New CloudSEK research reveals how the APT group has evolved its tooling with a stealthy Rust implant to strengthen persistence, evasion, and intelligence collection across critical sectors.
CloudSEK has uncovered a sophisticated spearphishing campaign attributed to the MuddyWater advanced persistent threat (APT) group, signalling a notable evolution in the actor’s malware development strategy. The campaign, which targets diplomatic, maritime, financial, and telecommunications organisations across the Middle East, introduces a previously underreported Rust-based remote access implant dubbed RustyWater.
According to CloudSEK’s threat intelligence team TRIAD, the campaign begins with carefully crafted phishing emails impersonating legitimate government and enterprise entities in the region. Victims are lured into opening malicious Microsoft Word documents that rely on embedded VBA macros to drop and execute the next-stage payload. While MuddyWater has historically favoured PowerShell and Visual Basic-based tooling, the use of Rust marks a shift towards more structured, modular, and stealth-oriented malware.
Once executed, the RustyWater implant establishes persistence through Windows registry modifications and deploys multiple anti-analysis and anti-debugging mechanisms to evade detection. The malware encrypts all embedded strings, actively scans for more than two dozen antivirus and endpoint detection products, and leverages asynchronous execution to complicate forensic analysis. Its command-and-control communications are handled via HTTP using the Rust reqwest library, with layered encryption and randomised beaconing intervals designed to frustrate network-based detection.
CloudSEK’s analysis shows that RustyWater supports modular post-compromise capability expansion, allowing attackers to selectively enable surveillance, data collection, or credential theft without deploying additional binaries. This approach significantly reduces the operational footprint on compromised systems while increasing the longevity and flexibility of access.
The campaign has also demonstrated extensive regional targeting. Researchers identified multiple decoy documents impersonating UAE government entities, including the Ministry of Foreign Affairs, as well as lures aimed at the Middle East’s maritime and education sectors. Further investigation revealed that some phishing emails were sent using compromised legitimate accounts, increasing their credibility and success rate.
From a defensive perspective, CloudSEK warns that traditional static controls such as IP blocklists or signature-based detection may be insufficient against this threat, since the implant encrypts its strings, varies its beacon timing and can add capability without dropping new binaries. The report highlights the heightened risk of long-term silent persistence, reduced visibility for incident response teams, and the growing intelligence exposure for organisations operating in geopolitically sensitive sectors.
CloudSEK recommends that organisations strengthen monitoring of registry-based persistence mechanisms, focus detection efforts on behavioural indicators rather than single indicators of compromise, and closely scrutinise memory allocation and process injection activity within legitimate Windows processes.
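The two behavioural checks these recommendations call for, written out as an added Python example that is not CloudSEK's code and not derived from the RustyWater sample: the first flags Run/RunOnce and Winlogon autorun writes made by scripting hosts or pointing into user-writable directories, the second flags outbound flows whose inter-connection gaps stay too regular even after jitter. The simplified log formats, host names, documentation-range IPs, gap values and thresholds are all constructed for illustration and would need tuning against a real baseline.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

# --- Check 1: registry-based persistence -----------------------------------
# Constructed, simplified records in the spirit of Sysmon Event ID 13
# (RegistryEvent, value set): timestamp|writing image|target key|value data.
SAMPLE_REGISTRY_EVENTS = r"""
2024-05-01T09:12:03|C:\Windows\System32\msiexec.exe|HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Vendor Updater|C:\Program Files\Vendor\updater.exe
2024-05-01T09:14:41|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDriveSync|C:\Users\alice\AppData\Roaming\svc\sync.exe
2024-05-01T09:15:02|C:\Windows\explorer.exe|HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden|1
2024-05-01T09:20:17|C:\Users\alice\AppData\Local\Temp\report.exe|HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Helper|C:\Users\Public\helper.exe
""".strip()

# Autorun locations worth alerting on (illustrative subset, not exhaustive).
PERSISTENCE_KEY_RE = re.compile(
    r"\\CurrentVersion\\(?:Run|RunOnce|RunServices)\\|\\Winlogon\\(?:Shell|Userinit)$", re.I)
# Directories an unprivileged user (or a macro) can write to.
USER_WRITABLE_RE = re.compile(r"\\(?:AppData|Temp|ProgramData|Public|Downloads)\\", re.I)
# Interpreters and LOLBins that legitimate installers rarely use to set autoruns.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe", "cmd.exe"}


def find_persistence_writes(log_text):
    """Return autorun writes that carry at least one behavioural red flag."""
    hits = []
    for line in log_text.splitlines():
        ts, image, key, data = line.split("|", 3)
        if not PERSISTENCE_KEY_RE.search(key):
            continue                      # not an autorun location
        reasons = []
        writer = image.rsplit("\\", 1)[-1].lower()
        if writer in SCRIPT_HOSTS:
            reasons.append(f"written by scripting host {writer}")
        if USER_WRITABLE_RE.search(image):
            reasons.append("writer runs from a user-writable directory")
        if USER_WRITABLE_RE.search(data):
            reasons.append("autorun target lives in a user-writable directory")
        if reasons:                       # a signed installer into Program Files stays quiet
            hits.append({"time": ts, "image": image, "key": key,
                         "data": data, "reasons": reasons})
    return hits


# --- Check 2: jittered beaconing -------------------------------------------
# Constructed gaps (seconds) between successive outbound HTTP connections:
# an implant beaconing about every 300 s with roughly +/-20% jitter, and a
# user browsing a site in bursts with long idle periods.
BEACON_GAPS = [300, 252, 341, 288, 317, 262, 334, 296, 271, 309]
BROWSING_GAPS = [4, 1, 190, 2, 3, 840, 7, 1, 2, 2650]


def build_sample_connections():
    """Constructed connection log lines: timestamp|source host|destination."""
    lines = []
    t0 = datetime(2024, 5, 1, 9, 30, 0)
    for src, dst, gaps in (("WS-ALICE", "203.0.113.10:80", BEACON_GAPS),
                           ("WS-ALICE", "198.51.100.7:80", BROWSING_GAPS)):
        t = t0
        lines.append(f"{t.isoformat()}|{src}|{dst}")
        for gap in gaps:
            t += timedelta(seconds=gap)
            lines.append(f"{t.isoformat()}|{src}|{dst}")
    return lines


def find_beacons(lines, min_connections=8, max_cv=0.35):
    """Flag (src, dst) flows whose gap coefficient of variation is low.

    Bounded jitter keeps stdev/mean small; human traffic does not.
    """
    by_flow = defaultdict(list)
    for line in lines:
        ts, src, dst = line.split("|")
        by_flow[(src, dst)].append(datetime.fromisoformat(ts))
    flagged = {}
    for flow, times in by_flow.items():
        if len(times) < min_connections:
            continue                      # too few samples to judge periodicity
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.stdev(gaps) / mean if mean else float("inf")
        if cv <= max_cv:
            flagged[flow] = {"connections": len(times),
                             "mean_gap_s": round(mean), "cv": round(cv, 3)}
    return flagged


if __name__ == "__main__":
    for hit in find_persistence_writes(SAMPLE_REGISTRY_EVENTS):
        print("persistence:", hit["key"], "<-", hit["image"], hit["reasons"])
    for flow, stats in find_beacons(build_sample_connections()).items():
        print("beacon-like flow:", flow, stats)
```

The point of the second check is that randomised sleep intervals only defeat detectors that look for an exact period: jitter of a few tens of percent leaves the gap distribution tightly clustered around its mean, so a coefficient-of-variation test over enough connections still separates the implant flow from browsing. In production the thresholds, the allow-list of installers and the set of monitored keys all have to be derived from your own telemetry rather than taken from this sketch.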
The emergence of RustyWater underscores a broader trend among advanced threat actors towards modern programming languages and low-noise malware architectures, reinforcing the need for continuous threat intelligence, behavioural monitoring, and proactive defence strategies across the Middle East’s critical infrastructure landscape.
