RustyWater RAT adds asynchronous C2 and Windows Registry persistence
Malware Activity
Summary
Hide ▲
Show ▼
RustyWater is being used as a Rust-based RAT implant that can profile victims, maintain Windows Registry persistence, and execute commands on Windows systems. The payload's asynchronous C2 and anti-analysis features make it a more capable foothold for post-compromise control and stealth.
Related Happenings
GigaWiper / BLUERABBIT destructive Windows backdoor activity
Malware Activity
H score31
First: 09.07.2026 21:08
Last: 09.07.2026 21:08
Sources 1
About this happening:
The **GigaWiper / BLUERABBIT** malware activity now combines **disk wiping**, **fake ransomware**, and **spyware backdoor** functions on **Windows**, increasing the chance that on...
GigaWiper / BLUERABBIT destructive Windows backdoor activity
Malware ActivityAbout this happening: The **GigaWiper / BLUERABBIT** malware activity now combines **disk wiping**, **fake ransomware**, and **spyware backdoor** functions on **Windows**, increasing the chance that on...
TonRAT Node.js implant with TON blockchain C2
Malware Activity
H score24
First: 26.06.2026 12:27
Last: 26.06.2026 12:27
Sources 1
About this happening:
**TonRAT** is using a **Node.js implant** to hide command-and-control lookups behind the **TON blockchain API**, increasing the chance that blocking and detection will fail. The a...
TonRAT Node.js implant with TON blockchain C2
Malware ActivityAbout this happening: **TonRAT** is using a **Node.js implant** to hide command-and-control lookups behind the **TON blockchain API**, increasing the chance that blocking and detection will fail. The a...
Gentlemen ransomware EDR-killer tooling
Malware Activity
H score35
First: 19.06.2026 01:31
Last: 19.06.2026 01:31
Sources 1
About this happening:
**Gentlemen ransomware-as-a-service (RaaS)** is actively maintaining a suite of **EDR killers** led by **GentleKiller** to disable endpoint defenses before encryption. ESET says t...
Gentlemen ransomware EDR-killer tooling
Malware ActivityAbout this happening: **Gentlemen ransomware-as-a-service (RaaS)** is actively maintaining a suite of **EDR killers** led by **GentleKiller** to disable endpoint defenses before encryption. ESET says t...
GhostTree and GhostBranch NTFS junction loops that evade recursive folder scanning
Technical Analysis
H score23
First: 16.06.2026 17:17
Last: 16.06.2026 17:17
Sources 1
About this happening:
**GhostTree** and **GhostBranch** use recursive **NTFS junction** loops to generate effectively unlimited paths, allowing files in the same folder to evade **EDR** and **Windows D...
GhostTree and GhostBranch NTFS junction loops that evade recursive folder scanning
Technical AnalysisAbout this happening: **GhostTree** and **GhostBranch** use recursive **NTFS junction** loops to generate effectively unlimited paths, allowing files in the same folder to evade **EDR** and **Windows D...
DEEP#DOOR Python backdoor framework
Malware Activity
H score28
First: 30.04.2026 15:36
Last: 30.04.2026 15:36
Sources 1
About this happening:
**DEEP#DOOR** is a newly disclosed **Python-based backdoor framework** that can keep **persistent access** to compromised Windows hosts while stealing browser, SSH, and cloud cred...
DEEP#DOOR Python backdoor framework
Malware ActivityAbout this happening: **DEEP#DOOR** is a newly disclosed **Python-based backdoor framework** that can keep **persistent access** to compromised Windows hosts while stealing browser, SSH, and cloud cred...
Timeline
-
10.01.2026 12:35 2 articles · 6mo ago
MuddyWater uses RustyWater against Middle East entities
Technical Analysis UpdateMuddyWater runs a spear-phishing campaign against diplomatic, maritime, financial, and telecom entities in the Middle East using the Rust-based RustyWater implant. The payload is delivered with icon spoofing and malicious Word documents that prompt victims to "Enable content" and trigger a malicious VBA macro, then deploy a RAT that supports asynchronous C2, anti-analysis, registry persistence, victim profiling, security-software detection, and file operations and command execution via nomercys.it[.]com. The group is assessed to be affiliated with Iran's Ministry of Intelligence and Security (MOIS), is operational since at least 2017, and has reduced reliance on PowerShell and VBS loaders in favor of a more modular malware set.
Show sources
- MuddyWater Launches RustyWater RAT via Spear-Phishing Across Middle East Sectors — thehackernews.com — 10.01.2026 12:35
- MuddyWater Launches RustyWater RAT via Spear-Phishing Across Middle East Sectors — thehackernews.com — 10.01.2026 12:35