MuddyWater Launches RustyWater RAT via Spear-Phishing Across Middle East Sectors
The Iranian threat actor known as MuddyWater has been attributed to a spear-phishing campaign targeting diplomatic, maritime, financial, and telecom entities in the Middle East with a Rust-based implant codenamed RustyWater. "The campaign uses icon spoofing and malicious Word documents to deliver Rust based implants capable of asynchronous C2, anti-analysis, registry persistence, and modular
AI Analysis
Technical Summary
MuddyWater, also known as TA450, Mango Sandstorm, and Static Kitten, is an Iranian state-affiliated threat actor active since at least 2017. Recently, they have deployed a new Remote Access Trojan (RAT) named RustyWater (also called Archer RAT or RUSTRIC), written in Rust, marking a significant evolution in their malware tooling.

The attack chain begins with spear-phishing emails impersonating cybersecurity guidelines, containing malicious Microsoft Word documents that use icon spoofing to appear legitimate. When victims open these documents and enable macros, a VBA macro executes to deploy the RustyWater implant binary.

RustyWater is designed for stealth and persistence: it performs asynchronous C2 communications to avoid detection, employs anti-analysis techniques to hinder forensic investigation, and establishes persistence via Windows Registry keys. The RAT is modular, allowing the attacker to expand capabilities post-compromise, including file operations and command execution. It also gathers detailed victim machine information and detects installed security software to adapt its behavior. The C2 infrastructure includes domains such as "nomercys.it[.]com".

This campaign targets sensitive sectors in the Middle East, including diplomatic, maritime, financial, and telecom organizations, with additional activity noted against Israeli IT, MSPs, HR, and software development firms. The shift to Rust-based implants indicates MuddyWater's intent to develop more structured, efficient, and low-noise malware, reducing reliance on previously used PowerShell and VBS loaders. No public exploits or widespread infections have been reported yet, but the campaign demonstrates advanced persistent threat (APT) capabilities focused on cyber espionage and information gathering.
Potential Impact
For European organizations, the direct impact of this threat is currently limited due to its primary targeting of Middle Eastern sectors. However, European diplomatic missions, maritime companies, financial institutions, and telecom providers with ties or operations in the Middle East could be at risk of spillover attacks or secondary targeting. The RustyWater RAT’s capabilities for stealthy persistence, modular expansion, and asynchronous C2 communications enable attackers to maintain long-term access, potentially leading to data exfiltration, espionage, and disruption of critical services. The use of spear-phishing with convincing social engineering increases the likelihood of initial compromise. If European organizations are targeted, especially those involved in geopolitical or economic relations with Iran or the Middle East, the threat could compromise sensitive information and intellectual property. Additionally, Managed Service Providers (MSPs) and IT companies in Europe servicing Middle Eastern clients could be leveraged as attack vectors. The modular nature of RustyWater means attackers can adapt payloads to specific targets, increasing the risk of tailored attacks against high-value European assets.
Mitigation Recommendations
European organizations should implement targeted defenses against this campaign's tradecraft:
- Advanced email filtering that detects icon spoofing and malicious macros.
- User awareness training that emphasizes the risks of enabling macros in unsolicited documents, especially those purporting to be cybersecurity guidelines.
- Endpoint detection and response (EDR) tuned for the behaviors the implant exhibits, such as asynchronous network communications and registry-based persistence.
- Network monitoring with anomaly detection for unusual C2 traffic patterns, particularly to suspicious domains such as "nomercys.it[.]com".
- Threat hunting exercises focused on indicators of compromise related to MuddyWater's known tactics, techniques, and procedures (TTPs).
- Restricting macro execution through Group Policy and application whitelisting to reduce the attack surface.
- For MSPs and IT service providers, strict segmentation and monitoring of client environments to prevent lateral movement.
- Incident response plans updated to address Rust-based implants and modular RATs.
- Collaboration with regional cybersecurity information sharing groups for timely intelligence on emerging MuddyWater activity.
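As an added, defender-side example (not code from the report or from any vendor write-up), the following Python applies two of the recommendations above to constructed sample data: matching DNS query logs against the report's defanged C2 domain without the substring false positives a naive check would produce, and flagging Office-spawned executables under user-writable paths, which is the macro-to-implant step the attack chain describes. The log format, file paths and client addresses are assumptions.

```python
import re
from typing import Dict, List

# Defanged C2 domain quoted in the report, kept defanged here and refanged at match time.
RUSTYWATER_C2 = ["nomercys.it[.]com"]

def refang(ioc: str) -> str:
    """Turn a defanged indicator ('nomercys.it[.]com', 'hxxp://') back into matchable form."""
    return ioc.replace("[.]", ".").replace("hxxp", "http").lower().strip(".")

def domain_matches(name: str, watch: List[str]) -> bool:
    """True only if `name` equals a watched domain or is a subdomain of it (no bare substring match)."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in map(refang, watch))

# Constructed BIND-style query log lines (sample data, not taken from the report).
DNS_LOG = """\
10.0.4.21#51212: query: www.example.org IN A
10.0.4.37#44012: query: nomercys.it.com IN A
10.0.4.37#44013: query: cdn.nomercys.it.com IN A
10.0.4.50#60001: query: nomercys.it.com.evil.example IN A
"""
QUERY_RE = re.compile(r"^(?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)")

def find_c2_queries(log_text: str, watch: List[str] = RUSTYWATER_C2) -> List[Dict[str, str]]:
    """Return the client and queried name for every line that resolves a watched C2 domain."""
    hits = []
    for line in log_text.splitlines():
        m = QUERY_RE.match(line)
        if m and domain_matches(m["qname"], watch):
            hits.append({"client": m["client"], "qname": m["qname"]})
    return hits

# Constructed process-creation events (Sysmon-style parent/child images), modelling the report's
# macro-to-implant step: Word launching a binary the macro dropped under a user-writable path.
PROC_EVENTS = [
    {"parent": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "image": "C:\\Users\\alice\\AppData\\Roaming\\updater.exe"},
    {"parent": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "image": "C:\\Windows\\splwow64.exe"},
    {"parent": "C:\\Windows\\explorer.exe",
     "image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"},
]
OFFICE_APPS = ("winword.exe", "excel.exe", "powerpnt.exe")
USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "\\temp\\")
def office_spawned_from_user_path(event: Dict[str, str]) -> bool:
    """Flag an Office process starting an executable from a user-writable directory."""
    parent_exe = event["parent"].lower().rsplit("\\", 1)[-1]
    return parent_exe in OFFICE_APPS and any(p in event["image"].lower() for p in USER_WRITABLE)
```

The fourth DNS line shows why suffix matching matters: a naive `"nomercys.it.com" in qname` test would flag an unrelated name that merely embeds the indicator.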
Affected Countries
Israel, United Arab Emirates, Saudi Arabia, Qatar, Turkey, France, Germany, United Kingdom, Italy
Technical Details
- Article Source: https://thehackernews.com/2026/01/muddywater-launches-rustywater-rat-via.html (fetched 2026-01-10, 939 words)
Threat ID: 69624c67f2400df44e25edb8
Added to database: 1/10/2026, 12:56:07 PM
Last enriched: 1/10/2026, 12:56:23 PM
Last updated: 1/11/2026, 5:18:26 AM