


Perceptive Security
SOC/SIEM Consultancy

MuddyWater Launches RustyWater RAT via Spear-Phishing Across Middle East Sectors
Published:
10 January 2026 at 10:35:00
Alert date:
10 January 2026 at 11:01:12
Source:
thehackernews.com
Ransomware & Malware, Email & Messaging, Data Breach & Exfiltration
Iranian threat actor MuddyWater launched a spear-phishing campaign targeting diplomatic, maritime, financial, and telecom entities in the Middle East. The campaign deploys a new Rust-based implant called RustyWater RAT through malicious Word documents with icon spoofing. The malware features asynchronous C2 communication, anti-analysis capabilities, registry persistence, and modular architecture. This represents an active campaign by a known state-sponsored threat group targeting critical infrastructure sectors.
Technical details
MuddyWater is conducting spear-phishing campaigns using malicious Word documents with icon spoofing. The attack chain involves emails masquerading as cybersecurity guidelines with attached Word documents that prompt victims to 'Enable content' to activate VBA macros. These macros deploy the RustyWater (also called Archer RAT and RUSTRIC) Rust-based implant. The malware performs victim machine reconnaissance, detects security software, establishes persistence via Windows Registry keys, and communicates with C2 servers for file operations and command execution. The implant features asynchronous C2 communication, anti-analysis capabilities, registry persistence, and modular post-compromise expansion capabilities.
Mitigation steps:
Monitor for spear-phishing emails masquerading as cybersecurity guidelines with Word document attachments.
Implement controls to prevent VBA macro execution from untrusted documents.
Monitor the Windows Registry for unauthorized persistence mechanisms.
Implement network monitoring for communications to suspicious domains.
Deploy anti-malware solutions capable of detecting Rust-based implants.
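The two host-side steps above (blocking macro execution and watching the registry for persistence) as an added PowerShell example; this is not code from the advisory or from the linked reports. It assumes Office 16.0 (Office 2016/2019/365) policy paths, and the autostart baseline list is a constructed placeholder to be tuned per host.

```powershell
# Added example (not from the advisory): audit Word macro hardening and
# report Run-key autostart entries that are not in a known-good baseline.
# Assumption: Office 16.0 policy hive; adjust $OfficeVersion for other builds.
$OfficeVersion = '16.0'
$policyPath = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\Word\Security"

function Get-WordMacroPolicy {
    $p = Get-ItemProperty -Path $policyPath -ErrorAction SilentlyContinue
    [pscustomobject]@{
        # 4 = disable all macros without notification (no 'Enable content' prompt)
        VBAWarnings                       = $p.VBAWarnings
        # 1 = block macros in files carrying the Mark-of-the-Web (email/web origin)
        BlockContentExecutionFromInternet = $p.blockcontentexecutionfrominternet
    }
}

function Set-WordMacroPolicy {
    # Enforce both settings; requires rights to write the policy key.
    New-Item -Path $policyPath -Force | Out-Null
    Set-ItemProperty -Path $policyPath -Name 'VBAWarnings' -Type DWord -Value 4
    Set-ItemProperty -Path $policyPath -Name 'blockcontentexecutionfrominternet' -Type DWord -Value 1
}

# Constructed placeholder baseline of expected autostart value names; tune per host.
$Baseline = @('OneDrive', 'SecurityHealth')

function Get-UnexpectedRunEntries {
    $runKeys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $runKeys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($name in $props.PSObject.Properties.Name) {
            if ($name -like 'PS*') { continue }   # skip provider metadata (PSPath etc.)
            if ($Baseline -notcontains $name) {
                # Anything not baselined is surfaced for analyst review, not auto-removed.
                [pscustomobject]@{ Key = $key; Name = $name; Command = $props.$name }
            }
        }
    }
}

Get-WordMacroPolicy
Get-UnexpectedRunEntries | Format-Table -AutoSize
```

Run the audit first; only call Set-WordMacroPolicy where the policy values are missing or weaker than the intended baseline.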
Affected products:
Microsoft Word
Related links:
https://thehackernews.com/2025/10/iran-linked-muddywater-targets-100.html
https://www.cloudsek.com/blog/reborn-in-rust-muddywater-evolves-tooling-with-rustywater-implant
https://thehackernews.com/2026/01/threatsday-bulletin-rustfs-flaw-iranian.html#iranian-group-evolves
https://thehackernews.com/2025/12/muddywater-deploys-udpgangster-backdoor.html
https://thehackernews.com/2025/12/iran-linked-hackers-hits-israeli_2.html
https://thehackernews.com/2024/06/hackers-use-ms-excel-macro-to-launch.html
https://thehackernews.com/2025/12/threatsday-bulletin-stealth-loaders-ai.html#israel-targeted-phishing
Related CVEs:
Related threat actors:
MuddyWater
IOCs:
Domain: nomercys.it[.]com. Malware family names (not network indicators): RustyWater, Archer RAT, RUSTRIC
This article was created with the assistance of AI technology by Perceptive.
