1 min read | Saved February 14, 2026
Do you care about this?
The hacker group MuddyWater has launched a new spear-phishing campaign using a Rust-based implant called RustyWater, targeting various sectors in the Middle East. This campaign involves malicious Word documents that deploy the malware, which can gather system information and maintain persistence on infected machines. The move marks a shift from traditional tools to more sophisticated, custom malware.
If you do, here's more
MuddyWater, an Iranian threat actor, has launched a spear-phishing campaign targeting various sectors in the Middle East, including diplomatic and financial institutions. The campaign employs a Rust-based implant known as RustyWater. Attackers use icon spoofing and malicious Word documents to deliver this malware, which features capabilities like asynchronous command and control (C2), anti-analysis measures, registry persistence, and modular post-compromise enhancements. According to Prajwal Awasthi from CloudSEK, this shift highlights MuddyWater's evolving tactics, moving away from relying on legitimate remote access tools to a more diverse arsenal of custom malware.
The attack methodology is straightforward. Victims receive spear-phishing emails that appear to be cybersecurity guidelines, accompanied by a Microsoft Word document. Once the document is opened, victims are prompted to enable content, triggering a malicious VBA macro that executes the Rust implant. RustyWater, also known as Archer RAT and RUSTRIC, collects information about the victim's machine, identifies security software, ensures persistence via a Windows Registry key, and connects to a C2 server, specifically "nomercys.it[.]com," for further instructions.
Seqrite Labs has identified recent activity linked to this malware, tracked as UNG0801 and Operation IconCat, that targets IT firms, managed service providers, and software developers in Israel. Historically, MuddyWater has favored PowerShell and VBS loaders for initial access, but the introduction of Rust-based implants marks a significant shift toward more structured and stealthy remote access tools, enhancing their operational capacity.
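The chain described above (Office document spawns the implant, a Run key is written for persistence, the host resolves the C2 domain) can be correlated per host from ordinary endpoint telemetry. The following is an added detection sketch, not code from the article or from any of the vendors it cites; the event format, host names and file paths are constructed, and the only page-derived value is the C2 domain, refanged from "nomercys.it[.]com".

```python
"""Correlate the three RustyWater stages per host over constructed telemetry."""
import re
from dataclasses import dataclass

C2_DOMAIN = "nomercys.it.com"  # refanged from the article's "nomercys.it[.]com"
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\", re.IGNORECASE)


@dataclass
class Event:
    host: str
    kind: str      # "process", "registry" or "dns"
    fields: dict   # kind-specific attributes


# Constructed sample events (not from the article); ws-01 shows the full chain.
SAMPLE_EVENTS = [
    Event("ws-01", "process", {"parent": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
                               "image": r"C:\Users\u\AppData\Local\Temp\svc.exe"}),
    Event("ws-01", "registry", {"key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
                                "value": r"C:\Users\u\AppData\Local\Temp\svc.exe"}),
    Event("ws-01", "dns", {"query": "nomercys.it.com."}),
    Event("ws-02", "process", {"parent": r"C:\Windows\explorer.exe",
                               "image": r"C:\Windows\notepad.exe"}),
    Event("ws-02", "dns", {"query": "example.com"}),
]


def stage_of(ev: Event):
    """Map one event to a stage of the described chain, or None if benign."""
    f = ev.fields
    if ev.kind == "process" and f["parent"].lower().rsplit("\\", 1)[-1] in OFFICE_PARENTS:
        return "office_spawn"          # macro launching a child binary
    if ev.kind == "registry" and RUN_KEY.search(f["key"]):
        return "run_key_persistence"   # Windows Registry persistence
    if ev.kind == "dns" and f["query"].lower().rstrip(".") == C2_DOMAIN:
        return "c2_dns"                # lookup of the reported C2 domain
    return None


def triage(events):
    """Return {host: sorted stage names} for hosts with at least one hit."""
    hits = {}
    for ev in events:
        stage = stage_of(ev)
        if stage:
            hits.setdefault(ev.host, set()).add(stage)
    return {h: sorted(s) for h, s in hits.items()}


def full_chain_hosts(events):
    """Hosts on which all three stages were observed; these deserve first attention."""
    return sorted(h for h, s in triage(events).items() if len(s) == 3)
```

A single stage (an Office child process, say) is noisy on its own; the value is in requiring the stages to co-occur on one host.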