Reborn in Rust: Muddy Water Evolves Tooling with RustyWater Implant

www.cloudsek.com/blog/rebo…

CloudSEK’s TRIAD recently identified a spearphishing campaign attributed to the Muddy Water APT group targeting multiple sectors across the Middle East, including diplomatic, maritime, financial, and telecom entities. The campaign uses icon spoofing and malicious Word documents to deliver Rust-based implants capable of asynchronous C2, anti-analysis, registry persistence, and modular post-compromise capability expansion.

Historically, Muddy Water has relied on PowerShell and VBS loaders for initial access and post-compromise operations. The introduction of Rust-based implants represents a notable tooling evolution toward more structured, modular, and low-noise RAT capabilities.

Although this Rust-based implant has appeared in limited reporting under names such as Archer RAT / RUSTRIC, it remains far less documented than Muddy Water’s legacy PowerShell/VBS tooling. To avoid name collisions and for clarity, we refer to this variant as RustyWater throughout this report.

Edward Kiledjian @ekiledjian