🚨 #RustyWater: How Word Macros Still Enable Initial Access

Macro execution blends into normal document use and often runs before security tools raise alerts. In this case, the attack chain starts with a malicious Word document whose macros drop and execute the RustyWater implant. The activity is linked to a #MuddyWater spearphishing campaign aimed at high-risk sectors.

⚠️ The implant launches from ProgramData via cmd[.]exe, bypassing static detection and pushing defenders straight into the incident response phase.

Execution pattern breakdown:

1️⃣ Document_Open: the macros trigger WriteHexToFile and love_me__ once the document is opened.
2️⃣ WriteHexToFile: hex data from UserForm1.TextBox1 is cleaned, converted to bytes, and written to C:\ProgramData\CertificationKit[.]ini. This function acts as a dropper for the implant.
3️⃣ love_me__: the macro dynamically constructs WScript[.]Shell using Chr() and creates the object. It then builds and runs the command cmd.exe /c C:\ProgramData\CertificationKit[.]ini. The implant runs without a visible window.
4️⃣ Strings, object names, and commands are obfuscated to complicate static inspection and signature-based detection.

👨‍💻 See live execution and download the actionable report: app.any.run/tasks/6f60427a-5…

❗️ Why does macro-based initial access still work? Macros execute payloads before actionable alerts appear. The delayed visibility forces teams to investigate after execution has already occurred. Earlier behavioral visibility helps contain threats before escalation, reducing investigation time and business impact.

🔍 Find similar Word macros-on-open cases and pivot from #IOCs in TI Lookup: intelligence.any.run/analysi…

IOCs:
f38a56b8dc0e8a581999621eef65ef497f0ac0d35e953bd94335926f00e9464f
7523e53c979692f9eecff6ec760ac3df5b47f172114286e570b6bba3b2133f58
nomercys[.]it[.]com

🚀 Speed up detection and gain full visibility into complex threats with #ANYRUN. Sign up: app.any.run/?utm_source=twit…
#ExploreWithANYRUN
7
14
1,368
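The post above argues that the behavioral signal (an Office process spawning cmd.exe to run a non-executable file staged under ProgramData) is visible earlier than any static signature. The following is an added example, not code from the post or from ANY.RUN, showing how a defender can turn that execution pattern into a scored check over process-creation telemetry. The event field names (parent_image, image, command_line) and the sample events are constructed for illustration; the only page-derived detail is the cmd.exe /c C:\ProgramData\CertificationKit.ini command line.

```python
"""Heuristic detection of Office-spawned script hosts executing staged files.

Added example modelled on the RustyWater macro chain described above
(WINWORD.EXE -> cmd.exe /c C:\\ProgramData\\CertificationKit.ini).
Telemetry field names and sample events are constructed, not real logs.
"""
import ntpath
import re
from dataclasses import dataclass

# Document applications whose children deserve extra scrutiny.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Interpreters and shells commonly used as the first hop out of a macro.
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Extensions that should never be handed to a shell as a program to run.
NON_EXEC_EXT = {".ini", ".txt", ".log", ".dat", ".tmp"}
# Directories any user can write to; a dropper stages files here to avoid UAC prompts.
WRITABLE_PREFIXES = ("c:\\programdata\\", "c:\\users\\public\\")
# Pull Windows paths (drive letter + backslash) out of a command line.
WIN_PATH = re.compile(r"[a-zA-Z]:\\[^\s\"']+")


@dataclass
class ProcEvent:
    """Minimal process-creation record (constructed schema)."""
    parent_image: str
    image: str
    command_line: str


def _name(path: str) -> str:
    # ntpath handles Windows separators regardless of the host OS.
    return ntpath.basename(path).lower()


def score_event(ev: ProcEvent) -> tuple[str, list[str]]:
    """Return (verdict, reasons) for one process-creation event.

    Two independent indicators feed the verdict: an Office parent launching a
    script host, and that host being pointed at a non-executable file in a
    user-writable directory. Either alone is worth a look; both together
    match the dropper-then-execute pattern and raise an alert.
    """
    reasons: list[str] = []
    parent = _name(ev.parent_image)
    host = _name(ev.image)

    if parent in OFFICE_PARENTS and host in SCRIPT_HOSTS:
        reasons.append(f"office process {parent} spawned {host}")

    for path in WIN_PATH.findall(ev.command_line):
        low = path.lower()
        ext = ntpath.splitext(low)[1]
        if low.startswith(WRITABLE_PREFIXES) and ext in NON_EXEC_EXT:
            reasons.append(f"{host} invoked a {ext} file from a user-writable dir: {path}")

    if len(reasons) >= 2:
        verdict = "alert"
    elif reasons:
        verdict = "review"
    else:
        verdict = "ok"
    return verdict, reasons


def detect(events: list[ProcEvent]) -> list[tuple[str, list[str]]]:
    """Score a batch of events; order of results matches order of input."""
    return [score_event(e) for e in events]


# Constructed sample telemetry: one event mirroring the post, three benign/ambiguous ones.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              r"C:\Windows\System32\cmd.exe",
              r"cmd.exe /c C:\ProgramData\CertificationKit.ini"),
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\cmd.exe",
              r"cmd.exe /c dir"),
    ProcEvent(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              r"C:\Windows\splwow64.exe",
              r"C:\Windows\splwow64.exe 12288"),
    ProcEvent(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              r"C:\Windows\System32\cmd.exe",
              r"cmd.exe /c ipconfig /all"),
]

if __name__ == "__main__":
    for ev, (verdict, reasons) in zip(SAMPLE_EVENTS, detect(SAMPLE_EVENTS)):
        print(f"{verdict:6} {ev.command_line}")
        for r in reasons:
            print(f"       - {r}")
```

The split into two indicators is deliberate: Office spawning cmd.exe alone is noisy in environments with legitimate add-ins, and a shell touching a .ini under ProgramData alone could be a misconfigured installer, but the combination is what the macro chain above produces on its first hop, before any payload-specific signature exists.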
Replying to @t3ft3lb
Something unique to focus on in the dropper: MuddyWater likes to be extra kind to its victim, adding sentences like “Hi! Have a nice day!” inside the macro that drops Rustric/RustyWater. 😄
2
4
211
#100DaysofYARA – Day 18 YARA rule to detect the Nebulous Werewolf (MuddyWater) RustyWater RAT 👇 github.com/t3ft3lb/2026-100D…
1
3
12
838
A spear-phishing campaign linked to the #MuddyWater #APT group was observed deploying a new implant, #RustyWater, against organizations in the Middle East. @cloudsek recently reported on it. Check out our blog for more info & PolySwarm’s related samples. blog.polyswarm.io/rustywater…
2
2
6
601
Jan 16
🚩 MuddyWater Launches “RustyWater” RAT via Fake Toolchain Installer news4hackers.com/muddywater-… Researchers report that the MuddyWater APT group is distributing a custom remote-access Trojan dubbed RustyWater by bundling it inside a fake developer toolchain installer. Once executed, the malicious installer deploys RustyWater, which establishes persistence, steals credentials, captures screenshots, and enables remote command execution. The campaign targets developers and IT professionals via spoofed toolchain binaries shared on forums and code-sharing platforms. #APT #RustyWater #ThreatIntel #ThreatHunting
3
14
837
#ThreatProtection #MuddyWater deploys a Rust-based implant (“#RustyWater”) in recent activity targeting organizations across the Middle East. Read more about our protections: broadcom.com/support/securit… #malware
865
Iran-linked APT MuddyWater abandons PowerShell and moves to the Rust-based stealth implant “RustyWater”. Native binaries evade detection and aim for long-term persistence. Defense must shift from language-specific checks to behavioral analysis. #APT #MuddyWater #rustappen securityonline.info/rustywat…
3
766
🚨 RustyWater RAT: MuddyWater Deploys New Rust Backdoor Targeting Middle East Iranian APT group MuddyWater deploys RustyWater, a new RAT written in Rust, via sophisticated spear-phishing campaigns. 🔗 anavem.com/cybersecurity/rus…

4
5
102
Iran-linked MuddyWater is running a new spear-phishing campaign using a Rust-based implant called RustyWater. The activity hits diplomatic, maritime, finance, and telecom targets in the Middle East, delivered via Word files that push victims to enable macros. 🔗 Details → thehackernews.com/2026/01/mu…
6
26
121
14,122
MuddyWater Launches RustyWater RAT via Spear-Phishing Across Middle East Sectors thehackernews.com/2026/01/mu…
1
53
CloudSEK TRIAD reports a MuddyWater spear-phishing campaign targeting Middle Eastern diplomatic, maritime, financial and telecom sectors. The chain uses icon spoofing and malicious Word documents to deliver RustyWater. cloudsek.com/blog/reborn-in-…
17
48
9,029
CloudSEK TRIAD identifies #MuddyWater leveraging spearphishing & icon spoofing to deliver #RustyWater—a new Rust-based implant targeting Middle East diplomatic & industrial sectors. Sustained activity seen across financial & maritime sectors. Report: cloudsek.com/blog/reborn-in-…
4
18
5,367
16 Apr 2025
Having some leftover chicken biryani for lunch to be thrifty was an error. #rustywater #verylittlenotice
1
8
393
23 May 2024
🤣🤣🤣 Moon Beam Trance Parties presents DJ Rustywater
1
63