{
	"id": "4b2ab850-17d4-4024-ba82-7a6762dc2750",
	"created_at": "2026-04-06T01:32:24.169693Z",
	"updated_at": "2026-04-10T13:12:44.128174Z",
	"deleted_at": null,
	"sha1_hash": "47804a05c731fdd30a525565c1a23950ce6ea412",
	"title": "Reborn in Rust: Muddy Water Evolves Tooling with RustyWater Implant",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 5831825,
	"plain_text": "Reborn in Rust: Muddy Water Evolves Tooling with RustyWater Implant\r\nBy Prajwal Awasthi\r\nPublished: 2026-03-17 · Archived: 2026-04-06 00:50:11 UTC\r\nAdversary Intelligence\r\nCloudSEK's TRIAD recently identified a spear-phishing campaign attributed to the Muddy Water APT group targeting multiple sectors across the Middle East, including diplomatic, maritime, financial, and telecom entities. The campaign uses icon spoofing and malicious Word documents to deliver \"RustyWater,\" a Rust-based implant that represents a significant upgrade to the group's traditional toolkit.\r\nJanuary 8, 2026 · 6 min read\r\nhttps://www.cloudsek.com/blog/reborn-in-rust-muddywater-evolves-tooling-with-rustywater-implant\r\nPage 1 of 18\n\nExecutive Summary\r\nCloudSEK’s TRIAD recently identified a spear-phishing campaign attributed to the Muddy Water APT group targeting multiple sectors across the Middle East, including diplomatic, maritime, financial, and telecom entities. The campaign uses icon spoofing and malicious Word documents to deliver Rust-based implants capable of asynchronous C2, anti-analysis, registry persistence, and modular post-compromise capability expansion.\r\nHistorically, Muddy Water has relied on PowerShell and VBS loaders for initial access and post-compromise operations. The introduction of Rust-based implants represents a notable tooling evolution toward more structured, modular, and low-noise RAT capabilities.\r\nAlthough this Rust-based implant has appeared in limited reporting under names like Archer RAT / RUSTRIC, it remains far less documented than Muddy Water’s legacy PowerShell/VBS tooling. 
To avoid name collisions and for sanity, we refer to this variant as RustyWater throughout this report.\r\nKill Chain\r\nInitial Access Vector\r\nMalicious email\r\nThe email, titled “Cybersecurity Guidelines”, was sent from the address “info@tmcell”, which appears to be an official contact address for TMCell (Altyn Asyr CJSC), the primary mobile operator in Turkmenistan. A document named Cybersecurity.doc is attached and serves as the primary payload for the next stage.\r\nCybersecurity.doc\r\nTechnical Analysis\r\nStage - 1 : Cybersecurity.doc\r\nOletools detects Macros\r\nWe can run oleid to identify whether any macros are present in the document and then dump them with tools like oledump.\r\nWriteHexToFile\r\nWriteHexToFile reads a hex-encoded byte stream embedded in UserForm1.TextBox1.Text, removes all formatting characters, validates the data length, and decodes it into raw binary. It then writes the reconstructed payload to disk as CertificationKit.ini in C:\\ProgramData\\.\r\nThe next function, love_me_function, is primarily an obfuscated execution wrapper. 
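The triage these two macro routines call for, as an added example that is not part of the CloudSEK write-up: a Chr() chain resolver for the strings the macro assembles at run time (the way love_me_function recovers WScript.Shell and cmd.exe), and a hex carver that mirrors WriteHexToFile and then checks the decoded bytes for the MZ and PE headers. The macro line and the hex stream it runs on are constructed for the example; the real UserForm1 text is not reproduced here.

```python
# Added example, not CloudSEK's code: analyst-side helpers for the two Stage-1
# macro routines. resolve_chr_strings() rebuilds strings a macro assembles from
# chained Chr() calls; carve_hex_payload() mirrors WriteHexToFile (strip
# formatting characters, reject an odd digit count, decode); looks_like_pe()
# is the 4D 5A / PE signature check. Macro snippet and hex stream are
# constructed for this example.
import re
import struct

CHR_CHAIN = re.compile(r'Chr[(][0-9]+[)](?:[ ]*&[ ]*Chr[(][0-9]+[)])*')
CHR_ARG = re.compile(r'Chr[(]([0-9]+)[)]')
HEX_DIGITS = frozenset('0123456789abcdefABCDEF')


def resolve_chr_strings(vba_source):
    '''Every string the macro builds as Chr(a) & Chr(b) & ..., in source order.'''
    strings = []
    for chain in CHR_CHAIN.finditer(vba_source):
        codes = [int(n) for n in CHR_ARG.findall(chain.group(0))]
        strings.append(''.join(chr(c) for c in codes))
    return strings


def carve_hex_payload(textbox_text):
    '''Mirror WriteHexToFile: keep only hex digits (dropping spaces, line
    breaks and any other formatting), require an even count, and decode.'''
    digits = ''.join(ch for ch in textbox_text if ch in HEX_DIGITS)
    if not digits or len(digits) % 2:
        raise ValueError('hex stream is empty or has an odd number of digits')
    return bytes.fromhex(digits)


def looks_like_pe(data):
    '''True if data starts with the DOS MZ magic (4D 5A) and the e_lfanew field
    at offset 0x3C points at a PE signature (50 45 00 00).'''
    if len(data) < 0x40 or data[:2] != b'MZ':
        return False
    e_lfanew = struct.unpack_from('<I', data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b'PE' + bytes(2)


# Constructed inputs: a macro line that spells WScript.Shell and cmd.exe with
# Chr(), and a stand-in PE (64-byte DOS header plus a PE signature) hex-encoded
# and wrapped the way a TextBox control might store it.
SAMPLE_MACRO = (
    'Set sh = CreateObject(Chr(87) & Chr(83) & Chr(99) & Chr(114) & Chr(105) & '
    'Chr(112) & Chr(116) & Chr(46) & Chr(83) & Chr(104) & Chr(101) & Chr(108) & '
    'Chr(108)): sh.Run Chr(99) & Chr(109) & Chr(100) & Chr(46) & Chr(101) & '
    'Chr(120) & Chr(101)'
)


def build_sample_pe():
    header = bytearray(0x40)
    header[:2] = b'MZ'
    struct.pack_into('<I', header, 0x3C, 0x40)   # e_lfanew: right after the DOS header
    return bytes(header) + b'PE' + bytes(2) + bytes(24)


def build_sample_textbox():
    raw = build_sample_pe().hex().upper()
    chunks = [raw[i:i + 16] for i in range(0, len(raw), 16)]
    return (' ' + chr(13) + chr(10)).join(chunks)   # spaces and CRLF as formatting noise


if __name__ == '__main__':
    print(resolve_chr_strings(SAMPLE_MACRO))
    payload = carve_hex_payload(build_sample_textbox())
    print(payload[:2], looks_like_pe(payload))
```

Feed the VBA source from oledump and the form's TextBox text to these two functions and only treat the result as a PE once looks_like_pe() passes; an odd digit count means the blob was truncated or mis-extracted, which is the same condition WriteHexToFile's own length check guards against.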
love_me_function begins by dynamically reconstructing the string WScript.Shell from hard-coded ASCII values using the Chr() function. Once reconstructed, the function validates the string and uses CreateObject to instantiate a WScript.Shell COM object, then builds a second obfuscated string that resolves to cmd.exe and executes CertificationKit.ini, the file written earlier by WriteHexToFile.\r\nRunning CertificationKit.ini\r\nWe can take the hex string directly from UserForm1 and convert it. The 4D5A (MZ) magic at the start of the decoded data confirms it is a PE file.\r\nStage - 2 : CertificationKit.ini\r\nThe extracted PE file presents itself as reddit.exe despite carrying a Cloudflare logo. Static analysis reveals the binary is compiled in Rust, which aligns with previously documented samples of Archer RAT (also tracked as RUSTRIC), an implant attributed to the Muddy Water APT group.\r\nreddit.exe\r\nRustyWater begins execution by establishing anti-debugging and anti-tampering mechanisms. It registers a Vectored Exception Handler (VEH) to catch debugging attempts and systematically gathers victim machine information, including username, computer name, and domain membership. All strings in the malware are encrypted using position-independent XOR encryption. 
Some of the decrypted strings recovered from the binary are:\r\n\"C:\\\\ProgramData\"\r\n\"SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\"\r\n\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\"\r\n\"reqwest/0.12.23\"  // Rust HTTP library\r\n\"Content-Type: application/json\"\r\nRustyWater attempts to detect a wide range of antivirus and EDR tools by scanning for agent files, service names, and installation paths of more than 25 AV products.\r\nRegistry Setup\r\nThe malware sets up persistence by writing itself to a Windows startup registry key. It first decrypts the key path and then opens the Run key under the current user hive. If that fails, it crashes with a Rust error message. Next, it decrypts another short string that becomes the name of the startup entry; the value points to C:\\ProgramData\\CertificationKit.ini, which is our payload.\r\nThe malware establishes HTTP-based command and control using the Rust reqwest library. It configures timeouts, connection pooling, and headers, and implements retry logic for reliable C2. Before transmission, the binary encodes collected data using Base64 and encrypts it. The payload is structured as JSON and includes system information, file listings, and metadata; the complete transform is three layers of obfuscation (JSON → Base64 → XOR). To avoid detection, the binary implements randomized sleep intervals between C2 callbacks. 
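The beacon encoding described above, as an added example that is neither the implant's code nor CloudSEK's: an encoder and decoder for the JSON → Base64 → XOR layering, plus the two handles an analyst has on the XOR key when only captured traffic is available. The report states neither the key nor how the XOR is applied, so the repeating-key mode, the key bytes and the beacon fields below are assumptions made for the example.

```python
# Added example, not the implant's code: the report's three-layer beacon
# transform (JSON -> Base64 -> XOR) as an encoder, the matching decoder for a
# captured POST body, and two ways to get at the XOR key from ciphertext alone.
# ASSUMPTION: repeating-key XOR over the Base64 text; key and beacon content
# are constructed.
import base64
import json

ASSUMED_KEY = b'rusty'   # placeholder, not recovered from the sample
B64_ALPHABET = frozenset(b'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=')


def xor_bytes(data, key):
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def encode_beacon(record, key=ASSUMED_KEY):
    '''JSON -> Base64 -> XOR, in the order the report describes.'''
    text = json.dumps(record, separators=(',', ':')).encode()
    return xor_bytes(base64.b64encode(text), key)


def decode_beacon(blob, key=ASSUMED_KEY):
    '''Undo the layers in reverse: XOR -> Base64 -> JSON.'''
    return json.loads(base64.b64decode(xor_bytes(blob, key)))


def recover_key_prefix(blob):
    '''Known-plaintext trick: Base64 of a JSON object whose first key name
    starts with a letter always begins with eyJ, so XORing the first three
    ciphertext bytes with that prefix yields the first three key bytes.'''
    return bytes(c ^ p for c, p in zip(blob[:3], b'eyJ'))


def key_candidates(blob, key_len):
    '''Alphabet filter: at each key position keep only the byte values that map
    every ciphertext byte of that column back into the Base64 alphabet. Longer
    beacons leave fewer survivors; the true key byte always survives.'''
    columns = [blob[pos::key_len] for pos in range(key_len)]
    return [[k for k in range(256) if all((c ^ k) in B64_ALPHABET for c in col)]
            for col in columns]


SAMPLE_BEACON = {          # constructed, shaped like the fields the report lists
    'host': 'WS-FIN-07',
    'user': 'j.doe',
    'domain': 'CORP',
    'files': ['Q3-forecast.xlsx', 'board-minutes.docx'],
}

if __name__ == '__main__':
    wire = encode_beacon(SAMPLE_BEACON)
    print(wire.hex())
    print(decode_beacon(wire))
    print(recover_key_prefix(wire), key_candidates(wire, len(ASSUMED_KEY)))
```

Because the innermost layer is Base64 text, the outer XOR leaks structure: the first three key bytes are pinned by the eyJ prefix, and every other key byte must keep its whole column inside the 65-character Base64 alphabet, which is usually enough to recover a short repeating key from a single long beacon. Confirm a candidate key by decoding and checking that the result parses as JSON.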
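The Run-key persistence described under Registry Setup above and the VirtualAllocEx / WriteProcessMemory / thread-context sequence this report hunts for, turned into detection logic as an added example that is not CloudSEK's code. The event records are a constructed, hypothetical Sysmon/EDR-style shape (the field names are assumptions, not any vendor's schema), with one benign installer Run-key write, one debugger that touches another process slowly, and one chain matching the implant's behaviour.

```python
# Added example, not CloudSEK's code: two of this report's recommendations as
# rules over a constructed telemetry sample. ASSUMPTION: a registry value-set
# event and API-call events carrying a source pid and a target process; the
# schema is invented for the example.
from collections import defaultdict

BACKSLASH = chr(92)                          # path separator, kept out of literals
RUN_KEY_MARKER = '/currentversion/run/'
PROGRAMDATA = 'c:/programdata/'
AUTOSTART_EXTS = ('.ini', '.exe', '.dll')    # .ini per this campaign, plus PE files
SYSTEM_ACCOUNTS = frozenset({'nt authority/system', 'nt authority/local service',
                             'nt authority/network service'})
INJECTION_CHAIN = (                          # ordered stages of the hunted sequence
    frozenset({'VirtualAllocEx'}),
    frozenset({'WriteProcessMemory'}),
    frozenset({'SetThreadContext', 'CreateRemoteThread', 'NtCreateThreadEx'}),
)


def norm(value):
    '''Case-fold and use forward slashes so matching ignores separator style.'''
    return value.lower().replace(BACKSLASH, '/')


def suspicious_run_key_writes(events):
    '''Recommendation 1: a user-context process sets a Run value whose data
    points at a .ini or PE artifact under C:/ProgramData.'''
    hits = []
    for ev in events:
        if ev.get('type') != 'registry_set' or RUN_KEY_MARKER not in norm(ev['key']):
            continue
        data = norm(ev['data'])
        if (PROGRAMDATA in data and data.endswith(AUTOSTART_EXTS)
                and norm(ev['user']) not in SYSTEM_ACCOUNTS):
            hits.append(ev)
    return hits


def injection_sequences(events, window=5.0):
    '''Recommendation 3: per (source pid, target process), VirtualAllocEx ->
    WriteProcessMemory -> thread creation or context change, in that order,
    within `window` seconds. One hit per completed chain.'''
    progress = defaultdict(lambda: (0, None))   # key -> (stage reached, chain start ts)
    hits = []
    api_events = sorted((e for e in events if e.get('type') == 'api_call'),
                        key=lambda e: e['ts'])
    for ev in api_events:
        key = (ev['pid'], norm(ev['target']))
        stage, start = progress[key]
        if start is not None and ev['ts'] - start > window:
            stage, start = 0, None              # chain went stale, start over
        if ev['api'] in INJECTION_CHAIN[stage]:
            start = ev['ts'] if stage == 0 else start
            stage += 1
            if stage == len(INJECTION_CHAIN):
                hits.append({'pid': ev['pid'], 'image': ev['image'],
                             'target': ev['target'], 'ts': ev['ts']})
                stage, start = 0, None
        progress[key] = (stage, start)
    return hits


# Constructed sample: a SYSTEM installer writing a Run value (benign), the
# implant registering itself from ProgramData, a debugger touching notepad.exe
# slowly, and the implant's allocate/write/thread-context chain into explorer.exe.
KIT = 'C:\\ProgramData\\CertificationKit.ini'
DBG = 'C:\\Tools\\dbg.exe'
SAMPLE_EVENTS = [
    {'type': 'registry_set', 'ts': 1.0, 'pid': 900, 'user': 'NT AUTHORITY\\SYSTEM',
     'image': 'C:\\Windows\\System32\\msiexec.exe',
     'key': 'HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\VendorAgent',
     'data': 'C:\\Program Files\\Vendor\\Agent.exe'},
    {'type': 'registry_set', 'ts': 2.0, 'pid': 4321, 'user': 'CORP\\jdoe', 'image': KIT,
     'key': 'HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Kit', 'data': KIT},
    {'type': 'api_call', 'ts': 3.0, 'pid': 2222, 'image': DBG, 'api': 'VirtualAllocEx', 'target': 'notepad.exe'},
    {'type': 'api_call', 'ts': 3.5, 'pid': 4321, 'image': KIT, 'api': 'VirtualAllocEx', 'target': 'explorer.exe'},
    {'type': 'api_call', 'ts': 3.6, 'pid': 4321, 'image': KIT, 'api': 'WriteProcessMemory', 'target': 'explorer.exe'},
    {'type': 'api_call', 'ts': 3.7, 'pid': 4321, 'image': KIT, 'api': 'SetThreadContext', 'target': 'explorer.exe'},
    {'type': 'api_call', 'ts': 20.0, 'pid': 2222, 'image': DBG, 'api': 'WriteProcessMemory', 'target': 'notepad.exe'},
    {'type': 'api_call', 'ts': 20.2, 'pid': 2222, 'image': DBG, 'api': 'SetThreadContext', 'target': 'notepad.exe'},
]

if __name__ == '__main__':
    print(suspicious_run_key_writes(SAMPLE_EVENTS))
    print(injection_sequences(SAMPLE_EVENTS))
```

The time window is what keeps a debugger or an EDR agent that legitimately allocates in other processes from firing; widen it and the slow notepad.exe chain in the sample becomes a second hit, which is the trade-off to tune against your own telemetry.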
The implant uses waitable timers and random number generation to create jitter, making traffic analysis more difficult.\r\nC2 Setup\r\nThe binary also uses Rust's async runtime (tokio) with multiple threads to handle C2 communication, file operations, and command execution concurrently without blocking.\r\nC2 Beaconing\r\nThe shellcode is executed using classic process injection. The routine begins by verifying the presence of explorer.exe, which is later used as the target process. The target process is launched in a suspended state and the malware retrieves the initial thread context. It then allocates executable memory inside the remote process via VirtualAllocEx and writes the payload via WriteProcessMemory.\r\nPivoting\r\nThis campaign has also been covered well by other security researchers (see the References below), but was not attributed. Based on the technical artifacts, targeting patterns, and tactical similarities observed in this campaign, we assess with high confidence that this activity can be attributed to Muddy Water APT (also tracked as Earth Vetala, MERCURY, Static Kitten, Mango Sandstorm). Several key indicators support this attribution:\r\nVBA Macro Code Reuse: The macro code extracted from Cybersecurity.doc exhibits striking similarities to previously documented Muddy Water campaigns, specifically the WriteHexToFile and love_me_ function patterns, including the distinctive use of hex-encoded payload embedding within UserForm controls.\r\nThe campaign analysed in this report shares significant overlap with another report. Similar TTPs can be observed in that chain too, where the initial email impersonated the L.M. 
Group, a legitimate Israeli HR company. We also validated how the threat actor was able to send from legitimate email accounts impersonating the governments of Turkmenistan, the UAE and others: we found leaked credentials for these email addresses, which is how the spear-phishing emails were sent.\r\nUpon further pivoting we were able to find many similar lures targeting the UAE and the wider Middle East.\r\nUAE MOFA Decoy\r\nWe were able to find 5 more lures targeting the UAE’s financial and education sectors.\r\nUAE MOFA Decoy 2\r\nIn another campaign, around November, we found similar lures targeting the Middle East maritime industry.\r\nMiddle East and Maritime Economy\r\nImpact\r\nHigh risk of long-term silent persistence: Registry-based autostart and delayed beaconing enable the Rust implant to remain operational across reboots with minimal forensic artifacts on disk.\r\nDynamic post-access capability expansion: Modular implants allow the operator to enable new functions (collection, C2 tasking, credential theft) without delivering additional binaries or regaining access.\r\nWeak effectiveness of static network countermeasures: Tiered C2 failover, request jitter, and protocol switching reduce the detection efficacy of domain/IP blocking and signature-based filters.\r\nLimited visibility for incident response teams: In-memory execution and asynchronous task handling complicate timeline reconstruction, memory capture, and precise attribution during IR.\r\nIncreased targeting and intelligence collection risk: On-demand module deployment allows 
tailored surveillance aligned with the victim role (diplomatic, maritime, telecom), expanding the scope of data exposure.\r\nRecommendations\r\nMonitor registry persistence mechanisms: Track anomalous Run key writes referencing .ini or PE artifacts in C:\\ProgramData\\* and flag user-context processes modifying autostart locations.\r\nDetect layered C2 behavior rather than single indicators: Alert on retry-heavy outbound HTTP, randomized callback intervals, fallback domains, and multi-step transform patterns (JSON → Base64 → XOR).\r\nInstrument memory allocation and thread manipulation events: Hunt for VirtualAllocEx + WriteProcessMemory + thread context modification inside benign Windows processes such as explorer.exe.\r\nCorrelate signer trust with execution locality: Flag signed binaries executed from writable paths (Downloads, Temp, ProgramData) followed by non-signed module loads or remote thread creation.\r\nTreat late-stage RAT capability activation as malicious: Monitor transitions from passive beaconing to active collection behaviors such as file listing, keylogging calls, credential harvesting, or tasking execution.\r\nAppendix\r\nIOCs\r\nIndicator Type | Indicator | Comments\r\nSHA256 Hash | 76aad2a7fa265778520398411324522c57bfd7d2ff30a5cfe6460960491bc552 | Email\r\nSHA256 Hash | f38a56b8dc0e8a581999621eef65ef497f0ac0d35e953bd94335926f00e9464f | Cybersecurity.doc\r\nSHA256 Hash | 7523e53c979692f9eecff6ec760ac3df5b47f172114286e570b6bba3b2133f58 | reddit.exe\r\nSHA256 Hash | e61b2ed360052a256b3c8761f09d185dad15c67595599da3e587c2c553e83108 | art.exe\r\nSHA256 Hash | a2001892410e9f34ff0d02c8bc9e7c53b0bd10da58461e1e9eab26bdbf410c79 | art.exe\r\nSHA256 Hash | c23bac59d70661bb9a99573cf098d668e9395a636dc6f6c20f92c41013c30be8 | 
art.exe\r\nSHA256 Hash | 42ad0c70e997a268286654b792c7833fd7c6a2a6a80d9f30d3f462518036d04c | art.exe\r\nSHA256 Hash | e081bc408f73158c7338823f01455e4f5185a4365c8aad1d60d777e29166abbd | cloud.exe\r\nSHA256 Hash | 3d1e43682c4d306e41127ca91993c7befd6db626ddbe3c1ee4b2cf44c0d2fb43 | cloud.exe\r\nSHA256 Hash | ddc6e6c76ac325d89799a50dffd11ec69ed3b5341740619b8e595b8068220914 | nginx.exe\r\nIP | 159.198.68.25 | Resolution from stratioai[.]org\r\nIP | 161.35.228.250 | Resolution from bootcamptg[.]org\r\nIP | 159.198.66.153 | Resolution from nomercys[.]it[.]com\r\nMITRE Mapping\r\nATT\u0026CK Tactic | Technique ID | Technique Name | Evidence from Report\r\nInitial Access | T1566.001 | Phishing: Spearphishing Attachment | Malicious email with Cybersecurity.doc attachment\r\nInitial Access | T1204.002 | User Execution: Malicious File | User opens the document, leading to payload drop and execution\r\nExecution | T1059.005 | Command and Scripting Interpreter: Visual Basic | VBA macro in the Word document\r\nExecution | T1106 | Native API | Use of RegOpenKeyExW, GetUserNameW, GetComputerNameExW, CreateWaitableTimerExW\r\nExecution | T1047 | Windows Management Instrumentation | WMI used to execute CertificationKit.ini via Win32_Process.Create\r\nExecution | T1620 | Reflective Code Loading | Hex-encoded PE payload decoded in memory and dropped\r\nReferences\r\n*Intelligence source and information reliability - Wikipedia\r\n#Traffic Light Protocol - 
Wikipedia\r\nhttps://nsfocusglobal.com/new-apt-group-actor240524-a-closer-look-at-its-cyber-tactics-against-azerbaijan-and-israel/\r\nhttps://www.seqrite.com/blog/ung0801-tracking-threat-clusters-obsessed-with-av-icon-spoofing-targeting-israel/\r\nPrajwal Awasthi\r\nPrajwal is a Malware Analyst at CloudSEK, specializing in reverse engineering and threat intelligence. He focuses on uncovering new threats through malware research, with a background in Offensive Security and Windows Internals.\r\nSource: https://www.cloudsek.com/blog/reborn-in-rust-muddywater-evolves-tooling-with-rustywater-implant",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.cloudsek.com/blog/reborn-in-rust-muddywater-evolves-tooling-with-rustywater-implant"
	],
	"report_names": [
		"reborn-in-rust-muddywater-evolves-tooling-with-rustywater-implant"
	],
	"threat_actors": [
		{
			"id": "02e1c2df-8abd-49b1-91d1-61bc733cf96b",
			"created_at": "2022-10-25T15:50:23.308924Z",
			"updated_at": "2026-04-10T02:00:05.298591Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"MuddyWater",
				"Earth Vetala",
				"Static Kitten",
				"Seedworm",
				"TEMP.Zagros",
				"Mango Sandstorm",
				"TA450"
			],
			"source_name": "MITRE:MuddyWater",
			"tools": [
				"STARWHALE",
				"POWERSTATS",
				"Out1",
				"PowerSploit",
				"Small Sieve",
				"Mori",
				"Mimikatz",
				"LaZagne",
				"PowGoop",
				"CrackMapExec",
				"ConnectWise",
				"SHARPSTATS",
				"RemoteUtilities",
				"Koadic"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2ed8d590-defa-4873-b2de-b75c9b30931e",
			"created_at": "2023-01-06T13:46:38.730137Z",
			"updated_at": "2026-04-10T02:00:03.08136Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"TEMP.Zagros",
				"Seedworm",
				"COBALT ULSTER",
				"G0069",
				"ATK51",
				"Mango Sandstorm",
				"TA450",
				"Static Kitten",
				"Boggy Serpens",
				"Earth Vetala"
			],
			"source_name": "MISPGALAXY:MuddyWater",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "156b3bc5-14b7-48e1-b19d-23aa17492621",
			"created_at": "2025-08-07T02:03:24.793494Z",
			"updated_at": "2026-04-10T02:00:03.634641Z",
			"deleted_at": null,
			"main_name": "COBALT ULSTER",
			"aliases": [
				"Boggy Serpens",
				"ENT-11",
				"Earth Vetala",
				"ITG17",
				"MERCURY",
				"Mango Sandstorm",
				"MuddyWater",
				"STAC 1171",
				"Seedworm",
				"Static Kitten",
				"TA450",
				"TEMP.Zagros",
				"UNC3313",
				"Yellow Nix"
			],
			"source_name": "Secureworks:COBALT ULSTER",
			"tools": [
				"CrackMapExec",
				"Empire",
				"FORELORD",
				"Koadic",
				"LaZagne",
				"Metasploit",
				"Mimikatz",
				"Plink",
				"PowerStats"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "57202244-bc71-4bf5-820b-588f06be0fa1",
			"created_at": "2024-09-20T02:00:04.570865Z",
			"updated_at": "2026-04-10T02:00:03.692646Z",
			"deleted_at": null,
			"main_name": "Actor240524",
			"aliases": [],
			"source_name": "MISPGALAXY:Actor240524",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3c430d71-ab2b-4588-820a-42dd6cfc39fb",
			"created_at": "2022-10-25T16:07:23.880522Z",
			"updated_at": "2026-04-10T02:00:04.775749Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"ATK 51",
				"Boggy Serpens",
				"Cobalt Ulster",
				"G0069",
				"ITG17",
				"Mango Sandstorm",
				"MuddyWater",
				"Operation BlackWater",
				"Operation Earth Vetala",
				"Operation Quicksand",
				"Seedworm",
				"Static Kitten",
				"T-APT-14",
				"TA450",
				"TEMP.Zagros",
				"Yellow Nix"
			],
			"source_name": "ETDA:MuddyWater",
			"tools": [
				"Agentemis",
				"BugSleep",
				"CLOUDSTATS",
				"ChromeCookiesView",
				"Cobalt Strike",
				"CobaltStrike",
				"CrackMapExec",
				"DCHSpy",
				"DELPHSTATS",
				"EmPyre",
				"EmpireProject",
				"FruityC2",
				"Koadic",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"MZCookiesView",
				"Meterpreter",
				"Mimikatz",
				"MuddyC2Go",
				"MuddyRot",
				"Mudwater",
				"POWERSTATS",
				"PRB-Backdoor",
				"PhonyC2",
				"PowGoop",
				"PowerShell Empire",
				"PowerSploit",
				"Powermud",
				"QUADAGENT",
				"SHARPSTATS",
				"SSF",
				"Secure Socket Funneling",
				"Shootback",
				"Smbmap",
				"Valyria",
				"chrome-passwords",
				"cobeacon",
				"prb_backdoor"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775439144,
	"ts_updated_at": 1775826764,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/47804a05c731fdd30a525565c1a23950ce6ea412.pdf",
		"text": "https://archive.orkl.eu/47804a05c731fdd30a525565c1a23950ce6ea412.txt",
		"img": "https://archive.orkl.eu/47804a05c731fdd30a525565c1a23950ce6ea412.jpg"
	}
}