MuddyWater Deploys RustyWater RAT in Middle East Spear-Phishing Campaign


These articles are AI-generated summaries. Please check the original sources for full details.

MuddyWater Launches RustyWater RAT via Spear-Phishing Across Middle East Sectors

The Iranian threat actor MuddyWater now uses RustyWater, a Remote Access Trojan (RAT) written in Rust, in a spear-phishing campaign against organizations in the Middle East. The campaign delivers the RAT through malicious Word documents with embedded VBA macros and affects the diplomatic, maritime, financial, and telecom sectors.

Current threat models often assume reliance on established tools like PowerShell; however, MuddyWater’s shift to custom, Rust-based malware demonstrates a move towards stealthier and more sophisticated tactics, increasing the difficulty and cost of detection and response. This evolution highlights the need for continuous threat hunting and adaptation of security measures.

Key Insights

  • MuddyWater has been active since at least 2017, linked to Iran’s Ministry of Intelligence and Security (MOIS).
  • Rust's memory safety and performance make it attractive for malware development: implants crash less often, and the resulting binaries are harder to detect and analyse.
  • Previous MuddyWater malware includes Phoenix, UDPGangster, and MuddyViper, showcasing a history of custom tool development.

Working Example

(No code provided in context)

Practical Applications

  • Use Case: MuddyWater targets organizations in the Middle East to gather intelligence and potentially disrupt operations.
  • Pitfall: Relying solely on signature-based detection can be ineffective against custom malware like RustyWater, requiring behavioral analysis and threat hunting.
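One concrete form of the behavioral check the pitfall above calls for, as an added example that is not part of the original summary or of any MuddyWater report: it runs over constructed process-creation events and flags Office applications spawning script hosts or launching binaries from user-writable paths, the pattern a macro-based dropper leaves behind. The event format, host names and paths are assumptions.

```python
import re
from dataclasses import dataclass

# Office parents that should rarely spawn script hosts or loaders.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Child processes commonly abused by macro-based droppers.
SUSPICIOUS_CHILDREN = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                       "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}
# Directories a freshly dropped payload would typically be executed from.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Downloads)\\", re.IGNORECASE)

@dataclass
class Alert:
    host: str
    parent: str
    child: str
    reason: str

def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def analyse_events(lines):
    """Return one Alert per event where an Office app spawns a script host /
    LOLBin, or launches a binary from a user-writable directory."""
    alerts = []
    for line in lines:
        fields = dict(kv.split("=", 1) for kv in line.split("|"))
        host, parent, image = fields["Host"], fields["ParentImage"], fields["Image"]
        if _basename(parent) not in OFFICE_PARENTS:
            continue
        if _basename(image) in SUSPICIOUS_CHILDREN:
            alerts.append(Alert(host, parent, image, "office-spawned-script-host"))
        elif USER_WRITABLE.search(image):
            alerts.append(Alert(host, parent, image, "office-spawned-from-user-writable-path"))
    return alerts

# Constructed sample events in a simplified "key=value|key=value" form (not real telemetry).
# The last two are benign: Word being opened from Explorer, and Word invoking the print helper.
SAMPLE_EVENTS = [
    "Host=WS01|ParentImage=C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    "Host=WS01|ParentImage=C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE|Image=C:\\Users\\alice\\AppData\\Roaming\\updater.exe",
    "Host=WS02|ParentImage=C:\\Windows\\explorer.exe|Image=C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
    "Host=WS02|ParentImage=C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE|Image=C:\\Windows\\splwow64.exe",
]

if __name__ == "__main__":
    for a in analyse_events(SAMPLE_EVENTS):
        print(f"{a.host}: {a.reason}: {a.parent} -> {a.child}")
```

The two benign events are deliberately left unflagged; tuning the parent and child sets to an environment's real Office usage is what keeps this check from drowning in false positives.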
