{
  "name": "Reborn in Rust: MuddyWater Evolves Tooling with RustyWater Implant",
  "slug": "reborn-in-rust-muddywater-evolves-tooling-with-rustywater-implant",
  "description": "The MuddyWater APT group has launched a spearphishing campaign targeting various sectors in the Middle East, including diplomatic, maritime, financial, and telecom entities. The campaign employs icon spoofing and malicious Word documents to deliver a Rust-based implant dubbed 'RustyWater'. This new tool represents a significant upgrade from the group's traditional PowerShell and VBS loaders, offering capabilities such as asynchronous C2, anti-analysis features, registry persistence, and modular post-compromise expansion. The attack chain involves a malicious email with an attached document that triggers a multi-stage process, ultimately leading to the deployment of the RustyWater implant. This evolution in MuddyWater's toolkit demonstrates its adaptation to more sophisticated, structured, and stealthy attack methods.",
  "published": "2026-01-08T17:12:01+00:00",
  "created_at": "2026-01-08T17:12:01+00:00",
  "modified_at": "2026-01-09T09:06:32+00:00",
  "created_at_opencti": "2026-01-08T17:12:01+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2026-01-08",
    "archer rat",
    "icon spoofing",
    "implant",
    "rust",
    "rustywater",
    "spearphishing"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "159.198.66.153"
      },
      {
        "id": "",
        "name": "159.198.68.25"
      },
      {
        "id": "",
        "name": "f38a56b8dc0e8a581999621eef65ef497f0ac0d35e953bd94335926f00e9464f"
      },
      {
        "id": "",
        "name": "e61b2ed360052a256b3c8761f09d185dad15c67595599da3e587c2c553e83108"
      },
      {
        "id": "",
        "name": "76aad2a7fa265778520398411324522c57bfd7d2ff30a5cfe6460960491bc552"
      },
      {
        "id": "",
        "name": "7523e53c979692f9eecff6ec760ac3df5b47f172114286e570b6bba3b2133f58"
      },
      {
        "id": "",
        "name": "c23bac59d70661bb9a99573cf098d668e9395a636dc6f6c20f92c41013c30be8"
      },
      {
        "id": "",
        "name": "3d1e43682c4d306e41127ca91993c7befd6db626ddbe3c1ee4b2cf44c0d2fb43"
      },
      {
        "id": "",
        "name": "e081bc408f73158c7338823f01455e4f5185a4365c8aad1d60d777e29166abbd"
      },
      {
        "id": "",
        "name": "ddc6e6c76ac325d89799a50dffd11ec69ed3b5341740619b8e595b8068220914"
      },
      {
        "id": "",
        "name": "42ad0c70e997a268286654b792c7833fd7c6a2a6a80d9f30d3f462518036d04c"
      },
      {
        "id": "",
        "name": "a2001892410e9f34ff0d02c8bc9e7c53b0bd10da58461e1e9eab26bdbf410c79"
      }
    ],
    "malware": [
      {
        "id": "b18adf30-3aba-4f77-9b00-ac0e2ca057a3",
        "name": "RUSTRIC",
        "slug": "rustric"
      },
      {
        "id": "8f6712df-2c3a-42b8-bc12-96ed34ff08a8",
        "name": "Archer RAT",
        "slug": "archer-rat"
      },
      {
        "id": "legacy:malware:7bf78fd6937825ad",
        "name": "RustyWater",
        "slug": "rustywater"
      }
    ],
    "intrusion_sets": [
      {
        "id": "98b7af71-8465-4bc4-9526-3bd1a8ac5f59",
        "name": "MuddyWater",
        "slug": "muddywater"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "Israel"
      },
      {
        "id": "",
        "name": "Turkmenistan"
      },
      {
        "id": "",
        "name": "Finance"
      },
      {
        "id": "",
        "name": "Education"
      },
      {
        "id": "",
        "name": "Telecommunications"
      },
      {
        "id": "",
        "name": "Maritime transport"
      },
      {
        "id": "",
        "name": "Government and administrations"
      }
    ]
  },
  "external_refs": [
    "https://otx.alienvault.com/pulse/695ff3711e6444224d87f246",
    "https://www.cloudsek.com/blog/reborn-in-rust-muddywater-evolves-tooling-with-rustywater-implant"
  ]
}