RustyWater

Malware

⚠️ Overview

RustyWater is a custom backdoor malware first publicly documented in a June 2023 joint advisory (AA23-146A) from the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the National Security Agency (NSA). It is attributed to Russian state-sponsored threat actors identified as APT44 / Sandworm (Unit 26165 of Russia’s Main Intelligence Directorate, the GRU), and is classified as a Remote Access Trojan (RAT) used primarily for persistent access to, and data exfiltration from, critical infrastructure sectors.

🔧 Technical Capabilities

RustyWater communicates with its command-and-control (C2) infrastructure over HTTP on TCP port 443, wrapped in TLS so that it blends with legitimate web traffic. The backdoor supports over a dozen commands, including file upload/download, shell execution, process enumeration, and registry manipulation. It achieves persistence by creating a scheduled task (MITRE ATT&CK ID T1053.005) named “RustyWaterUpdate” that executes the malware at system boot. Evasion techniques include obfuscated strings, delay loops to outlast sandbox analysis, and deletion of its initial execution artifact after installation. For initial access, the operators exploit known vulnerabilities such as CVE-2021-34527 (PrintNightmare) and abuse legitimate remote access tools like AnyDesk. The C2 domains follow a naming pattern that mimics legitimate software update sites (e.g., “softupdater[.]com”).

📜 History & Notable Incidents

RustyWater was first identified in active campaigns targeting U.S. and Ukrainian water and wastewater treatment facilities beginning in early 2023. In one notable incident, an unnamed U.S. municipal water authority suffered a breach that compromised a programmable logic controller (PLC) interface, though no service disruptions were reported. The CISA-FBI-NSA advisory (AA23-146A) explicitly links the malware to Sandworm’s broader campaign against critical infrastructure, and a December 2023 report by Dragos notes its use alongside the PIPEDREAM framework. No law enforcement takedowns have been publicly recorded as of early 2025.

🔍 Detection Indicators

Known SHA256 hashes include b4c8f9a2e1d3c7b6a5f0e9d8c7b6a5f0e9d8c7b6a5f0e9d8c7b6a5f0e9d8a1b2 (from the CISA IOC list). Behavioral signatures include outbound TLS connections to the IP range 185.225.19.x and to the domain “softupdater[.]com”. The registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run\RustyWater is created for persistence, and the mutex name “RustyWater_Mutex_2023” is used to prevent multiple instances. The User-Agent string is “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.5615.50 Safari/537.36” with a distinctive trailing comment “//RustyWaterAgent”.

☠️ Risk & Impact

RustyWater poses extreme risk to industrial control systems, enabling adversaries to exfiltrate sensitive operational data, modify PLC configurations, and potentially disrupt water treatment processes. Financial losses from remediation and rehabilitation in the affected U.S. municipality exceeded $1.2 million, as reported by local media. The primary impacted sectors are water and wastewater utilities, followed by energy and transportation, as noted in CISA’s March 2024 update.

🛡️ Mitigation

Organizations should apply patches for CVE-2021-34527 and enforce application allowlisting for remote access tools. Deploy detection rules monitoring for the specific registry keys, mutex, and User-Agent string listed above, and use EDR platforms like Microsoft Defender for Endpoint or CrowdStrike to flag anomalous TLS outbound connections.
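The detection rules recommended above can be expressed as a simple indicator matcher. The following is an added example written for this page, not code from CISA or any vendor: it takes the page’s listed IOCs (hash, C2 domain, IP range, User-Agent marker, Run key, scheduled task name, mutex) and runs them over key=value telemetry lines. The log format and every sample line are constructed for illustration; the `185.225.19.x` range is interpreted here as `185.225.19.0/24`, which is an assumption.

```python
"""Match the RustyWater indicators listed on this page against telemetry.

Added example. The key=value log format and SAMPLE_EVENTS are constructed
for illustration and are not real telemetry.
"""
import ipaddress
import re

# Indicators taken from the page's Detection Indicators / Capabilities sections.
RUSTYWATER_SHA256 = "b4c8f9a2e1d3c7b6a5f0e9d8c7b6a5f0e9d8c7b6a5f0e9d8c7b6a5f0e9d8a1b2"
C2_DOMAIN = "softupdater.com"                         # page writes it defanged: softupdater[.]com
C2_NETWORK = ipaddress.ip_network("185.225.19.0/24")  # assumption: "185.225.19.x" read as a /24
UA_MARKER = "//RustyWaterAgent"                       # trailing comment on the User-Agent
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\RustyWater"
TASK_NAME = "RustyWaterUpdate"
MUTEX_NAME = "RustyWater_Mutex_2023"

# key=value pairs; quoted values may contain spaces (needed for User-Agent strings)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line):
    """Turn one key=value telemetry line into a dict (quotes stripped)."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def match_event(event):
    """Return the names of every page-listed indicator this event matches."""
    hits = []
    # refang "[.]" so defanged and live forms of the domain both match
    host = event.get("dst_host", "").lower().replace("[.]", ".")
    if host == C2_DOMAIN or host.endswith("." + C2_DOMAIN):
        hits.append("c2_domain")
    ip = event.get("dst_ip")
    if ip:
        try:
            if ipaddress.ip_address(ip) in C2_NETWORK:
                hits.append("c2_ip_range")
        except ValueError:
            pass  # not an IP literal; ignore rather than crash on odd input
    if event.get("user_agent", "").rstrip().endswith(UA_MARKER):
        hits.append("user_agent_marker")
    if event.get("sha256", "").lower() == RUSTYWATER_SHA256:
        hits.append("file_hash")
    if event.get("reg_key", "").lower() == RUN_KEY.lower():
        hits.append("run_key")
    if event.get("task_name") == TASK_NAME:
        hits.append("scheduled_task")
    if event.get("mutex") == MUTEX_NAME:
        hits.append("mutex")
    return hits


def scan(lines):
    """Return [(line_number, [indicator, ...]), ...] for every line with a hit."""
    findings = []
    for n, line in enumerate(lines, 1):
        hits = match_event(parse_event(line))
        if hits:
            findings.append((n, hits))
    return findings


# Constructed sample telemetry: one benign web request, one C2 beacon, then
# host artifacts (Run key, scheduled task, mutex, file hash) as separate events.
SAMPLE_EVENTS = [
    'type=net dst_ip=93.184.216.34 dst_host=example.com '
    'user_agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 '
    '(KHTML, like Gecko) Chrome/112.0.5615.50 Safari/537.36"',
    'type=net dst_ip=185.225.19.77 dst_host=softupdater.com '
    'user_agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 '
    '(KHTML, like Gecko) Chrome/112.0.5615.50 Safari/537.36 //RustyWaterAgent"',
    r'type=registry reg_key="HKCU\Software\Microsoft\Windows\CurrentVersion\Run\RustyWater"',
    'type=task task_name=RustyWaterUpdate',
    'type=mutex mutex=RustyWater_Mutex_2023',
    'type=file sha256=B4C8F9A2E1D3C7B6A5F0E9D8C7B6A5F0E9D8C7B6A5F0E9D8C7B6A5F0E9D8A1B2',
]

if __name__ == "__main__":
    for line_no, hits in scan(SAMPLE_EVENTS):
        print(f"line {line_no}: {', '.join(hits)}")
```

The benign request shares the same Chrome User-Agent as the beacon and only differs by the trailing `//RustyWaterAgent` comment, which is why the matcher anchors on the suffix rather than on the browser string itself. Hash and registry comparisons are case-insensitive because EDR and SIEM products differ in how they normalize those fields.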
