S9037: RustyWater
RustyWater is a Rust-based implant used by MuddyWater. Historically, MuddyWater has used PowerShell-based tools; RustyWater reflects a shift in tooling, with improved defense evasion and resistance to reverse engineering.[1]
Analyst context for executives and security teams
RustyWater matters because ATT&CK describes it as a Windows, Rust-based implant used by MuddyWater and as a shift from historically PowerShell-based tooling toward stronger defense-evasion and reverse-engineering resistance. For leaders, the decision value is not just the malware name: it is whether Windows endpoint, email, identity, and network monitoring can still expose an intrusion when the payload is obfuscated, delayed, encoded/encrypted in transit, and designed to discover users, domain accounts, system details, and security tools.
Executive priority
Prioritize RustyWater as a readiness test for targeted intrusion defense on Windows: phishing attachment controls, endpoint visibility for persistence and process injection, and SOC ability to investigate encoded web-based command-and-control. Because the ATT&CK object has no official detection guidance, executives should ask for evidence of coverage against the related behaviors rather than a vendor claim that the malware family is “detected.” This is especially relevant for organizations where government, telecom, finance, defense, or oil and natural gas exposure influences threat-informed control prioritization, based on the related MuddyWater context supplied by ATT&CK.
Technical view
Validate controls around the behaviors ATT&CK relates to RustyWater: spearphishing attachment and malicious file execution; obfuscated, encrypted, or encoded files; deobfuscation; debugger evasion and delayed execution; Windows persistence through Run keys or Startup folder; PE injection; native API and COM-based execution; user, system, domain account, and security software discovery; and web-protocol C2 using standard encoding and symmetric cryptography. Treat the official Windows platform as the scope for RustyWater-specific validation, even though some related techniques are cross-platform in ATT&CK.
Likely telemetry
- Email security logs and attachment detonation results for spearphishing attachments and malicious files
- Windows endpoint process creation, parent-child process, command-line, module, and memory-related telemetry relevant to PE injection, native API use, COM execution, and delayed execution
- Windows Registry and Startup folder monitoring for Run key or startup persistence
- File creation, rename, path, entropy, encoding, and deobfuscation indicators for obfuscated or encoded payloads
- User, domain account, system information, and security software discovery events from endpoints and directory services
Detection direction
- Build coverage around the related ATT&CK techniques rather than relying only on static malware signatures, because the official detection field is not provided.
- Correlate phishing attachment execution with follow-on Windows discovery, persistence, process injection, and outbound web traffic instead of treating each event independently.
- Tune for false positives around legitimate admin discovery, COM usage, Run keys, and encoded web traffic; prioritize alerts when these occur from newly delivered files, unusual user contexts, or uncommon process lineage.
- Check blind spots in sandboxing and malware analysis workflows for delayed execution and debugger evasion, since ATT&CK relates RustyWater to those behaviors.
- Confirm that web-protocol monitoring can retain enough metadata to investigate encoded or encrypted C2 patterns without assuming payload visibility.
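The correlation direction above, worked through as an added example that is not part of the ATT&CK object or the CloudSEK report: constructed Sysmon-style events (field names and sample paths are assumptions) are mapped to the chain stages this page relates to RustyWater, and a host is flagged only when two or more distinct stages occur inside one time window, rather than on any single event.

```python
from collections import defaultdict
from datetime import datetime, timedelta

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
RUN_KEYS = ("\\currentversion\\run", "\\currentversion\\runonce")
NON_EXEC_EXTS = (".ini", ".txt", ".dat", ".log")
# PROCESS_VM_OPERATION and PROCESS_VM_WRITE: needed by VirtualAllocEx / WriteProcessMemory
VM_OPERATION, VM_WRITE = 0x0008, 0x0020

def basename(path):
    return path.lower().rsplit("\\", 1)[-1]

def stage_of(ev):
    """Map one event to a stage of the chain described on this page, or None."""
    if ev["type"] == "process_create":
        if basename(ev["parent"]) in OFFICE_APPS and (
                basename(ev["image"]) in SCRIPT_HOSTS or "\\programdata\\" in ev["cmdline"].lower()):
            return "office_to_script_host"      # T1566.001 / T1204.002 / T1559.001
    elif ev["type"] == "registry_set":
        key, val = ev["key"].lower(), ev["value"].lower()
        if any(k in key for k in RUN_KEYS) and val.endswith(NON_EXEC_EXTS):
            return "run_key_non_executable"    # T1547.001: Run key pointing at an .ini-style payload
    elif ev["type"] == "process_access":
        need = VM_OPERATION | VM_WRITE
        if basename(ev["target"]) == "explorer.exe" and ev["granted_access"] & need == need:
            return "explorer_memory_write"     # T1055.002 / T1106 against explorer.exe
    return None

def correlate(events, window=timedelta(minutes=30)):
    """Return one alert per host where >= 2 distinct stages fall inside `window`."""
    by_host = defaultdict(list)
    for ev in events:
        s = stage_of(ev)
        if s:
            by_host[ev["host"]].append((datetime.fromisoformat(ev["time"]), s))
    alerts = []
    for host, hits in by_host.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            stages = {s for t, s in hits[i:] if t - t0 <= window}
            if len(stages) >= 2:
                alerts.append({"host": host, "stages": sorted(stages), "first_seen": t0.isoformat()})
                break
    return alerts

SAMPLE_EVENTS = [  # constructed telemetry, not real logs
    {"host": "WS01", "time": "2026-03-01T09:00:05", "type": "process_create",
     "parent": "C:\\Program Files\\Microsoft Office\\WINWORD.EXE",
     "image": "C:\\Windows\\System32\\wscript.exe", "cmdline": "wscript.exe C:\\ProgramData\\stage.vbs"},
    {"host": "WS01", "time": "2026-03-01T09:00:09", "type": "registry_set",
     "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
     "value": "C:\\ProgramData\\CertificationKit.ini"},
    {"host": "WS01", "time": "2026-03-01T09:01:30", "type": "process_access", "source": "C:\\Temp\\reddit.exe",
     "target": "C:\\Windows\\explorer.exe", "granted_access": 0x1FFFFF},
    {"host": "WS02", "time": "2026-03-01T10:00:00", "type": "registry_set",
     "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Agent", "value": "C:\\Tools\\agent.exe"},
]
```

Run `correlate(SAMPLE_EVENTS)` to see WS01 flagged with all three stages while WS02's ordinary Run key entry produces nothing; the same `stage_of` logic can be fed from exported Sysmon or EDR events once the field names are mapped.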
Mitigation priorities
- Reduce likelihood of initial execution with attachment filtering, user-reporting workflows, and controls for malicious file handling.
- Harden Windows persistence paths by monitoring and controlling Registry Run keys and Startup folders, especially for non-standard or user-writable locations.
- Strengthen endpoint prevention and detection for process injection, suspicious native API behavior, and COM-based execution.
- Improve least-privilege and directory monitoring so domain account discovery and user discovery are visible and actionable.
- Ensure security tooling inventory and tamper-aware monitoring are in place, since related behavior includes discovery of security software.
Analyst notes and limits
The supplied ATT&CK object identifies RustyWater as a Windows malware implant, cites CloudSEK reporting, and states that it is used by MuddyWater. The strongest defensive value comes from the relationship set: phishing-based initial access, Windows execution and persistence, host and account discovery, evasion, and encoded/encrypted web C2. Glexia would use this object to drive a behavior-based validation exercise across email, endpoint, identity, and network telemetry.
ATT&CK provides no official detection text, no aliases, no explicit malware tactics, and no guaranteed indicators in the supplied fields. Relationship technique platform lists include non-Windows platforms, but the RustyWater object itself is scoped to Windows. Local prevalence, active exploitation, specific IOCs, and control effectiveness must be established from the customer environment and approved intelligence sources, not inferred from this object alone.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1684.001 | Impersonation Sub-technique | RustyWater has impersonated TMCell (Altyn Asyr CJSC), the primary mobile operator in Turkmenistan, sending phishing emails with the email domain `info@tmcell`.[1] |
| Enterprise | T1033 | System Owner/User Discovery | RustyWater has gathered the victim machine's username.[1] |
| Enterprise | T1027.013 | Encrypted/Encoded File Sub-technique | RustyWater has encrypted all strings in the code using position-independent XOR encryption.[1] |
| Enterprise | T1082 | System Information Discovery | RustyWater has gathered the victim machine's computer name.[1] |
| Enterprise | T1071.001 | Web Protocols Sub-technique | RustyWater has used the Rust request library for HTTP C2 communication.[1] |
| Enterprise | T1132.001 | Standard Encoding Sub-technique | RustyWater has encoded collected data with Base64.[1] |
| Enterprise | T1566.001 | Spearphishing Attachment Sub-technique | RustyWater has sent spearphishing emails with the attachment Cybersecurity.doc, which served as the primary payload for the next stage.[1] |
| Enterprise | T1106 | Native API | RustyWater has used `CreateObject` to instantiate a WScript.Shell Component Object Model (COM) object.[1] Additionally, RustyWater has used `VirtualAllocEx` and `WriteProcessMemory` to inject shellcode into explorer.exe.[1] |
| Enterprise | T1573.001 | Symmetric Cryptography Sub-technique | RustyWater has encrypted encoded data with XOR before sending it to the C2 server.[1] |
| Enterprise | T1055.002 | Portable Executable Injection Sub-technique | RustyWater has injected its shellcode into explorer.exe by allocating memory via `VirtualAllocEx`, then writing the payload via `WriteProcessMemory`.[1] |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder Sub-technique | RustyWater has established persistence by adding `C:\ProgramData\CertificationKit.ini` to a Windows startup Registry key or to a Run or RunOnce Registry key.[1] |
| Enterprise | T1678 | Delay Execution | RustyWater has generated random sleep intervals between C2 communications.[1] |
| Enterprise | T1087.002 | Domain Account Sub-technique | RustyWater has gathered the domain membership of the victim machine's user.[1] |
| Enterprise | T1027 | Obfuscated Files or Information | RustyWater has an obfuscated function (i.e. `love_me__()`) that dynamically reconstructs the string WScript.Shell using hard-coded ASCII values and the `Chr()` function.[1] |
| Enterprise | T1622 | Debugger Evasion | RustyWater has registered a Vectored Exception Handler (VEH) to catch debugging efforts.[1] |
| Enterprise | T1518.001 | Security Software Discovery Sub-technique | RustyWater has attempted to detect more than 25 antivirus and EDR tools.[1] |
| Enterprise | T1559.001 | Component Object Model Sub-technique | RustyWater has used a WScript.Shell COM object to execute the CertificationKit.ini file.[1] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | RustyWater has used the `WriteHexToFile` function to transform an embedded hex string into the payload CertificationKit.ini.[1] |
| Enterprise | T1036.005 | Match Legitimate Resource Name or Location Sub-technique | RustyWater has used reddit.exe as its file name and a Cloudflare logo.[1] |
| Enterprise | T1204.002 | Malicious File Sub-technique | RustyWater has used a Word document with a malicious Visual Basic for Applications (VBA) macro; when enabled, the CertificationKit.ini payload is constructed and executed.[1] |
Groups, software, and campaigns
G0069: MuddyWater
MuddyWater is a cyber espionage group assessed to be a subordinate element within Iran's Ministry of Intelligence and Security (MOIS).[1] Since at least 2017, MuddyWater has targeted a range of government and private organizations across sectors, including telecommunications, local government, finance, defense, and oil and natural gas organizations, in the Middle East (specifically the UAE and Saudi Arabia), Asia, Africa, Europe, and North America. MuddyWater has reused domains dating back to October 2025, and has a preference for NameCheap and Hosterdaddy Private Limited (AS136557). In late 2025 and early 2026, MuddyWater used commercial satellite internet (i.e., Starlink) for command and control (C2) communication. [2][3][4][5][6][7][8][9][10][11][12][13]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | b2f1d9afe31b… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] CloudSEK_RustyWater_Jan2026: Awasthi, P. (2026, January 8). Reborn in Rust: Muddy Water Evolves Tooling with RustyWater Implant. Retrieved March 19, 2026.
[2] Archer RAT / RUSTRIC (Citation: CloudSEK_RustyWater_Jan2026)
[3] mitre-attack S9037
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.