MuddyWater Launches RustyWater RAT Through Spear-Phishing Targeting Middle East Sectors

Cybersecurity researchers have uncovered a new spear-phishing campaign linked to the Iranian threat actor MuddyWater, a group tracked under multiple aliases, targeting critical sectors across the Middle East. The operation delivers a Rust-based remote access trojan called RustyWater, signaling a continued shift toward more advanced and stealthy malware frameworks.

Campaign Overview

According to a recent report by CloudSEK researcher Prajwal Awasthi, the campaign relies on carefully crafted spear-phishing emails that impersonate official cybersecurity guidance. These emails carry malicious Microsoft Word documents that use icon spoofing to appear legitimate.

Once the document is opened, the victim is prompted to enable content. This action activates a malicious VBA macro that deploys the RustyWater implant on the compromised system. The infection chain is designed to be simple yet effective, reducing user suspicion while ensuring successful execution.

Technical Capabilities of RustyWater

RustyWater, also referred to as Archer RAT or RUSTRIC, is a Rust-based implant equipped with multiple post-exploitation capabilities. These include asynchronous command-and-control communication, anti-analysis techniques, registry-based persistence, and modular expansion for additional functionality after compromise.

The malware collects detailed system information, identifies installed security solutions, and establishes persistence through a Windows Registry key. It then connects to a command-and-control server, identified as nomercys.it[.]com, enabling the attackers to execute commands and manage files remotely.
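As an added defender-side example (not code from the CloudSEK report or from any RustyWater sample), the following Python triage helper correlates the behaviours described above across constructed endpoint telemetry: a process spawned by an Office application (the macro stage), a write to an autostart registry key (persistence), and a DNS lookup of the reported C2 domain. The telemetry format, the hostnames and the Run/RunOnce key paths are assumptions, since the report does not name the exact registry key RustyWater uses.

```python
import json
from collections import defaultdict
# Defanged C2 domain quoted in the report; refanged only for matching telemetry.
C2_DOMAIN = "nomercys.it[.]com".replace("[.]", ".")
# The report only says "a Windows Registry key", so these common Run/RunOnce
# paths are an assumption for the check, not RustyWater's actual key.
AUTOSTART_MARKERS = ("\\currentversion\\run\\", "\\currentversion\\runonce\\")
# Office hosts that execute VBA; a macro-launched implant descends from them.
OFFICE_PROCS = {"winword.exe", "excel.exe", "powerpnt.exe"}

def registry_autostart(ev):
    """True for a registry write into a Run/RunOnce key."""
    target = ev.get("target", "").lower()
    return ev.get("type") == "registry_set" and any(m in target for m in AUTOSTART_MARKERS)

def c2_contact(ev):
    """True for a DNS lookup or connection to the reported C2 domain."""
    return ev.get("type") in ("dns", "network") and ev.get("domain", "").lower() == C2_DOMAIN

def office_child(ev):
    """True for a process whose parent is an Office application."""
    return ev.get("type") == "process" and ev.get("parent", "").lower() in OFFICE_PROCS

def triage(events):
    """Collect indicators per host; returns {host: (severity, sorted reasons)}."""
    hits = defaultdict(set)
    for ev in events:
        host = ev.get("host", "unknown")
        if registry_autostart(ev):
            hits[host].add("autostart registry write")
        if c2_contact(ev):
            hits[host].add("contact with reported C2 domain")
        if office_child(ev):
            hits[host].add("process spawned by Office (macro)")
    # Any C2 contact, or two behaviours on one host, warrants immediate attention.
    return {h: ("high" if "contact with reported C2 domain" in r or len(r) >= 2 else "medium",
                sorted(r)) for h, r in hits.items()}

def triage_log(text):
    """Parse newline-delimited JSON events (assumed format) and triage them."""
    return triage(json.loads(line) for line in text.splitlines() if line.strip())

# Constructed sample telemetry, not real logs; hostnames and paths are invented.
SAMPLE_LOG = r"""
{"host": "ws01", "type": "process", "image": "C:\\Users\\a\\AppData\\Roaming\\upd.exe", "parent": "WINWORD.EXE"}
{"host": "ws01", "type": "registry_set", "target": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\upd"}
{"host": "ws01", "type": "dns", "domain": "nomercys.it.com"}
{"host": "ws02", "type": "registry_set", "target": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive"}
{"host": "ws03", "type": "dns", "domain": "example.com"}
"""
```

Running `triage_log(SAMPLE_LOG)` rates ws01 as high (all three behaviours), ws02 as medium (a lone autostart write, which is also common benign activity) and omits ws03 entirely.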

Evolution of MuddyWater Tradecraft

Historically, MuddyWater relied heavily on PowerShell and VBS loaders for both initial access and post-compromise activity. In recent years, the group has gradually reduced its dependence on legitimate remote access tools and shifted toward a custom malware ecosystem. This toolkit includes known components such as Phoenix, UDPGangster, BugSleep (also called MuddyRot), and MuddyViper.

The adoption of Rust-based implants reflects a clear evolution toward more structured, modular, and low-noise tooling, making detection and analysis more challenging for defenders.

Attribution and Related Activity

MuddyWater is also tracked under names such as Mango Sandstorm, Static Kitten, and TA450. The group is widely assessed to be affiliated with Iran’s Ministry of Intelligence and Security and has been active since at least 2017.

Seqrite Labs recently reported similar use of RUSTRIC in attacks against IT firms, managed service providers, human resources departments, and software development companies in Israel. That activity is being monitored under the identifiers UNG0801 and Operation IconCat.
