MuddyWater Deploys “RustyWater” RAT via Spear-Phishing, Targeting Websites and Web-Connected Systems in the Middle East

The Iranian state-linked hacking group MuddyWater has launched a new cyber-espionage campaign that deploys a previously undocumented remote access trojan (RAT) tracked as “RustyWater,” according to recent threat intelligence findings.

The campaign, delivered through spear-phishing emails, has targeted organisations across the Middle East, reaching the websites, internal web applications, and internet-facing systems of government agencies, telecommunications firms, energy companies, and critical infrastructure providers.


Spear-Phishing Leads to Compromise of Web-Connected Environments

Attackers open the intrusion with highly targeted phishing emails that impersonate legitimate business or government correspondence. Each email carries a malicious document attachment which, when opened, runs an embedded payload that installs RustyWater. The chain depends on the recipient opening the document, so attachment filtering at the mail gateway and an easy way for staff to report suspicious documents stop it before any payload runs.

Once running, the malware gives the operators remote access to the hosts that manage websites, web portals, and internal web applications, and from there a foothold for moving deeper into connected networks.
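
The two indicators the initial-access step above hinges on, a sender that impersonates a trusted organisation and a document attachment that carries an embedded payload, can be checked mechanically at the mail gateway. The script below is an added example, not Entivel's code and not analysis tooling from any RustyWater report. The sample message, the macro-bearing attachment and the trusted-sender list are constructed here and the organisation names and domains are hypothetical.

```python
"""Mail-attachment triage for the initial-access step described above.

Added example, not Entivel's or any vendor's code. It checks two things the
campaign description calls out: a sender that impersonates a trusted
organisation, and a document attachment carrying an embedded payload
(Open XML macro or OLE parts). The sample message, the attachment bytes and
the trusted-sender list are all constructed here and are hypothetical.
"""
import email.utils
import io
import json
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Hypothetical allow-list: the organisation names a mail may legitimately
# claim, and the only sender domains allowed to claim them.
TRUSTED_SENDERS = {
    "ministry of example": {"example.gov"},
    "partner telecom": {"partner.example.com"},
}

# Open XML (docx/docm/xlsm/pptm) part names that mean the document carries
# active content or an embedded object rather than plain text.
PAYLOAD_PARTS = ("vbaProject.bin", "embeddings/", "oleObject", "activeX/")


def sender_mismatch(from_header: str) -> bool:
    """True when the display name claims a trusted organisation but the
    address domain is not one of that organisation's sender domains."""
    name, addr = email.utils.parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower()
    for org, domains in TRUSTED_SENDERS.items():
        if org in name.lower() and domain not in domains:
            return True
    return False


def embedded_payload_parts(data: bytes) -> list[str]:
    """Part names inside an Open XML document that indicate macros or
    embedded objects. Anything that is not a zip container yields []."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist()
                    if any(marker in n for marker in PAYLOAD_PARTS)]
    except zipfile.BadZipFile:
        return []


def triage(raw_message: bytes) -> dict:
    """Parse an RFC 822 message and report both indicators."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    report = {"sender_mismatch": sender_mismatch(str(msg["From"] or "")),
              "attachments": []}
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        report["attachments"].append({
            "filename": part.get_filename(),
            "content_type": part.get_content_type(),
            "embedded_parts": embedded_payload_parts(data),
        })
    return report


def build_sample_message() -> bytes:
    """Constructed lure: a lookalike sender and a macro-bearing .docm.
    The vbaProject.bin content is a placeholder, not a real macro."""
    doc = io.BytesIO()
    with zipfile.ZipFile(doc, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    msg = EmailMessage()
    msg["From"] = "Ministry of Example <notifications@example-gov-mail.net>"
    msg["To"] = "webmaster@victim.example"
    msg["Subject"] = "Updated portal maintenance schedule"
    msg.set_content("Please review the attached schedule before Sunday.")
    msg.add_attachment(doc.getvalue(), maintype="application",
                       subtype="vnd.ms-word.document.macroEnabled.12",
                       filename="schedule.docm")
    return msg.as_bytes()


SAMPLE_EML = build_sample_message()

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_EML), indent=2))
```

Both checks are cheap enough to run on every inbound message. The part-name check only covers zip-based Office formats; legacy OLE (.doc/.xls) files need an OLE parser, and the display-name check is only as good as the allow-list behind it, so treat a hit as a reason to quarantine for review rather than as proof.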


RustyWater RAT Enables Access to Web and Application Infrastructure

Analysis shows that RustyWater is designed for stealthy, persistent access, particularly within environments that support web services and application hosting.

Capabilities observed include:

  • Remote command execution on compromised servers
  • Access to files used by websites and web applications
  • System and network reconnaissance
  • Long-term persistence with minimal detection

Security researchers note that RustyWater’s low footprint makes it difficult to detect with basic website monitoring or traditional signature-based antivirus. Detection therefore has to lean on host and network telemetry: new persistence entries, unexpected child processes spawned by document viewers or web server processes, and outbound connections that recur on a schedule.


Web-Facing Sectors Among Primary Targets

Affected and targeted organisations include:

  • Government websites and internal portals
  • Telecommunications web platforms
  • Energy and oil & gas web-based systems
  • Critical infrastructure management applications

The campaign underscores the growing risk to website and web application security, particularly in sectors where public-facing systems are closely tied to internal networks.


MuddyWater Continues to Exploit Web-Based Attack Surfaces

MuddyWater is known for leveraging email-based social engineering to gain initial access, followed by lateral movement toward web servers, application backends, and administrative panels.

The introduction of RustyWater shows the group’s continued investment in custom tooling whose traffic blends into normal web and application traffic, which makes network-level detection harder.
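
Traffic that looks like ordinary web requests is still usually scheduled: an implant calls home on a timer with little jitter, while a human browsing session does not. The script below, an added example rather than Entivel's or any vendor's detection logic, scores that regularity over web-proxy logs. The log lines are constructed, and the field layout (timestamp, client IP, server IP, host, status, bytes) and the thresholds are assumptions.

```python
"""Beacon detection over web-proxy logs.

Added example, not Entivel's or any vendor's detection logic. A RAT whose
traffic is shaped to look like ordinary web requests is still, in most
cases, scheduled: it calls home at a fixed interval with little jitter,
which a human browsing session never does. The log lines below are
constructed, and the field layout (timestamp, client IP, server IP, host,
status, bytes) is an assumption about the proxy format.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

SAMPLE_LOG = """\
2024-05-01T08:00:00 10.0.5.21 203.0.113.10 cdn-updates.example.net 200 512
2024-05-01T08:00:10 10.0.5.33 198.51.100.7 news.example.org 200 48211
2024-05-01T08:00:13 10.0.5.33 198.51.100.7 news.example.org 200 9120
2024-05-01T08:00:58 10.0.5.33 198.51.100.7 news.example.org 200 31004
2024-05-01T08:01:00 10.0.5.21 203.0.113.10 cdn-updates.example.net 200 512
2024-05-01T08:01:00 10.0.5.33 198.51.100.7 news.example.org 200 2200
2024-05-01T08:01:59 10.0.5.21 203.0.113.10 cdn-updates.example.net 200 512
2024-05-01T08:03:00 10.0.5.21 203.0.113.10 cdn-updates.example.net 200 512
2024-05-01T08:04:00 10.0.5.21 203.0.113.10 cdn-updates.example.net 200 512
2024-05-01T08:05:02 10.0.5.21 203.0.113.10 cdn-updates.example.net 200 512
2024-05-01T08:06:00 10.0.5.21 203.0.113.10 cdn-updates.example.net 200 512
2024-05-01T08:06:00 10.0.5.33 198.51.100.7 news.example.org 200 17390
2024-05-01T08:06:07 10.0.5.33 198.51.100.7 news.example.org 200 5023
2024-05-01T08:07:00 10.0.5.21 203.0.113.10 cdn-updates.example.net 200 512
2024-05-01T08:07:30 10.0.5.40 192.0.2.9 portal.example.gov 200 7710
2024-05-01T08:08:30 10.0.5.40 192.0.2.9 portal.example.gov 200 7710
"""


def parse_line(line: str):
    """Split one proxy line into (timestamp, client, host)."""
    ts, client, _server, host, _status, _size = line.split()
    return datetime.fromisoformat(ts), client, host


def find_beacons(log_text: str, min_events: int = 6, max_cv: float = 0.2) -> dict:
    """Group requests by (client, host) and score the regularity of each
    series. cv = stdev / mean of the inter-request gaps; a low cv means
    the client is calling the host on a timer. min_events and max_cv are
    tuning assumptions, not published thresholds."""
    series = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, client, host = parse_line(line)
            series[(client, host)].append(ts)

    results = {}
    for key, times in series.items():
        if len(times) < min_events:
            continue  # too few samples to say anything about periodicity
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # all requests in the same second: a burst, not a beacon
        cv = pstdev(gaps) / avg
        results[key] = {
            "events": len(times),
            "mean_interval_s": round(avg, 1),
            "cv": round(cv, 3),
            "beacon": cv <= max_cv,
        }
    return results


if __name__ == "__main__":
    for (client, host), score in find_beacons(SAMPLE_LOG).items():
        flag = "BEACON" if score["beacon"] else "ok"
        print(f"{flag:6} {client} -> {host} every ~{score['mean_interval_s']}s cv={score['cv']}")
```

Real implants add jitter and sleep for hours, so in practice the window is days rather than minutes, max_cv is tuned against the environment's own baseline, and a second signal such as the constant response size in the sample series (512 bytes every time) is combined with the timing score before anyone is paged.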


Ongoing Threat Activity

Threat intelligence teams report that the campaign remains active, with new phishing attempts and infrastructure continuing to emerge. Organisations operating websites or web applications connected to Middle Eastern networks remain at elevated risk.

Security analysts warn that website and web application environments are increasingly being targeted as entry points for long-term cyber-espionage operations.


About Entivel
Entivel develops secure websites, web applications, and custom software solutions, providing cybersecurity, threat intelligence, and penetration testing services for businesses and critical infrastructure operators.
