Rewterz

Iranian APT MuddyWater Targets Middle East with RustyWater Malware – Active IOCs

Severity

High

Analysis Summary

The Iranian state-linked threat actor MuddyWater has been attributed to a new spear-phishing campaign targeting diplomatic, maritime, financial, and telecommunications organizations across the Middle East. The campaign delivers a Rust-based malware implant dubbed RustyWater, marking a continued evolution in the group’s tooling and tradecraft.

According to the published report, the attack chain relies on icon spoofing and malicious Microsoft Word documents disguised as cybersecurity guidance. When a victim opens the document and enables macros, the embedded VBA macro runs and drops the RustyWater implant on the host. The infection therefore depends on the user enabling macros, which is why the macro policy in the remediation list below is the highest-leverage control.

The malware is capable of asynchronous command-and-control (C2) communication, anti-analysis techniques, registry-based persistence, and modular post-compromise capability expansion.

RustyWater, also tracked as Archer RAT and RUSTRIC, collects detailed system information, identifies installed security products, and establishes persistence via a Windows Registry key. It connects to a hard-coded C2 domain, nomercys.it[.]com, enabling attackers to conduct file manipulation and remote command execution.

MuddyWater, also known as Mango Sandstorm, Static Kitten, and TA450, is assessed to be affiliated with Iran’s Ministry of Intelligence and Security (MOIS) and has been active since at least 2017. Historically, the group relied heavily on PowerShell and VBS-based loaders and legitimate remote access tools for post-exploitation activity. However, recent operations show a shift toward a custom malware ecosystem, including tools such as Phoenix, UDPGangster, BugSleep (MuddyRot), MuddyViper, and now RustyWater.

The use of Rust-based implants reflects a move toward low-noise, modular, and more resilient remote access trojans. Rust binaries are large and statically linked, and their compiled control flow is handled poorly by disassembler heuristics and by signature sets tuned to PowerShell and .NET tooling, which complicates both detection and analysis. Similar RustyWater activity was previously reported by researchers in attacks against IT firms, MSPs, and software development companies, tracked as Operation IconCat.

This campaign highlights MuddyWater’s continued adaptation and growing sophistication in targeting high-value regional sectors.

Impact

  • Lateral Movement
  • Unauthorized Access
  • Command Execution
  • Operational Disruption
  • Sensitive Information Theft

Indicators of Compromise

Domain Name

  • nomercys.it.com

IP

  • 159.198.68.25
  • 161.35.228.250
  • 159.198.66.153

MD5

  • d2b0785b69f8578bdddf039634507f47
  • 3a95186019af1943a0ea0f8eb07a288f
  • c478e472f6223e7ee92cff8b459e55e2
  • 47e312ecca7af098bb1c6c69188f54cf
  • 74e75830252220cbbe7e3adec4340d2d
  • d70ddec75de88bf4ca7cbb67b56627f6
  • 404f5b1ff4ed035c6178d1789192c4d8
  • 08d8ab5dd375847ce909297e59e7df00
  • cd555279b6438260ec71b32e4d02cd9d
  • d276b8c1660f264d64eff3474718509b

SHA-256

  • 76aad2a7fa265778520398411324522c57bfd7d2ff30a5cfe6460960491bc552
  • f38a56b8dc0e8a581999621eef65ef497f0ac0d35e953bd94335926f00e9464f
  • 7523e53c979692f9eecff6ec760ac3df5b47f172114286e570b6bba3b2133f58
  • e61b2ed360052a256b3c8761f09d185dad15c67595599da3e587c2c553e83108
  • a2001892410e9f34ff0d02c8bc9e7c53b0bd10da58461e1e9eab26bdbf410c79
  • c23bac59d70661bb9a99573cf098d668e9395a636dc6f6c20f92c41013c30be8
  • 42ad0c70e997a268286654b792c7833fd7c6a2a6a80d9f30d3f462518036d04c
  • e081bc408f73158c7338823f01455e4f5185a4365c8aad1d60d777e29166abbd
  • 3d1e43682c4d306e41127ca91993c7befd6db626ddbe3c1ee4b2cf44c0d2fb43
  • ddc6e6c76ac325d89799a50dffd11ec69ed3b5341740619b8e595b8068220914

SHA1

  • 014c2534b99c73eb30b659c08e8b2d063f21ffc0
  • b7e56f4b31f4fdbe844c3d4a4156f1d0e3b3ea97
  • 326b808f4f933f20e4e8686e9a6e93454c8ed334
  • ab4edcc5f568c03f7912f363259d4c105c5970e1
  • b4f5555d5b934b927de4950131952e17e7194665
  • 41cb80cbc998007d8e0fd004884b1e31ecbf975d
  • 6bad2c491e9101796ae0530701b23f05193c7ca7
  • b4e787c74dd6ba8067ce69eaea00c19866f3b138
  • b9b4d3f3095cd87c634ece27f14bd59a6d425375
  • 17235aff5838668e5adbfb6eb431d2a5e0da13f4
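The indicators above can be swept for directly. The script below is an added example, not Rewterz tooling: it hashes every file under a directory and compares the digests against the three hash lists, and it checks proxy/DNS log lines for the C2 domain (exact match or any subdomain, an assumed matching rule) and the three IPs. The IOC values are copied from the lists above; the log lines embedded in the script are constructed for the example and their field layout is an assumption.

```python
"""IOC sweep for the RustyWater indicators listed above (added example, not Rewterz
tooling): hashes files under a directory and checks log lines against the C2 indicators."""
import hashlib
import re
import tempfile
from pathlib import Path

# Indicators copied from the advisory; the domain is stored refanged for comparison.
IOC_DOMAINS = {"nomercys.it.com"}
IOC_IPS = {"159.198.68.25", "161.35.228.250", "159.198.66.153"}
IOC_MD5 = set("""
d2b0785b69f8578bdddf039634507f47 3a95186019af1943a0ea0f8eb07a288f c478e472f6223e7ee92cff8b459e55e2
47e312ecca7af098bb1c6c69188f54cf 74e75830252220cbbe7e3adec4340d2d d70ddec75de88bf4ca7cbb67b56627f6
404f5b1ff4ed035c6178d1789192c4d8 08d8ab5dd375847ce909297e59e7df00 cd555279b6438260ec71b32e4d02cd9d
d276b8c1660f264d64eff3474718509b""".split())
IOC_SHA1 = set("""
014c2534b99c73eb30b659c08e8b2d063f21ffc0 b7e56f4b31f4fdbe844c3d4a4156f1d0e3b3ea97
326b808f4f933f20e4e8686e9a6e93454c8ed334 ab4edcc5f568c03f7912f363259d4c105c5970e1
b4f5555d5b934b927de4950131952e17e7194665 41cb80cbc998007d8e0fd004884b1e31ecbf975d
6bad2c491e9101796ae0530701b23f05193c7ca7 b4e787c74dd6ba8067ce69eaea00c19866f3b138
b9b4d3f3095cd87c634ece27f14bd59a6d425375 17235aff5838668e5adbfb6eb431d2a5e0da13f4""".split())
IOC_SHA256 = set("""
76aad2a7fa265778520398411324522c57bfd7d2ff30a5cfe6460960491bc552
f38a56b8dc0e8a581999621eef65ef497f0ac0d35e953bd94335926f00e9464f
7523e53c979692f9eecff6ec760ac3df5b47f172114286e570b6bba3b2133f58
e61b2ed360052a256b3c8761f09d185dad15c67595599da3e587c2c553e83108
a2001892410e9f34ff0d02c8bc9e7c53b0bd10da58461e1e9eab26bdbf410c79
c23bac59d70661bb9a99573cf098d668e9395a636dc6f6c20f92c41013c30be8
42ad0c70e997a268286654b792c7833fd7c6a2a6a80d9f30d3f462518036d04c
e081bc408f73158c7338823f01455e4f5185a4365c8aad1d60d777e29166abbd
3d1e43682c4d306e41127ca91993c7befd6db626ddbe3c1ee4b2cf44c0d2fb43
ddc6e6c76ac325d89799a50dffd11ec69ed3b5341740619b8e595b8068220914""".split())

# Constructed proxy/DNS lines for the demo; the field layout is an assumption.
SAMPLE_LOGS = [
    "2026-01-14T09:12:03Z dns host=WS-0412 qname=nomercys.it.com type=A",
    "2026-01-14T09:12:04Z proxy src=10.0.8.41 dst=161.35.228.250:443 url=https://nomercys.it.com/api",
    "2026-01-14T09:15:00Z proxy src=10.0.8.42 dst=142.250.80.46:443 url=https://www.google.com/",
    "2026-01-14T09:16:30Z dns host=WS-0419 qname=update.nomercys.it[.]com type=A",
]
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)   # dotted names ending in a TLD
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

def refang(text):
    """Undo common defanging ([.] and hxxp) so indicators compare cleanly."""
    return text.replace("[.]", ".").replace("hxxp", "http")

def hash_file(path):
    """Return (md5, sha1, sha256) hex digests, reading the file once."""
    digests = [hashlib.md5(), hashlib.sha1(), hashlib.sha256()]
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for d in digests:
                d.update(chunk)
    return tuple(d.hexdigest() for d in digests)

def matching_hash_type(md5, sha1, sha256):
    """Name the IOC list a digest triple hits (strongest first), or None."""
    for kind, value, ioc in (("sha256", sha256, IOC_SHA256),
                             ("sha1", sha1, IOC_SHA1), ("md5", md5, IOC_MD5)):
        if value in ioc:
            return kind
    return None

def sweep_files(root):
    """Hash every file under root; return (path, hash_type, sha256) for IOC hits."""
    hits = []
    for path in Path(root).rglob("*"):
        if path.is_file():
            md5, sha1, sha256 = hash_file(path)
            kind = matching_hash_type(md5, sha1, sha256)
            if kind:
                hits.append((str(path), kind, sha256))
    return hits

def domain_matches(host):
    """Exact match or subdomain of an IOC domain (assumed matching rule)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)

def sweep_logs(lines):
    """Return (indicator_type, indicator, line) for every line touching the C2."""
    hits = []
    for raw in lines:
        line = refang(raw.strip())
        hits += [("domain", h.lower(), line) for h in HOST_RE.findall(line) if domain_matches(h)]
        hits += [("ip", ip, line) for ip in IP_RE.findall(line) if ip in IOC_IPS]
    return hits

def demo():
    """Run both sweeps: a temp dir holding one benign file, then the sample logs."""
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "notes.txt").write_bytes(b"constructed benign content")
        file_hits = sweep_files(tmp)
    return file_hits, sweep_logs(SAMPLE_LOGS)

if __name__ == "__main__":
    file_hits, log_hits = demo()
    print("file hits:", file_hits)
    for hit in log_hits:
        print("log hit:", hit)
```

Point `sweep_files` at a user profile or a mail-attachment cache and `sweep_logs` at exported proxy or DNS records; the hash check is only as good as the IOC list (a recompiled sample will not match), whereas the domain and IP checks catch any build that beacons to the listed infrastructure.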

Remediation

  • Disable or restrict Microsoft Office macros to prevent execution of malicious VBA payloads; at minimum enforce the Office policy that blocks macros in files downloaded from the internet (Mark of the Web), and allow only digitally signed macros where macros are genuinely required
  • Apply email security controls to detect and block spear-phishing messages with malicious attachments
  • Conduct user awareness training to reduce the risk of macro-enabled document execution
  • Monitor endpoints for registry modifications used for persistence, such as new values under autostart locations (the Run/RunOnce keys and Winlogon entries), especially when written by a process running from a user-writable path
  • Block known command-and-control domains and IPs at network security controls
  • Deploy endpoint detection and response (EDR) tooling and rely on behavioural detections (Office applications spawning child processes, autostart writes, beaconing to newly seen domains) rather than file signatures alone, as signature coverage for Rust-compiled implants lags behind that for PowerShell and .NET tooling
  • Monitor for abnormal process execution and unauthorized command activity
  • Enforce least-privilege access to limit post-compromise lateral movement
  • Segment networks to restrict attacker movement across critical systems
  • Regularly update detection rules and threat intelligence feeds related to MuddyWater activity
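Two of the items above, registry persistence and abnormal process execution, can be turned into concrete detections. The Python below is an added example, not Rewterz code, and it does not encode RustyWater's actual persistence key, which the advisory does not name. It applies two generic rules to constructed, Sysmon-like event records whose field names are an assumption: an Office application spawning a script host or a binary from a user-writable path, and a write to an autostart registry location that points to, or comes from, a binary in a user-writable path.

```python
"""Behavioural checks for the remediation items above: Office-spawned processes and
registry autostart writes (added example, not Rewterz code)."""
import ntpath
import re

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Interpreters and living-off-the-land binaries commonly launched by malicious macros.
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "msiexec.exe"}
# Locations a standard user can write to: weak on their own, strong combined with an
# Office parent or an autostart write.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|Users\\Public|ProgramData)\\", re.I)
# Generic autostart locations (the advisory does not name the key RustyWater uses).
AUTOSTART = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\|"
    r"\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\(Shell|Userinit)$", re.I)

# Constructed records in a simplified Sysmon-like shape; not from the advisory.
EVENTS = [
    {"type": "process_create", "host": "WS-0412",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Users\a.khan\AppData\Local\Temp\update.exe"},
    {"type": "process_create", "host": "WS-0412", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"type": "registry_set", "host": "WS-0412",
     "image": r"C:\Users\a.khan\AppData\Local\Temp\update.exe",
     "key": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "value": r"C:\Users\a.khan\AppData\Local\Temp\update.exe"},
    {"type": "registry_set", "host": "WS-0501", "image": r"C:\Windows\System32\msiexec.exe",
     "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "value": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe"},
    {"type": "process_create", "host": "WS-0419",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
]

def basename(path):
    """Lower-cased final path component; ntpath handles backslashes on any platform."""
    return ntpath.basename(path).lower()

def check_process(ev):
    """Rule 1: Office app spawning a script host or a binary from a user-writable path."""
    parent = basename(ev["parent"])
    if parent not in OFFICE_APPS:
        return None
    child = basename(ev["image"])
    if child in SCRIPT_HOSTS:
        return f"{child} spawned by {parent}"
    if USER_WRITABLE.search(ev["image"]):
        return f"{parent} launched {ev['image']} from a user-writable path"
    return None

def check_registry(ev):
    """Rule 2: autostart value pointing to, or written by, a binary in a user-writable path."""
    if not AUTOSTART.search(ev["key"]):
        return None
    if USER_WRITABLE.search(ev["value"]):
        return f"autostart {ev['key']} -> {ev['value']}"
    if USER_WRITABLE.search(ev["image"]):
        return f"autostart {ev['key']} written by {ev['image']}"
    return None

RULES = {"process_create": check_process, "registry_set": check_registry}

def run(events):
    """Return (host, event_type, reason) for every event a rule fires on."""
    alerts = []
    for ev in events:
        reason = RULES.get(ev["type"], lambda _: None)(ev)
        if reason:
            alerts.append((ev["host"], ev["type"], reason))
    return alerts

if __name__ == "__main__":
    for alert in run(EVENTS):
        print(alert)
```

The legitimate events (Explorer launching Word, an installer registering OneDrive under HKLM\...\Run) produce no alert, while the macro-spawned binary, its Run-key entry, and PowerShell launched from Excel each do; in production the same two rules map directly onto Sysmon event IDs 1 and 13 or the equivalent EDR telemetry.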