Iran-linked advanced persistent threat group MuddyWater has deployed a Rust-based implant in an ongoing espionage campaign targeting organizations in Israel and other Middle Eastern countries, according to CloudSEK.
CloudSEK’s TRIAD team said it identified the spear-phishing campaign targeting diplomatic, maritime, financial, and telecom entities across the Middle East. The campaign uses icon spoofing and malicious Word documents to deliver RustyWater, which the researchers described as “a Rust-based implant representing a significant upgrade to their traditional toolkit.”
“Historically, Muddy Water has relied on PowerShell and VBS loaders for initial access and post-compromise operations,” the cybersecurity firm wrote in a blog post. “The introduction of Rust-based implants represents a notable tooling evolution toward more structured, modular, and low noise RAT capabilities.”
MuddyWater, which Microsoft tracks as Mango Sandstorm and Proofpoint identifies as TA450, operates under Iran’s Ministry of Intelligence and Security, according to the US cybersecurity agency CISA. The group has been active since at least 2017, targeting government agencies, telecommunications providers, and critical infrastructure across the Middle East, Asia, and Europe, according to security firms.
The research comes amid continued activity by MuddyWater throughout 2024 and into early 2025. ESET researchers published findings in December 2024 showing the group deployed the MuddyViper backdoor against Israeli organizations between September 2024 and March 2025. Security firms have also documented MuddyWater deploying BugSleep implants and using legitimate remote monitoring and management tools in recent campaigns.
Spear-phishing delivery
The attack chain begins with spear-phishing emails containing malicious ZIP archives, according to the blog post. The archives include a legitimate PDF document and a disguised executable file bearing a PDF icon. When victims execute the file, it displays the decoy PDF while executing the malware, the researchers wrote.
They wrote that the initial loader establishes persistence through Windows Registry modifications and deploys RustyWater as a secondary payload. The implant communicates with command-and-control infrastructure using HTTP/HTTPS protocols and supports file system enumeration, command execution, and data exfiltration.
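The delivery described above (a ZIP containing a decoy document next to an executable dressed up as a PDF) can be caught at the mail gateway or in a triage script before anyone double-clicks. The following is an added example, not code from CloudSEK or from the article, of how a defender might flag such archives: it looks for executable members, for double extensions that claim to be a document, and for files whose bytes begin with the PE "MZ" header even though their name ends in a document extension. The archive contents and file names are constructed here for illustration.

```python
import io
import zipfile

# Extensions Windows will execute directly when a user double-clicks them.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                   ".js", ".vbs", ".msi", ".lnk", ".hta"}
# Document extensions a lure typically claims to be.
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}
# Windows PE files begin with the DOS "MZ" header; a real PDF begins with "%PDF".
PE_MAGIC = b"MZ"


def _exts(name):
    """Return every extension in a member name, e.g. 'a.pdf.exe' -> ['.pdf', '.exe']."""
    parts = name.rsplit("/", 1)[-1].lower().split(".")
    return ["." + p for p in parts[1:]]


def triage_zip(zip_bytes):
    """Inspect an in-memory ZIP and return (member, reason) findings."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            exts = _exts(info.filename)
            final = exts[-1] if exts else ""
            head = zf.open(info).read(4)  # only the magic bytes are needed
            if final in EXECUTABLE_EXTS:
                findings.append((info.filename, "executable member in archive"))
                if any(e in DOCUMENT_EXTS for e in exts[:-1]):
                    findings.append((info.filename,
                                     "double extension masquerading as a document"))
            # The icon lives inside the PE resources, so this check ignores the
            # name entirely and trusts only the file header.
            if final in DOCUMENT_EXTS and head.startswith(PE_MAGIC):
                findings.append((info.filename, "PE header but document extension"))
    return findings


def build_sample_archive():
    """Constructed sample (not a real lure): a benign decoy PDF beside two disguised PE stubs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("decoy.pdf", b"%PDF-1.4\n%constructed decoy\n")
        zf.writestr("Invitation.pdf.exe", b"MZ" + b"\x00" * 62 + b"constructed stub, not a binary")
        zf.writestr("notes.pdf", b"MZ" + b"\x00" * 30)  # PE bytes under a PDF name
    return buf.getvalue()


if __name__ == "__main__":
    for member, reason in triage_zip(build_sample_archive()):
        print(f"{member}: {reason}")
```

The header check is the one that matters most for this campaign: a PDF icon is a resource embedded in the executable, so the member name alone says nothing, and a file that claims to be a document but starts with "MZ" should be quarantined regardless of how it is named.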
CloudSEK identified command-and-control domains mimicking legitimate services, including infrastructure posing as Dropbox and WordPress platforms. Several domains were registered through Hostinger, a hosting provider the cybersecurity firm said has been frequently abused by threat actors.
Rust offers evasion advantages
CloudSEK researchers said RustyWater was developed in Rust, a language they said is increasingly used by malware authors for its memory safety features and cross-platform capabilities. Other state-sponsored groups, including Russia’s Gossamer Bear and China-linked actors, have also deployed Rust-based malware in recent campaigns, according to security researchers.
The implant incorporates checks for virtual machine environments, debugging tools, and sandbox systems. “RustyWater begins execution by establishing anti-debugging and anti-tampering mechanisms,” the researchers wrote. “It registers a Vectored Exception Handler (VEH) to catch debugging attempts and systematically gathers victim machine information, including username, computer name, and domain membership.”
RustyWater also uses string obfuscation and multi-stage payload delivery, the researchers said. The malware encrypts all strings using position-independent XOR encryption and implements randomized sleep intervals between command-and-control callbacks to avoid detection, according to the blog post.
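Randomized sleep intervals defeat detections that look for callbacks at an exact period, but jitter around a fixed base interval still produces a far more regular series than human browsing. The following is an added example, not from the article or from CloudSEK, of how a defender can surface such beaconing from proxy logs: it groups requests by source and destination, computes the inter-arrival times, and flags pairs whose coefficient of variation (standard deviation divided by mean) stays low over enough hits. The log lines, hosts and the .example destination names are constructed for illustration; the thresholds are assumptions to be tuned per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def build_sample_log():
    """Constructed proxy log: one host beacons with jittered sleeps, one browses normally."""
    base = datetime(2025, 1, 15, 10, 0, 0)
    beacon_gaps = [52, 68, 61, 55, 70, 49, 64, 58]   # seconds: ~60s base with jitter
    human_gaps = [3, 240, 12, 900, 5, 60, 1800, 7]   # bursty, human-like timing
    lines = []
    for src, dst, gaps in (("10.0.0.5", "sync-dropbox.example", beacon_gaps),
                           ("10.0.0.9", "news.example", human_gaps)):
        t = base
        lines.append(f"{t.strftime(TS_FMT)} {src} {dst} POST /api/check")
        for g in gaps:
            t += timedelta(seconds=g)
            lines.append(f"{t.strftime(TS_FMT)} {src} {dst} POST /api/check")
    lines.sort()  # interleave the two hosts as a real log would
    return lines


def parse_line(line):
    """Parse the constructed 'timestamp src dst method path' format."""
    ts, src, dst, _method, _path = line.split(" ", 4)
    return datetime.strptime(ts, TS_FMT), src, dst


def interval_stats(times):
    """Return (mean gap in seconds, coefficient of variation) for sorted timestamps."""
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    m = mean(gaps)
    return m, (pstdev(gaps) / m if m else 0.0)


def flag_beacons(lines, min_hits=6, max_cv=0.5):
    """Flag (src, dst) pairs with enough hits and a suspiciously regular cadence."""
    by_pair = defaultdict(list)
    for line in lines:
        t, src, dst = parse_line(line)
        by_pair[(src, dst)].append(t)
    flagged = {}
    for pair, times in by_pair.items():
        if len(times) < min_hits:
            continue
        times.sort()
        m, cv = interval_stats(times)
        if cv <= max_cv:
            flagged[pair] = (round(m, 1), round(cv, 3))
    return flagged


if __name__ == "__main__":
    for (src, dst), (m, cv) in flag_beacons(build_sample_log()).items():
        print(f"{src} -> {dst}: mean gap {m}s, cv {cv}")
```

Two caveats a practitioner will want: a wider jitter range raises the coefficient of variation, so the threshold and the minimum hit count trade off against each other, and an implant that sleeps for hours needs a correspondingly long observation window before this statistic means anything.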
Broader targeting
CloudSEK said its investigation primarily focused on targeting within Israel, but the researchers observed indicators suggesting MuddyWater may have expanded operations to include victims in India, the UAE, and other countries in the region.
The campaign targeting Israeli entities used Hebrew-language decoy documents related to government agencies and the Israel Defense Forces, the blog post added.
MuddyWater has focused on espionage operations aimed at collecting government and military intelligence, according to security researchers. Previous campaigns attributed to the group used various remote access tools and custom malware families, including the PhonyC2 command-and-control framework and legitimate remote administration tools like SimpleHelp.
In November 2024, Amazon Threat Intelligence correlated MuddyWater activity with subsequent missile strikes, showing the group accessed compromised servers containing live CCTV feeds prior to attacks in Israel and the Red Sea.
CloudSEK recommended organizations implement email security controls, conduct security awareness training to help employees identify phishing attempts, and deploy endpoint detection and response solutions capable of identifying suspicious process behavior and network communications patterns.