MuddyWater Escalates Espionage Campaigns With New Rust-Based Malware “RustyWater”

An Iran-linked threat actor known as MuddyWater has been linked to a newly identified spear-phishing campaign targeting diplomatic, maritime, financial, and telecommunications organizations across the Middle East. The operation deploys a Rust-based remote access trojan (RAT) dubbed RustyWater, signaling a continued evolution in the group’s malware development strategy.

According to a recent report by CloudSEK researcher Prajwal Awasthi, the campaign relies on icon spoofing and malicious Microsoft Word documents to trick victims into enabling macros. Once activated, a malicious VBA macro installs the Rust-based implant, granting attackers persistent and stealthy access to compromised systems.

RustyWater is designed with asynchronous command-and-control (C2) communication, anti-analysis techniques, Windows Registry–based persistence, and a modular architecture that allows attackers to expand capabilities after initial compromise. This marks a shift away from MuddyWater’s historical dependence on legitimate remote access tools and lightweight scripting-based loaders.

Tracked by the security community under multiple aliases — including Mango Sandstorm, Static Kitten, and TA450 — MuddyWater is believed to operate on behalf of Iran’s Ministry of Intelligence and Security (MOIS) and has been active since at least 2017. Over time, the group has built a diverse custom malware ecosystem, incorporating tools such as Phoenix, UDPGangster, BugSleep (MuddyRot), and MuddyViper.

The RustyWater infection chain begins with spear-phishing emails disguised as cybersecurity advisories. Attached Word documents prompt users to “Enable Content,” triggering the macro that drops the Rust payload. Once installed, the malware collects system information, enumerates installed security products, and connects to a remote C2 server at nomercys[.]it[.]com to receive commands, execute payloads, and manage files.
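As an added, defender-side illustration (not code from CloudSEK, Seqrite, or this article), the Python below turns the chain just described into two checks: whether an OOXML Word document carries a VBA project (the macro the lure depends on), and a pass over endpoint telemetry for an Office process launching an executable from a user-writable path and for a write to a Run key, the Registry-based persistence the article attributes to RustyWater. The document, the event records and the paths are constructed samples, and the event field names are an assumed generic schema rather than any product's real log format.

```python
import io
import re
import zipfile

# --- Check 1: does an OOXML Office document carry a VBA project? -------------
# OOXML files are zip containers; a macro project is stored as word/vbaProject.bin.

def build_sample_docm(with_macro: bool) -> bytes:
    """Constructed stand-in for a Word document; NOT a real RustyWater lure."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Placeholder bytes standing in for a compiled VBA project.
            z.writestr("word/vbaProject.bin", b"placeholder-vba-project")
    return buf.getvalue()


def has_vba_project(doc_bytes: bytes) -> bool:
    """True if the document is a zip container that includes a vbaProject.bin."""
    try:
        with zipfile.ZipFile(io.BytesIO(doc_bytes)) as z:
            return any(n.lower().endswith("vbaproject.bin") for n in z.namelist())
    except zipfile.BadZipFile:
        return False


# --- Check 2: Office-spawned executables and Run-key persistence ---------------
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
USER_WRITABLE_RE = re.compile(r"\\(?:AppData|Temp|ProgramData|Downloads)\\", re.I)
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\", re.I)

# Constructed telemetry with an assumed generic schema (event, image, parent, key, value).
SAMPLE_EVENTS = [
    {"event": "process_create",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Users\victim\AppData\Local\Temp\updater.exe"},
    {"event": "process_create",
     "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"event": "registry_set",
     "image": r"C:\Users\victim\AppData\Local\Temp\updater.exe",
     "key": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "value": r"C:\Users\victim\AppData\Local\Temp\updater.exe"},
    {"event": "registry_set",
     "image": r"C:\Windows\System32\svchost.exe",
     "key": r"HKLM\SYSTEM\CurrentControlSet\Services\Example\Start",
     "value": "2"},
]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule, detail) tuples for events matching either detection rule."""
    findings = []
    for e in events:
        if e["event"] == "process_create" and basename(e["parent"]) in OFFICE_PARENTS:
            # Word/Excel/PowerPoint launching a binary from a user-writable
            # directory is the typical footprint of a macro dropping a payload.
            if USER_WRITABLE_RE.search(e["image"]):
                findings.append(("office_child_from_user_dir", e["image"]))
        elif e["event"] == "registry_set" and RUN_KEY_RE.search(e["key"]):
            # A Run/RunOnce value pointing at a freshly dropped binary is the
            # Registry persistence style described for RustyWater.
            findings.append(("run_key_persistence", e["key"]))
    return findings


if __name__ == "__main__":
    print("macro-enabled sample:", has_vba_project(build_sample_docm(True)))
    print("clean sample:", has_vba_project(build_sample_docm(False)))
    for rule, detail in detect(SAMPLE_EVENTS):
        print(f"{rule}: {detail}")
```

The document check is deliberately coarse: it only reports that a VBA project is present, which is what mail-gateway or file-scanning policy usually keys on before deciding whether to strip or sandbox the file. The telemetry rules pair well together because the first fires at drop time and the second at persistence time, so a host that matches both in a short window deserves an immediate look.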

RustyWater — also known as Archer RAT or RUSTRIC — was previously flagged by Seqrite Labs in late 2024 during attacks aimed at IT firms, managed service providers (MSPs), HR departments, and software development companies in Israel. Seqrite tracks this activity as UNG0801, referring to the broader operation as Operation IconCat.

Security researchers note that MuddyWater’s adoption of Rust reflects a deliberate move toward more resilient, low-noise malware that is harder to analyze and detect. As CloudSEK highlighted, this transition represents a notable upgrade in the group’s operational maturity and long-term espionage capabilities.
