Find notable cyber news and cases, enriched with sources, timelines, and signals.

RustyWater RAT adds asynchronous C2 and Windows Registry persistence

Malware Activity
First reported
Last updated
Happening score
H score 22
1 unique sources, 1 articles

Summary

Hide ▲

RustyWater is being used as a Rust-based RAT implant that can profile victims, maintain Windows Registry persistence, and execute commands on Windows systems. The payload's asynchronous C2 and anti-analysis features make it a more capable foothold for post-compromise control and stealth.

Related Happenings

GigaWiper / BLUERABBIT destructive Windows backdoor activity

Malware Activity
H score31 First: 09.07.2026 21:08 Last: 09.07.2026 21:08 Sources 1

About this happening: The **GigaWiper / BLUERABBIT** malware activity now combines **disk wiping**, **fake ransomware**, and **spyware backdoor** functions on **Windows**, increasing the chance that on...

TonRAT Node.js implant with TON blockchain C2

Malware Activity
H score24 First: 26.06.2026 12:27 Last: 26.06.2026 12:27 Sources 1

About this happening: **TonRAT** is using a **Node.js implant** to hide command-and-control lookups behind the **TON blockchain API**, increasing the chance that blocking and detection will fail. The a...

Gentlemen ransomware EDR-killer tooling

Malware Activity
H score35 First: 19.06.2026 01:31 Last: 19.06.2026 01:31 Sources 1

About this happening: **Gentlemen ransomware-as-a-service (RaaS)** is actively maintaining a suite of **EDR killers** led by **GentleKiller** to disable endpoint defenses before encryption. ESET says t...

GhostTree and GhostBranch NTFS junction loops that evade recursive folder scanning

Technical Analysis
H score23 First: 16.06.2026 17:17 Last: 16.06.2026 17:17 Sources 1

About this happening: **GhostTree** and **GhostBranch** use recursive **NTFS junction** loops to generate effectively unlimited paths, allowing files in the same folder to evade **EDR** and **Windows D...

DEEP#DOOR Python backdoor framework

Malware Activity
H score28 First: 30.04.2026 15:36 Last: 30.04.2026 15:36 Sources 1

About this happening: **DEEP#DOOR** is a newly disclosed **Python-based backdoor framework** that can keep **persistent access** to compromised Windows hosts while stealing browser, SSH, and cloud cred...

Timeline

  1. 10.01.2026 12:35 2 articles · 6mo ago

    MuddyWater uses RustyWater against Middle East entities

    Technical Analysis Update

    MuddyWater runs a spear-phishing campaign against diplomatic, maritime, financial, and telecom entities in the Middle East using the Rust-based RustyWater implant. The payload is delivered with icon spoofing and malicious Word documents that prompt victims to "Enable content" and trigger a malicious VBA macro, then deploy a RAT that supports asynchronous C2, anti-analysis, registry persistence, victim profiling, security-software detection, and file operations and command execution via nomercys.it[.]com. The group is assessed to be affiliated with Iran's Ministry of Intelligence and Security (MOIS), is operational since at least 2017, and has reduced reliance on PowerShell and VBS loaders in favor of a more modular malware set.

    Show sources