18/69 Monday, January 12, 2026

The threat group MuddyWater has launched attacks against diplomatic, financial, telecommunications, and maritime transportation organizations in the Middle East using the RustyWater malware. The campaign relies on spear-phishing emails disguised as cybersecurity safety guidance, with a malicious Microsoft Word document attached. When a victim opens the document and clicks "Enable Content," a VBA macro runs and installs a Rust-based remote access trojan (RAT) known as RustyWater, also referred to as Archer RAT.
According to CloudSEK, RustyWater supports a wide range of espionage and remote-control capabilities. These include asynchronous command-and-control (C2) communications, anti-analysis techniques, persistence through Windows Registry keys, and support for additional modules that can be deployed after initial compromise. The malware collects host environment details, checks for installed security software, and connects to the C2 domain nomercys.it[.]com to receive commands, manage files, and execute arbitrary instructions.
MuddyWater, also known as Mango Sandstorm or Static Kitten, has traditionally relied on tools such as PowerShell, VBScript, and legitimate remote-access software. In recent operations, however, the group has increasingly adopted purpose-built malware toolsets, including Phoenix, UDPGangster, BugSleep (MuddyRot), and MuddyViper. The addition of RustyWater (also tracked as RUSTRIC) reflects a shift toward a more structured, modular RAT with a low operational footprint, which makes it harder to detect in enterprise environments.
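The chain described above (Word document, "Enable Content", a RAT that sets Registry persistence and resolves the C2 domain nomercys.it[.]com) is the kind of sequence a detection engineer would want to catch from endpoint telemetry. The following Python script is an added example written for this digest, not code from CloudSEK, The Hacker News, or the MuddyWater toolset. It parses constructed Sysmon-style "key=value" lines (the line format is an assumption; real Sysmon emits XML or Windows Event Log records), flags three stages, and correlates them per host. The only indicator taken from the page is the C2 domain; the Run-key path, the dropped file name updater.exe, and the host names are illustrative assumptions, not published indicators for this campaign.

```python
"""
Added example: three-stage detection for a macro-delivered RAT chain, run over
constructed Sysmon-like events. Nothing here is taken from the RustyWater
sample; only the C2 domain comes from the reported campaign.
"""
import re
from dataclasses import dataclass

# Reported C2 domain. The page defangs it as nomercys.it[.]com; it is refanged
# here so that it matches a real DNS QueryName field.
C2_DOMAINS = {"nomercys.it.com"}

# Assumption: the page only says "persistence through Windows Registry keys",
# so the classic Run / RunOnce keys are used as the illustrative location.
RUN_KEY_RE = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\b", re.IGNORECASE
)

# Office hosts that should not normally spawn executables from user-writable paths.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}

# Expected order of the chain on one host.
CHAIN = ("office_child_process", "run_key_persistence", "c2_dns_query")


@dataclass
class Finding:
    rule: str
    host: str
    time: str
    detail: str


def parse_event(line: str) -> dict:
    """Parse one constructed 'Key="value"' line into a dict (not real Sysmon XML)."""
    return {m.group(1): m.group(2) for m in re.finditer(r'(\w+)="([^"]*)"', line)}


def detect(lines) -> list:
    """Apply the three single-event rules and return Findings in log order."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        host, ts = ev.get("Computer", "?"), ev.get("UtcTime", "")
        eid = ev.get("EventID")
        if eid == "1":  # process creation: Office spawning a child
            parent = ev.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
            if parent in OFFICE_PARENTS:
                findings.append(Finding(CHAIN[0], host, ts, ev.get("Image", "")))
        elif eid == "13":  # registry value set under a Run key
            target = ev.get("TargetObject", "")
            if RUN_KEY_RE.search(target):
                findings.append(Finding(CHAIN[1], host, ts, target))
        elif eid == "22":  # DNS query for the reported C2 domain
            qname = ev.get("QueryName", "").lower()
            if qname in C2_DOMAINS:
                findings.append(Finding(CHAIN[2], host, ts, qname))
    return findings


def correlate(findings) -> dict:
    """Return {host: [rules]} for hosts where all three stages occur in order."""
    by_host = {}
    for f in findings:
        by_host.setdefault(f.host, []).append(f)
    hits = {}
    for host, fs in by_host.items():
        fs.sort(key=lambda f: f.time)
        stage = 0
        for f in fs:
            if stage < len(CHAIN) and f.rule == CHAIN[stage]:
                stage += 1
        if stage == len(CHAIN):
            hits[host] = [f.rule for f in fs]
    return hits


# Constructed sample telemetry (assumed format, assumed paths and host names).
# WS-07 shows the full chain; WS-12 is benign background noise.
SAMPLE_LOG = [
    'EventID="1" UtcTime="2026-01-12 09:14:02" Computer="WS-07" '
    'Image="C:\\Users\\a.user\\AppData\\Roaming\\updater.exe" '
    'ParentImage="C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"',
    'EventID="13" UtcTime="2026-01-12 09:14:05" Computer="WS-07" '
    'TargetObject="HKU\\S-1-5-21-1111111111-2222222222-3333333333-1001'
    '\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater" '
    'Details="C:\\Users\\a.user\\AppData\\Roaming\\updater.exe"',
    'EventID="22" UtcTime="2026-01-12 09:14:09" Computer="WS-07" '
    'QueryName="nomercys.it.com" Image="C:\\Users\\a.user\\AppData\\Roaming\\updater.exe"',
    'EventID="1" UtcTime="2026-01-12 09:20:00" Computer="WS-12" '
    'Image="C:\\Windows\\System32\\notepad.exe" ParentImage="C:\\Windows\\explorer.exe"',
    'EventID="22" UtcTime="2026-01-12 09:21:00" Computer="WS-12" '
    'QueryName="update.microsoft.com" Image="C:\\Windows\\System32\\svchost.exe"',
]

if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for f in found:
        print(f"{f.time} {f.host} {f.rule}: {f.detail}")
    print("full chain on:", correlate(found))
```

Each single-event rule is noisy on its own (Office legitimately spawns helpers, and Run-key writes are common during software installs), so the per-host ordering in correlate() is what turns three weak signals into one actionable alert. Note also that when Office's default blocking of macros in files carrying the mark of the web is enforced, the first stage of this chain does not execute at all; the rules above cover the case where a user was able to click Enable Content.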
Source https://thehackernews.com/2026/01/muddywater-launches-rustywater-rat-via.html
