A different approach to analyzing and simplifying threat intelligence
Threats Feed
We are excited to announce that the preliminary editions of Threats Feed and Actors Insights are now accessible to the public. Our efforts are focused on incorporating additional practical features and beneficial resources with the intention of nurturing an informed community. Stay connected for further updates.
APT42 Deploys Modular TAMECAT Backdoor Targeting Defense and Government Sectors
APT42 utilizes TAMECAT, a modular PowerShell-based backdoor, to target high-value senior defense and government officials. Israel’s National Digital Agency reports that the group employs social engineering to gain initial access. The infection chain begins with a VBScript that profiles antivirus software via WMI to determine whether to deploy PowerShell or Command Shell downloaders. TAMECAT features sophisticated capabilities, including screen capture, Chrome data collection, and Microsoft Edge remote debugging. It leverages legitimate services like Telegram and Discord for Command and Control (C2). Data is encrypted via AES and exfiltrated to domains such as glitch[.]me, demonstrating APT42's focus on stealth and persistent espionage operations.
RustyStealer’s Evolution: Tracking MuddyWater’s Rust Implant from Experimentation to Stealth
The report analyzes the evolution of RustyStealer (also referenced as RustyWater or Archer RAT), a Rust-based post-compromise implant observed in MuddyWater-attributed activity. By correlating build artefacts, compiler metadata, dependency drift, TLSH similarity, and API-level changes, the analysis reconstructs a development timeline from early baseline builds to a more mature v2.0 architecture. Rather than linear feature growth, the samples reveal experimentation, rollback, and consolidation. A short-lived asynchronous I/O refactor was abandoned in favor of improved stability, while later versions emphasize stealth through native NT API usage, runtime string obfuscation, and restored host fingerprinting.
MuddyWater Malware Exposes Developer Build Artifacts Through Poor OPSEC
The report analyzes a newly observed MuddyWater malware sample that exposes extensive build and development artifacts due to improper binary stripping. Delivered via a malicious Word document containing VBA macros, the payload reconstructs and executes a Rust-based executable on disk. Analysis of leftover strings reveals detailed insights into the actor’s development environment, including a Windows-based build host, MSVC Rust toolchain, local Cargo usage, and a recurring username embedded in build paths. These artifacts indicate locally compiled tooling with minimal release hardening and weak OPSEC. The findings highlight how developer mistakes can provide durable fingerprints for clustering, campaign tracking, and long-term threat hunting, beyond traditional infrastructure indicators.
MuddyWater Adopts Rust-Based RustyWater Implant in Middle East Espionage Campaign
CloudSEK identified a spearphishing campaign attributed to the MuddyWater APT group targeting diplomatic, maritime, financial, telecom, education, and shipping sectors across the Middle East, including Turkmenistan, the UAE, and regional maritime organizations. The operation uses impersonated government and telecom emails to deliver malicious Word documents embedding obfuscated VBA macros. These macros drop and execute a Rust-based implant dubbed RustyWater, which provides asynchronous HTTP C2, registry persistence, anti-analysis features, and modular post-compromise capabilities. The shift from PowerShell and VBS loaders to a Rust RAT marks a significant evolution in MuddyWater’s tooling toward stealthier, long-term espionage operations.