RustyWater RAT adds asynchronous C2 and Windows Registry persistence
Malware Activity
Summary
RustyWater is a Rust-based RAT implant that profiles victims, maintains persistence through the Windows Registry, and executes operator commands on compromised Windows hosts. Its asynchronous C2 channel and anti-analysis checks make it a more capable and stealthier foothold for post-compromise control.
Related Happenings
DEEP#DOOR Python backdoor framework
Malware Activity
First: 30.04.2026 15:36
Last: 30.04.2026 15:36
Sources 1
About this happening:
**DEEP#DOOR** is a newly disclosed **Python-based backdoor framework** that can keep **persistent access** to compromised Windows hosts while stealing browser, SSH, and cloud cred...
GopherWhisper Go-based malware toolkit with Slack, Discord, and Outlook C2
Malware Activity
First: 23.04.2026 15:06
Last: 23.04.2026 15:06
Sources 1
About this happening:
The **GopherWhisper** malware set now combines **Go-based backdoors** and **exfiltration tools** that abuse **Slack**, **Discord**, **Microsoft 365 Outlook**, and **Microsoft Grap...
VENOM closed-access PhaaS operating model limits researcher visibility
Threat Actor Meta
First: 10.04.2026 00:37
Last: 10.04.2026 00:37
Sources 1
About this happening:
**VENOM** is operating as a **closed-access phishing-as-a-service** platform, reducing researcher visibility while supporting **underground credential theft**. The service targets...
GPUBreach GPU Rowhammer research enables GDDR6 page-table corruption and privilege escalation
Technical Analysis
First: 07.04.2026 00:44
Last: 07.04.2026 00:44
Sources 1
About this happening:
**GPUBreach** research shows **Rowhammer** bit flips in **GDDR6** can corrupt **GPU page tables**, creating a path to **arbitrary GPU memory read/write** and potential **full syst...
Handala multi-stage malware with Telegram C2 and exfiltration
Malware Activity
First: 24.03.2026 11:30
Last: 24.03.2026 11:30
Sources 1
About this happening:
The **Handala** malware package uses a **multi-stage payload** to give operators **remote access** to infected **Windows** devices, increasing the risk of stealthy data theft. The...
Timeline
- 10.01.2026 12:35 · 2 articles · 4mo ago
MuddyWater uses RustyWater against Middle East entities
Technical Analysis Update
MuddyWater is running a spear-phishing campaign against diplomatic, maritime, financial, and telecom entities in the Middle East using the Rust-based RustyWater implant. The lure relies on icon spoofing and malicious Word documents that prompt victims to "Enable content"; the resulting VBA macro deploys a RAT that supports asynchronous C2, anti-analysis checks, Registry persistence, victim profiling, security-software detection, file operations, and command execution, with C2 via nomercys.it[.]com. The group is assessed to be affiliated with Iran's Ministry of Intelligence and Security (MOIS), has been operational since at least 2017, and has reduced its reliance on PowerShell and VBS loaders in favor of a more modular malware set.
Sources
- MuddyWater Launches RustyWater RAT via Spear-Phishing Across Middle East Sectors — thehackernews.com — 10.01.2026 12:35
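The chain in the entry above (a Word macro launching a child process, a Registry write for persistence, and C2 traffic to the reported domain) maps onto three Sysmon event types that most SOCs already collect. The script below is an added example written for this page, not code from the article, from MuddyWater tooling, or from any vendor's detection content. The sample event records are constructed; the Run-key path, the `updater.exe` file path, and the allow-list of processes permitted to write Run keys are assumptions, because the page only states that the RAT uses Registry persistence and does not name the key.

```python
"""Added example: Sysmon-style detections for the RustyWater tradecraft described above.

Three checks mirror the reported chain: Word spawning a scripting or shell host (the
"Enable content" macro stage), a Run-key value set by an untrusted process (Registry
persistence), and a DNS lookup of the reported C2 domain. Every event record below is
constructed; the Run key, file paths and installer allow-list are assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Indicator taken from the page, defanged there; refang it once for matching.
C2_DOMAIN = "nomercys.it[.]com".replace("[.]", ".")

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
MACRO_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                  "mshta.exe", "rundll32.exe", "regsvr32.exe"}
# Assumption: the implant writes an HKCU/HKLM Run or RunOnce value. The page does
# not name the key, so tune this to what your own analysis finds.
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
# Assumption: processes that legitimately populate Run keys in this environment.
TRUSTED_RUN_WRITERS = {"msiexec.exe", "explorer.exe"}


@dataclass(frozen=True)
class Alert:
    rule: str
    event_id: int
    detail: str


def _basename(path: str) -> str:
    """Last path component, lower-cased, so matching is case-insensitive."""
    return path.rsplit("\\", 1)[-1].lower()


def check_office_child(ev: dict) -> Alert | None:
    """Sysmon EID 1 (process create): Office parent launching a script/shell host."""
    if ev.get("EventID") != 1:
        return None
    parent, child = _basename(ev.get("ParentImage", "")), _basename(ev.get("Image", ""))
    if parent in OFFICE_PARENTS and child in MACRO_CHILDREN:
        return Alert("office_macro_child_process", 1,
                     f"{parent} -> {child}: {ev.get('CommandLine', '')}")
    return None


def check_run_key(ev: dict) -> Alert | None:
    """Sysmon EID 13 (registry value set): Run-key write from an untrusted process."""
    if ev.get("EventID") != 13:
        return None
    target = ev.get("TargetObject", "")
    if RUN_KEY_RE.search(target) and _basename(ev.get("Image", "")) not in TRUSTED_RUN_WRITERS:
        return Alert("run_key_persistence", 13, f"{target} = {ev.get('Details', '')}")
    return None


def check_c2_dns(ev: dict) -> Alert | None:
    """Sysmon EID 22 (DNS query): lookup of the reported C2 domain or any subdomain."""
    if ev.get("EventID") != 22:
        return None
    qname = ev.get("QueryName", "").lower().rstrip(".")
    if qname == C2_DOMAIN or qname.endswith("." + C2_DOMAIN):
        return Alert("c2_domain_lookup", 22, f"{_basename(ev.get('Image', ''))} resolved {qname}")
    return None


CHECKS = (check_office_child, check_run_key, check_c2_dns)


def scan(events: list[dict]) -> list[Alert]:
    """Run every check over every event; one event may raise several alerts."""
    return [a for ev in events for chk in CHECKS if (a := chk(ev)) is not None]


# Constructed sample telemetry: three true positives interleaved with three benign records.
SAMPLE_EVENTS = [
    {"EventID": 1, "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c start updater.exe"},
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", "CommandLine": "WINWORD.EXE"},
    {"EventID": 13, "Image": r"C:\Users\victim\AppData\Roaming\updater.exe",  # hypothetical implant path
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\victim\AppData\Roaming\updater.exe"},
    {"EventID": 13, "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorAgent",
     "Details": r"C:\Program Files\Vendor\agent.exe"},
    {"EventID": 22, "Image": r"C:\Users\victim\AppData\Roaming\updater.exe", "QueryName": "nomercys.it.com"},
    {"EventID": 22, "Image": r"C:\Windows\System32\svchost.exe", "QueryName": "ctldl.windowsupdate.com"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"[{alert.rule}] EID {alert.event_id}: {alert.detail}")
```

Run against the constructed events, the scan raises exactly one alert per stage of the reported chain and stays silent on the benign Word launch, the installer-written Run value, and the Windows Update lookup. The domain check matches subdomains as well as the bare name because an implant with its own DNS resolution is free to rotate host labels under the same registered domain; the Run-key allow-list is the part most likely to need local tuning.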