as RustyWater.
Initial access occurs through targeted emails impersonating trusted sources. One observed lure, titled “Cybersecurity Guidelines,” originates from an address mimicking the official contact for TMCell, Turkmenistan’s primary mobile operator. The attached document contains VBA macros that extract and execute a multi-stage payload.
Analysis with oletools (olevba) confirms the presence of macros. The primary macro function, WriteHexToFile, processes a hex-encoded byte stream embedded in a UserForm TextBox control. After removing formatting artifacts and validating the length, it decodes the stream into a binary PE file written to disk in the C:\ProgramData\ directory. A secondary obfuscated function reconstructs strings via Chr() calls to instantiate a WScript.Shell object, ultimately executing the dropped file via cmd.exe.
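The macro logic just described, as a triage helper: this is an added example and is not CloudSEK's, PolySwarm's or the actor's code. It rebuilds Chr()-concatenated strings from VBA source of the kind olevba prints, decodes a hex stream the way WriteHexToFile does (drop everything that is not a hex digit, require an even digit count, convert to bytes), and checks whether the result carries a valid MZ/PE header. The VBA text, the procedure names and the hex blob below are constructed stand-ins, not the campaign's artifacts; the real TextBox content has to be pulled from the document's form storage by the analyst.

```python
"""Triage helper for the described macro pattern (added example; the VBA
and the hex stream below are constructed, not the campaign's macro)."""
import re

# Constructed VBA resembling olevba's dump of the described macro: a
# Chr()-built "WScript.Shell" / "cmd.exe" and a call that writes the
# UserForm text box's hex stream to disk. Procedure names are invented.
SAMPLE_VBA = r'''
Private Sub Document_Open()
    WriteHexToFile UserForm1.TextBox1.Text, "C:\ProgramData\reddit.exe"
End Sub
Sub Launch()
    Dim s As String
    s = Chr(87) & Chr(83) & Chr(99) & Chr(114) & Chr(105) & Chr(112) & Chr(116) & Chr(46) & Chr(83) & Chr(104) & Chr(101) & Chr(108) & Chr(108)
    Set o = CreateObject(s)
    o.Run Chr(99) & Chr(109) & Chr(100) & Chr(46) & Chr(101) & Chr(120) & Chr(101) & " /c C:\ProgramData\reddit.exe", 0
End Sub
'''

# Constructed text-box content: a minimal MZ/PE header (e_lfanew = 0x40),
# hex-encoded and sprinkled with the whitespace, line breaks and quotes a
# form control tends to add.
_FAKE_PE = (b"MZ" + b"\x00" * 58 + (0x40).to_bytes(4, "little")
            + b"PE\x00\x00" + b"\x00" * 20)


def _spaced_hex(chunk: bytes) -> str:
    h = chunk.hex()
    return " ".join(h[j:j + 2] for j in range(0, len(h), 2))


SAMPLE_TEXTBOX = '"' + "\r\n".join(
    _spaced_hex(_FAKE_PE[i:i + 16]) for i in range(0, len(_FAKE_PE), 16)) + '"'

_CHR_RUN = re.compile(r"ChrW?\(\s*\d+\s*\)(?:\s*&\s*ChrW?\(\s*\d+\s*\))*")
_CHR_ONE = re.compile(r"ChrW?\(\s*(\d+)\s*\)")


def rebuild_chr_strings(vba: str) -> list[str]:
    """Join every run of Chr()/ChrW() calls concatenated with & back into text."""
    return ["".join(chr(int(n)) for n in _CHR_ONE.findall(m.group(0)))
            for m in _CHR_RUN.finditer(vba)]


def decode_hex_stream(text: str) -> bytes:
    """Mirror WriteHexToFile: strip quotes, spaces and line breaks (anything
    that is not a hex digit), then require an even digit count."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", text)
    if len(digits) % 2:
        raise ValueError("odd number of hex digits: stream is truncated or not hex")
    return bytes.fromhex(digits)


def looks_like_pe(blob: bytes) -> bool:
    """Check the MZ stub and that e_lfanew points at a PE\\0\\0 signature."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(blob[0x3C:0x40], "little")
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def triage(vba: str, textbox_text: str) -> dict:
    """Summarise what an analyst wants from the macro source and the blob."""
    strings = rebuild_chr_strings(vba)
    payload = decode_hex_stream(textbox_text)
    return {
        "rebuilt_strings": strings,
        "wscript_shell": any(s.lower() == "wscript.shell" for s in strings),
        "payload_size": len(payload),
        "payload_is_pe": looks_like_pe(payload),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_VBA, SAMPLE_TEXTBOX))
```

Feeding the rebuilt strings and the MZ/PE verdict into a sandbox report is usually enough to decide that a document is a dropper before the payload is ever run; the same two checks also make a reasonable YARA or olevba post-processing rule for this macro family.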
The dropped PE file carries a Cloudflare icon but is named reddit.exe; it is a Rust-compiled binary that aligns with limited prior reporting on Archer RAT (also known as RUSTRIC). Execution begins with anti-analysis measures, including registration of a Vectored Exception Handler to detect debugging attempts, followed by collection of system metadata such as username, computer name, and domain details.
All strings employ position-independent XOR encryption. Decrypted indicators include paths like C:\ProgramData\, registry locations under SOFTWARE\Microsoft\Windows\CurrentVersion\Run, user-agent strings referencing reqwest/0.12.23 (a widely used Rust HTTP client library; the exact version string is a usable network-detection pivot), and JSON content-type headers. The malware enumerates over 25 antivirus and EDR products by scanning for known files, services, and paths.
Persistence is achieved by adding an entry to the current user’s Run registry key, pointing to the CertificationKit.ini file in ProgramData. C2 communication occurs over HTTP using the reqwest library, with configured timeouts, connection pooling, retry logic, and randomized jitter via waitable timers to complicate detection. Victim data is structured as JSON, base64-encoded, and encrypted with XOR in a multi-layered approach before exfiltration.
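The XOR string encryption and the JSON, base64, XOR layering of victim data described in the two paragraphs above, as an added example that is not the implant's code or the researchers' tooling: it builds a beacon body in that layer order, reverses it, and then recovers a repeating XOR key from a captured body by known-plaintext, using the fact that base64 of a JSON object whose first field name is known has a fully predictable prefix. DEMO_KEY, the victim record and the field names are constructed for the example; nothing here is a key or value from the RustyWater samples.

```python
"""Layered beacon encoding (JSON -> base64 -> XOR) and known-plaintext key
recovery. Added example; DEMO_KEY and the victim record are constructed and
are not values from the RustyWater samples."""
import base64
import json

DEMO_KEY = bytes.fromhex("5a13c708913e64aa")  # constructed 8-byte key


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def encode_beacon(victim: dict, key: bytes) -> bytes:
    """Build the outbound body in the order the report describes:
    JSON serialise, base64, then XOR."""
    raw = json.dumps(victim, separators=(",", ":")).encode()
    return xor_bytes(base64.b64encode(raw), key)


def decode_beacon(blob: bytes, key: bytes) -> dict:
    """Reverse the layers; raises ValueError if the key is wrong."""
    obj = json.loads(base64.b64decode(xor_bytes(blob, key)))
    if not isinstance(obj, dict):
        raise ValueError("decoded body is not a JSON object")
    return obj


def known_prefix(json_prefix: bytes) -> bytes:
    """Base64 of the known leading JSON bytes, cut to whole 3-byte groups so
    every emitted character is fixed regardless of what follows."""
    usable = json_prefix[: len(json_prefix) // 3 * 3]
    return base64.b64encode(usable)


def recover_key(blob: bytes, json_prefix: bytes, max_key_len: int = 32):
    """Known-plaintext attack on the outer XOR layer. Because the body is
    base64 before XOR, its first bytes are predictable from the first JSON
    field name; XOR them with the ciphertext to read key bytes, then keep
    the shortest key length that yields a valid JSON object.
    Returns (key, decoded_dict), or None if no length works."""
    known = known_prefix(json_prefix)
    for klen in range(1, min(max_key_len, len(known)) + 1):
        candidate = xor_bytes(blob[:klen], known[:klen])
        try:
            return candidate, decode_beacon(blob, candidate)
        except ValueError:
            continue
    return None


if __name__ == "__main__":
    victim = {"username": "alice", "computer": "WS01", "domain": "CORP"}
    body = encode_beacon(victim, DEMO_KEY)
    print(recover_key(body, b'{"username":"'))
```

The recovery only needs as many predictable bytes as the key is long; a wrong guess for the first field name corrupts the key from the third base64 character onward and the search falls through. Stacking several repeating-key XOR layers, which is how "multi-layered" XOR is usually implemented, collapses into a single repeating key whose period is the least common multiple of the layer periods, so the same attack applies with a larger max_key_len.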
The implant leverages Rust’s tokio async runtime for concurrent handling of C2, file operations, and command execution. Post-compromise capabilities include process injection into explorer.exe using classic techniques, such as launching the target in a suspended state, retrieving thread context, allocating executable memory remotely with VirtualAllocEx, writing shellcode via WriteProcessMemory, and resuming execution.
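The injection sequence above, turned into detection logic and run over a constructed API-call trace: this is an added example and not sandbox output from the RustyWater samples or anyone's production rule. It keys on what distinguishes injection from a debugger or an ordinary launcher: a child created with CREATE_SUSPENDED, then a thread-context read, an executable remote allocation and a remote write, and only then ResumeThread. The trace format, PIDs and image names are invented for the example.

```python
"""Detection logic for the described injection sequence, run over a
constructed API-call trace (added example; the trace is invented)."""
from collections import defaultdict

CREATE_SUSPENDED = 0x00000004   # dwCreationFlags bit for CreateProcess
PAGE_EXECUTE_MASK = 0xF0        # PAGE_EXECUTE* protections (0x10..0x80)

# One event per line: <seq> <caller pid> <caller image> <api> key=value...
# Events 1-5 mirror the sequence the report describes against explorer.exe;
# 6-7 are an ordinary parent/child pair; 8-10 look like a debugger attach.
SAMPLE_TRACE = """\
1 4120 reddit.exe CreateProcessW image=C:\\Windows\\explorer.exe flags=0x00000004 child=5212
2 4120 reddit.exe GetThreadContext target=5212
3 4120 reddit.exe VirtualAllocEx target=5212 size=0x1000 protect=0x40
4 4120 reddit.exe WriteProcessMemory target=5212 size=0xd2c
5 4120 reddit.exe ResumeThread target=5212
6 7788 msedge.exe CreateProcessW image=C:\\Edge\\msedge.exe flags=0x00000000 child=7802
7 7788 msedge.exe WriteProcessMemory target=7802 size=0x200
8 9100 vsdbg.exe CreateProcessW image=C:\\Dev\\app.exe flags=0x00000004 child=9150
9 9100 vsdbg.exe GetThreadContext target=9150
10 9100 vsdbg.exe ResumeThread target=9150
"""

REQUIRED_BEFORE_RESUME = {"GetThreadContext", "VirtualAllocEx", "WriteProcessMemory"}


def parse_event(line: str) -> dict:
    """Split one trace line into its fixed columns plus key=value fields."""
    seq, pid, image, api, *kv = line.split()
    ev = {"seq": int(seq), "pid": pid, "image": image, "api": api}
    ev.update(item.split("=", 1) for item in kv)
    return ev


def detect_suspended_injection(trace: str) -> list[dict]:
    """Alert when a caller creates a child suspended, then (in any order)
    reads its thread context, allocates executable memory in it and writes
    to it, and finally resumes it. A ResumeThread without all three stages
    is consistent with debuggers and legitimate launchers and stays quiet."""
    tracked = {}                 # (caller pid, child pid) -> child image
    seen = defaultdict(set)      # (caller pid, child pid) -> stages observed
    alerts = []
    for line in trace.splitlines():
        ev = parse_event(line)
        if ev["api"] == "CreateProcessW":
            if int(ev["flags"], 16) & CREATE_SUSPENDED:
                tracked[(ev["pid"], ev["child"])] = ev["image"]
            continue
        key = (ev["pid"], ev.get("target"))
        if key not in tracked:
            continue
        if ev["api"] == "VirtualAllocEx" and not int(ev["protect"], 16) & PAGE_EXECUTE_MASK:
            continue             # a non-executable remote allocation does not count
        if ev["api"] == "ResumeThread":
            if seen[key] >= REQUIRED_BEFORE_RESUME:
                alerts.append({"seq": ev["seq"], "source_pid": ev["pid"],
                               "source_image": ev["image"], "target_pid": key[1],
                               "target_image": tracked[key]})
            del tracked[key]     # a resumed child is no longer a suspended target
            seen.pop(key, None)
            continue
        seen[key].add(ev["api"])
    return alerts


if __name__ == "__main__":
    for alert in detect_suspended_injection(SAMPLE_TRACE):
        print(alert)
```

The same state machine maps onto Sysmon or ETW telemetry (process creation with the suspended flag, CreateRemoteThread/VirtualAllocEx hooks from an EDR), and the executable-protection check is what keeps ordinary parent-to-child memory writes from firing.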
Attribution to Muddy Water rests on high-confidence indicators, including near-identical VBA macro patterns reused from previous campaigns, as well as consistent targeting and lures impersonating regional governments and organizations. Additional pivots revealed similar decoys aimed at UAE financial and education sectors, as well as maritime entities in the Middle East.
This shift to Rust-based tooling marks a meaningful advancement for Muddy Water, enhancing resilience through modularity, reduced noise, and expanded post-exploitation potential while maintaining familiar initial access vectors.
Who is Muddy Water?
Muddy Water, also known as Earth Vetala, MERCURY, Static Kitten, Seedworm, TEMP.Zagros, Mango Sandstorm, and TA450, is an Iranian cyber espionage group. The group has been active since at least 2017.
Muddy Water commonly employs spearphishing with malicious attachments such as Word documents containing macros, PDFs, and executables to gain initial access, often prompting users to enable content. It leverages PowerShell, VBScript, JavaScript, and Python for execution and payload delivery, establishes persistence through Registry Run keys, scheduled tasks, and Word templates, and conducts credential access using tools like Mimikatz and LaZagne. The group exploits publicly known vulnerabilities, uses living-off-the-land techniques with legitimate remote management tools, communicates with C2 servers over HTTP, and exfiltrates data via file-sharing services while applying obfuscation methods such as Base64 and AES encryption to evade detection. In recent campaigns, it has deployed custom backdoors including BugSleep, Phoenix, UDPGangster, and RustyWater.
Muddy Water primarily targets government organizations, telecommunications, defense, local government, oil and natural gas, and critical infrastructure sectors. Its operations span the MENA region, including Israel, Saudi Arabia, UAE, Iraq, Turkey, Egypt, and others, with additional activity observed in Asia, Europe, and North America. The group is assessed to be a subordinate element within Iran's Ministry of Intelligence and Security (MOIS), conducting cyber espionage in support of Iranian government objectives.
IOCs
PolySwarm has multiple samples of RustyWater.
76aad2a7fa265778520398411324522c57bfd7d2ff30a5cfe6460960491bc552
f38a56b8dc0e8a581999621eef65ef497f0ac0d35e953bd94335926f00e9464f
7523e53c979692f9eecff6ec760ac3df5b47f172114286e570b6bba3b2133f58
e61b2ed360052a256b3c8761f09d185dad15c67595599da3e587c2c553e83108
a2001892410e9f34ff0d02c8bc9e7c53b0bd10da58461e1e9eab26bdbf410c79
c23bac59d70661bb9a99573cf098d668e9395a636dc6f6c20f92c41013c30be8
42ad0c70e997a268286654b792c7833fd7c6a2a6a80d9f30d3f462518036d04c
e081bc408f73158c7338823f01455e4f5185a4365c8aad1d60d777e29166abbd
3d1e43682c4d306e41127ca91993c7befd6db626ddbe3c1ee4b2cf44c0d2fb43
ddc6e6c76ac325d89799a50dffd11ec69ed3b5341740619b8e595b8068220914
Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports.