Threats Feed
RustyStealer’s Evolution: Tracking MuddyWater’s Rust Implant from Experimentation to Stealth
The report analyzes the evolution of RustyStealer (also referenced as RustyWater or Archer RAT), a Rust-based post-compromise implant observed in MuddyWater-attributed activity. By correlating build artefacts, compiler metadata, dependency drift, TLSH similarity, and API-level changes, the analysis reconstructs a development timeline from early baseline builds to a more mature v2.0 architecture. Rather than linear feature growth, the samples reveal experimentation, rollback, and consolidation. A short-lived asynchronous I/O refactor was abandoned in favor of improved stability, while later versions emphasize stealth through native NT API usage, runtime string obfuscation, and restored host fingerprinting.
MuddyWater Malware Exposes Developer Build Artifacts Through Poor OPSEC
The report analyzes a newly observed MuddyWater malware sample that exposes extensive build and development artifacts due to improper binary stripping. Delivered via a malicious Word document containing VBA macros, the payload reconstructs and executes a Rust-based executable on disk. Analysis of leftover strings reveals detailed insights into the actor’s development environment, including a Windows-based build host, MSVC Rust toolchain, local Cargo usage, and a recurring username embedded in build paths. These artifacts indicate locally compiled tooling with minimal release hardening and weak OPSEC. The findings highlight how developer mistakes can provide durable fingerprints for clustering, campaign tracking, and long-term threat hunting, beyond traditional infrastructure indicators.
MuddyWater Adopts Rust-Based RustyWater Implant in Middle East Espionage Campaign
CloudSEK identified a spearphishing campaign attributed to the MuddyWater APT group targeting diplomatic, maritime, financial, telecom, education, and shipping sectors across the Middle East, including Turkmenistan, the UAE, and regional maritime organizations. The operation uses impersonated government and telecom emails to deliver malicious Word documents embedding obfuscated VBA macros. These macros drop and execute a Rust-based implant dubbed RustyWater, which provides asynchronous HTTP C2, registry persistence, anti-analysis features, and modular post-compromise capabilities. The shift from PowerShell and VBS loaders to a Rust RAT marks a significant evolution in MuddyWater’s tooling toward stealthier, long-term espionage operations.
UNG0801 Operation IconCat Targets Israeli Organizations via AV Icon Spoofing
SEQRITE Labs tracked a threat cluster dubbed UNG0801 (Operation IconCat) targeting organizations in Israel during November 2025. The actor relied on Hebrew-language spear-phishing and heavy antivirus icon spoofing, abusing branding from Check Point and SentinelOne to appear legitimate. Two infection chains were identified. The first delivered a PyInstaller-packed Python implant (PYTRIC) masquerading as a security scanner and capable of destructive, wiper-like actions. The second used malicious Word macros to drop a Rust implant (RUSTRIC) focused on system discovery, antivirus enumeration, and command-and-control. Targets included IT and managed service providers, human resources and staffing firms, and software and technology companies.
MuddyWater Deploys UDPGangster Backdoor in Regional Espionage Campaigns
UDPGangster is a UDP-based backdoor used in recent MuddyWater cyber espionage campaigns targeting Turkey, Israel, and Azerbaijan. The attacks rely on phishing emails delivering malicious macro-enabled Word documents that decode and execute the payload. Once installed, the malware establishes persistence, performs extensive anti-analysis and sandbox evasion checks, and communicates with its C2 over non-standard UDP channels to execute commands, exfiltrate files, and deploy additional payloads. Related samples and shared infrastructure, including overlap with the Phoenix backdoor, confirm MuddyWater attribution across these regionally focused intrusions.
MuddyWater Deploys New Toolset in Targeted Attacks on Israel and Egypt
ESET researchers uncovered a new MuddyWater campaign targeting organizations in Israel and one in Egypt, primarily within the telecommunications, government, oil and energy, and manufacturing sectors. The Iran-aligned group deployed a suite of newly developed tools, including the Fooder reflective loader and MuddyViper, a C/C++ backdoor capable of credential theft, system reconnaissance, and file operations. Additional stealers such as CE-Notes, LP-Notes, and Blub, along with customized go-socks5 reverse tunnels, enhanced persistence and defense evasion. The campaign also revealed operational overlap with Lyceum, indicating MuddyWater’s role as an initial access broker. Activity ran from September 30, 2024 to March 18, 2025.
Iranian APTs Link Cyber Reconnaissance to Real-World Missile Strikes
Amazon’s threat intelligence team has identified a growing trend in which nation-state actors integrate cyber operations directly into kinetic warfare. The research highlights Imperial Kitten and MuddyWater, two Iranian-linked groups that used cyber intrusions to support physical attacks. Imperial Kitten compromised AIS maritime systems and CCTV feeds to track vessels later targeted by Houthi missile strikes. MuddyWater accessed live CCTV streams in Jerusalem, providing real-time intelligence ahead of Iran’s June 2025 missile attacks. These cases show a shift toward cyber-enabled kinetic targeting, where digital reconnaissance directly informs physical military objectives, reshaping modern conflict across the Middle East’s maritime and urban environments.
MuddyWater Unveils New Espionage Toolkit in Global Phishing Campaign
Group-IB uncovered a global phishing campaign by the Iran-linked APT MuddyWater, targeting international and humanitarian organizations across the Middle East, Europe, Africa, and North America. The group used a compromised mailbox accessed via NordVPN to send phishing emails with malicious Word documents containing VBA macros that deployed the Phoenix backdoor v4 through the FakeUpdate injector. The malware achieved persistence via Winlogon registry keys and COM hijacking, while a custom browser credential stealer and RMM tools (PDQ, Action1) facilitated remote access and credential harvesting. The campaign reflects MuddyWater’s evolving espionage capabilities and integration of custom and legitimate tools for stealth operations.
MuddyWater Targets CFOs Worldwide with Multi-Stage Phishing and NetBird Abuse
APT MuddyWater has launched a multi-stage spear-phishing campaign targeting CFOs and finance executives across Europe, North America, South America, Africa, and Asia. Disguised as recruiters from Rothschild & Co, the attackers use Firebase-hosted phishing pages with CAPTCHA lures and malicious ZIP/VBS payloads to deploy legitimate remote-access tools like NetBird and OpenSSH for persistent control. The infection chain creates hidden admin accounts, enables RDP, and automates persistence via scheduled tasks. Infrastructure analysis reveals overlaps with earlier MuddyWater operations, confirming attribution and highlighting the group’s evolving phishing toolkit and adaptive use of trusted cloud services for global financial espionage.
MuddyWater Deploys New Android Spyware Amid Israel-Iran Conflict
Iranian APT group MuddyWater deployed new versions of its Android surveillanceware DCHSpy amid the Israel-Iran conflict, targeting individuals via politically themed lures such as fake Starlink VPN apps. Distributed through Telegram and disguised as legitimate VPN or banking apps, DCHSpy harvests sensitive data including WhatsApp messages, SMS, call logs, contacts, device location, and audio. The malware compresses and encrypts exfiltrated data before uploading it to an attacker-controlled SFTP server. DCHSpy shares infrastructure with SandStrike, a tool previously used to target Baháʼí practitioners. Sectors targeted include telecommunications, defense, local government, and oil and gas across the Middle East, Asia, Africa, Europe, and North America.
Global Financial Executives Hit by Multi-Stage Phishing Operation
A sophisticated spear-phishing campaign targeted CFOs and finance executives in banking, energy, insurance, and investment sectors across the UK, Canada, South Africa, Norway, South Korea, Singapore, Switzerland, France, Egypt, Saudi Arabia, and Brazil. Disguised as a Rothschild & Co recruiter, the attackers used Firebase-hosted phishing pages protected by custom CAPTCHAs to deliver multi-stage payloads. Victims who executed malicious VBS scripts unknowingly installed NetBird and OpenSSH, granting attackers persistent, encrypted remote access through hidden admin accounts and RDP activation. Trellix researchers identified infrastructure overlaps with previous nation-state campaigns but withheld attribution.
Avast-Themed Phishing Campaign Targets Israeli Businesses with ScreenConnect RAT
A phishing campaign impersonating Avast targeted Israeli individuals and businesses—likely in the real estate and commercial sectors—through fraudulent antivirus receipts containing malware download links. The attack used multiple URL redirections and GitHub for payload delivery, culminating in the stealthy installation of the legitimate remote access tool ScreenConnect. Once installed, the malware achieved persistence via Windows services, modified authentication packages to access credentials, and established encrypted command and control connections. Evidence suggests similarities with tactics used by the MuddyWater APT group, though attribution remains inconclusive. The campaign’s infrastructure and system language checks confirm its Israeli focus.
MuddyWater Deploys Macro-Enabled Documents to Deliver VBScript Backdoor
The MuddyWater APT group has been observed using malicious macro-enabled Microsoft Word documents to compromise targets. Upon opening these documents and enabling macros, a VBScript backdoor is deployed, establishing communication with attacker-controlled command and control (C2) servers via HTTP. The VBScript backdoor receives and executes remote commands and sends results back to the C2 servers. Identified infrastructure includes domains and IP addresses employing HTTPS over port 443 for covert communication, aiding in firewall evasion.
MuddyWater Expands Custom Tooling and Phishing Operations Targeting Israel in 2024
In 2024, the Iranian-linked threat group MuddyWater significantly advanced its operational capabilities, conducting large-scale spear-phishing and broad phishing campaigns worldwide with a strong focus on Israel and the Middle East. The group abused legitimate file-sharing platforms and remote management tools to gain initial access, while increasingly deploying custom-developed malware such as BugSleep, Blackout, AnchorRat, CannonRat, and BlackPearl. Operations leveraged persistence mechanisms including COM hijacking, DLL side-loading, registry modifications, and Windows services. MuddyWater relied on encrypted HTTP, DNS, and SOCKS5-based C2 channels, targeting aviation, healthcare, telecommunications, IT, and small and medium-sized businesses for long-term intelligence collection.
MuddyWater Campaign Targets Israeli Organizations with RMM Tool Misuse
Sophos MDR has identified a targeted phishing campaign, attributed with moderate confidence to the Iranian-linked threat actor group MuddyWater (TA450), against organisations in Israel. The campaign used phishing emails that tricked users into downloading a ZIP file containing an installer for the legitimate remote management tool Atera. After gaining access, the threat actors misused Atera, via a trial account believed to be compromised, to install the Atera Agent and run a PowerShell script for credential dumping and for backing up the SYSTEM registry hive; Sophos behavioural rules detected and blocked this activity. Post-compromise activity included domain enumeration commands, establishing an SSH tunnel to a remote IP address, and downloading a second remote management tool, Level RMM, via an obfuscated PowerShell command. The campaign's tactics align with previously reported TA450 activity and highlight the abuse of legitimate software for malicious purposes.
Phishing Attack in Armenia Shows Possible MuddyWater TTPs with PowerShell Use
A recent phishing campaign has targeted Armenian individuals through a benign Word document containing a link that directs users to a fake CAPTCHA page. Victims who follow the prompts inadvertently activate a "PasteJacking" technique, where malicious PowerShell code is silently copied and executed in the system's Run box. This script installs PDQ RMM, a legitimate remote management tool, granting attackers remote access without relying on traditional malware. Indicators point to possible attribution to MuddyWater, based on specific social engineering tactics, PowerShell usage, and open-source adaptations, although a definitive link remains unconfirmed. The incident underscores the use of targeted social engineering attacks against Armenian-speaking users, with potential geopolitical implications.
MuddyWater Targets Global Sectors with Phishing and BugSleep Backdoor
MuddyWater has ramped up cyber activities targeting Israel, Saudi Arabia, Turkey, Azerbaijan, India, and Portugal amid the Israel-Hamas war. Their campaigns utilize phishing emails from compromised accounts, deploying RMM tools like Atera Agent and the new BugSleep backdoor. BugSleep, under continuous development, executes commands and transfers files to C&C servers. The group targets various sectors, including Israeli municipalities, airlines, and journalists. They exploit platforms like Egnyte for phishing and use techniques such as sandbox evasion and process injection. Over 50 spear phishing emails have targeted multiple sectors since February 2024.
MuddyWater Shifts Tactics: New MuddyRot Malware in Spear Phishing Attacks
The MuddyWater group has updated its tactics in targeting entities in Turkey, Azerbaijan, Jordan, Saudi Arabia, and Israel. The group shifted from using the Atera RMM tool to deploying a new implant called MuddyRot. Recent campaigns involved spear phishing with PDF-embedded links, leading to malware downloads. MuddyRot features reverse shell capabilities, dynamic API loading, and obfuscated communication over port 443. It establishes persistence via scheduled tasks and exploits public-facing applications for initial access. This campaign primarily targets sectors involving Western and Middle Eastern entities.
Seedworm Leverages Atera Agent in Sophisticated Spear-Phishing Scheme
Seedworm, also known as MuddyWater, is exploiting the Atera Agent, a legitimate remote monitoring and management (RMM) tool, in its spear-phishing campaigns. The group uses Atera’s 30-day free trial offers to register agents with compromised email accounts, enabling them to access targeted systems remotely without needing their own command-and-control infrastructure. These capabilities include file upload/download, interactive shell access, and AI-powered command assistance through Atera’s web UI. Seedworm distributes the malicious RMM installers hosted on free file platforms via spear-phishing emails, though the specific targeted countries and sectors are not mentioned in the report.