Rust in the Water: Iranian Hackers Deploy New “RustyWater” RAT Across Middle East
The Iranian threat collective MuddyWater has intensified its offensives against organizations across the Middle East, deploying a sophisticated novel malware strain authored in the Rust programming language. This campaign has primarily set its sights on diplomatic missions, telecommunications providers, maritime shipping enterprises, and financial institutions.
According to assessments by CloudSEK analysts, the adversaries disseminate spear-phishing emails masquerading as cybersecurity advisories. These emails carry Microsoft Word documents embedded with malicious macros; once the recipient enables the content, the macro retrieves a program dubbed RustyWater. This Remote Access Trojan (RAT) is engineered to evade forensic analysis, maintain persistence within the host environment, and expand its functional repertoire following the initial breach.
RustyWater—alternatively identified as Archer RAT and RUSTRIC—exfiltrates granular system telemetry, checks for the presence of defensive software, and creates Windows registry keys to ensure long-term persistence. It subsequently connects to a command-and-control server to execute arbitrary instructions and manipulate files.
The utilization of RUSTRIC was also recently corroborated by Seqrite Labs. In December, they documented incursions targeting technology firms, managed IT service providers, and departments specializing in human resources and software development within Israel. These maneuvers are tracked under the monikers UNG0801 and Operation IconCat.
Analysts observe that the group’s stratagems are achieving a new echelon of sophistication. Whereas MuddyWater previously favored conventional tools such as PowerShell and VBS scripts for initial ingress and lateral movement, they have since transitioned to bespoke solutions characterized by intricate architectures and remarkably low detection rates. Beyond RustyWater, the group’s current arsenal features malicious programs such as Phoenix, UDPGangster, BugSleep, and MuddyViper.
The collective—also known by aliases such as Mango Sandstorm, Static Kitten, and TA450—is widely believed to be affiliated with the Iranian Ministry of Intelligence and has been active since at least 2017. This shift from legitimate remote administration tools to proprietary malware underscores a calculated evolution in their operational maturity and a steadfast commitment to enhancing the efficacy of their espionage activities.