Executive Summary

CloudSEK’s TRIAD recently identified a spearphishing campaign attributed to the Muddy Water APT group targeting multiple sectors across the Middle East, including diplomatic, maritime, financial, and telecom entities. The campaign uses icon spoofing and malicious Word documents to deliver Rust based implants capable of asynchronous C2, anti-analysis, registry persistence, and modular post-compromise capability expansion.

Historically, Muddy Water has relied on PowerShell and VBS loaders for initial access and post-compromise operations. The introduction of Rust-based implants represents a notable tooling evolution toward more structured, modular, and low noise RAT capabilities. 

Although this Rust-based implant has appeared in limited reporting under names like Archer RAT / RUSTRIC, it remains far less documented than Muddy Water’s legacy PowerShell/VBS tooling. To avoid name collisions and for sanity, we refer to this variant as RustyWater throughout this report

Kill Chain

Initial Access Vector 

The email titled “Cybersecurity Guidelines” was sent from the email domain “info@tmcell” which looks to be an official contact email for TMCell (Altyn Asyr CJSC), the primary mobile operator in Turkmenistan. There is also a document attached called Cybersecurity.doc which serves as the primary payload for the next stage.

Technical Analysis

Stage - 1 : Cybersecurity.doc

We can run oleid to identify if any macros are present in the document and dump them further using tools like oledump.

WriteHexToFile reads a hex-encoded byte stream embedded in UserForm1.TextBox1.Text, removes all formatting characters, validates the data length, and decodes it into raw binary. It then writes the reconstructed payload to disk as CertificationKit.ini in C:\ProgramData\

The next love_me_function is primarily an obfuscated execution wrapper. It begins by dynamically reconstructing the string WScript.Shell using hard-coded ASCII values and the Chr() function.

Once reconstructed, the function validates the string and uses CreateObject to instantiate a WScript.Shell COM object to build a second obfuscated string that resolves to cmd.exe and executes CertificationKit.ini, the file written earlier by WriteHexToFile function.

We can directly take the hex string directly from UserForm1 and convert it. We can confirm it’s a PE file from the magic 4D5A header.

Stage - 2 : CertificationKit.ini

The extracted PE file presents itself as reddit.exe despite having a Cloudflare logo.Static analysis reveals the binary is compiled in Rust which aligns with previously documented samples of Archer RAT (also tracked as RUSTRIC), an implant attributed to the Muddy Water APT group.

‍

RustyWater begins execution by establishing anti debugging and anti tampering mechanisms. It registers a Vectored Exception Handler (VEH) to catch debugging attempts and systematically gathers victim machine information including username, computer name, and domain membership.All strings in the malware are encrypted using position independent XOR encryption. Some of the decrypted strings found in binary were 

• "C:\\ProgramData"
• "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
• "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
• "reqwest/0.12.23"  // Rust HTTP library
• "Content-Type: application/json"

RustyWater attempts to detect a wide range of antivirus and EDR tools by scanning for agent files, service names, and installation paths of more than 25 AV products.

The malware sets up persistence by writing itself to a Windows startup registry key. It first decrypts the key path and then opens the Run registry location under the current user. If that fails, it crashes with a Rust error message. Next, it decrypts another short string that becomes the name of the startup entry, The value points to a file at C:\ProgramData\CertificationKit.ini, which is our payload.

The malware establishes HTTP based command and control using the Rust reqwest library. It configures timeouts, connection pooling, headers, and implements retry logic for reliable C2.Before transmission, the binary encodes collected data using base64 and encrypts it. The payload is structured as JSON and includes system information, file listings, and metadata. The entire encryption is done with 3 layers of obfuscation(JSON -> Base64 -> XOR). To avoid detection, the binary implements randomized sleep intervals between C2 callbacks. It uses waitable timers and random number generation to create jitter, making traffic analysis difficult

The binary also uses Rust's async runtime (tokio) with multiple threads to handle C2 communication, file operations, and command execution concurrently without blocking

The shellcode is executed using a classic technique called Process Injection.The routine begins by verifying the presence of explorer.exe, which is later used as the target process. The binary is launched in suspended state and the malware retrieves the initial thread context. Further it allocates executable memory inside the remote process via VirtualAllocEx and writes the payload via WriteProcessMemory.

Pivoting

This campaign has been covered wonderfully by other security researchers as well but was not attributed.Based on the technical artifacts, targeting patterns, and tactical similarities observed in this campaign, we assess with high confidence that this activity can be attributed to Muddy Water APT (also tracked as Earth Vetala, MERCURY, Static Kitten, Mango Sandstorm). Several key indicators support this attribution:

VBA Macro Code Reuse: The macro code extracted from Cybersecurity.doc exhibits striking similarities to previously documented Muddy Water campaigns. Specifically, the WriteHexToFile and love_me_ function patterns, including the distinctive use of hex encoded payload embedding within UserForm controls.

The campaign analysed in this report shares significant overlap with another report.Similar TTPs can be observed in that chain too where the initial email was impersonating the L.M. Group, a legitimate Israeli HR company.

 Also we validated how the threat actor was able to use legitimate emails impersonating the government of Turkmenistan, UAE etc. We found leaked credentials for these email addresses which led to the spear phishing emails. 

Upon further pivoting we’re able to find many similar lures targeting UAE and Middle East.

We were able to find 5 more lures targeting UAE’s Financial and Education sectors.

In other campaign around November we found similar lures targeting the Middle East Maritime Industry

Impact

• High risk of long-term silent persistence: Registry-based autostart and delayed beaconing enable the Rust implant to remain operational across reboots with minimal forensic artifacts on disk.
• Dynamic post-access capability expansion: Modular implants allow the operator to enable new functions (collection, C2 tasking, credential theft) without delivering additional binaries or regaining access.
• Weak effectiveness of static network countermeasures: Tiered C2 failover, request jitter, and protocol switching reduce detection efficacy of domain/IP blocking and signature-based filters.
• Limited visibility for incident response teams: In memory execution and asynchronous task handling complicate timeline reconstruction, memory capture, and precise attribution during IR.
• Increased targeting and intelligence collection risk: On demand module deployment allows tailored surveillance aligned with the victim role (diplomatic, maritime, telecom), expanding data exposure scope.

Recommendations

• Monitor registry persistence mechanisms:
  Track anomalous Run key writes referencing .ini or PE artifacts in C:\ProgramData\* and flag user-context processes modifying autostart locations.
• Detect layered C2 behavior rather than single indicators:
  Alert on retry-heavy outbound HTTP, randomized callback intervals, fallback domains, and multi-step transform patterns (JSON → Base64 → XOR).
• Instrument memory allocation and thread manipulation events:
  Hunt for VirtualAllocEx + WriteProcessMemory + thread context modification inside benign Windows processes such as explorer.exe.
• Correlate signer trust with execution locality:
  Flag signed binaries executed from writable paths (Downloads, Temp, ProgramData) followed by non-signed module loads or remote thread creation.
• Treat late-stage RAT capability activation as malicious:
  Monitor transitions from passive beaconing to active collection behaviors such as file listing, keylogging calls, credential harvesting, or tasking execution

Appendix

IOCs

‍

‍

MITRE Mapping

‍

References

• *Intelligence source and information reliability - Wikipedia
• ^#Traffic Light Protocol - Wikipedia
• https://nsfocusglobal.com/new-apt-group-actor240524-a-closer-look-at-its-cyber-tactics-against-azerbaijan-and-israel/
• https://www.seqrite.com/blog/ung0801-tracking-threat-clusters-obsessed-with-av-icon-spoofing-targeting-israel/