Security researchers at CloudSEK have identified a new spear-phishing campaign by the Iranian threat actor MuddyWater, deploying a previously unseen Rust-based implant dubbed RustyWater. The malware represents a significant upgrade to the group’s capabilities, incorporating advanced anti-analysis techniques.
Campaign overview
| Attribute | Details |
|---|---|
| Threat actor | MuddyWater (MERCURY, Static Kitten, Seedworm, Mango Sandstorm, Earth Vetala, TA450) |
| Attribution | Iranian Ministry of Intelligence and Security (MOIS) |
| Campaign period | December 2025 – January 2026 |
| Primary targets | Middle East diplomatic, maritime, financial, telecom |
| Initial vector | Spear-phishing with malicious Word documents |
| Payload | RustyWater Rust-based implant |
| Also known as | Archer RAT, RUSTRIC |
Target profile
MuddyWater is targeting organizations of strategic interest to Iranian intelligence:
| Sector | Target Examples |
|---|---|
| Diplomatic | Embassies, foreign ministries, international organizations |
| Maritime | Shipping companies, port authorities, logistics firms |
| Financial | Banks, investment firms, payment processors |
| Telecommunications | ISPs, mobile carriers, infrastructure providers |
| IT services | MSPs, software development companies |
| Human resources | HR organizations with personnel data |
Geographic targeting
| Region | Status |
|---|---|
| Israel | Primary focus |
| India | Expanded targeting observed |
| UAE | Regional targeting |
| Turkmenistan | Observed lure impersonation |
| Middle East (general) | Consistent with historical patterns |
Geographic focus remains the Middle East, consistent with MuddyWater’s historical targeting patterns aligned with Iranian regional interests.
Parallel campaign: Operation IconCat
Seqrite Labs independently identified similar RUSTRIC malware activity in late December 2025:
| Attribute | Details |
|---|---|
| Campaign name | Operation IconCat |
| Tracking ID | UNG0801 |
| Target geography | Israel |
| Target sectors | IT companies, MSPs, HR organizations, software developers |
| Timeframe | Late December 2025 |
This parallel campaign suggests a broader coordinated effort across multiple targeting vectors.
Attack chain
Stage 1: Spear-phishing
Emails are tailored to each target organization:
- Sender spoofing — Impersonates known contacts or relevant organizations
- Relevant lures — Documents themed to victim’s industry or current events
- Icon spoofing — Word documents display legitimate-looking icons
Observed lure: One campaign used a document titled “Cybersecurity Guidelines” originating from an address mimicking the official contact for TMCell, Turkmenistan’s primary mobile operator.
Stage 2: Macro execution
When victims open the document and “enable content”:
- VBA macro executes
- Macro extracts and executes multi-stage payload
- RustyWater payload deployed
- Persistence mechanism established
- Implant begins C2 communication
Stage 3: RustyWater deployment
The Rust-based implant establishes a foothold on the host and awaits commands from its operators.
RustyWater technical analysis
Why Rust?
MuddyWater’s adoption of Rust reflects a broader APT trend toward the language:
| Benefit | Explanation |
|---|---|
| Memory safety | Fewer crashes, more reliable implant |
| Cross-platform | Same codebase compiles for Windows, Linux |
| Reverse engineering difficulty | Rust binaries are harder to analyze |
| Modern tooling | Better development experience |
| Detection evasion | Less familiar to AV signatures |
CloudSEK notes: “Historically, Muddy Water has relied on PowerShell and VBS loaders for initial access and post-compromise operations. The introduction of Rust-based implants represents a notable tooling evolution toward more structured, modular, and low noise RAT capabilities.”
Anti-analysis techniques
RustyWater incorporates multiple evasion mechanisms:
Anti-debugging:
- Registers a Vectored Exception Handler (VEH) to catch debugging attempts
- Timing checks to detect single-stepping
- API hooking detection
Anti-VM:
- Hardware fingerprinting
- VM-specific artifact detection
- Resource usage analysis
Security tool detection:
CloudSEK found that RustyWater scans for more than 25 AV/EDR products by checking:
- Agent files
- Service names
- Installation paths
| Detection method | Target |
|---|---|
| File presence | AV agent executables |
| Service enumeration | Security service names |
| Path checking | Installation directories |
String obfuscation:
- Position-independent XOR encryption
- Encrypted strings decrypted at runtime
- No plaintext C2 addresses in binary
Capabilities
| Function | Description |
|---|---|
| System reconnaissance | OS version, hostname, username, domain membership, network config |
| Persistence | Registry modification, scheduled tasks |
| File operations | Upload, download, delete |
| Command execution | Shell command execution |
| Data exfiltration | Encrypted transfer to C2 |
| Security evasion | Detects and adapts to security tools |
Command and control
C2 server identified:
nomercys.it[.]com
Communication uses HTTPS to blend with legitimate traffic. The implant implements custom encryption for C2 payloads beyond TLS.
Detection
AV detection rate: At time of analysis, RustyWater was detected by 25+ antivirus engines—indicating security vendors have developed signatures.
Indicators of compromise
Network IOCs:
nomercys.it[.]com (C2 server)
Behavioral indicators:
- Office application spawning PowerShell or cmd.exe
- Rust binaries in user temp directories
- Unusual HTTPS traffic patterns to unfamiliar domains
- Registry modifications for persistence
- Processes checking for 25+ security products
YARA rules: CloudSEK has published detection rules for RustyWater. Security teams should incorporate these into endpoint and network monitoring.
MuddyWater background
MuddyWater has been active since at least 2017, primarily conducting cyber espionage operations supporting Iranian intelligence objectives.
Known aliases:
- MERCURY (Microsoft)
- Mango Sandstorm (Microsoft - current)
- Static Kitten (CrowdStrike)
- Seedworm (Symantec)
- TEMP.Zagros (FireEye/Mandiant)
- Earth Vetala (Trend Micro)
- TA450 (Proofpoint)
Attribution: Linked to Iran’s Ministry of Intelligence and Security (MOIS), distinct from the Islamic Revolutionary Guard Corps (IRGC) cyber units.
Historical operations:
- Targeting government entities across the Middle East
- Campaigns against Turkey, Pakistan, UAE, Saudi Arabia
- Focus on intelligence gathering rather than destructive attacks
Recent activity context
| Date | Activity |
|---|---|
| September 2024 – March 2025 | MuddyViper backdoor deployed against Israeli organizations (ESET) |
| December 2024 | ESET publishes MuddyViper research |
| Late December 2025 | Operation IconCat identified (Seqrite Labs) |
| January 2026 | RustyWater campaign documented (CloudSEK) |
The timing of this campaign, emerging in early 2026, underscores the persistent geopolitical tensions in the region where cyber espionage serves as a proxy for broader conflicts.
Toolkit evolution
RustyWater represents the latest evolution in MuddyWater’s malware arsenal:
| Year | Tool | Language | Notes |
|---|---|---|---|
| 2017-2019 | POWERSTATS | PowerShell | Early operations |
| 2019-2020 | KOADIC | Python/JScript | Open-source RAT |
| 2021-2023 | Small Sieve | Python | Custom backdoor |
| 2024-2025 | PhonyC2 | Go | Golang-based framework |
| 2024-2025 | MuddyViper | N/A | Backdoor targeting Israel |
| 2026 | RustyWater | Rust | Current campaign |
The shift from interpreted languages (PowerShell, Python) to compiled languages (Go, Rust) reflects increasing operational security awareness.
Recommendations
For targeted sectors:
| Control | Implementation |
|---|---|
| Macro policies | Disable macros from internet-sourced documents |
| Email security | Block executable attachments, scan for malicious macros |
| Endpoint detection | Deploy EDR with behavioral analysis |
| Network monitoring | Monitor for C2 communication patterns |
| User training | Spear-phishing awareness for high-risk roles |
| Geographic alerting | Flag communications from high-risk regions |
Detection priorities:
- Office applications spawning child processes
- Rust binaries in unexpected locations
- Registry persistence mechanisms
- C2 traffic to known MuddyWater infrastructure
- Processes enumerating security products
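As an added example (not CloudSEK's published YARA or detection rules), the following Python turns the behavioral indicators from the Indicators of compromise section and the detection priorities above into checks over constructed Sysmon-style process-creation events, plus a string heuristic for flagging Rust-compiled binaries. The Rust marker strings, the event field names and all sample paths are assumptions.

```python
# Added example (not CloudSEK's rules): triage helpers for the behavioural
# indicators above. Events mimic Sysmon Event ID 1 fields; samples are constructed.
import re

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
TEMP_DIR_RE = re.compile(r"\\Temp\\", re.IGNORECASE)  # %TEMP% and C:\Windows\Temp
# Strings the Rust toolchain leaves in std-linked binaries (panic/source paths).
RUST_MARKERS = (b"/rustc/", b"library/std/src/", b"rust_begin_unwind", b"RUST_BACKTRACE")

def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def office_spawns_shell(event: dict) -> bool:
    """Office parent launching a script host: the macro -> PowerShell/cmd chain."""
    return (_basename(event.get("ParentImage", "")) in OFFICE_PARENTS
            and _basename(event.get("Image", "")) in SCRIPT_HOSTS)

def runs_from_temp(event: dict) -> bool:
    """Executable launched from a user or system temp directory."""
    return bool(TEMP_DIR_RE.search(event.get("Image", "")))

def looks_like_rust_binary(blob: bytes, min_hits: int = 2) -> bool:
    """Cheap static heuristic: count Rust toolchain artefacts in a file image."""
    return sum(marker in blob for marker in RUST_MARKERS) >= min_hits

CHECKS = {"office_spawns_shell": office_spawns_shell, "runs_from_temp": runs_from_temp}

def triage(events: list) -> list:
    """Return (event index, matched indicator names) for each event that hits."""
    hits = []
    for i, ev in enumerate(events):
        matched = [name for name, check in CHECKS.items() if check(ev)]
        if matched:
            hits.append((i, matched))
    return hits

# Constructed telemetry: macro -> PowerShell, then a dropped binary run from %TEMP%.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"Image": r"C:\Windows\System32\notepad.exe", "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for idx, names in triage(SAMPLE_EVENTS):
        print(f"event {idx}: {', '.join(names)}")
```

Feed real Sysmon or EDR process events through `triage` and run `looks_like_rust_binary` over any executable it flags in a temp directory; a hit on both is a strong candidate for the macro-to-implant chain described in the attack chain section.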
Threat intelligence:
- Subscribe to CloudSEK, Seqrite, and other vendor reporting on MuddyWater
- Integrate IOCs into security tooling
- Monitor for infrastructure overlap with known campaigns
Context
MuddyWater’s adoption of Rust follows similar moves by other sophisticated threat actors. The language’s combination of performance, safety, and analysis difficulty makes it attractive for implant development.
Organizations in targeted sectors should assume they are of interest to Iranian intelligence and implement defenses accordingly. MuddyWater’s persistent focus on diplomatic and critical infrastructure targets makes the group a significant threat to regional stability.
| Evolution pattern | Implication |
|---|---|
| From PowerShell/VBS | To compiled Rust |
| From noisy operations | To low-noise modular RAT |
| From regional focus | To expanded geographic targeting |
| From known tools | To custom development |
The campaign’s timing—coinciding with ongoing regional tensions—suggests intelligence collection in support of Iranian policy objectives. The parallel identification by multiple research teams (CloudSEK, Seqrite Labs) indicates MuddyWater is conducting broad, coordinated operations across the region.