Iranian APT MuddyWater Evolves Tactics with Rust-Based RustyWater RAT in Middle East Campaign

By Signal, January 11, 2026
## Opening

The Iranian state-sponsored threat actor MuddyWater has significantly advanced its cyber warfare capabilities by deploying a sophisticated new remote access trojan (RAT) written in the Rust programming language. This latest campaign demonstrates a marked evolution in the group's technical sophistication and strategic targeting approach across critical Middle Eastern sectors.

CloudSEK researchers have identified this new malware, dubbed RustyWater, being deployed through carefully crafted spear-phishing operations targeting diplomatic, maritime, financial, and telecommunications organizations throughout the Middle East. The campaign represents a notable shift in MuddyWater's operational methodology, moving away from their historical reliance on legitimate remote access tools toward custom-built malware designed for long-term persistence and stealth.

The timing and scope of this campaign underscore the continuing cyber tensions in the Middle East, where state-sponsored groups increasingly leverage advanced persistent threat (APT) capabilities to achieve strategic intelligence-gathering objectives. MuddyWater's adoption of Rust for malware development reflects broader industry trends toward more secure and efficient programming languages, ironically weaponized here for malicious purposes. This development signals a concerning escalation in the group's technical capabilities and suggests increased resources and development time being invested in its cyber operations infrastructure.

## What Happened

MuddyWater, also tracked under the aliases Mango Sandstorm, Static Kitten, and TA450, launched a comprehensive spear-phishing campaign specifically targeting high-value organizations across multiple critical infrastructure sectors in the Middle East.
The group, which security researchers assess as being affiliated with Iran's Ministry of Intelligence and Security (MOIS), has been actively conducting cyber espionage operations since at least 2017.

The attack chain begins with meticulously crafted spear-phishing emails that masquerade as legitimate cybersecurity guidelines, exploiting the heightened security awareness environment that organizations currently operate within. These emails contain malicious Microsoft Word documents designed to appear as official security communications, complete with professional formatting and convincing content that would not immediately raise suspicion among recipients.

When targets open the attached Word document, they encounter a familiar but deceptive prompt requesting them to "Enable content" to properly view the document. This seemingly innocuous request actually triggers the execution of a malicious Visual Basic for Applications (VBA) macro embedded within the document. The macro serves as the initial deployment mechanism for the RustyWater RAT binary, establishing the first foothold within the victim's network environment.

CloudSEK researcher Prajwal Awasthi documented how the campaign employs sophisticated icon spoofing techniques to further enhance the legitimacy of the malicious documents, making detection by both automated security systems and human analysts significantly more challenging. The use of icon spoofing demonstrates the group's attention to social engineering details that can make or break an initial access attempt.

Once successfully deployed, RustyWater immediately begins comprehensive reconnaissance of the victim machine, systematically gathering detailed information about the compromised system's configuration, installed software, and network environment.
The malware specifically focuses on detecting installed security software, allowing operators to understand the defensive posture of the compromised environment and adjust their tactics accordingly. The RAT establishes persistence through Windows Registry key modifications, ensuring that the malware maintains access even after system reboots or user logoffs. This persistence mechanism is designed to be subtle and avoid detection by standard registry monitoring tools commonly deployed in enterprise environments.

RustyWater then establishes communication with its command-and-control server, specifically "nomercys.it[.]com," enabling full remote access capabilities including file operations, command execution, and data exfiltration. The malware's architecture supports asynchronous command-and-control communication, anti-analysis capabilities, and modular post-compromise functionality expansion, indicating a sophisticated understanding of modern defensive technologies and techniques.

Notably, Seqrite Labs independently identified similar RUSTRIC malware activity in late December, targeting information technology companies, managed service providers, human resources organizations, and software development companies specifically in Israel. This parallel campaign, tracked as UNG0801 and Operation IconCat, suggests a broader coordinated effort with multiple operational components targeting different geographic regions and sector verticals.

## Why It Matters

The deployment of RustyWater represents a significant tactical evolution for MuddyWater that has profound implications for regional cybersecurity posture across the Middle East. Historically, the group relied heavily on PowerShell scripts, Visual Basic Script loaders, and legitimate remote access software for their post-exploitation activities.
The transition to custom Rust-based malware demonstrates increased technical sophistication and suggests substantial investment in research and development capabilities.

The choice of Rust for malware development is particularly concerning from a defensive perspective. Rust offers memory safety guarantees, high performance, and cross-platform compilation capabilities that make detection and analysis significantly more challenging for security researchers and automated defense systems. The language's growing popularity in legitimate software development means that Rust-based network traffic and system behaviors may blend more effectively with normal enterprise activity.

The targeted sectors in this campaign represent critical infrastructure components that underpin regional economic stability and national security interests. Diplomatic organizations possess sensitive intelligence regarding international relations and policy positions. Maritime sector targeting could provide insights into commercial shipping routes, port security measures, and naval capabilities. Financial institution compromise enables economic espionage and potential disruption of monetary systems, while telecommunications targeting offers opportunities for widespread surveillance and communication interception.

The geographic focus on Middle Eastern entities aligns with Iran's broader strategic interests in the region and suggests these operations are designed to support long-term intelligence collection requirements rather than opportunistic financial gain. State-sponsored groups typically maintain persistent access to compromised networks for months or years, continuously extracting valuable intelligence while remaining undetected.
The parallel targeting of Israeli organizations through the related RUSTRIC campaign indicates a coordinated multi-front approach that extends beyond traditional diplomatic and economic espionage into potential preparation for more disruptive cyber operations. The inclusion of managed service providers and software development companies in the target list suggests supply chain compromise strategies designed to gain access to multiple downstream organizations through trusted vendor relationships.

## What To Do

Organizations operating in the Middle East region, particularly those in the diplomatic, maritime, financial, and telecommunications sectors, should immediately implement enhanced email security measures and user awareness training programs. Deploy advanced email filtering solutions capable of detecting sophisticated spear-phishing attempts, including those using icon spoofing and document-based attack vectors.

Implement strict macro execution policies across all Microsoft Office applications, defaulting to disabled macros with administrative approval required for legitimate business use cases. Configure Group Policy settings to prevent automatic macro execution and require explicit user confirmation with clear warnings about potential security risks. Organizations should also consider implementing Microsoft Office 365 Safe Attachments and Safe Links features to provide additional layers of protection against malicious documents.

Network security teams should monitor for communication attempts to known MuddyWater command-and-control infrastructure, specifically including "nomercys.it[.]com" and related domains. Implement DNS filtering to block access to known malicious domains and establish monitoring for suspicious outbound connections that could indicate compromise. Consider implementing network segmentation to limit lateral movement if initial access is achieved.
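As an added illustration of the DNS monitoring step above (this is example code written for this page, not CloudSEK's, Seqrite's or the article's own tooling), the following script refangs the defanged indicator exactly as the article prints it and scans resolver query logs for lookups of that domain or any of its subdomains. The BIND-style query-log format and the sample log lines are constructed for the example; adapt the regular expression to your resolver's format.

```python
"""Match the C2 domain reported in the article against DNS query logs.

Added example for this page (not the article's or the vendors' code).
Assumptions: BIND-style query-log lines; the defanged IoC is taken verbatim
from the report and refanged here for matching.
"""
import re

# Indicator as printed in the report (defanged).
DEFANGED_IOCS = ["nomercys.it[.]com"]

# BIND-style line: "... client 10.0.0.5#51234: query: www.example.com IN A +"
QUERY_RE = re.compile(
    r"client (?P<src>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\w+)"
)


def refang(ioc: str) -> str:
    """Turn a defanged indicator ('host[.]tld', 'hxxp://') back into a real name."""
    return ioc.replace("[.]", ".").replace("hxxp", "http").lower().strip(".")


def domain_matches(queried: str, ioc_domain: str) -> bool:
    """True for the domain itself or any subdomain, never for a mere suffix
    match without a dot (so 'anomercys.it.com' does not hit)."""
    q = queried.lower().rstrip(".")
    return q == ioc_domain or q.endswith("." + ioc_domain)


def scan_dns_log(lines, defanged_iocs=DEFANGED_IOCS):
    """Return one hit dict per query-log line that resolves an indicator."""
    iocs = [refang(i) for i in defanged_iocs]
    hits = []
    for line in lines:
        m = QUERY_RE.search(line)
        if not m:
            continue  # not a query line (or a format we do not parse)
        for ioc in iocs:
            if domain_matches(m["qname"], ioc):
                hits.append({
                    "src": m["src"],
                    "qname": m["qname"].rstrip("."),
                    "qtype": m["qtype"],
                    "ioc": ioc,
                    "line": line,
                })
    return hits


# Constructed sample log: one benign lookup, two true hits from 10.0.0.17,
# and one lookalike name that must NOT match.
SAMPLE_LOG = [
    "11-Jan-2026 09:14:02.113 client 10.0.0.5#51234: query: www.example.com IN A +",
    "11-Jan-2026 09:14:05.887 client 10.0.0.17#50022: query: nomercys.it.com IN A +",
    "11-Jan-2026 09:14:06.001 client 10.0.0.17#50023: query: api.nomercys.it.com IN TXT +",
    "11-Jan-2026 09:15:10.340 client 10.0.0.9#49811: query: anomercys.it.com IN A +",
]

if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_LOG):
        print(f"{hit['src']} looked up {hit['qname']} ({hit['qtype']}) -> IoC {hit['ioc']}")
```

Feeding the hits into a SIEM alert keyed on the source address turns the published indicator into a host-level lead; extending `DEFANGED_IOCS` with further domains from vendor reporting needs no other change.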
Enhance endpoint detection and response (EDR) capabilities with a specific focus on detecting Rust-based malware execution and the registry persistence mechanisms employed by RustyWater. Configure monitoring for unusual registry modifications, particularly those affecting startup locations and system configuration keys. Deploy behavioral analysis tools capable of identifying the asynchronous command-and-control communication patterns characteristic of modern RATs.

Conduct regular security awareness training sessions focused specifically on spear-phishing recognition, emphasizing the sophisticated social engineering techniques employed by state-sponsored groups. Include examples of legitimate-appearing cybersecurity communications that may actually be malicious, helping users develop critical evaluation skills for unexpected documents and requests.

## Closing

The emergence of RustyWater represents a concerning escalation in MuddyWater's technical capabilities and operational sophistication. Organizations in the Middle East must recognize this campaign as part of a broader strategic cyber offensive targeting regional critical infrastructure and economic interests. The group's evolution toward custom Rust-based malware indicates substantial resource investment and suggests future attacks will become increasingly difficult to detect and defend against.

Security teams should treat this threat intelligence as actionable and immediately assess their defensive posture against sophisticated spear-phishing campaigns and custom malware deployment. The parallel campaigns targeting both regional Middle Eastern organizations and Israeli entities suggest a coordinated effort that may expand to additional geographic regions and sector verticals in the coming months.
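To make the registry-monitoring recommendation concrete, here is an added example (written for this page; it is not the article's code and not a signature of RustyWater, whose actual key names the article does not disclose) that triages Sysmon RegistryEvent (Event ID 13, `SetValue`) records. It flags writes to autostart locations and raises the score when the writing process is an Office application or script host, matching the macro-to-binary chain the article describes, or when the autostart target lives in a user-writable directory. The field names follow Sysmon's Event ID 13 schema; the sample records are constructed.

```python
"""Triage Sysmon Event ID 13 (registry SetValue) records for autostart persistence.

Added example for this page (not the article's or CloudSEK's code).
Assumptions: records are dicts with Sysmon's EventType/Image/TargetObject/Details
fields; the scoring weights and sample events are constructed for illustration.
"""
import re

# Autostart extensibility points (ASEPs) to watch: Run/RunOnce keys and the
# Winlogon Userinit/Shell values under either HKLM or a user hive.
AUTOSTART_PATTERNS = [
    re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I),
    re.compile(r"\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\(Userinit|Shell)$", re.I),
]
# Processes that should never be writing autostart entries in a healthy estate.
OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe", "rundll32.exe"}
# An autostart target under a user-writable path is a classic persistence tell.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Public|Downloads)\\", re.I)


def is_autostart(target_object: str) -> bool:
    """True when the registry path is one of the watched autostart locations."""
    return any(p.search(target_object) for p in AUTOSTART_PATTERNS)


def score_event(ev: dict):
    """Return (score, reasons) for one record; score 0 means not an autostart write."""
    if ev.get("EventType") != "SetValue" or not is_autostart(ev.get("TargetObject", "")):
        return 0, []
    score, reasons = 1, ["write to autostart location"]
    image = ev.get("Image", "").rsplit("\\", 1)[-1].lower()
    if image in OFFICE_IMAGES:
        score += 3
        reasons.append(f"written by Office process {image}")
    elif image in SCRIPT_HOSTS:
        score += 2
        reasons.append(f"written by script host {image}")
    if USER_WRITABLE.search(ev.get("Details", "")):
        score += 2
        reasons.append("autostart target lives in a user-writable directory")
    return score, reasons


def triage(events, threshold: int = 3):
    """Return records scoring at or above the threshold, highest score first."""
    out = []
    for ev in events:
        score, why = score_event(ev)
        if score >= threshold:
            out.append({"score": score, "reasons": why, "event": ev})
    return sorted(out, key=lambda r: -r["score"])


# Constructed sample records (value names and paths are placeholders, not IoCs).
SAMPLE_EVENTS = [
    {   # vendor installer registering a tray app from Program Files: low score
        "EventType": "SetValue",
        "Image": r"C:\Program Files\ExampleVendor\setup.exe",
        "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ExampleTray",
        "Details": r"C:\Program Files\ExampleVendor\tray.exe",
    },
    {   # Word writing a Run value pointing into AppData: the macro-to-persistence pattern
        "EventType": "SetValue",
        "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
        "Details": r"C:\Users\bob\AppData\Roaming\Updater\updater.exe",
    },
    {   # PowerShell appending a ProgramData binary to Winlogon Userinit
        "EventType": "SetValue",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit",
        "Details": r"C:\Windows\system32\userinit.exe,C:\ProgramData\svc\helper.exe",
    },
    {   # unrelated service key write: ignored
        "EventType": "SetValue",
        "Image": r"C:\Windows\System32\svchost.exe",
        "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Services\ExampleSvc\Start",
        "Details": "DWORD (0x00000002)",
    },
]

if __name__ == "__main__":
    for rec in triage(SAMPLE_EVENTS):
        print(rec["score"], rec["event"]["TargetObject"], "|", "; ".join(rec["reasons"]))
```

The threshold keeps routine installer activity below the alert line while the Office-process and user-writable-path signals, which match the initial-access chain described in this article, push a single record well above it. Tune the process sets and path patterns to your environment before deploying.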