MuddyWater Deploys Rust-Based RAT in Middle East Campaign
Iranian APT group shifts tactics with RustyWater implant targeting diplomatic, financial, and telecom sectors across the Middle East via spear-phishing.
The Iranian threat actor MuddyWater has added a Rust-based remote access trojan to its arsenal, marking a departure from the group's historical reliance on PowerShell and VBS loaders. Researchers at CloudSEK identified the new implant, dubbed RustyWater, in a spear-phishing campaign targeting diplomatic, maritime, financial, and telecommunications organizations across the Middle East.
The shift to Rust is a calculated move. Moving the implant out of interpreted scripts and into a compiled binary removes the script text that endpoint products inspect and fingerprint, and Rust's output (statically linked, heavily inlined and monomorphized, with its own string and panic machinery) takes far more analyst time to reverse engineer than a PowerShell or VBS loader that can simply be read.
How the Attack Works
The campaign uses spear-phishing emails masquerading as cybersecurity guidelines. One sample came from a spoofed TMCell email address—the primary mobile operator in Turkmenistan—lending credibility to the message.
Attached Word documents prompt victims to enable macros. The VBA code shares characteristics with previous MuddyWater operations, including the reuse of WriteHexToFile and love_me_ functions. These patterns feature hex-encoded payloads embedded within UserForm controls, a technique the group has used consistently.
Once macros execute, they drop and run the RustyWater binary.
RustyWater's Capabilities
The implant starts by registering a Vectored Exception Handler, which lets it intercept exceptions a debugger would otherwise consume and react when one is attached, giving it both anti-debugging and anti-tampering coverage. It then collects victim machine details (username, computer name, domain membership) before checking for security software.
CloudSEK found RustyWater scans for more than 25 antivirus and EDR products by looking for agent files, service names, and installation paths. This reconnaissance helps operators understand the defensive posture before taking further action.
Command-and-control traffic is wrapped in three layers: each message is serialized as JSON, base64-encoded, then XOR-encrypted before transmission. Strings inside the binary are likewise stored XOR-encrypted (CloudSEK describes the scheme as position-independent) and decoded only at runtime, so they do not show up in a plain strings dump and static analysis has to recover them first.
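To make that layering concrete, the following is an added Python example (not CloudSEK's tooling and not code from the malware) that builds a message with the JSON, base64, XOR stacking and then recovers it from the wire bytes without knowing the key, using the base64 alphabet and JSON validity as the oracle. The single-byte XOR key, the beacon field names and the captured bytes are constructed assumptions; the report does not disclose the key scheme.

```python
"""Peel RustyWater-style C2 layering: JSON -> base64 -> XOR.

Added example for this article; not CloudSEK's tooling and not code from
the malware. Assumptions: a single-byte XOR key applied to the base64 text,
and the beacon field names below. Both are constructed for the demo.
"""
import base64
import binascii
import json
import string

# Standard base64 alphabet plus '=' padding: the only bytes a correct
# de-XOR of the outer layer may produce.
B64_ALPHABET = frozenset((string.ascii_letters + string.digits + "+/=").encode())


def encode_c2(payload: dict, key: int) -> bytes:
    """Build wire bytes the way the report describes the stack."""
    b64 = base64.b64encode(json.dumps(payload, separators=(",", ":")).encode())
    return bytes(b ^ key for b in b64)


def decode_c2(blob: bytes, key: int):
    """Strip XOR, then base64, then parse JSON. Returns None on any failure."""
    unxored = bytes(b ^ key for b in blob)
    if not unxored or any(b not in B64_ALPHABET for b in unxored):
        return None
    try:
        return json.loads(base64.b64decode(unxored, validate=True))
    except (binascii.Error, UnicodeDecodeError, json.JSONDecodeError):
        return None


def recover_key(blob: bytes) -> list:
    """Brute-force the single-byte key; keep keys that survive both inner layers.

    The base64 alphabet is a strong filter (every output byte must land in a
    65-symbol set), and the JSON parse removes the rest, so a blob of realistic
    length normally yields exactly one (key, message) pair.
    """
    hits = []
    for key in range(256):
        msg = decode_c2(blob, key)
        if isinstance(msg, dict):
            hits.append((key, msg))
    return hits


# Constructed sample beacon; field names are illustrative, not observed.
SAMPLE_KEY = 0x5A
SAMPLE_BEACON = {"host": "WS-FIN-07", "user": "j.doe", "domain": "CORP", "cmd": "whoami"}
SAMPLE_BLOB = encode_c2(SAMPLE_BEACON, SAMPLE_KEY)

if __name__ == "__main__":
    print("wire bytes:", SAMPLE_BLOB.hex())
    for key, msg in recover_key(SAMPLE_BLOB):
        print(f"key=0x{key:02x} -> {msg}")
```

If the real key turns out to be multi-byte, the same oracle still applies per key position: base64's 65-symbol alphabet rejects almost every wrong byte, so each position can be recovered independently once the key length is guessed.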
The RAT can execute commands, perform file operations, and maintain persistence through Windows Registry modifications.
Why Rust Matters
MuddyWater historically built its initial access tooling around PowerShell scripts and VBS loaders—effective but increasingly flagged by security products. Organizations defending against Iranian APT activity have tuned their detections accordingly.
Rust changes the calculus. A compiled binary never passes through the script-specific telemetry that PowerShell and VBS tradecraft generates (script block logging, AMSI scans of the decoded script body), so detections built on that data do not fire. Memory safety reduces the crash-inducing bugs that could destabilize the implant and draw attention. And because Rust malware is still comparatively rare, fewer signatures and behavioral rules exist to catch it.
The tooling evolution follows a pattern seen across multiple threat actors. Several APT groups have adopted Rust, Go, and other compiled languages over the past two years to evade detection systems tuned for script-based attacks. Chinese groups such as Mustang Panda have made comparable investments in stealth, deploying kernel rootkits to maintain persistence.
Attribution Confidence
CloudSEK attributes the campaign to MuddyWater with high confidence based on VBA macro code overlaps, infrastructure patterns, and targeting consistent with the group's historical focus. MuddyWater operates under Iran's Ministry of Intelligence and Security (MOIS) and is tracked by various organizations as Earth Vetala, MERCURY, Static Kitten, and Mango Sandstorm.
The group primarily targets organizations in the Middle East but has expanded operations in recent campaigns. CloudSEK observed indicators suggesting victims in India, the UAE, and other countries beyond Israel, the group's core target.
Seqrite Labs separately flagged RustyWater (also known as RUSTRIC and Archer RAT) in attacks against IT companies, managed service providers, HR firms, and software development companies in Israel.
Defensive Recommendations
Organizations in targeted sectors should implement additional controls:
- Block macros in documents that carry the Mark of the Web, using the Office Group Policy setting "Block macros from running in Office files from the Internet" or application control; Office's default block helps, but users can still unblock a file unless policy enforces it
- Monitor for unusual Rust binaries in user-accessible directories
- Hunt for VBA macro patterns associated with MuddyWater, particularly WriteHexToFile function calls
- Inspect outbound traffic for multi-layer encoded payloads typical of the C2 protocol
- Review registry run keys for unexpected persistence entries
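The second recommendation, hunting for Rust binaries in user-writable paths, needs a way to tell a Rust-compiled PE from any other. As an added example (not CloudSEK's tooling or anything from the report), the following Python scanner applies string heuristics the Rust standard library leaves in release builds: the `/rustc/<commit>/library/...` source paths embedded for panic locations and the standard unwrap and panic messages. The directory walk, the file extensions and the sample byte buffers are constructed for the demonstration.

```python
"""Triage PE files for Rust compilation artifacts.

Added example for this article; not CloudSEK's tooling. The markers are
strings the Rust standard library routinely leaves in release builds. A
binary built with --remap-path-prefix, with panic strings stripped, or
packed will evade them, so a hit is a hunting lead, not a verdict.
"""
import os
import re
import tempfile

# Marker name -> byte regex. The first is the source path rustc embeds for
# std/core panic locations ("/rustc/<commit>/library/std/src/...").
RUST_MARKERS = {
    "rustc_src_path": re.compile(rb"/rustc/[0-9a-f]{40}/library/(?:std|core|alloc)/src/"),
    "option_unwrap_panic": re.compile(rb"called `Option::unwrap\(\)` on a `None` value"),
    "result_unwrap_panic": re.compile(rb"called `Result::unwrap\(\)` on an `Err` value"),
    "panic_symbols": re.compile(rb"rust_begin_unwind|rust_panic|core::panicking"),
}


def rust_markers(data: bytes) -> list:
    """Return the names of every marker present in the file contents."""
    return sorted(name for name, rx in RUST_MARKERS.items() if rx.search(data))


def is_rust_pe(data: bytes, min_markers: int = 2) -> bool:
    """PE header plus at least min_markers distinct Rust artifacts."""
    return data[:2] == b"MZ" and len(rust_markers(data)) >= min_markers


def scan_directory(root: str, exts=(".exe", ".dll"), max_bytes: int = 64 << 20) -> list:
    """Walk root (e.g. a user's AppData or Temp) and return [(path, markers)] for Rust PEs."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read(max_bytes)
            if is_rust_pe(data):
                hits.append((path, rust_markers(data)))
    return hits


# Constructed stand-ins for a Rust-built PE and an ordinary one (not real samples).
SAMPLE_RUST_PE = (
    b"MZ" + b"\x00" * 62
    + b"/rustc/0123456789abcdef0123456789abcdef01234567/library/std/src/panicking.rs\x00"
    + b"called `Option::unwrap()` on a `None` value\x00"
)
SAMPLE_OTHER_PE = b"MZ" + b"\x00" * 62 + b"kernel32.dll\x00WriteFile\x00"


def demo_scan() -> list:
    """Write both samples to a temp dir, scan it, return the flagged file names."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in (("rusty_sample.exe", SAMPLE_RUST_PE), ("plain_sample.exe", SAMPLE_OTHER_PE)):
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(data)
        return sorted(os.path.basename(p) for p, _ in scan_directory(tmp))


if __name__ == "__main__":
    print("flagged:", demo_scan())
```

Point `scan_directory` at the paths a macro-dropped binary would land in (the user's profile, Temp, Downloads) and feed the hits into the rest of the hunt: a Rust PE that is unsigned, newly created, and spawned by an Office process is worth pulling for analysis.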
The campaign demonstrates that nation-state actors continue adapting their tooling to evade detection. Security teams tracking threat intelligence should expect compiled malware to become more common as interpreted script-based attacks face increasing friction from endpoint defenses.