Reborn in Rust: Muddy Water Evolves Tooling with RustyWater Implant

    Date: 01/16/2026

    Severity: High

    Summary

    The Muddy Water APT has launched a spearphishing campaign targeting diplomatic, maritime, financial, and telecom sectors across the Middle East, delivering malicious Word documents with icon spoofing. Marking a clear tooling evolution, the group has shifted from its traditional PowerShell and VBS loaders to a Rust-based implant, dubbed RustyWater, which supports asynchronous C2, anti-analysis features, registry-based persistence, and modular post-compromise expansion. This move reflects Muddy Water’s transition toward more structured, low-noise, and harder-to-detect RAT capabilities compared to its legacy tooling.

    Indicators of Compromise (IOC) List

    IP Address

    159.198.68.25

    161.35.228.250

    159.198.66.153

    Hash

    76aad2a7fa265778520398411324522c57bfd7d2ff30a5cfe6460960491bc552

    f38a56b8dc0e8a581999621eef65ef497f0ac0d35e953bd94335926f00e9464f

    7523e53c979692f9eecff6ec760ac3df5b47f172114286e570b6bba3b2133f58

    e61b2ed360052a256b3c8761f09d185dad15c67595599da3e587c2c553e83108

    a2001892410e9f34ff0d02c8bc9e7c53b0bd10da58461e1e9eab26bdbf410c79

    c23bac59d70661bb9a99573cf098d668e9395a636dc6f6c20f92c41013c30be8

    42ad0c70e997a268286654b792c7833fd7c6a2a6a80d9f30d3f462518036d04c

    e081bc408f73158c7338823f01455e4f5185a4365c8aad1d60d777e29166abbd

    3d1e43682c4d306e41127ca91993c7befd6db626ddbe3c1ee4b2cf44c0d2fb43

    ddc6e6c76ac325d89799a50dffd11ec69ed3b5341740619b8e595b8068220914

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    dstipaddress IN ("159.198.68.25","161.35.228.250","159.198.66.153") or srcipaddress IN ("159.198.68.25","161.35.228.250","159.198.66.153")

    Detection Query 2:

    sha256hash IN ("7523e53c979692f9eecff6ec760ac3df5b47f172114286e570b6bba3b2133f58","f38a56b8dc0e8a581999621eef65ef497f0ac0d35e953bd94335926f00e9464f","ddc6e6c76ac325d89799a50dffd11ec69ed3b5341740619b8e595b8068220914","3d1e43682c4d306e41127ca91993c7befd6db626ddbe3c1ee4b2cf44c0d2fb43","e61b2ed360052a256b3c8761f09d185dad15c67595599da3e587c2c553e83108","a2001892410e9f34ff0d02c8bc9e7c53b0bd10da58461e1e9eab26bdbf410c79","76aad2a7fa265778520398411324522c57bfd7d2ff30a5cfe6460960491bc552","c23bac59d70661bb9a99573cf098d668e9395a636dc6f6c20f92c41013c30be8","42ad0c70e997a268286654b792c7833fd7c6a2a6a80d9f30d3f462518036d04c","e081bc408f73158c7338823f01455e4f5185a4365c8aad1d60d777e29166abbd")
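    The two queries above are written for Gurucul TDIR. For teams without that platform, the following is an added example (not Gurucul's query engine and not from the CloudSEK report) that applies the same IP and SHA-256 indicators from the IOC list to JSON-lines log records. The log records are constructed for illustration; the field names srcipaddress, dstipaddress and sha256hash are kept to mirror the queries. It also renders the IP indicators back into the same IN (...) expression as Detection Query 1, so the indicator set has a single source of truth.

```python
"""Match the RustyWater network and file-hash IOCs from this advisory
against log records.

Added example, not Gurucul's TDIR engine. The IOC values are the ones
listed in the advisory; the JSON log records at the bottom are
constructed for illustration, and the field names (srcipaddress,
dstipaddress, sha256hash) mirror the fields used in the detection queries.
"""
from __future__ import annotations

import ipaddress
import json

# C2 addresses from the IOC list, in the order the advisory gives them.
C2_IPS = (
    "159.198.68.25",
    "161.35.228.250",
    "159.198.66.153",
)

# SHA-256 hashes from the IOC list, lower-cased for comparison.
SHA256_IOCS = frozenset(h.lower() for h in (
    "76aad2a7fa265778520398411324522c57bfd7d2ff30a5cfe6460960491bc552",
    "f38a56b8dc0e8a581999621eef65ef497f0ac0d35e953bd94335926f00e9464f",
    "7523e53c979692f9eecff6ec760ac3df5b47f172114286e570b6bba3b2133f58",
    "e61b2ed360052a256b3c8761f09d185dad15c67595599da3e587c2c553e83108",
    "a2001892410e9f34ff0d02c8bc9e7c53b0bd10da58461e1e9eab26bdbf410c79",
    "c23bac59d70661bb9a99573cf098d668e9395a636dc6f6c20f92c41013c30be8",
    "42ad0c70e997a268286654b792c7833fd7c6a2a6a80d9f30d3f462518036d04c",
    "e081bc408f73158c7338823f01455e4f5185a4365c8aad1d60d777e29166abbd",
    "3d1e43682c4d306e41127ca91993c7befd6db626ddbe3c1ee4b2cf44c0d2fb43",
    "ddc6e6c76ac325d89799a50dffd11ec69ed3b5341740619b8e595b8068220914",
))

# Fail fast on a malformed indicator rather than silently never matching.
for _ip in C2_IPS:
    ipaddress.ip_address(_ip)
for _h in SHA256_IOCS:
    if len(_h) != 64 or any(c not in "0123456789abcdef" for c in _h):
        raise ValueError(f"bad sha256 indicator: {_h}")

_IP_SET = frozenset(C2_IPS)


def ip_query() -> str:
    """Render the IP indicators as the TDIR-style expression shown above."""
    quoted = ",".join(f'"{ip}"' for ip in C2_IPS)
    return f"dstipaddress IN ({quoted}) or srcipaddress IN ({quoted})"


def match_record(record: dict) -> list[str]:
    """Return the field=value pairs of this record that hit an IOC."""
    hits = []
    for field in ("dstipaddress", "srcipaddress"):
        value = record.get(field)
        if isinstance(value, str) and value.strip() in _IP_SET:
            hits.append(f"{field}={value.strip()}")
    digest = record.get("sha256hash")
    if isinstance(digest, str):
        # EDR sources differ on hash case; normalise before comparing.
        digest = digest.strip().lower()
        if digest in SHA256_IOCS:
            hits.append(f"sha256hash={digest}")
    return hits


def scan(lines: list[str]) -> list[tuple[int, list[str]]]:
    """Parse JSON-lines events; return (line_number, hits) for matches."""
    results = []
    for number, line in enumerate(lines, start=1):
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip unparseable lines instead of aborting the scan
        if not isinstance(record, dict):
            continue
        hits = match_record(record)
        if hits:
            results.append((number, hits))
    return results


# Constructed sample events (not from the advisory): an outbound connection
# to a C2 IP, a benign connection, a file event whose hash is an IOC written
# in upper case, a malformed line, and an inbound connection from a C2 IP.
SAMPLE_LOGS = [
    '{"srcipaddress": "10.0.4.17", "dstipaddress": "159.198.68.25", "dstport": 443}',
    '{"srcipaddress": "10.0.4.17", "dstipaddress": "93.184.216.34", "dstport": 443}',
    '{"host": "ws-0421", "sha256hash": "F38A56B8DC0E8A581999621EEF65EF497F0AC0D35E953BD94335926F00E9464F"}',
    'not json at all',
    '{"srcipaddress": "161.35.228.250", "dstipaddress": "10.0.4.17", "dstport": 49152}',
]

if __name__ == "__main__":
    print(ip_query())
    for number, hits in scan(SAMPLE_LOGS):
        print(f"line {number}: {', '.join(hits)}")
```

    Two caveats apply to any atomic-IOC match like this one. IP indicators are time-bound: C2 addresses on commodity hosting get recycled, so an IP hit should trigger triage of the endpoint, not an automatic block list entry, and should be rechecked against the source report before long-term blocking. Hash indicators are exact-match only; a Rust implant is trivially rebuilt with a different hash, so hash hits confirm a known sample but their absence proves nothing.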

    Reference:

    https://www.cloudsek.com/blog/reborn-in-rust-muddywater-evolves-tooling-with-rustywater-implant#executive-summary


    Tags

    Malware, Threat Actor, APT, MuddyWater, Spear Phishing, Government Services and Facilities, Transportation Systems, Financial Services, Communications, The Middle East, Rust Malware, RAT
