MuddyWater linked to Rust-based phishing campaign targeting Middle East

An Iranian threat actor known as ‘MuddyWater’ has launched a new spear-phishing campaign targeting diplomatic, maritime, financial, and telecommunications organizations across the Middle East. The attack delivered a Rust-based remote access implant dubbed ‘RustyWater,’ according to a report from CloudSEK.

According to the researchers, the campaign uses icon spoofing and malicious Word documents to deliver Rust-based implants capable of asynchronous C2, anti-analysis, registry persistence, and modular post-compromise capability expansion. It relies on phishing emails posing as cybersecurity guidelines, with attached Microsoft Word documents that prompt victims to enable macros, triggering the deployment of the Rust implant.

RustyWater (aka Archer RAT or RUSTRIC) collects system information, identifies installed security software, establishes persistence through Windows Registry keys, and communicates with a command-and-control (C&C) server to enable file manipulation and command execution.

Tracked as Mango Sandstorm, Static Kitten, and TA450, MuddyWater is believed to be affiliated with Iran’s Ministry of Intelligence and Security and has been active since at least 2017.

“Historically, Muddy Water has relied on PowerShell and VBS loaders for initial access and post-compromise operations. The introduction of Rust-based implants represents a notable tooling evolution toward more structured, modular, and low noise RAT capabilities,” the researchers noted in the report.
