{
  "description": "Enterprise techniques used by RustyWater, ATT&CK software S9037 (v1.0)",
  "name": "RustyWater (S9037)",
  "domain": "enterprise-attack",
  "versions": {"layer": "4.5", "attack": "19", "navigator": "5.3.2"},
  "techniques": [
    {"techniqueID": "T1087", "showSubtechniques": true},
    {"techniqueID": "T1087.002", "comment": "[RustyWater](https://attack.mitre.org/software/S9037) has gathered the domain membership of the victim machine’s user.(Citation: CloudSEK_RustyWater_Jan2026)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1071", "showSubtechniques": true},
    {"techniqueID": "T1071.001", "comment": "[RustyWater](https://attack.mitre.org/software/S9037) has used the Rust request library for HTTP C2 communication.(Citation: CloudSEK_RustyWater_Jan2026)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1547", "showSubtechniques": true},
    {"techniqueID": "T1547.001", "comment": "[RustyWater](https://attack.mitre.org/software/S9037) has established persistence by adding `C:\\ProgramData\\CertificationKit.ini` to a Windows startup Registry key or to a Run or RunOnce Registry key.(Citation: CloudSEK_RustyWater_Jan2026)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1132", "showSubtechniques": true},
    {"techniqueID": "T1132.001", "comment": "[RustyWater](https://attack.mitre.org/software/S9037) has encoded collected data with Base64.(Citation: CloudSEK_RustyWater_Jan2026)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1622", "comment": "[RustyWater](https://attack.mitre.org/software/S9037) has registered a Vectored Exception Handler (VEH) to catch debugging efforts.(Citation: CloudSEK_RustyWater_Jan2026)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1678", "comment": "[RustyWater](https://attack.mitre.org/software/S9037) has generated random sleep intervals between C2 communication.(Citation: CloudSEK_RustyWater_Jan2026)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1140", "comment": "[RustyWater](https://attack.mitre.org/software/S9037) has used the WriteHexToFile function to transform an embedded hex string to the payload CertificationKit.ini.(Citation: CloudSEK_RustyWater_Jan2026)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1573", "showSubtechniques": true},
    {"techniqueID": "T1573.001", "comment": "[RustyWater](https://attack.mitre.org/software/S9037) has encrypted encoded data with XOR before sending it to the C2 server.(Citation: CloudSEK_RustyWater_Jan2026)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1559", "showSubtechniques": true},
    {"techniqueID": "T1559.001", "comment": "[RustyWater](https://attack.mitre.org/software/S9037) has used a WScript.Shell COM object to execute the CertificationKit.ini file.(Citation: CloudSEK_RustyWater_Jan2026)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1036", "showSubtechniques": true},
    {"techniqueID": "T1036.005", "comment": "[RustyWater](https://attack.mitre.org/software/S9037) has used reddit.exe as its file name and a Cloudflare logo.(Citation: CloudSEK_RustyWater_Jan2026)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1106", "comment": "[RustyWater](https://attack.mitre.org/software/S9037) has used `CreateObject` to instantiate a WScript.Shell Component Object Model (COM) object.(Citation: CloudSEK_RustyWater_Jan2026) Additionally, [RustyWater](https://attack.mitre.org/software/S9037) has used `VirtualAllocEx` and `WriteProcessMemory` to inject shellcode into explorer.exe.(Citation: CloudSEK_RustyWater_Jan2026)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1027", "comment": "[RustyWater](https://attack.mitre.org/software/S9037) has an obfuscated function (i.e. love_me__()) that dynamically reconstructs the string WScript.Shell using hard-coded ASCII values and the Chr() function.(Citation: CloudSEK_RustyWater_Jan2026)", "score": 1, "showSubtechniques": true},
    {"techniqueID": "T1027.013", "comment": "[RustyWater](https://attack.mitre.org/software/S9037) has encrypted all strings in the code using position independent XOR encryption.(Citation: CloudSEK_RustyWater_Jan2026)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1566", "showSubtechniques": true},
    {"techniqueID": "T1566.001", "comment": "[RustyWater](https://attack.mitre.org/software/S9037) has sent spearphishing emails with the attachment Cybersecurity.doc, which served as the primary payload for the next stage.(Citation: CloudSEK_RustyWater_Jan2026)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1055", "showSubtechniques": true},
    {"techniqueID": "T1055.002", "comment": "[RustyWater](https://attack.mitre.org/software/S9037) has injected its shellcode into explorer.exe by allocating memory via `VirtualAllocEx`, then by writing the payload via `WriteProcessMemory`.(Citation: CloudSEK_RustyWater_Jan2026)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1684", "showSubtechniques": true},
    {"techniqueID": "T1684.001", "comment": "[RustyWater](https://attack.mitre.org/software/S9037) has impersonated TMCell (Altyn Asyr CJSC), the primary mobile operator in Turkmenistan, sending phishing emails with the email domain `info@tmcell`.(Citation: CloudSEK_RustyWater_Jan2026)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1518", "showSubtechniques": true},
    {"techniqueID": "T1518.001", "comment": "[RustyWater](https://attack.mitre.org/software/S9037) has attempted to detect more than 25 antivirus and EDR tools.(Citation: CloudSEK_RustyWater_Jan2026)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1082", "comment": "[RustyWater](https://attack.mitre.org/software/S9037) has gathered the victim machine’s computer name.(Citation: CloudSEK_RustyWater_Jan2026)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1033", "comment": "[RustyWater](https://attack.mitre.org/software/S9037) has gathered the victim machine’s username.(Citation: CloudSEK_RustyWater_Jan2026)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1204", "showSubtechniques": true},
    {"techniqueID": "T1204.002", "comment": "[RustyWater](https://attack.mitre.org/software/S9037) has used a Word document with a malicious Visual Basic for Applications (VBA) macro; when enabled, the CertificationKit.ini payload is constructed and executed.(Citation: CloudSEK_RustyWater_Jan2026)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}
  ],
  "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1},
  "legendItems": [{"label": "used by RustyWater", "color": "#66b1ff"}]
}