
RustyWater: Iranian MuddyWater APT Targets Israeli Government and Infrastructure With Advanced Rust-Based Malware Amid Rising Tensions

  • Feb 24

Executive Summary

The Iranian state-sponsored advanced persistent threat group MuddyWater (also tracked as Mango Sandstorm, TA450, Seedworm, and G0069) has escalated its cyber-espionage operations in early 2026, deploying a sophisticated new malware family as geopolitical tensions in the Middle East intensify. The latest campaign is characterized by the use of a Rust-based remote access trojan, RustyWater, which demonstrates significant advancements in stealth, persistence, and evasion. The group’s operations are primarily targeting Israeli government, military, financial, and critical infrastructure sectors, with evidence of expansion into other Middle Eastern countries. This advisory provides a comprehensive technical analysis of the new malware, the tactics, techniques, and procedures (TTPs) employed, observed exploitation in the wild, and actionable mitigation strategies for organizations at risk.

Threat Actor Profile

MuddyWater is a well-documented Iranian APT group, attributed to the Iranian Ministry of Intelligence and Security (MOIS). The group has been active since at least 2017 and is known for targeting government, military, telecommunications, and critical infrastructure organizations across the Middle East, South Asia, and beyond. MuddyWater is recognized for its rapid adaptation of new malware families, use of multi-stage infection chains, and leveraging of both custom and commodity tools. The group’s campaigns often align with Iranian geopolitical interests and have been linked to intelligence collection, credential theft, and operational support for kinetic attacks. Notably, MuddyWater has demonstrated a pattern of using spear-phishing with highly tailored lures, infrastructure that mimics legitimate services, and a willingness to innovate with new programming languages and anti-analysis techniques.

Technical Analysis of Malware/TTPs

The latest MuddyWater campaign introduces RustyWater, a remote access trojan written in the Rust programming language. This marks a significant evolution from previous .NET and PowerShell-based implants, leveraging Rust’s memory safety, cross-platform capabilities, and lower detection rates.

The infection chain begins with spear-phishing emails containing malicious ZIP archives. These archives typically include a legitimate PDF and a disguised executable with a PDF icon. When the executable is launched, it displays the decoy PDF to the user while silently installing the malware. The loader establishes persistence by modifying Windows Registry Run keys, ensuring the implant executes on system startup.

RustyWater communicates with command and control (C2) servers over HTTP/HTTPS, using domains that mimic legitimate services such as Dropbox and WordPress. These domains are frequently registered via Hostinger, a provider commonly abused by the group. The implant’s C2 communications are structured as JSON, base64-encoded, and XOR-encrypted, with randomized sleep intervals to evade network detection.
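As an added example (not code from the advisory or from Rescana), the following hunt looks for the beaconing pattern described above in proxy logs: requests to one host that recur at jittered but still regular intervals, to a host name that borrows a mimicked brand without belonging to that brand's real domain. The log format, the sample lines, the brand-to-domain table and the thresholds are all constructed assumptions.

```python
import statistics
from collections import defaultdict
from datetime import datetime
# Constructed proxy log lines (not real telemetry): "timestamp src_ip dest_host bytes_out".
# First host: made-up look-alike beaconing about once a minute with jitter; second: browsing.
SAMPLE_LOG = """\
2026-02-20T09:00:00 10.1.2.3 files-dropbox-sync.example 512
2026-02-20T09:00:52 10.1.2.3 files-dropbox-sync.example 498
2026-02-20T09:01:49 10.1.2.3 files-dropbox-sync.example 530
2026-02-20T09:02:41 10.1.2.3 files-dropbox-sync.example 501
2026-02-20T09:03:37 10.1.2.3 files-dropbox-sync.example 515
2026-02-20T09:00:05 10.1.2.3 news.example 20480
2026-02-20T09:07:40 10.1.2.3 news.example 19000
2026-02-20T09:08:01 10.1.2.3 news.example 33000
2026-02-20T09:25:12 10.1.2.3 news.example 21000
2026-02-20T09:51:00 10.1.2.3 news.example 24000
"""
# Real registrable domains of the brands the advisory says are mimicked (assumed list).
BRAND_DOMAINS = {"dropbox": "dropbox.com", "wordpress": "wordpress.com"}

def parse_log(text):
    """Yield (timestamp, src, host) from the whitespace-separated format above."""
    for line in text.splitlines():
        if line.strip():
            ts, src, host, _bytes = line.split()
            yield datetime.fromisoformat(ts), src, host

def looks_like_brand(host):
    """True if the host contains a mimicked brand name but is not under that brand's real domain."""
    h = host.lower()
    return any(b in h and h != d and not h.endswith("." + d) for b, d in BRAND_DOMAINS.items())

def find_beacons(text, min_events=5, max_cv=0.3):
    """Flag (src, host) pairs whose request gaps are too regular for human browsing: a jittered
    sleep still gives a low coefficient of variation (stdev/mean) of the gaps; browsing is bursty."""
    by_pair = defaultdict(list)
    for ts, src, host in parse_log(text):
        by_pair[(src, host)].append(ts)
    hits = {}
    for pair, times in by_pair.items():
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.stdev(gaps) / mean if mean > 0 else float("inf")
        if cv <= max_cv:
            hits[pair] = {"count": len(times), "mean_gap_s": round(mean, 1),
                          "cv": round(cv, 3), "brand_lookalike": looks_like_brand(pair[1])}
    return hits
```

In practice the minimum event count and CV threshold need tuning against a baseline of your own traffic, and scheduled legitimate software (update checks, monitoring agents) will also score low and should be allow-listed by destination.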

The malware’s capabilities include file system enumeration, arbitrary command execution, data exfiltration, and dynamic loading of additional modules. It employs advanced anti-debugging and anti-virtualization checks, such as registering a Vectored Exception Handler (VEH) and scanning for over two dozen security products by inspecting agent files, service names, and installation paths. All strings within the binary are obfuscated using position-independent XOR encryption, and the implant can inject itself into benign processes like explorer.exe using Windows API calls such as VirtualAllocEx and WriteProcessMemory.

MuddyWater continues to use legitimate remote administration tools, including SimpleHelp, ConnectWise, and RemoteUtilities, for lateral movement and persistence. The group’s infrastructure and TTPs are mapped extensively to the MITRE ATT&CK framework, with techniques spanning initial access via spear-phishing, execution through macro-enabled documents, persistence via registry keys, defense evasion through obfuscation and disabling security tools, credential access, lateral movement, collection, exfiltration, and C2.

Exploitation in the Wild

The RustyWater campaign has been observed in active exploitation against Israeli government, military, financial, telecommunications, and maritime organizations. The group’s spear-phishing lures are highly tailored, often using Hebrew-language decoy documents related to government or military topics. There is evidence of expansion into other Middle Eastern countries, including the UAE and Turkmenistan, with similar tactics and infrastructure.

Victims have experienced credential theft, data exfiltration, and surveillance, including unauthorized access to live CCTV feeds. Notably, threat intelligence from Amazon and others has correlated MuddyWater activity with physical missile strikes, suggesting a direct operational link between cyber and kinetic operations. The group’s use of RustyWater and related implants such as MuddyViper, BugSleep, and DCHSpy demonstrates a sustained and evolving threat to regional stability and critical infrastructure.

Victimology and Targeting

MuddyWater’s primary targets in this campaign are Israeli organizations in the government, military, financial, telecommunications, and maritime sectors. The group has also targeted diplomatic and critical infrastructure entities in the UAE, Turkmenistan, and other Middle Eastern countries. The spear-phishing lures are contextually relevant, often impersonating trusted organizations or referencing current events to increase the likelihood of user interaction. The targeting aligns with Iranian strategic interests and is designed to maximize intelligence collection and operational impact.

Mitigation and Countermeasures

Organizations are advised to implement a multi-layered defense strategy to mitigate the risk posed by MuddyWater and the RustyWater implant. Key recommendations include:

  • Blocking and monitoring for known C2 domains and IP addresses associated with MuddyWater campaigns, as detailed in threat intelligence feeds and referenced reports.
  • Monitoring for suspicious registry modifications, particularly Run keys referencing executables in atypical locations such as C:\ProgramData.
  • Detecting and alerting on the execution of unsigned executables masquerading as PDFs or other legitimate files, especially those delivered via email attachments.
  • Monitoring for anomalous use of legitimate remote administration tools, including SimpleHelp, ConnectWise, and RemoteUtilities, which may indicate lateral movement or persistence.
  • Deploying endpoint detection and response (EDR) solutions capable of identifying Rust-based malware, anti-debugging techniques, and process injection behaviors.
  • Implementing robust email security controls, disabling macro execution by default, and conducting regular security awareness training to help employees recognize and report phishing attempts.
  • Conducting proactive threat hunting for indicators of compromise (IOCs), such as registry persistence, process injection patterns, and unusual outbound network traffic with randomized intervals and obfuscated payloads.
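As an added example (not from the advisory or from Rescana), a small hunt over Sysmon-style events that implements two of the recommendations above: Run-key values that point at executables under atypical directories such as C:\ProgramData, and process launches of executables that carry a document extension in front of .exe, which is how a PDF-iconed executable from a ZIP attachment commonly presents. The sample events, the directory list and the double-extension heuristic are assumptions, not details the advisory states.

```python
import json
import re

# Constructed Sysmon-style events as JSON lines (not real telemetry). Field names follow
# Sysmon Event ID 13 (registry value set) and Event ID 1 (process create).
SAMPLE_EVENTS = r"""
{"EventID": 13, "TargetObject": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\SyncUpdater", "Details": "C:\\ProgramData\\SyncUpdater\\updater.exe"}
{"EventID": 13, "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\VendorTray", "Details": "\"C:\\Program Files\\Vendor\\tray.exe\" /silent"}
{"EventID": 1, "Image": "C:\\Users\\alice\\Downloads\\Report.pdf.exe", "CommandLine": "Report.pdf.exe"}
{"EventID": 1, "Image": "C:\\Program Files\\Adobe\\Acrobat.exe", "CommandLine": "Acrobat.exe Report.pdf"}
"""

# Run / RunOnce autostart keys under any hive (HKLM, HKU\<sid>, HKCU).
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.I)
# Directories a legitimate autostart entry rarely lives in (assumed list; tune per environment).
ATYPICAL_DIR_RE = re.compile(
    r"^[a-z]:\\(programdata|users\\[^\\]+\\(appdata|downloads)|windows\\temp)\\", re.I)
# Document extension hidden in front of an executable extension (heuristic, not from the advisory).
DOUBLE_EXT_RE = re.compile(r"\.(pdf|docx?|xlsx?|pptx?)\.(exe|scr|com)$", re.I)

def run_key_target(details):
    """Extract the executable path from a Run value, with or without surrounding quotes/arguments."""
    m = re.match(r'"?([^"]+?\.exe)(?=$|"|\s)', details, re.I)
    return m.group(1) if m else None

def hunt(text):
    """Apply both rules to JSON-lines events; returns [(rule_name, evidence_path), ...]."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("EventID") == 13 and RUN_KEY_RE.search(ev.get("TargetObject", "")):
            exe = run_key_target(ev.get("Details", ""))
            if exe and ATYPICAL_DIR_RE.match(exe):
                findings.append(("run_key_atypical_dir", exe))
        elif ev.get("EventID") == 1 and DOUBLE_EXT_RE.search(ev.get("Image", "")):
            findings.append(("document_masquerade", ev["Image"]))
    return findings
```

Both rules are intentionally narrow starting points: a Run value under Program Files still deserves a signature check, and a masquerading executable can use any name, so pair these with the EDR and email controls listed above rather than relying on them alone.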

About Rescana

Rescana delivers advanced third-party risk management (TPRM) solutions, empowering organizations to proactively identify, assess, and mitigate cyber risks across their extended supply chain. Our platform leverages real-time threat intelligence, automated risk scoring, and continuous monitoring to provide actionable insights and enhance organizational resilience. For questions or further information, please contact us at ops@rescana.com.