Iran-Linked MuddyWater Uses Rust-Based Malware in Targeted Phishing Attacks

An Iranian-linked hacking group known as MuddyWater has been connected to a new spear-phishing operation aimed at organizations in the diplomatic, maritime, financial, and telecommunications sectors across the Middle East. The activity centers on a Rust-based malware implant researchers have dubbed RustyWater.

According to a recent report from CloudSEK, the attackers rely on carefully crafted phishing emails that use deceptive icons and weaponized Microsoft Word documents. Once opened, the documents prompt victims to enable content, triggering a malicious macro that installs the Rust-based implant. The malware supports asynchronous command-and-control communication, includes anti-analysis features, maintains persistence through Windows Registry modifications, and allows additional capabilities to be added after compromise.

Security analysts say this campaign highlights MuddyWater’s steady shift in tactics. Over time, the group has moved away from using legitimate remote access tools after intrusion and has instead built a broader collection of custom malware. This toolkit includes previously observed tools such as Phoenix, UDPGangster, BugSleep (also known as MuddyRot), and MuddyViper.

The threat actor, also tracked under names such as Mango Sandstorm, Static Kitten, and TA450, is believed to be tied to Iran’s Ministry of Intelligence and Security. Its operations have been documented since at least 2017.

The RustyWater infection chain itself is relatively simple but effective. Phishing emails posing as cybersecurity guidance deliver a Word file that urges users to enable macros. Once activated, the macro drops the RustyWater payload, giving attackers a foothold on the system.

Also known as Archer RAT or RUSTRIC, the malware collects system details, checks for installed security products, and establishes persistence via registry keys. It then connects to a remote command-and-control server to enable file manipulation and remote command execution.

Notably, similar RUSTRIC activity was reported late last month by Seqrite Labs in attacks against IT firms, managed service providers, human resources departments, and software development companies in Israel. That activity is being tracked as UNG0801 and dubbed Operation IconCat.

Researchers note that MuddyWater has historically leaned on PowerShell and VBS loaders during early stages of an attack. The adoption of Rust-based implants marks a clear evolution toward more modular, structured, and quieter remote access tools, making detection and analysis more challenging for defenders.
