Threats Feed | MuddyWater | Last Updated: 28/01/2026 | Author: Certfa Radar | Publish Date: 08/01/2026

MuddyWater Adopts Rust-Based RustyWater Implant in Middle East Espionage Campaign

  • Actor Motivations: Espionage
  • Attack Vectors: Backdoor, Malicious Macro, RAT, Trojan, Spear Phishing
  • Attack Complexity: Medium
  • Threat Risk: High Impact/Low Probability

Threat Overview

CloudSEK identified a spearphishing campaign attributed to the MuddyWater APT group targeting diplomatic, maritime, financial, telecom, education, and shipping sectors across the Middle East, including Turkmenistan, the UAE, and regional maritime organizations. The operation uses impersonated government and telecom emails to deliver malicious Word documents embedding obfuscated VBA macros. These macros drop and execute a Rust-based implant dubbed RustyWater, which provides asynchronous HTTP C2, registry persistence, anti-analysis features, and modular post-compromise capabilities. The shift from PowerShell and VBS loaders to a Rust RAT marks a significant evolution in MuddyWater’s tooling toward stealthier, long-term espionage operations.

Detected Targets

Type | Description | Confidence
Sector | Financial | Verified
Sector | Education | Verified
Sector | Political | Verified
Sector | Telecommunication | Verified
Sector | Transportation | Verified
Region | Israel | High
Region | Turkmenistan | Verified
Region | United Arab Emirates | Verified
Region | Middle East Countries | Verified

Extracted IOCs


Tip: 16 related IOCs (3 IP, 3 domain, 0 URL, 0 email, 10 file hash) to this threat have been found.

Overlaps

MuddyWater | RustyStealer’s Evolution: Tracking MuddyWater’s Rust Implant from Experimentation to Stealth

Source: Synaptic Systems - January 2026

Detection (five cases): 7523e53c979692f9eecff6ec760ac3df5b47f172114286e570b6bba3b2133f58, a2001892410e9f34ff0d02c8bc9e7c53b0bd10da58461e1e9eab26bdbf410c79, ddc6e6c76ac325d89799a50dffd11ec69ed3b5341740619b8e595b8068220914, e081bc408f73158c7338823f01455e4f5185a4365c8aad1d60d777e29166abbd, e61b2ed360052a256b3c8761f09d185dad15c67595599da3e587c2c553e83108

MuddyWater | MuddyWater Malware Exposes Developer Build Artifacts Through Poor OPSEC

Source: Synaptic Systems - January 2026

Detection (two cases): 7523e53c979692f9eecff6ec760ac3df5b47f172114286e570b6bba3b2133f58, f38a56b8dc0e8a581999621eef65ef497f0ac0d35e953bd94335926f00e9464f

UNG0801 | UNG0801 Operation IconCat Targets Israeli Organizations via AV Icon Spoofing

Source: Seqrite - December 2025

Detection (two cases): 159[.]198.68.25, stratioai[.]org

Hint: Overlaps are extracted automatically by examining the IOCs associated with all indexed threats and actors.

FAQs

What is RustyWater and Who is Behind It?

A sophisticated phishing campaign delivered a new type of malware, called RustyWater, to targets across the Middle East. This malware is used to spy on victim systems and maintain long-term access.

The campaign has been attributed to MuddyWater, a known state-backed hacking group linked to Iran, also tracked as Static Kitten or Mango Sandstorm.

The primary goal appears to be espionage: silently collecting information from diplomatic, telecom, maritime, and financial entities while maintaining long-term system access.

Attackers used fake emails impersonating official institutions. Victims who opened the attached Word file unknowingly executed malicious code that installed the RustyWater malware.

Unlike earlier tools used by this group, RustyWater is written in Rust, making it stealthier and more modular. It can expand its spying capabilities over time without being easily detected.

Organizations in the UAE, Turkmenistan, and other Middle Eastern countries were targeted, including financial institutions, government agencies, and telecom providers.

These sectors often hold sensitive geopolitical, economic, or diplomatic data, making them valuable targets for state-backed cyber operations.

Be cautious with unexpected email attachments, especially from unknown senders. Implement endpoint monitoring, watch for suspicious registry changes, and inspect unusual network activity like repeated failed connections or encrypted traffic from unknown processes.

It’s a targeted campaign focused on specific high-value sectors, but the techniques used can potentially be reused elsewhere, making wider vigilance necessary.