Reborn in Rust: Muddy Water Evolves Tooling with RustyWater Implant
By Prajwal Awasthi
Published: 2026-03-17 · Archived: 2026-04-06 00:50:11 UTC
Adversary Intelligence · January 8, 2026 · 6 min read

Executive Summary

CloudSEK's TRIAD recently identified a spear-phishing campaign attributed to the Muddy Water APT group targeting multiple sectors across the Middle East, including diplomatic, maritime, financial, and telecom entities. The campaign uses icon spoofing and malicious Word documents to deliver "RustyWater", a Rust-based implant capable of asynchronous C2, anti-analysis, registry persistence, and modular post-compromise capability expansion, and a significant upgrade to the group's traditional toolkit.

Historically, Muddy Water has relied on PowerShell and VBS loaders for initial access and post-compromise operations. The introduction of Rust-based implants represents a notable tooling evolution toward more structured, modular, and low-noise RAT capabilities. Although this Rust-based implant has appeared in limited reporting under names like Archer RAT / RUSTRIC, it remains far less documented than Muddy Water's legacy PowerShell/VBS tooling.
To avoid name collisions and for sanity, we refer to this variant as RustyWater throughout this report.

[Figure: Kill Chain]

Initial Access Vector

Malicious email

The email, titled "Cybersecurity Guidelines", was sent from the email domain "info@tmcell", which looks to be an official contact email for TMCell (Altyn Asyr CJSC), the primary mobile operator in Turkmenistan. A document named Cybersecurity.doc is attached; it serves as the primary payload for the next stage.

[Figure: Cybersecurity.doc]

Technical Analysis

Stage 1: Cybersecurity.doc

[Figure: Oletools detects macros]

We can run oleid to check whether any macros are present in the document and then dump them with tools such as oledump.

WriteHexToFile

WriteHexToFile reads a hex-encoded byte stream embedded in UserForm1.TextBox1.Text, removes all formatting characters, validates the data length, and decodes it into raw binary. It then writes the reconstructed payload to disk as CertificationKit.ini in C:\ProgramData\.

The next function, love_me_, is primarily an obfuscated execution wrapper. It begins by dynamically reconstructing the string WScript.Shell from hard-coded ASCII values using the Chr() function. Once reconstructed, the function validates the string and uses CreateObject to instantiate a WScript.Shell COM object, then builds a second obfuscated string that resolves to cmd.exe and executes CertificationKit.ini, the file written earlier by WriteHexToFile.

[Figure: Running CertificationKit.ini]

We can take the hex string directly from UserForm1 and convert it.
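The carving step above, as an added Python example (not code from the report, the macro, or CloudSEK): it mirrors what WriteHexToFile does with the TextBox blob and then checks the MZ magic and PE signature. The TextBox contents are a constructed fake header, not the real CertificationKit.ini, and the function names are the example's own.

```python
import re
import struct

# Constructed stand-in for UserForm1.TextBox1.Text: a fake 88-byte MZ/PE header
# (NOT the real CertificationKit.ini), hex-encoded with the kind of formatting
# noise the macro has to strip out (quotes, spaces, line breaks).
_FAKE_PE = (
    b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40)   # DOS header, e_lfanew = 0x40
    + b"PE\x00\x00" + struct.pack("<H", 0x8664)       # PE signature, Machine = AMD64
    + b"\x00" * 18                                    # rest of the COFF file header
)
_HEX = _FAKE_PE.hex().upper()
SAMPLE_TEXTBOX = '"' + " ".join(_HEX[i:i + 2] for i in range(0, len(_HEX), 2)) + '"\r\n'

NON_HEX = re.compile(r"[^0-9A-Fa-f]")
MACHINES = {0x014C: "i386", 0x8664: "AMD64", 0xAA64: "ARM64"}

def decode_hex_blob(text):
    """Mirror WriteHexToFile: drop formatting characters, validate length, decode."""
    cleaned = NON_HEX.sub("", text)
    if len(cleaned) % 2:
        raise ValueError("odd number of hex digits: blob is truncated or corrupted")
    return bytes.fromhex(cleaned)

def classify_payload(data):
    """Check for the 4D5A (MZ) magic, then follow e_lfanew to the PE signature."""
    info = {"is_mz": data[:2] == b"MZ", "is_pe": False, "e_lfanew": None, "machine": None}
    if not info["is_mz"] or len(data) < 0x40:
        return info
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    info["e_lfanew"] = e_lfanew
    if e_lfanew + 6 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
        info["is_pe"] = True
        machine = struct.unpack_from("<H", data, e_lfanew + 4)[0]
        info["machine"] = MACHINES.get(machine, hex(machine))
    return info

def carve_textbox_payload(text, out_path=None):
    """Decode a UserForm hex blob, classify it, and optionally write it to disk."""
    data = decode_hex_blob(text)
    info = classify_payload(data)
    if out_path:                      # e.g. "CertificationKit.bin" for further analysis
        with open(out_path, "wb") as fh:
            fh.write(data)
    return data, info
```

Feed `carve_textbox_payload` the text dumped from the real UserForm with oledump to get the same verdict dictionary for the actual sample.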
We can confirm it is a PE file from the 4D5A (MZ) magic header.

Stage 2: CertificationKit.ini

The extracted PE file presents itself as reddit.exe despite carrying a Cloudflare logo. Static analysis reveals the binary is compiled in Rust, which aligns with previously documented samples of Archer RAT (also tracked as RUSTRIC), an implant attributed to the Muddy Water APT group.

[Figure: reddit.exe]

RustyWater begins execution by establishing anti-debugging and anti-tampering mechanisms. It registers a Vectored Exception Handler (VEH) to catch debugging attempts and systematically gathers victim machine information, including username, computer name, and domain membership. All strings in the malware are encrypted using position-independent XOR encryption. Some of the decrypted strings found in the binary were:

"C:\\ProgramData"
"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
"reqwest/0.12.23"  // Rust HTTP library
"Content-Type: application/json"

RustyWater attempts to detect a wide range of antivirus and EDR tools by scanning for agent files, service names, and installation paths of more than 25 AV products.

Registry Setup

The malware sets up persistence by writing itself to a Windows startup registry key. It first decrypts the key path and then opens the Run registry location under the current user. If that fails, it crashes with a Rust error message. Next, it decrypts another short string that becomes the name of the startup entry; the value points to a file at C:\ProgramData\CertificationKit.ini, which is our payload.

The malware establishes HTTP-based command and control using the Rust reqwest library.
It configures timeouts, connection pooling, and headers, and implements retry logic for reliable C2. Before transmission, the binary encodes collected data using base64 and encrypts it. The payload is structured as JSON and includes system information, file listings, and metadata. The whole transform uses 3 layers of obfuscation (JSON -> Base64 -> XOR). To avoid detection, the binary implements randomized sleep intervals between C2 callbacks: it uses waitable timers and random number generation to create jitter, making traffic analysis difficult.

[Figure: C2 Setup]

The binary also uses Rust's async runtime (tokio) with multiple threads to handle C2 communication, file operations, and command execution concurrently without blocking.

[Figure: C2 Beaconing]

The shellcode is executed using the classic process injection technique. The routine begins by verifying the presence of explorer.exe, which is later used as the target process. The binary is launched in a suspended state and the malware retrieves the initial thread context. It then allocates executable memory inside the remote process via VirtualAllocEx and writes the payload via WriteProcessMemory.

Pivoting

This campaign has been covered wonderfully by other security researchers as well, but was not attributed. Based on the technical artifacts, targeting patterns, and tactical similarities observed in this campaign, we assess with high confidence that this activity can be attributed to Muddy Water APT (also tracked as Earth Vetala, MERCURY, Static Kitten, Mango Sandstorm). Several key indicators support this attribution:

VBA Macro Code Reuse: The macro code extracted from Cybersecurity.doc exhibits striking similarities to previously documented Muddy Water campaigns.
Specifically, the WriteHexToFile and love_me_ function patterns, including the distinctive use of hex-encoded payload embedding within UserForm controls.

The campaign analysed in this report shares significant overlap with another report. Similar TTPs can be observed in that chain too, where the initial email impersonated the L.M. Group, a legitimate Israeli HR company.

We also validated how the threat actor was able to use legitimate email accounts impersonating the governments of Turkmenistan, the UAE and others. We found leaked credentials for these email addresses, which led to the spear-phishing emails. Upon further pivoting we were able to find many similar lures targeting the UAE and the Middle East.

[Figure: UAE MOFA Decoy]

We were able to find 5 more lures targeting the UAE's financial and education sectors.

[Figure: UAE MOFA Decoy 2]

In another campaign, around November, we found similar lures targeting the Middle East maritime industry.

[Figure: Middle East and Maritime Economy]

Impact

- High risk of long-term silent persistence: Registry-based autostart and delayed beaconing enable the Rust implant to remain operational across reboots with minimal forensic artifacts on disk.
- Dynamic post-access capability expansion: Modular implants allow the operator to enable new functions (collection, C2 tasking, credential theft) without delivering additional binaries or regaining access.
- Weak effectiveness of static network countermeasures: Tiered C2 failover, request jitter, and protocol switching reduce the detection efficacy of domain/IP blocking and signature-based filters.
- Limited visibility for incident response teams: In-memory execution and asynchronous task handling complicate timeline reconstruction, memory capture, and precise attribution during IR.
- Increased targeting and intelligence collection risk: On-demand module deployment allows tailored surveillance aligned with the victim's role (diplomatic, maritime, telecom), expanding the scope of data exposure.

Recommendations

- Monitor registry persistence mechanisms: Track anomalous Run key writes referencing .ini or PE artifacts in C:\ProgramData\* and flag user-context processes modifying autostart locations.
- Detect layered C2 behavior rather than single indicators: Alert on retry-heavy outbound HTTP, randomized callback intervals, fallback domains, and multi-step transform patterns (JSON → Base64 → XOR).
- Instrument memory allocation and thread manipulation events: Hunt for VirtualAllocEx + WriteProcessMemory + thread context modification inside benign Windows processes such as explorer.exe.
- Correlate signer trust with execution locality: Flag signed binaries executed from writable paths (Downloads, Temp, ProgramData) followed by non-signed module loads or remote thread creation.
- Treat late-stage RAT capability activation as malicious: Monitor transitions from passive beaconing to active collection behaviors such as file listing, keylogging calls, credential harvesting, or tasking execution.

Appendix

IOCs

Indicator Type | Indicator | Comments
SHA256 Hash | 76aad2a7fa265778520398411324522c57bfd7d2ff30a5cfe6460960491bc552 | Email
SHA256 Hash | f38a56b8dc0e8a581999621eef65ef497f0ac0d35e953bd94335926f00e9464f | Cybersecurity.doc
SHA256 Hash | 7523e53c979692f9eecff6ec760ac3df5b47f172114286e570b6bba3b2133f58 | reddit.exe
SHA256 Hash | e61b2ed360052a256b3c8761f09d185dad15c67595599da3e587c2c553e83108 | art.exe
SHA256 Hash | a2001892410e9f34ff0d02c8bc9e7c53b0bd10da58461e1e9eab26bdbf410c79 | art.exe
SHA256 Hash | c23bac59d70661bb9a99573cf098d668e9395a636dc6f6c20f92c41013c30be8 | art.exe
SHA256 Hash | 42ad0c70e997a268286654b792c7833fd7c6a2a6a80d9f30d3f462518036d04c | art.exe
SHA256 Hash | e081bc408f73158c7338823f01455e4f5185a4365c8aad1d60d777e29166abbd | cloud.exe
SHA256 Hash | 3d1e43682c4d306e41127ca91993c7befd6db626ddbe3c1ee4b2cf44c0d2fb43 | cloud.exe
SHA256 Hash | ddc6e6c76ac325d89799a50dffd11ec69ed3b5341740619b8e595b8068220914 | nginx.exe
IP | 159.198.68.25 | Resolution from stratioai[.]org
IP | 161.35.228.250 | Resolution from bootcamptg[.]org
IP | 159.198.66.153 | Resolution from nomercys[.]it[.]com

MITRE Mapping

ATT&CK Tactic | Technique ID | Technique Name | Evidence from Report
Initial Access | T1566.001 | Phishing: Spearphishing Attachment | Malicious email with Cybersecurity.doc attachment
Initial Access | T1204.002 | User Execution: Malicious File | User opens the document, leading to payload drop and execution
Execution | T1059.005 | Command and Scripting Interpreter: Visual Basic | VBA macro in Word document
Execution | T1106 | Native API | Use of RegOpenKeyExW, GetUserNameW, GetComputerNameExW, CreateWaitableTimerExW
Execution | T1047 | Windows Management Instrumentation | WMI used to execute CertificationKit.ini via Win32_Process.Create
Execution | T1620 | Reflective Code Loading | Hex-encoded PE payload decoded in memory and dropped

References

Intelligence source and information reliability - Wikipedia
Traffic Light Protocol - Wikipedia
https://nsfocusglobal.com/new-apt-group-actor240524-a-closer-look-at-its-cyber-tactics-against-azerbaijan-and-israel/
https://www.seqrite.com/blog/ung0801-tracking-threat-clusters-obsessed-with-av-icon-spoofing-targeting-israel/

Prajwal Awasthi

Prajwal is a Malware Analyst at CloudSEK, specializing in reverse engineering and threat intelligence. He focuses on uncovering new threats through malware research, with a background in offensive security and Windows internals.

Source: https://www.cloudsek.com/blog/reborn-in-rust-muddywater-evolves-tooling-with-rustywater-implant
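The first and third hunts from the Recommendations section (Run-key writes pointing into C:\ProgramData, and processes from writable paths opening explorer.exe with the rights VirtualAllocEx and WriteProcessMemory require), as an added Python example that is not part of CloudSEK's report. It assumes Sysmon-style field names (EventID 13 RegistryEvent with TargetObject/Details, EventID 10 ProcessAccess with SourceImage/TargetImage/GrantedAccess); the events are constructed samples, and the writable-path list is the example's own choice.

```python
import re

# Constructed Sysmon-style events (EventID 13 = registry value set, 10 = process
# access); sample telemetry written for this example, not records from the campaign.
SAMPLE_EVENTS = [
    {"EventID": 13, "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\ProgramData\CertificationKit.ini"},
    {"EventID": 13, "TargetObject": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\VendorAgent",
     "Details": r"C:\Program Files\Vendor\agent.exe"},            # benign: install path
    {"EventID": 10, "SourceImage": r"C:\ProgramData\CertificationKit.ini",
     "TargetImage": r"C:\Windows\explorer.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\explorer.exe", "GrantedAccess": "0x1000"},  # query only
]

RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
WRITABLE_PATH = re.compile(r"^C:\\(ProgramData|Users\\[^\\]+\\(Downloads|AppData\\Local\\Temp))\\", re.I)
DROPPED_ARTIFACT = re.compile(r'\.(ini|exe|dll)"?\s*$', re.I)
# Rights VirtualAllocEx / WriteProcessMemory need on the target process handle.
PROCESS_VM_OPERATION, PROCESS_VM_WRITE = 0x0008, 0x0020

def check_run_key_write(ev):
    """Run-key value whose data points at an .ini/.exe/.dll under a writable path."""
    if ev.get("EventID") != 13 or not RUN_KEY.search(ev.get("TargetObject", "")):
        return None
    data = ev.get("Details", "")
    if WRITABLE_PATH.match(data) and DROPPED_ARTIFACT.search(data):
        return f"autostart entry {ev['TargetObject']} -> {data}"
    return None

def check_explorer_access(ev):
    """Process from a writable path opening explorer.exe with VM write rights."""
    if ev.get("EventID") != 10 or not ev.get("TargetImage", "").lower().endswith("\\explorer.exe"):
        return None
    needed = PROCESS_VM_OPERATION | PROCESS_VM_WRITE
    mask = int(ev.get("GrantedAccess", "0"), 16)
    if (mask & needed) == needed and WRITABLE_PATH.match(ev.get("SourceImage", "")):
        return f"{ev['SourceImage']} opened explorer.exe with {ev['GrantedAccess']}"
    return None

def hunt(events):
    """Run every rule over every event; returns (rule name, finding) pairs."""
    hits = []
    for ev in events:
        for rule in (check_run_key_write, check_explorer_access):
            finding = rule(ev)
            if finding:
                hits.append((rule.__name__, finding))
    return hits
```

Correlating both findings on the same SourceImage within a short window is what separates the RustyWater chain from a lone Run-key write by an installer.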