{
	"id": "defd1bf3-3c3d-4dac-9cb3-913e61db3765",
	"created_at": "2026-04-06T00:15:29.405776Z",
	"updated_at": "2026-04-10T03:21:12.312152Z",
	"deleted_at": null,
	"sha1_hash": "32ecaa06b7f28881407071a37de20b59ab7e5900",
	"title": "RustyBuer: New Malware Loader Distributed Via Emails | Proofpoint US",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1894612,
	"plain_text": "RustyBuer: New Malware Loader Distributed Via Emails | Proofpoint\r\nUS\r\nBy Kelsey Merriman, Bryan Campbell, Selena Larson, and the Proofpoint Threat Research Team\r\nPublished: 2021-04-30 · Archived: 2026-04-05 13:06:29 UTC\r\nOverview\r\nProofpoint researchers identified a new variant of the Buer malware loader distributed via emails masquerading as shipping\r\nnotices in early April. Buer is a downloader sold on underground marketplaces that is used as a foothold in compromised\r\nnetworks to distribute other malware, including ransomware. Proofpoint first observed Buer in 2019.\r\nIn the associated campaigns, the emails purported to be from DHL Support. They contained a link to a malicious Microsoft\r\nWord or Excel document download that used macros to drop the new malware variant. Proofpoint is calling this new variant\r\nRustyBuer. The emails impacted over 200 organizations across more than 50 verticals. The new strain is completely\r\nrewritten in a coding language called Rust, a departure from the previous C programming language. It is unusual to see\r\ncommon malware written in a completely different way.\r\nKey Findings\r\nThe new Buer variant is written in Rust, an efficient and easy-to-use programming language that is becoming\r\nincreasingly popular. Proofpoint is calling this variant RustyBuer.\r\nRewriting the malware in Rust enables the threat actor to better evade existing Buer detection capabilities.\r\nProofpoint observed RustyBuer campaigns delivering Cobalt Strike Beacon as a second-stage payload in some\r\ncampaigns.\r\nResearchers assess some threat actors may be establishing a foothold with the Buer loader to then sell access to other\r\nthreat actors. This is known as “access-as-a-service.”\r\nCampaign Details\r\nProofpoint analysts observed a series of malicious campaigns that delivered the Buer malware loader. The campaigns\r\ngenerally used DHL-themed phishing emails to distribute malicious Word or Excel documents. 
While sharing similar email\r\nlure themes, the campaigns distributed two distinct variants of the Buer malware: one was written in C while the other was\r\nrewritten in the Rust programming language. Proofpoint dubbed this variant RustyBuer. The campaigns also used different\r\nlure techniques, with RustyBuer attachments containing more detailed content to better engage the recipient.\r\nThe rewritten malware, and the use of newer lures attempting to appear more legitimate, suggest threat actors leveraging\r\nRustyBuer are evolving techniques in multiple ways to both evade detection and attempt to increase successful click rates.\r\nhttps://www.proofpoint.com/us/blog/threat-insight/new-variant-buer-loader-written-rust\r\nPage 1 of 7\n\nFigure 1: Emails masquerading as DHL shipping themes used to distribute RustyBuer and Buer loaders.\r\nFigure 2: Malicious Excel attachment distributing RustyBuer containing multiple security software brand logos in an\r\nattempt to add legitimacy to the document.\r\nRustyBuer was embedded directly into the document macro and required user interaction to initiate the infection. This\r\nmacro leveraged an Application Bypass (Windows Shell DLL via LOLBAS) to evade detection from endpoint security\r\nmechanisms.\r\nExample Script execution:\r\nrundll32.exe shell32.dll,ShellExec_RunDLL C:\\ProgramData\\OfficeSignCheck.exe\r\nOnce RustyBuer is dropped, it establishes persistence by using a shortcut (.LNK) file which runs at startup.\r\nAll the identified campaigns used consistent naming conventions following the inclusion of “Office” in the dropped\r\nexecutable. Both the Rust and C versions of the malware followed this same pattern including:\r\n1. OfficeVerifySign.exe (3abed86f46c8be754239f8c878f035efaae91c33b8eb8818c5bbed98c4d9a3ac)\r\n2. 
Office_WorkForWestBank.exe (423790a4a722f3549d1dfc1026fa627d829c6dd8c26546d45f2ca4b6d6626acb)\r\n3. OfficeReleaseFix.exe (b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209)\r\n4. OfficeConsultPlugin.exe (sha256:b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209)\r\nProofpoint researchers observed RustyBuer distributing Cobalt Strike Beacon as a second-stage payload in some instances,\r\nlike previous Buer campaigns. Cobalt Strike is a legitimate security tool used by penetration testers to emulate adversary\r\nactivity in a network that is becoming increasingly popular as a tool for threat actors.\r\nHowever, not all identified campaigns contained a second-stage payload. Researchers assess this may be due to threat actors\r\nin some specific instances operating as access-as-a-service providers. These threat actors may be attempting to establish\r\ninitial access in victim environments to then sell their access to other threat actors in underground marketplaces. Other\r\nsecurity firms have documented this behavior from threat actors using Buer loader previously.\r\nMalware Analysis\r\nProofpoint classified the new variant of Buer (RustyBuer) as a rewritten version in Rust based on present anti-analysis\r\nfeatures, strings, and encoding and format of the command and control (C2) requests.\r\nIt is unclear why the threat actors took the time and effort to rewrite the malware in a new programming language, however\r\nProofpoint researchers identify two likely reasons:\r\n1. Rust is an increasingly popular programming language that is more efficient and has a broader feature set than C.\r\n(Microsoft, for example, is increasingly using it in its products and joined the Rust Foundation in February 2021.)\r\n2. Rewriting the malware in Rust can enable the threat actor to evade existing Buer detections that are based on features\r\nof the malware written in C. 
The malware authors have programmed it in a way that it should maintain compatibility\r\nwith existing Buer backend C2 servers and panels.\r\nFigure 3: Example of select Rust dependencies\r\nThe following is a detailed analysis of the new variant.\r\nAnti-analysis features\r\nChecks for virtual machines (Figure 7)\r\nChecks locale to make sure the malware is not running in specific countries (Figure 8). These countries appear to be a\r\npart of the Commonwealth of Independent States (CIS).\r\nFigure 4: Virtual machine checks\r\nFigure 5: Locale check\r\nCommand and Control\r\nThe C2 requests are nearly identical to the requests used in the latest version of Buer. The C2 functions are handled via\r\nHTTP(S) POST requests. The initial POST request will be sent with POST data delimited by the \"\u0026\" and \"=\" characters.\r\nThe POST request contains both pseudorandom characters and encrypted information about the compromised system. An\r\nexample command beacon can be seen in Figure 6:\r\nFigure 6: RustyBuer initial POST request\r\nFigure 7: Buer Loader initial POST request\r\nAn example of the plaintext parameter from Figure 8 with the pseudorandom characters removed is:\r\nYv3FHY+KQgL5YKs58+uRvGVZT8IS82xY+eij8SW/OhZd5Kk70Oryj8G4C5NB341+u9Xk8FFWvgdHoxrX68ZwZdrWO18fPzUeMJZvDfXcWKo0W\r\nThese request parameters are encrypted. They can be decrypted by:\r\n1. Base64 decoding\r\n2. Hex decoding\r\n3. 
RC4 decryption (the key used in the analyzed samples was “kpM5WOtfo”)\r\nThe decrypted plaintext parameter from Figure 6 is:\r\n299bc0beffe830d0871f8f6d7cadb40117208ea59f59cadd08b220b903f4e31c|e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855|W\r\n7 Ultimate|x64|4|Admin|[Computer Name]|133/238|[AD Domain]|[User Name]|1\r\nIt contains pipe-delimited data consisting of:\r\nBot ID (SHA-256 hex digest of various system parameters such as hardware profile GUID and name, computer\r\nname, volume serial number, and CPUID)\r\nA SHA-256 hash of its own executable image\r\nWindows version\r\nArchitecture type\r\nNumber of processors\r\nUser privileges\r\nComputer name\r\nSpace used / total (suspected)\r\nAD Domain\r\nUser name\r\nThe response beacon can be decrypted similarly to the request parameter above, except that the hex-encoded bytes are\r\nseparated by dash characters. As with Buer, the JSON object returned in the beacon response contains various options on\r\nhow to download and execute a payload:\r\ntype - there are two types:\r\noptions - specifies options for the payload to download:\r\nHash - only applicable to “update” type to determine whether a new update is available\r\nx64 - whether the payload is 64-bit\r\nFileType - not used in analyzed samples\r\nAssemblyType - not used in analyzed samples\r\nAccessToken - used to download the payload\r\nExternal - indicates whether the payload is downloaded from the C\u0026C or an external URL\r\nmethod - method of execution\r\nparameters - parameters to pass on the command line\r\npathToDrop - not used in analyzed samples\r\nautorun - indicates whether to set up Registry RunOnce persistence for the payload\r\nmodules\r\ntimeout - not used in analyzed samples\r\nConclusion\r\nDespite existing since 2019, the new variant of Buer loader malware suggests threat actors continue to modify their 
payloads\r\nin a likely attempt to evade detection. When paired with the attempts by threat actors leveraging RustyBuer to further\r\nlegitimize their lures, it is possible the attack chain may be more effective in obtaining access and persistence. RustyBuer\r\nand the original Buer loader have been observed as a first-stage loader for additional payloads including Cobalt Strike and\r\nmultiple ransomware strains, as well as possibly providing victim access to other threat actors in the underground\r\nmarketplace. Proofpoint anticipates this activity will continue. Based on the frequency of RustyBuer campaigns observed by\r\nProofpoint, researchers anticipate we will continue to see the new variant in the future.\r\nIndicators of Compromise (IOCs)\r\nIOC IOC Type Description\r\nSerevalutinoffice[.]com Domain C\u0026C (RustyBuer)\r\norderverification-api[.]com Domain C\u0026C (RustyBuer)\r\nGerstaonycostumers[.]com Domain C\u0026C (RustyBuer)\r\nauthcert-ca[.]com Domain C\u0026C (RustyBuer)\r\ndocumentssign-api[.]com Domain C\u0026C (RustyBuer)\r\ndocusigner-api[.]com Domain C\u0026C (RustyBuer)\r\nMiyfandecompany[.]com URL C\u0026C (RustyBuer)\r\nhttps://cembank-api[.]com URL C\u0026C (RustyBuer)\r\nhttp://213.252.244[.]114/ayhtvcgcfcfrgcdxdxdrcrhj Payload Cobalt Strike Payload\r\n213.252.244[.]114 IP Cobalt Strike C\u0026C\r\nhttps://techlog[.]xyz/page.icore URL Buer Payload\r\nRussell@simpleweb-online.co[.]uk Email Sender\r\nHernandez@ubstreasury[.]biz Email Sender\r\nFoster@simpleweb-online.co[.]uk Email Sender\r\nPatterson@ubstreasury[.]biz Email Sender\r\nCampbell@rockyourstay[.]net Email Sender\r\nHenderson@fossilqwanderer[.]org Email Sender\r\nPowell@onlinefundraisingtoday[.]org Email Sender\r\nEvans@onlinefundraisingtoday[.]org Email Sender\r\nBrooks@fossilqwanderer[.]org Email Sender\r\nEdwards@sun988info[.]com Email 
Sender\r\nA061180b16f89099da6d34c5a3976968c19a3977c84ce0711ddfef6f7c355cac SHA256 2021-04-12 Sample\r\n3abed86f46c8be754239f8c878f035efaae91c33b8eb8818c5bbed98c4d9a3ac SHA256 2021-04-19 Sample\r\nET Signatures\r\n2848365 - RustyBuer Checkin\r\nSource: https://www.proofpoint.com/us/blog/threat-insight/new-variant-buer-loader-written-rust",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.proofpoint.com/us/blog/threat-insight/new-variant-buer-loader-written-rust"
	],
	"report_names": [
		"new-variant-buer-loader-written-rust"
	],
	"threat_actors": [],
	"ts_created_at": 1775434529,
	"ts_updated_at": 1775791272,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/32ecaa06b7f28881407071a37de20b59ab7e5900.pdf",
		"text": "https://archive.orkl.eu/32ecaa06b7f28881407071a37de20b59ab7e5900.txt",
		"img": "https://archive.orkl.eu/32ecaa06b7f28881407071a37de20b59ab7e5900.jpg"
	}
}