├── Katsushika-Hokusai-Crab-and-Flowers-resize-border.jpg
└── README.md

/Katsushika-Hokusai-Crab-and-Flowers-resize-border.jpg:
https://raw.githubusercontent.com/decoderloop/rust-malware-gallery/HEAD/Katsushika-Hokusai-Crab-and-Flowers-resize-border.jpg

/README.md:

# 🦀💮 Rust Malware Sample Gallery

![Hokusai's Crab and Flowers Ukiyo-e woodblock print](Katsushika-Hokusai-Crab-and-Flowers-resize-border.jpg)

_[Hokusai - Crab and Flowers](https://harvardartmuseums.org/collections/object/100101)_

## About

The intention of this page is to collect and highlight malware written in the Rust programming language, so that malware reverse engineers have a collection of Rust samples to practice reversing on. Malware written in Rust is rapidly becoming a significant problem, especially with the advent of high-impact ransomware families such as BlackCat. However, the knowledge in the malware reverse engineering community on how to reverse Rust binaries is still very poor.

I have collected at least one publicly available sample for each family. Definitive identification of malware families is hard, and I am not personally familiar with every malware family here, so I have tried to stick to sample hashes that are directly mentioned in the linked writeups. For each sample mentioned, a download link for that sample on either [Malware Bazaar](https://bazaar.abuse.ch) or [MalShare](https://malshare.com/) is provided - neither of these sites requires an account to download samples.

This is not meant to be a comprehensive effort to track the evolution of these malware families, or to collect every writeup about a malware family. I have tried to collect writeups that are technical, or that highlight something new or interesting about the family. The focus is also on malware that has been observed in the wild, so red teaming tools written in Rust won't be listed here, unless they have been seen in the wild by an independent party.

This repository is maintained by Cindy Xiao @ [Decoder Loop](https://decoderloop.com). (Prior to 2025-12-15, this repository was located at `github.com/cxiao/decoderloop`.)

If you would like to contribute or see something that should be changed, please submit a Pull Request on [this GitHub repository](https://github.com/decoderloop/rust-malware-gallery/pulls). Alternatively, you can [Contact](https://decoderloop.com/contact/) me directly.

_Interested in learning how to analyze Rust malware? At Decoder Loop, we offer expert training on reverse engineering Rust binaries. You can find out more about our upcoming trainings at [decoderloop.com](https://decoderloop.com)._

## 01flip

### Writeups

- [2025-12-10 - Palo Alto Networks - 01flip: Multi-Platform Ransomware Written in Rust](https://unit42.paloaltonetworks.com/new-ransomware-01flip-written-in-rust/)

### Samples

| SHA-256 Hash | Download Link |
| --- | --- |
| `e5834b7bdd70ec904470d541713e38fe933e96a4e49f80dbfb25148d9674f957` | [MalwareBazaar](https://bazaar.abuse.ch/sample/e5834b7bdd70ec904470d541713e38fe933e96a4e49f80dbfb25148d9674f957/) |

## Agenda Ransomware

### Aliases

Qilin, AgendaCrypt

### Writeups

- [2022-12-16 - Trend Micro - Agenda Ransomware Uses Rust to Target More Vital Industries](https://www.trendmicro.com/en_us/research/22/l/agenda-ransomware-uses-rust-to-target-more-vital-industries.html)

### Malpedia

- [win.agendacrypt](https://malpedia.caad.fkie.fraunhofer.de/details/win.agendacrypt)

### Samples

| SHA-256 Hash | Download Link |
| --- | --- |
| `e90bdaaf5f9ca900133b699f18e4062562148169b29cb4eb37a0577388c22527` | [MalwareBazaar](https://bazaar.abuse.ch/sample/e90bdaaf5f9ca900133b699f18e4062562148169b29cb4eb37a0577388c22527/) |

## Akira Ransomware (Rust "Akira v2" variant)

### Writeups

- [2024-10-21 - Cisco - Akira ransomware continues to evolve](https://blog.talosintelligence.com/akira-ransomware-continues-to-evolve/)
- [2024-12-03 - Check Point - Inside Akira Ransomware's Rust Experiment](https://research.checkpoint.com/2024/inside-akira-ransomwares-rust-experiment/)

### Malpedia

- [elf.akira](https://malpedia.caad.fkie.fraunhofer.de/details/elf.akira)

### Samples

| SHA-256 Hash | Download Link |
| --- | --- |
| `0ee1d284ed663073872012c7bde7fac5ca1121403f1a5d2d5411317df282796c` | [MalwareBazaar](https://bazaar.abuse.ch/sample/0ee1d284ed663073872012c7bde7fac5ca1121403f1a5d2d5411317df282796c/) |

## Akira Ransomware (Rust "Megazord" variant)

### Writeups

- [2024-10-21 - Cisco - Akira ransomware continues to evolve](https://blog.talosintelligence.com/akira-ransomware-continues-to-evolve/)
- [2024-12-02 - Palo Alto - Threat Assessment: Howling Scorpius (Akira Ransomware)](https://unit42.paloaltonetworks.com/threat-assessment-howling-scorpius-akira-ransomware/)

### Malpedia

### Samples

| SHA-256 Hash | Download Link |
| --- | --- |
| `28cea00267fa30fb63e80a3c3b193bd9cd2a3d46dd9ae6cede5f932ac15c7e2e` | [MalwareBazaar](https://bazaar.abuse.ch/sample/28cea00267fa30fb63e80a3c3b193bd9cd2a3d46dd9ae6cede5f932ac15c7e2e/) |
| `131da83b521f610819141d5c740313ce46578374abb22ef504a7593955a65f07` | [MalwareBazaar](https://bazaar.abuse.ch/sample/131da83b521f610819141d5c740313ce46578374abb22ef504a7593955a65f07/) |

## AsyncRAT (Rust variant)

### Writeups

- [2025-05-26 - G DATA - Reborn in Rust: AsyncRAT](https://www.gdatasoftware.com/blog/2025/05/38207-asyncrat-rust)

### Samples

| SHA-256 Hash | Download Link |
| --- | --- |
| `eb12c198fc1b6ec79ea4b457988db4478ee6bc9aca128aa24a85b76a57add459` | [MalwareBazaar](https://bazaar.abuse.ch/sample/eb12c198fc1b6ec79ea4b457988db4478ee6bc9aca128aa24a85b76a57add459/) |

### Notes

Note that an open-source project called "Async Rust RAT" exists (https://github.com/pathetic/async-rust-rat/); however, its source code does not match the strings and panic metadata inside the sample `eb12c198fc1b6ec79ea4b457988db4478ee6bc9aca128aa24a85b76a57add459` described in the G DATA report.

## Banshee (Rust variant)

### Writeups

- [2025-01-31 - Kandji - Banshee Rust Rewrite?](https://the-sequence.com/banshee-rust-rewrite)

### Samples

| SHA-256 Hash | Download Link |
| --- | --- |
| `dea72cdd7c9dfc49f0a19581086c8e6e99b000dc33f461ece8b9f37c1bd7068d` | [MalwareBazaar](https://bazaar.abuse.ch/sample/dea72cdd7c9dfc49f0a19581086c8e6e99b000dc33f461ece8b9f37c1bd7068d/) |

## BlackCat Ransomware

### Aliases

ALPHV, Noberus

### Writeups

- [2022-01-26 - Varonis - BlackCat Ransomware (ALPHV)](https://www.varonis.com/blog/blackcat-ransomware)

### Malpedia

- [win.blackcat](https://malpedia.caad.fkie.fraunhofer.de/details/win.blackcat)
- [elf.blackcat](https://malpedia.caad.fkie.fraunhofer.de/details/elf.blackcat)

### Samples

| SHA-256 Hash | Download Link |
| --- | --- |
| `3d7cf20ca6476e14e0a026f9bdd8ff1f26995cdc5854c3adb41a6135ef11ba83` | [MalwareBazaar](https://bazaar.abuse.ch/sample/3d7cf20ca6476e14e0a026f9bdd8ff1f26995cdc5854c3adb41a6135ef11ba83/) |

## BlackCat Ransomware (Sphynx)

### Aliases

ALPHV Sphynx

### Writeups

- [2023-05-30 - IBM X-Force - BlackCat (ALPHV) ransomware levels up for stealth, speed and exfiltration](https://securityintelligence.com/x-force/blackcat-ransomware-levels-up-stealth-speed-exfiltration/)

### Malpedia

- [win.blackcat](https://malpedia.caad.fkie.fraunhofer.de/details/win.blackcat)
- [elf.blackcat](https://malpedia.caad.fkie.fraunhofer.de/details/elf.blackcat)

### Samples

| SHA-256 Hash | Download Link |
| --- | --- |
| `c0e70e69d8f7432383fa37528cd42db764b73dd08eb75d72229c2a0d02e538cc` | [MalwareBazaar](https://bazaar.abuse.ch/sample/c0e70e69d8f7432383fa37528cd42db764b73dd08eb75d72229c2a0d02e538cc/) |

## CargoBay

### Writeups

- [2022-11-29 - IBM X-Force - CargoBay BlackHat Backdoor Analysis Report (IRIS-14738)](https://exchange.xforce.ibmcloud.com/malware-analysis/guid:87abff769352d8208e403331c86eb95f) (mostly paywalled)
- 2023-02-17 - BushidoToken - Tweet thread regarding Rust malware tentatively identified as CargoBay [1](https://twitter.com/BushidoToken/status/1626538453989990402) [2](https://twitter.com/BushidoToken/status/1626538456859004928) [3](https://twitter.com/BushidoToken/status/1626538458427670529) [4](https://twitter.com/BushidoToken/status/1626538460243808256) [5](https://twitter.com/BushidoToken/status/1626538461908897793)

### Malpedia

- [win.cargobay](https://malpedia.caad.fkie.fraunhofer.de/details/win.cargobay)

### Samples

| SHA-256 Hash | Download Link |
| --- | --- |
| `a963a8a8e1583081daa43638744eef6c410d1a410c11eb9413da15a26e802de5` | [MalwareBazaar](https://bazaar.abuse.ch/sample/a963a8a8e1583081daa43638744eef6c410d1a410c11eb9413da15a26e802de5/) |

### Notes

It's difficult to definitively identify _CargoBay_ samples, as public information about it is limited. According to the publicly available contents of the 2022-11-29 IBM X-Force report, the source code of _CargoBay_ is based on the source code from the book _Black Hat Rust_: https://github.com/skerkour/black-hat-rust

## ChaosBot

### Writeups

- [2025-10-09 - eSentire - New Rust Malware "ChaosBot" Uses Discord for Command and Control](https://www.esentire.com/blog/new-rust-malware-chaosbot-uses-discord-for-command-and-control)

### Samples

| SHA-256 Hash | Download Link |
| --- | --- |
| `4d5f3690cdff840ceba70c1b1630ceadd0d3dcf23c8e0add0257cba2f166f5e6` | [MalwareBazaar](https://bazaar.abuse.ch/sample/4d5f3690cdff840ceba70c1b1630ceadd0d3dcf23c8e0add0257cba2f166f5e6/) |
| `cdc73afb92617d9e2e0b6f2f22587f5f57316250a25b7bb8477a80628703e7b7` | [MalwareBazaar](https://bazaar.abuse.ch/sample/cdc73afb92617d9e2e0b6f2f22587f5f57316250a25b7bb8477a80628703e7b7/) |

## Cicada3301 Ransomware

### Writeups

- [2024-08-30 - TrueSec - Dissecting the Cicada](https://www.truesec.com/hub/blog/dissecting-the-cicada)
- [2024-09-03 - MorphiSec - Cicada3301 Ransomware (archived version)](https://cyberscoop.com/wp-content/uploads/sites/3/2024/08/20240829-morphisec-cicada3301-ransomware-final__doc.pdf)
- [2024-10-18 - Group-IB - Encrypted Symphony: Infiltrating the Cicada3301 Ransomware-as-a-Service Group](https://www.group-ib.com/blog/cicada3301/)

### Samples

| SHA-256 Hash | Download Link |
| --- | --- |
| `7b3022437b637c44f42741a92c7f7ed251845fd02dda642c0a47fde179bd984e` | [MalwareBazaar](https://bazaar.abuse.ch/sample/7b3022437b637c44f42741a92c7f7ed251845fd02dda642c0a47fde179bd984e/) |
| `56e1d092c07322d9dad7d85d773953573cc3294b9e428b3bbbaf935ca4d2f7e7` | [MalwareBazaar](https://bazaar.abuse.ch/sample/56e1d092c07322d9dad7d85d773953573cc3294b9e428b3bbbaf935ca4d2f7e7/) |

## Convuster

### Writeups

- [2021-03-18 - Kaspersky - Convuster: macOS adware now in Rust](https://securelist.com/convuster-macos-adware-in-rust/101258/)

### Malpedia

- [osx.convuster](https://malpedia.caad.fkie.fraunhofer.de/details/osx.convuster)

### Samples

| SHA-256 Hash | Download Link |
| --- | --- |
| `947ae8f075fd0d1e5be0341b922c0173f0c5cfd771314ebe220207f3ed53466a` | [MalShare](https://malshare.com/sample.php?action=detail&hash=947ae8f075fd0d1e5be0341b922c0173f0c5cfd771314ebe220207f3ed53466a) |

### Notes

This is technically not malware - it is adware.

## CosmicRust

### Writeups

- [2024-01-04 - Greg Lesnewich - 100DaysofYARA - CosmicRust](https://g-les.github.io/yara/2024/01/04/100DaysofYARA-CosmicRust.html)

### Samples

| SHA-256 Hash | Download Link |
| --- | --- |
| `3315e5a4590e430550a4d85d0caf5f521d421a2966b23416fcfc275a5fd2629a` | [MalShare](https://malshare.com/sample.php?action=detail&hash=3315e5a4590e430550a4d85d0caf5f521d421a2966b23416fcfc275a5fd2629a) |

## DeltaStealer

### Writeups

- [2023-05-19 - Trend Micro - Rust-Based Info Stealers Abuse GitHub Codespaces](https://www.trendmicro.com/en_us/research/23/e/rust-based-info-stealers-abuse-github-codespaces.html)

### Malpedia

- [win.deltastealer](https://malpedia.caad.fkie.fraunhofer.de/details/win.deltastealer)

### Samples

| SHA-256 Hash | Download Link |
| --- | --- |
| `c92a7425959121ff49970c53b78e714b9e450e4b214ac85deb878d0bedf82a70` | [MalwareBazaar](https://bazaar.abuse.ch/sample/c92a7425959121ff49970c53b78e714b9e450e4b214ac85deb878d0bedf82a70/) |

## EDDIESTEALER

### Writeups

- [2025-05-29 - Elastic - Chasing Eddies: New Rust-based InfoStealer used in CAPTCHA campaigns](https://www.elastic.co/security-labs/eddiestealer)

### Samples

| SHA-256 Hash | Download Link |
| --- | --- |
| `5330cf6a8f4f297b9726f37f47cffac38070560cbac37a8e561e00c19e995f42` | [MalwareBazaar](https://bazaar.abuse.ch/sample/5330cf6a8f4f297b9726f37f47cffac38070560cbac37a8e561e00c19e995f42/) |

## Embargo Ransomware

### Writeups

- [2024-05-24 - Cyble - The Rust Revolution: New Embargo Ransomware Steps In](https://cyble.com/blog/the-rust-revolution-new-embargo-ransomware-steps-in/)
- [2024-10-23 - ESET - Embargo ransomware: Rock'n'Rust](https://www.welivesecurity.com/en/eset-research/embargo-ransomware-rocknrust/)

### Samples

| SHA-256 Hash | Download Link |
| --- | --- |
| `ebffc9ced2dba66db9aae02c7ccd2759a36c5167df5cd4adb151b20e7eab173c` | [MalwareBazaar](https://bazaar.abuse.ch/sample/ebffc9ced2dba66db9aae02c7ccd2759a36c5167df5cd4adb151b20e7eab173c/) |

## evm-units

### Writeups

- [2025-12-02 - Socket - Malicious Rust Crate evm-units Serves Cross-Platform Payloads for Silent Execution](https://socket.dev/blog/malicious-rust-crate-evm-units-serves-cross-platform-payloads)

### Samples

This is malicious Rust code inside a Rust crate, which is compiled if a Rust developer uses the crate as part of their project, and executed if the Rust developer calls the malicious code. An archived version of the malicious code can be found at the [Socket.dev package archive](https://socket.dev/cargo/package/evm-units/files/1.3.0/evm-units-1.3.0/src/lib.rs#L210).

## ExeWho2

### Writeups

- [2023-12-04 - Alex Perotti - ExeWho2 - A Tool from the Wild](https://cyb3rkitties.github.io/posts/exewho2-download-execution-payload-red-teaming/)

### Samples

| SHA-256 Hash | Download Link |
| --- | --- |
| `a36967a40dcff74c04b5dd80f1aa685925912df8ff6cb63c14059439e08d5f8d` | [MalwareBazaar](https://bazaar.abuse.ch/sample/a36967a40dcff74c04b5dd80f1aa685925912df8ff6cb63c14059439e08d5f8d/) |

### Notes

Source code was found with the _ExeWho2_ binary; it is available at https://github.com/cyb3rkitties/exewho2

## FickerStealer

### Writeups

- [2020-10-27 - 3xp0rtblog - Tweet on FickerStealer](https://twitter.com/3xp0rtblog/status/1321209656774135810)
- [2021-07-19 - CyberArk - FickerStealer: A New Rust Player in the Market](https://www.cyberark.com/resources/threat-research-blog/fickerstealer-a-new-rust-player-in-the-market)

### Malpedia

- [win.fickerstealer](https://malpedia.caad.fkie.fraunhofer.de/details/win.fickerstealer)

### Samples

| SHA-256 Hash | Download Link |
| --- | --- |
| `dc021a0ca0bb3f66d54d15d2b236422c0b90399ea762c7d7aa6d727b9bd5b46c` | [MalwareBazaar](https://bazaar.abuse.ch/sample/dc021a0ca0bb3f66d54d15d2b236422c0b90399ea762c7d7aa6d727b9bd5b46c/) |

See also all samples tagged with the [`FickerStealer` signature on Malware Bazaar](https://bazaar.abuse.ch/browse/signature/FickerStealer/).

## Fickle Stealer

### Writeups

- [2024-06-19 - Fortinet - Fickle Stealer Distributed via Multiple Attack Chain](https://www.fortinet.com/blog/threat-research/fickle-stealer-distributed-via-multiple-attack-chain)

### Samples

| SHA-256 Hash | Download Link |
| --- | --- |
| `e9bc44cf548a70e7285499209973faf44b7374dece1413dfcdc03bf25a6c599c` | [MalwareBazaar](https://bazaar.abuse.ch/sample/e9bc44cf548a70e7285499209973faf44b7374dece1413dfcdc03bf25a6c599c/) |

## Freeze.rs

### Writeups

- [2023-08-09 - Fortinet - Attackers Distribute Malware via Freeze.rs And SYK Crypter](https://www.fortinet.com/blog/threat-research/malware-distributed-via-freezers-and-syk-crypter)
- [2023-09-07 - Gi7w0rm - Uncovering DDGroup — A long-time threat actor](https://gi7w0rm.medium.com/uncovering-ddgroup-a-long-time-threat-actor-d3b3020625a4)

### Samples

| SHA-256 Hash | Download Link |
| --- | --- |
| `afd38445e5249ac5ac66addd18c20d271f41c3ffb056ca49c8c02f9fecb4afcb` | [MalShare](https://malshare.com/sample.php?action=detail&hash=afd38445e5249ac5ac66addd18c20d271f41c3ffb056ca49c8c02f9fecb4afcb) |

### Notes

Source code (for the tool that generates the actual payloads) available at https://github.com/optiv/Freeze.rs

## Rust-based payload delivered by GlassWorm

### Writeups

- [2025-11-29 - Nextron Systems - Analysis of the Rust implants found in the malicious VS Code extension](https://www.nextron-systems.com/2025/11/29/analysis-of-the-rust-implants-found-in-the-malicious-vs-code-extension/)
- [2025-12-10 - Koi - GlassWorm Goes Native: Same Infrastructure, Hardened Delivery](https://www.koi.ai/blog/glassworm-goes-native-same-infrastructure-hardened-delivery)

### Samples

| SHA-256 Hash | Download Link |
| --- | --- |
| `6ebeb188f3cc3b647c4460c0b8e41b75d057747c662f4cd7912d77deaccfd2f2` | [MalwareBazaar](https://bazaar.abuse.ch/sample/6ebeb188f3cc3b647c4460c0b8e41b75d057747c662f4cd7912d77deaccfd2f2/) |
| `fb07743d139f72fca4616b01308f1f705f02fda72988027bc68e9316655eadda` | [MalwareBazaar](https://bazaar.abuse.ch/sample/fb07743d139f72fca4616b01308f1f705f02fda72988027bc68e9316655eadda/) |

## Hive Ransomware (Rust variant)

### Writeups

- [2022-07-05 - Microsoft - Hive ransomware gets upgrades in Rust](https://www.microsoft.com/en-us/security/blog/2022/07/05/hive-ransomware-gets-upgrades-in-rust/)

### Malpedia

- [win.hive](https://malpedia.caad.fkie.fraunhofer.de/details/win.hive)

### Samples

| SHA-256 Hash | Download Link |
| --- | --- |
| `f4a39820dbff47fa1b68f83f575bc98ed33858b02341c5c0464a49be4e6c76d3` | [MalwareBazaar](https://bazaar.abuse.ch/sample/f4a39820dbff47fa1b68f83f575bc98ed33858b02341c5c0464a49be4e6c76d3/) |

## Hunters International Ransomware

### Writeups

- [2023-11-09 - Bitdefender - Hive Ransomware's Offspring: Hunters International Takes the Stage](https://www.bitdefender.com.au/blog/businessinsights/hive-ransomwares-offspring-hunters-international-takes-the-stage/)

### Samples

| SHA-256 Hash | Download Link |
| --- | --- |
| `c4d39db132b92514085fe269db90511484b7abe4620286f6b0a30aa475f64c3e` | [MalwareBazaar](https://bazaar.abuse.ch/sample/c4d39db132b92514085fe269db90511484b7abe4620286f6b0a30aa475f64c3e/) |

## JLORAT

### Writeups

- [2023-04-34 - Kaspersky - Tomiris called, they want their Turla malware back > Tomiris's polyglot toolset > JLORAT](https://securelist.com/tomiris-called-they-want-their-turla-malware-back/109552/#jlorat)

### Malpedia

- [win.jlorat](https://malpedia.caad.fkie.fraunhofer.de/details/win.jlorat)

### Samples

| SHA-256 Hash | Download Link |
| --- | --- |
| `69bb729ff354cd9651f99a05f74f3ea20d483dc8e6e5838e4dd48858fd500d29` | [MalwareBazaar](https://bazaar.abuse.ch/sample/69bb729ff354cd9651f99a05f74f3ea20d483dc8e6e5838e4dd48858fd500d29/) |

## KrustyLoader

### Writeups

- [2024-01-29 - Synacktiv - KrustyLoader - Rust malware linked to Ivanti ConnectSecure compromises](https://www.synacktiv.com/publications/krustyloader-rust-malware-linked-to-ivanti-connectsecure-compromises)
- [2024-02-10 - N0fix - KrustyLoader - About stripped Rust symbol recovery (archived version)](https://archive.is/YXkYt)
- [2024-08-03 - N0fix - KrustyLoader - Leveraging rust compilation artifacts to obtain reliable compilation timestamps and pivoting (archived version)](https://archive.is/6WGRv)
- [2025-05-13 - EclecticIQ - China-Nexus Nation State Actors Exploit SAP NetWeaver (CVE-2025-31324) to Target Critical Infrastructures](https://blog.eclecticiq.com/china-nexus-nation-state-actors-exploit-sap-netweaver-cve-2025-31324-to-target-critical-infrastructures)

### Malpedia

- [elf.krustyloader](https://malpedia.caad.fkie.fraunhofer.de/details/elf.krustyloader)

### Samples

| SHA-256 Hash | Download Link |
| --- | --- |
| `030eb56e155fb01d7b190866aaa8b3128f935afd0b7a7b2178dc8e2eb84228b0` | [MalwareBazaar](https://bazaar.abuse.ch/sample/030eb56e155fb01d7b190866aaa8b3128f935afd0b7a7b2178dc8e2eb84228b0/) |
| `47ff0ae9220a09bfad2a2fb1e2fa2c8ffe5e9cb0466646e2a940ac2e0cf55d04` | [MalwareBazaar](https://bazaar.abuse.ch/sample/47ff0ae9220a09bfad2a2fb1e2fa2c8ffe5e9cb0466646e2a940ac2e0cf55d04/) |

## Luca Stealer

### Writeups

- [2022-08-18 - BlackBerry - Luca Stealer Targets Password Managers and Cryptocurrency Wallets](https://blogs.blackberry.com/en/2022/08/luca-stealer-targets-password-managers-and-cryptocurrency-wallets)
- [Binary Defense - Digging through Rust to find Gold: Extracting Secrets from Rust Malware](https://www.binarydefense.com/resources/blog/digging-through-rust-to-find-gold-extracting-secrets-from-rust-malware/)

### Malpedia

- [win.lucastealer](https://malpedia.caad.fkie.fraunhofer.de/details/win.luca_stealer)

### Samples

| SHA-256 Hash | Download Link |
| --- | --- |
| `99331a27afa84009e140880a8739d96f97baa1676d67ba7a3278fe61bfb79022` | [MalShare](https://malshare.com/sample.php?action=detail&hash=99331a27afa84009e140880a8739d96f97baa1676d67ba7a3278fe61bfb79022) |

### Notes

Source code available at https://web.archive.org/web/20220725203750/https://github.com/luca364/rust-stealer/archive/refs/heads/master.zip

## Luna Ransomware

### Writeups

- [2022-08-30 - Elastic - LUNA Ransomware Attack Pattern Analysis](https://www.elastic.co/security-labs/luna-ransomware-attack-pattern)
- [2023-01-13 - Nikhil "Kaido" Hegde - Getting Rusty and Stringy with Luna Ransomware](https://nikhilh-20.github.io/blog/luna_ransomware/)

### Malpedia

- [elf.luna](https://malpedia.caad.fkie.fraunhofer.de/details/elf.luna)

### Samples

| SHA-256 Hash | Download Link |
| --- | --- |
| `1cbbf108f44c8f4babde546d26425ca5340dccf878d306b90eb0fbec2f83ab51` | [MalShare](https://malshare.com/sample.php?action=detail&hash=1cbbf108f44c8f4babde546d26425ca5340dccf878d306b90eb0fbec2f83ab51) |

## Myth Stealer

### Writeups

- [2025-06-05 - Trellix - Demystifying Myth Stealer: A Rust Based InfoStealer](https://www.trellix.com/blogs/research/demystifying-myth-stealer-a-rust-based-infostealer/)
- [2025-08-17 - cxiao.net - Reversing a (not-so-) Simple Rust Loader](https://cxiao.net/posts/2025-08-17-not-so-simple-rust-loader/)

### Samples

| SHA-256 Hash | Download Link |
| --- | --- |
| `55a418f8562684607ee0acd745595e297ab7e586d0a5d3f8328643b29c72dfa2` | [MalwareBazaar](https://bazaar.abuse.ch/sample/55a418f8562684607ee0acd745595e297ab7e586d0a5d3f8328643b29c72dfa2/) |
| `2f2b93d37d67b80b4faaf25bebe4e3cbaf7aca35328aeb66da6a1a9b44316f5b` | [MalwareBazaar](https://bazaar.abuse.ch/sample/2f2b93d37d67b80b4faaf25bebe4e3cbaf7aca35328aeb66da6a1a9b44316f5b/) |
| `66054607f38481ee7e39e002b58fe950966c4c0203df39f46acfe5c0e857c89a` | [MalwareBazaar](https://bazaar.abuse.ch/sample/66054607f38481ee7e39e002b58fe950966c4c0203df39f46acfe5c0e857c89a/) |

## Nokoyawa Ransomware (Rust variant)

### Writeups

- [2022-12-20 - Zscaler - Nokoyawa Ransomware: Rust or Bust](https://www.zscaler.com/blogs/security-research/nokoyawa-ransomware-rust-or-bust)

### Malpedia

- [win.nokoyawa](https://malpedia.caad.fkie.fraunhofer.de/details/win.nokoyawa)

### Samples

| SHA-256 Hash | Download Link |
| --- | --- |
| `7095beafff5837070a89407c1bf3c6acf8221ed786e0697f6c578d4c3de0efd6` | [MalwareBazaar](https://bazaar.abuse.ch/sample/7095beafff5837070a89407c1bf3c6acf8221ed786e0697f6c578d4c3de0efd6/) |

## P2PInfect

### Writeups

- [2023-07-19 - Palo Alto Networks - P2PInfect: The Rusty Peer-to-Peer Self-Replicating Worm](https://unit42.paloaltonetworks.com/peer-to-peer-worm-p2pinfect/)
- [2023-07-31 - Cado Security - Cado Security Labs Encounter Novel Malware, Redis P2Pinfect (archived version)](https://web.archive.org/web/20250527051235/https://www.cadosecurity.com/blog/redis-p2pinfect)
- [2023-09-20 - Cado Security - Cado Security Labs Researchers Witness a 600X Increase in P2Pinfect Traffic (archived version)](https://web.archive.org/web/20250812081523/https://www.cadosecurity.com/blog/cado-security-labs-researchers-witness-a-600x-increase-in-p2pinfect-traffic)
- [2023-12-04 - Cado Security - P2Pinfect - New Variant Targets MIPS Devices (archived version)](https://web.archive.org/web/20250702212318/https://www.cadosecurity.com/blog/p2pinfect-new-variant-targets-mips-devices)
- [2024-01-16 - Nozomi Networks - P2PInfect Worm Evolves to Target a New Platform](https://www.nozominetworks.com/blog/p2pinfect-worm-evolves-to-target-a-new-platform)
- [2024-06-25 - Cado Security - From Dormant to Dangerous: P2Pinfect Evolves to Deploy New Ransomware and Cryptominer (archived version)](https://web.archive.org/web/20250812064127/https://www.cadosecurity.com/blog/from-dormant-to-dangerous-p2pinfect-evolves-to-deploy-new-ransomware-and-cryptominer)

### Malpedia

- [elf.p2pinfect](https://malpedia.caad.fkie.fraunhofer.de/details/elf.p2pinfect)

### Samples

| SHA-256 Hash | Download Link |
| --- | --- |
| `3a43116d507d58f3c9717f2cb0a3d06d0c5a7dc29f601e9c2b976ee6d9c8713f` | [MalwareBazaar](https://bazaar.abuse.ch/sample/3a43116d507d58f3c9717f2cb0a3d06d0c5a7dc29f601e9c2b976ee6d9c8713f/) |

### Notes

This sample (`3a43116d507d58f3c9717f2cb0a3d06d0c5a7dc29f601e9c2b976ee6d9c8713f`) isn't one of the hashes mentioned in the linked reports; however, due to the nature of this malware, there are a lot of unique samples out there, and I was able to find this one after some hunting.

## RALord Ransomware

### Writeups

- [2025-04 - ISH Tecnologia - RALord: Novo grupo de Ransomware-as-a-Service](https://ish.com.br/wp-content/uploads/2025/04/RALord-Novo-grupo-de-Ransomware-as-a-Service-1.pdf)

### Samples

| SHA-256 Hash | Download Link |
| --- | --- |
| `456b9adaabae9f3dce2207aa71410987f0a571cd8c11f2e7b41468501a863606` | [MalwareBazaar](https://bazaar.abuse.ch/sample/456b9adaabae9f3dce2207aa71410987f0a571cd8c11f2e7b41468501a863606/) |

## RansomExx2

### Aliases

Defray, Defray777

### Writeups

- [2022-11-22 - IBM X-Force - RansomExx upgrades to rust](https://securityintelligence.com/x-force/ransomexx-upgrades-rust/)

### Malpedia

- [elf.ransomexx](https://malpedia.caad.fkie.fraunhofer.de/details/elf.ransomexx)

### Samples

| SHA-256 Hash | Download Link |
| --- | --- |
| `a7ea1e33c548182b8e56e32b547afb4b384ebe257ca0672dbf72569a54408c5c` | [MalShare](https://malshare.com/sample.php?action=detail&hash=a7ea1e33c548182b8e56e32b547afb4b384ebe257ca0672dbf72569a54408c5c) |

## Realst Stealer

### Writeups

- [2023-07-06 - Iamdeadlyz - Fake Blockchain Games Deliver RedLine Stealer & Realst Stealer - A New macOS Infostealer Malware](https://iamdeadlyz.gitbook.io/malware-research/july-2023/fake-blockchain-games-deliver-redline-stealer-and-realst-stealer-a-new-macos-infostealer-malware#realst-stealer-macos)

### Samples

| SHA-256 Hash | Download Link |
| --- | --- |
| `2af0e212ad70eaf8b96a645045ef2764700b5adf7b1187ae3d82240f96f613e2` | [MalwareBazaar](https://bazaar.abuse.ch/sample/2af0e212ad70eaf8b96a645045ef2764700b5adf7b1187ae3d82240f96f613e2/) |

See also all samples tagged with the [`RealstStealer` tag on Malware Bazaar](https://bazaar.abuse.ch/browse/tag/RealstStealer/).

## Rust-based loader for Rilide

### Aliases

BRAINSTORM

### Writeups

- [2023-04-04 - Trustwave - Rilide: A New Malicious Browser Extension for Stealing Cryptocurrencies](https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/rilide-a-new-malicious-browser-extension-for-stealing-cryptocurrencies/)
- [2023-05-01 - Mandiant - A LNK Between Browsers: Hunting Methodologies and Extension Abusing Actors](https://www.mandiant.com/resources/blog/lnk-between-browsers)

### Samples

| SHA-256 Hash | Download Link |
| --- | --- |
| `0f11aeecbde1f355d26c9d406dad80cb0ae8536aea31fdddaf915d4afd434f3f` | [MalwareBazaar](https://bazaar.abuse.ch/sample/0f11aeecbde1f355d26c9d406dad80cb0ae8536aea31fdddaf915d4afd434f3f/) |

## Rust-based stealer used in RusticWeb campaign

### Writeups

- [2023-12-21 - Seqrite - Operation RusticWeb targets Indian Govt: From Rust-based malware to Web-service exfiltration](https://www.seqrite.com/blog/operation-rusticweb-targets-indian-govt-from-rust-based-malware-to-web-service-exfiltration/)

### Malpedia

- [win.unidentified_112](https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_112)

### Samples

| SHA-256 Hash | Download Link |
| --- | --- |
| `db91e23d9715464511057f2e15c9adc97d3f27fcfa308f05ac7e2de7275fdd32` | [MalShare](https://malshare.com/sample.php?action=detail&hash=db91e23d9715464511057f2e15c9adc97d3f27fcfa308f05ac7e2de7275fdd32) |

## RustBucket

### Writeups

- [2023-04-21 - Jamf - BlueNoroff APT group targets macOS with ‘RustBucket’ Malware](https://www.jamf.com/blog/bluenoroff-apt-targets-macos-rustbucket-malware/)
- [2023-07-13 - Elastic - The DPRK strikes using a new variant of RUSTBUCKET](https://www.elastic.co/security-labs/DPRK-strikes-using-a-new-variant-of-rustbucket)

### Malpedia

- [osx.rustbucket](https://malpedia.caad.fkie.fraunhofer.de/details/osx.rustbucket)
- [win.rustbucket](https://malpedia.caad.fkie.fraunhofer.de/details/win.rustbucket)

### Samples

| SHA-256 Hash | Download Link |
| --- | --- |
| `9ca914b1cfa8c0ba021b9e00bda71f36cad132f27cf16bda6d937badee66c747` | [MalShare](https://malshare.com/sample.php?action=detail&hash=9ca914b1cfa8c0ba021b9e00bda71f36cad132f27cf16bda6d937badee66c747) |
| `de81e5246978775a45f3dbda43e2716aaa1b1c4399fe7d44f918fccecc4dd500` | [MalwareBazaar](https://bazaar.abuse.ch/sample/de81e5246978775a45f3dbda43e2716aaa1b1c4399fe7d44f918fccecc4dd500/) |

## RustDoor

### Aliases

Thiefbucket

### Writeups

- [2024-02-08 - Bitdefender - New macOS Backdoor Written in Rust Shows Possible Link with Windows Ransomware Group](https://www.bitdefender.com/en-us/blog/labs/new-macos-backdoor-written-in-rust-shows-possible-link-with-windows-ransomware-group)
- [2024-02-19 - S2W - RustDoor and GateDoor: A New Pair of Weapons Disguised as Legitimate Software by Suspected Cybercriminal](https://medium.com/s2wblog/rustdoor-and-gatedoor-a-new-pair-of-weapons-disguised-as-legitimate-software-by-suspected-34c94e558b40)
- [2024-09-16 - Jamf - Jamf Threat Labs observes targeted attacks amid FBI Warnings](https://www.jamf.com/blog/jamf-threat-labs-observes-targeted-attacks-amid-fbi-warnings/)
- [2025-02-26 - Palo Alto Networks - RustDoor and Koi Stealer for macOS Used by North Korea-Linked Threat Actor to Target the Cryptocurrency Sector](https://unit42.paloaltonetworks.com/macos-malware-targets-crypto-sector/)

### Samples

| SHA-256 Hash | Download Link |
| --- | --- |
| `a900ec81363358ef26bcdf7827f6091af44c3f1001bc8f52b766c9569b56faa5` | [MalwareBazaar](https://bazaar.abuse.ch/sample/a900ec81363358ef26bcdf7827f6091af44c3f1001bc8f52b766c9569b56faa5/) |
| `4a59e2fe11ed9136d96a985448b34957ee5861adc9c1a52de4ad65880875dfdb` | [MalwareBazaar](https://bazaar.abuse.ch/sample/4a59e2fe11ed9136d96a985448b34957ee5861adc9c1a52de4ad65880875dfdb/) |
| `238b546e2a1afc230f88b98dce1be6bf442b0b807e364106c0b28fe18db2ce66` | [MalwareBazaar](https://bazaar.abuse.ch/sample/238b546e2a1afc230f88b98dce1be6bf442b0b807e364106c0b28fe18db2ce66/) |

## Rustic Crypter

### Writeups

- [2022-05-19 - IBM X-Force - ITG23 crypters highlight cooperation between cyber criminal groups](https://securityintelligence.com/posts/itg23-crypters-cooperation-between-cybercriminal-groups/)

### Samples

| SHA-256 Hash | Download Link |
| --- | --- |
| `45aa8efb6b1a9a0e0091040bb99a7c37d346aaf306fa4e31e9d5d9f0fef56676` | [MalwareBazaar](https://bazaar.abuse.ch/sample/45aa8efb6b1a9a0e0091040bb99a7c37d346aaf306fa4e31e9d5d9f0fef56676/) |

## RustoBot

### Writeups

- [2025-04-21 - Fortinet - New Rust Botnet "RustoBot" is Routed via Routers](https://www.fortinet.com/blog/threat-research/new-rust-botnet-rustobot-is-routed-via-routers)

### Samples

| SHA-256 Hash | Download Link |
| --- | --- |
| `114b460012412411363c9a3ab0246e48a584ce86fc6c0b7855495ec531dd05a1` | [MalwareBazaar](https://bazaar.abuse.ch/sample/114b460012412411363c9a3ab0246e48a584ce86fc6c0b7855495ec531dd05a1/) |
| `1697fd5230f7f09a7b43fee1a1693013ed98beeb7a182cd3f0393d93dd1b7576` | [MalwareBazaar](https://bazaar.abuse.ch/sample/1697fd5230f7f09a7b43fee1a1693013ed98beeb7a182cd3f0393d93dd1b7576/) |
| `44a526f20c592fd95b4f7d61974c6f87701e33776b68a5d0b44ccd2fa3f48c5d` | [MalwareBazaar](https://bazaar.abuse.ch/sample/44a526f20c592fd95b4f7d61974c6f87701e33776b68a5d0b44ccd2fa3f48c5d/) |
|
`5dc90cbb0f69f283ccf52a2a79b3dfe94ee8b3474cf6474cfcbe9f66f245a55d` | [MalwareBazaar](https://bazaar.abuse.ch/sample/5dc90cbb0f69f283ccf52a2a79b3dfe94ee8b3474cf6474cfcbe9f66f245a55d/) | 695 | | `9a9b5bdeb1f23736ceffba623c8950d627a791a0b40c4d44ae2f80e02a43955d` | [MalwareBazaar](https://bazaar.abuse.ch/sample/9a9b5bdeb1f23736ceffba623c8950d627a791a0b40c4d44ae2f80e02a43955d/) | 696 | | `9e660ce74e1bdb0a75293758200b03efd5f807e7896665addb684e0ffb53afd2` | [MalwareBazaar](https://bazaar.abuse.ch/sample/9e660ce74e1bdb0a75293758200b03efd5f807e7896665addb684e0ffb53afd2/) | 697 | | `9f098920613bd0390d6485936256a67ae310b633124cfbf503936904e69a81bf` | [MalwareBazaar](https://bazaar.abuse.ch/sample/9f098920613bd0390d6485936256a67ae310b633124cfbf503936904e69a81bf/) | 698 | | `b68e2d852ad157fc01da34e11aa24a5ab30845b706d7827b8119a3e648ce2cf1` | [MalwareBazaar](https://bazaar.abuse.ch/sample/b68e2d852ad157fc01da34e11aa24a5ab30845b706d7827b8119a3e648ce2cf1/) | 699 | | `b910e77ee686d7d6769fab8cb8f9b17a4609c4e164bb4ed80d9717d9ddad364f` | [MalwareBazaar](https://bazaar.abuse.ch/sample/b910e77ee686d7d6769fab8cb8f9b17a4609c4e164bb4ed80d9717d9ddad364f/) | 700 | | `c0abb19b3a72bd2785e8b567e82300423da672a463eefdeda6dd60872ff0e072` | [MalwareBazaar](https://bazaar.abuse.ch/sample/c0abb19b3a72bd2785e8b567e82300423da672a463eefdeda6dd60872ff0e072/) | 701 | | `e547306d6dee4b5b2b6ce3e989b9713a5c21ebe3fefa0f5c1a1ea37cec37e20f` | [MalwareBazaar](https://bazaar.abuse.ch/sample/e547306d6dee4b5b2b6ce3e989b9713a5c21ebe3fefa0f5c1a1ea37cec37e20f/) | 702 | | `ec9e77f1185f644462305184cf8afcf5d12c7eb524a2d3f4090a658a198c20ce` | [MalwareBazaar](https://bazaar.abuse.ch/sample/ec9e77f1185f644462305184cf8afcf5d12c7eb524a2d3f4090a658a198c20ce/) | 703 | | `efb0153047b08aa1876e1e4e97a082f6cb05af75479e1e9069b77d98473a11f4` | [MalwareBazaar](https://bazaar.abuse.ch/sample/efb0153047b08aa1876e1e4e97a082f6cb05af75479e1e9069b77d98473a11f4/) | 704 | 705 | 706 | ## Rustonotto 707 | 708 | ### Aliases 709 | 710 | 
CHILLYCHINO 711 | 712 | ### Writeups 713 | 714 | - [2025-08-07 - S2W - ScarCruft's New Language: Whispering in PubNub, Crafting Backdoor in Rust, Striking with Ransomware](https://github.com/S2W-TALON/Threat-Intelligence-Report/blob/df953af93d3634885bbfc5a0a2f2e1b2aeef58c1/250807_ScarCruft's%20New%20Language%3A%20Whispering%20in%20PubNub%2C%20Crafting%20Backdoor%20in%20Rust%2C%20Striking%20with%20Ransomware/%5BS2W%5D%20ScarCruft%E2%80%99s%20New%20Language_%20Whispering%20in%20PubNub%2C%20Crafting%20Backdoor%20in%20Rust%2C%20Striking%20with%20Ransomware.pdf) 715 | - [2025-09-08 - Zscaler - APT37 Targets Windows with Rust Backdoor and Python Loader](https://www.zscaler.com/blogs/security-research/apt37-targets-windows-rust-backdoor-and-python-loader) 716 | 717 | ### Malpedia 718 | 719 | - [win.rustonotto](https://malpedia.caad.fkie.fraunhofer.de/details/win.rustonotto) 720 | 721 | ### Samples 722 | 723 | | SHA-256 Hash | Download Link | 724 | | ------------------------------------------------------------------ | ----------------------------------------------------------------------------------------------------------------- | 725 | | `67ad959e8af25a48928c28ca9a38a6f2a61ea4935fe60dfed79061214e840b15` | [MalwareBazaar](https://bazaar.abuse.ch/sample/67ad959e8af25a48928c28ca9a38a6f2a61ea4935fe60dfed79061214e840b15/) | 726 | | `738a31e7a0d96fe1b0ad6778db39425160835a80ac33ce8a84f26b71c00c26b9` | [MalwareBazaar](https://bazaar.abuse.ch/sample/738a31e7a0d96fe1b0ad6778db39425160835a80ac33ce8a84f26b71c00c26b9/) | 727 | 728 | 729 | ## RustyAttr 730 | 731 | ### Writeups 732 | 733 | - [2024-11-13 - Group-IB - Stealthy Attributes of Lazarus APT Group: Evading Detection with Extended Attributes](https://www.group-ib.com/blog/stealthy-attributes-of-apt-lazarus/) 734 | 735 | 736 | ### Samples 737 | 738 | | SHA-256 Hash | Download Link | Notes | 739 | | --- | --- | --- | 740 | | `9111d458d5665b1bf463859792e950fe8d8186df9a6a3241360dc11f34d018c2` | 
[MalwareBazaar](https://bazaar.abuse.ch/sample/9111d458d5665b1bf463859792e950fe8d8186df9a6a3241360dc11f34d018c2) | Gzip'd CPIO archive containing files and extended attributes required for payload delivery | 741 | | `176e8a5a7b6737f8d3464c18a77deef778ec2b9b42b7e7eafc888aeaf2758c2d` | [MalwareBazaar](https://bazaar.abuse.ch/sample/176e8a5a7b6737f8d3464c18a77deef778ec2b9b42b7e7eafc888aeaf2758c2d) | Rust payload, but without the required extended attribute | 742 | 743 | 744 | ## RustyBuer 745 | 746 | ### Writeups 747 | 748 | - [2021-05-03 - Proofpoint - New Variant of Buer Loader Written in Rust](https://www.proofpoint.com/us/blog/threat-insight/new-variant-buer-loader-written-rust) 749 | 750 | ### Malpedia 751 | 752 | - [win.buer](https://malpedia.caad.fkie.fraunhofer.de/details/win.buer) 753 | 754 | ### Samples 755 | 756 | | SHA-256 Hash | Download Link | 757 | | --- | --- | 758 | | `3abed86f46c8be754239f8c878f035efaae91c33b8eb8818c5bbed98c4d9a3ac` | [MalwareBazaar](https://bazaar.abuse.ch/sample/3abed86f46c8be754239f8c878f035efaae91c33b8eb8818c5bbed98c4d9a3ac/) | 759 | 760 | 761 | ## RustyClaw 762 | 763 | ### Writeups 764 | 765 | - [2024-10-17 - Cisco - UAT-5647 targets Ukrainian and Polish entities with RomCom malware variants](https://blog.talosintelligence.com/uat-5647-romcom/) 766 | - [2025-06-30 - Proofpoint - 10 Things I Hate About Attribution: RomCom vs. 
TransferLoader](https://www.proofpoint.com/us/blog/threat-insight/10-things-i-hate-about-attribution-romcom-vs-transferloader) 767 | 768 | ### Malpedia 769 | 770 | - [win.rusty_claw](https://malpedia.caad.fkie.fraunhofer.de/details/win.rusty_claw) 771 | 772 | ### Samples 773 | 774 | | SHA-256 Hash | Download Link | 775 | | --- | --- | 776 | | `10e1d453d4f9ca05ff6af3dcd7766a17ca1470ee89ba90feee5d52f8d2b18a4c` | [MalwareBazaar](https://bazaar.abuse.ch/sample/10e1d453d4f9ca05ff6af3dcd7766a17ca1470ee89ba90feee5d52f8d2b18a4c/) | 777 | | `7602e2c1ae27e1b36ee4aed357e505f14496f63db29fb4fcdd0d8a9db067a5c4` | [MalwareBazaar](https://bazaar.abuse.ch/sample/7602e2c1ae27e1b36ee4aed357e505f14496f63db29fb4fcdd0d8a9db067a5c4/) | 778 | | `b1fe8fbbb0b6de0f1dcd4146d674a71c511488a9eb4538689294bd782df040df` | [MalwareBazaar](https://bazaar.abuse.ch/sample/b1fe8fbbb0b6de0f1dcd4146d674a71c511488a9eb4538689294bd782df040df/) | 779 | 780 | 781 | ## RustyFlag 782 | 783 | ### Writeups 784 | 785 | - [2023-09-14 - Deep Instinct - Operation Rusty Flag – A Malicious Campaign Against Azerbaijanian Targets](https://www.deepinstinct.com/blog/operation-rusty-flag-a-malicious-campaign-against-azerbaijanian-targets) 786 | 787 | ### Malpedia 788 | 789 | - [win.unidentified_110](https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_110) 790 | 791 | ### Samples 792 | 793 | | SHA-256 Hash | Download Link | 794 | | --- | --- | 795 | | `5327308fee51fc6bb95996c4185c4cfcbac580b747d79363c7cf66505f3ff6db` | [MalwareBazaar](https://bazaar.abuse.ch/sample/5327308fee51fc6bb95996c4185c4cfcbac580b747d79363c7cf66505f3ff6db/) | 796 | 797 | 798 | ## RustyPages 799 | 800 | ### Writeups 801 | 802 | - [2025-08-19 - Kandji - Threat Detected: RustyPages Malware - Part I](https://the-sequence.com/rustypages-malware-part-i) 803 | 804 | ### Samples 805 | 806 | | SHA-256 Hash | Download Link | 807 | | --- | --- | 808 | | `e98756472404aeef70ba4d403339962989d9ed733fa0f6a23bdf4c2900d7e877` | 
[MalwareBazaar](https://bazaar.abuse.ch/sample/e98756472404aeef70ba4d403339962989d9ed733fa0f6a23bdf4c2900d7e877/) | 809 | | `7ab47b7b14f4d6848b9f4d410d1315ccc68e9a6714d94a2e870b6ba77d28e828` | [MalwareBazaar](https://bazaar.abuse.ch/sample/7ab47b7b14f4d6848b9f4d410d1315ccc68e9a6714d94a2e870b6ba77d28e828/) | 810 | | `5cee6368c6a9922a81a03831979947db8e5365986b4ad725c552ab6018a083b3` | [MalwareBazaar](https://bazaar.abuse.ch/sample/5cee6368c6a9922a81a03831979947db8e5365986b4ad725c552ab6018a083b3/) | 811 | | `d2c48f4fa4b0285889ef6c7667e12a1c0eda1393632ef2eac67b32777bf096f7` | [MalwareBazaar](https://bazaar.abuse.ch/sample/d2c48f4fa4b0285889ef6c7667e12a1c0eda1393632ef2eac67b32777bf096f7/) | 812 | | `f4c41111960771e0d7558ec2453b76ba9c422fcb9408e09a8de1fd611c272846` | [MalwareBazaar](https://bazaar.abuse.ch/sample/f4c41111960771e0d7558ec2453b76ba9c422fcb9408e09a8de1fd611c272846/) | 813 | 814 | 815 | ## SnowFlake Stealer 816 | 817 | ### Writeups 818 | 819 | - [2022-02-14 - Finch4 - SnowFlake Stealer Analysis](https://github.com/Finch4/Malware-Analysis-Reports/blob/4f3baae07575e799db97ec22cb271d89c0fb0879/SnowFlake%20Stealer/SnowFlake%20Stealer%20Analysis.pdf) 820 | 821 | ### Samples 822 | 823 | | SHA-256 Hash | Download Link | 824 | | --- | --- | 825 | | `1ae99a454f6c11e30c346ca825e2d20bc5450ddb808f25dd20a4d952604d34f0` | [MalwareBazaar](https://bazaar.abuse.ch/sample/1ae99a454f6c11e30c346ca825e2d20bc5450ddb808f25dd20a4d952604d34f0/) | 826 | | `4f10f503422560da8a332c30323401af59a914af940716d06e139ed7371be53f` | [MalwareBazaar](https://bazaar.abuse.ch/sample/4f10f503422560da8a332c30323401af59a914af940716d06e139ed7371be53f/) | 827 | | `5e1626ac3140548619efba38a154b98234080908158378ad2e7e4af9e92cfbb8` | [MalwareBazaar](https://bazaar.abuse.ch/sample/5e1626ac3140548619efba38a154b98234080908158378ad2e7e4af9e92cfbb8/) | 828 | | `674f31aed8544f2f54423de908559f3d1964ef4f3391d2bf989915766b8c42e9` | 
[MalwareBazaar](https://bazaar.abuse.ch/sample/674f31aed8544f2f54423de908559f3d1964ef4f3391d2bf989915766b8c42e9/) | 829 | | `8441c5d0d5ee30f94f54459ba89a3a2d20677d98313c120f32bf98015214049f` | [MalwareBazaar](https://bazaar.abuse.ch/sample/8441c5d0d5ee30f94f54459ba89a3a2d20677d98313c120f32bf98015214049f/) | 830 | | `b44db0bf0992d55c7353fe368322fe0b1e912b2a381c4bf8b7c56c9fcd2a86ff` | [MalwareBazaar](https://bazaar.abuse.ch/sample/b44db0bf0992d55c7353fe368322fe0b1e912b2a381c4bf8b7c56c9fcd2a86ff/) | 831 | 832 | 833 | ## SPICA 834 | 835 | ### Writeups 836 | 837 | - [2024-01-18 - Google TAG - Russian threat group COLDRIVER expands its targeting of Western officials to include the use of malware](https://blog.google/threat-analysis-group/google-tag-coldriver-russian-phishing-malware/) 838 | 839 | ### Samples 840 | 841 | | SHA-256 Hash | Download Link | 842 | | --- | --- | 843 | | `37c52481711631a5c73a6341bd8bea302ad57f02199db7624b580058547fb5a9` | [MalwareBazaar](https://bazaar.abuse.ch/sample/37c52481711631a5c73a6341bd8bea302ad57f02199db7624b580058547fb5a9/) | 844 | 845 | 846 | ## SSLoad 847 | 848 | ### Writeups 849 | 850 | - [2024-04-11 - Palo Alto Networks - Contact Forms Campaign Pushes SSLoad Malware](https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2024-04-15-IOC-for-Contact-Forms-campaign-SSLoad-activity.txt) 851 | 852 | ### Malpedia 853 | 854 | - [win.ssload](https://malpedia.caad.fkie.fraunhofer.de/details/win.ssload) 855 | 856 | ### Samples 857 | 858 | | SHA-256 Hash | Download Link | 859 | | --- | --- | 860 | | `09ffc4188bf11bf059b616491fcb8a09a474901581f46ec7f2c350fbda4e1e1c` | [MalwareBazaar](https://bazaar.abuse.ch/sample/09ffc4188bf11bf059b616491fcb8a09a474901581f46ec7f2c350fbda4e1e1c/) | 861 | 862 | 863 | ## SysJoker (Rust variant) 864 | 865 | ### Aliases 866 | 867 | RustDown 868 | 869 | ### Writeups 870 | 871 | - [2023-11-23 - Check Point - Israel-Hamas War Spotlight: Shaking the Rust Off 
SysJoker](https://research.checkpoint.com/2023/israel-hamas-war-spotlight-shaking-the-rust-off-sysjoker/) 872 | - [2023-11-27 - Intezer - WildCard: The APT Behind SysJoker Targets Critical Sectors in Israel](https://intezer.com/blog/research/wildcard-evolution-of-sysjoker-cyber-threat/) 873 | 874 | ### Malpedia 875 | 876 | - [win.sysjoker](https://malpedia.caad.fkie.fraunhofer.de/details/win.sysjoker) 877 | 878 | ### Samples 879 | 880 | | SHA-256 Hash | Download Link | 881 | | --- | --- | 882 | | `d4095f8b2fd0e6deb605baa1530c32336298afd026afc0f41030fa43371e3e72` | [MalShare](https://malshare.com/sample.php?action=detail&hash=d4095f8b2fd0e6deb605baa1530c32336298afd026afc0f41030fa43371e3e72) | 883 | 884 | 885 | ## Tetra Loader 886 | 887 | ### Writeups 888 | 889 | - [2025-05-22 - Cisco - UAT-6382 exploits Cityworks zero-day vulnerability to deliver malware](https://blog.talosintelligence.com/uat-6382-exploits-cityworks-vulnerability/) 890 | 891 | ### Malpedia 892 | 893 | - [win.tetra_loader](https://malpedia.caad.fkie.fraunhofer.de/details/win.tetra_loader) 894 | 895 | ### Samples 896 | 897 | | SHA-256 Hash | Download Link | 898 | | --- | --- | 899 | | `14ed3878b6623c287283a8a80020f68e1cb6bfc37b236f33a95f3a64c4f4611f` | [MalwareBazaar](https://bazaar.abuse.ch/sample/14ed3878b6623c287283a8a80020f68e1cb6bfc37b236f33a95f3a64c4f4611f/) | 900 | | `1c38e3cda8ac6d79d9da40834367697a209c6b07e6b3ab93b3a4f375b161a901` | [MalwareBazaar](https://bazaar.abuse.ch/sample/1c38e3cda8ac6d79d9da40834367697a209c6b07e6b3ab93b3a4f375b161a901/) | 901 | | `4ffc33bdc8527a2e8cb87e49cdc16c3b1480dfc135e507d552f581a67d1850a9` | [MalwareBazaar](https://bazaar.abuse.ch/sample/4ffc33bdc8527a2e8cb87e49cdc16c3b1480dfc135e507d552f581a67d1850a9/) | 902 | 903 | ### Notes 904 | 905 | According to Cisco Talos, _Tetra Loader_ is built using an open-source Rust payload builder framework called _MaLoader_ (https://github.com/lv183037/MaLoader/). 
906 | 907 | 908 | ## Zeon Ransomware (Rust variant) 909 | 910 | ### Writeups 911 | 912 | - [2022-06-22 - SentinelOne - From the Front Lines | 3 New and Emerging Ransomware Threats Striking Businesses in 2022](https://www.sentinelone.com/blog/from-the-front-lines-3-new-and-emerging-ransomware-threats-striking-businesses-in-2022/) 913 | 914 | ### Samples 915 | 916 | | SHA-256 Hash | Download Link | 917 | | --- | --- | 918 | | `fb57abf08a85f1d7ca0a6fdcd76b04ccf964a5b05f2f784492083994773e4590` | [MalShare](https://malshare.com/sample.php?action=detail&hash=fb57abf08a85f1d7ca0a6fdcd76b04ccf964a5b05f2f784492083994773e4590) | 919 | 920 | ### Notes 921 | 922 | There is a lack of good open reporting on _Zeon Ransomware_, so I will clarify a few potential points of confusion in the notes here. 923 | 924 | There are samples which have been identified as _Zeon Ransomware_, but which are written with Python rather than Rust. These samples are packaged via PyInstaller, and obfuscated with PyArmor. For example, `c860bf644bd5e3d6f4cae67848c4fc769184ae652fcb41cac670042b185d217a` ([MalShare](https://malshare.com/sample.php?action=detail&hash=c860bf644bd5e3d6f4cae67848c4fc769184ae652fcb41cac670042b185d217a)) is a PyInstaller file which drops a nearly identical ransom note as the highlighted Rust sample above, `fb57abf08a85f1d7ca0a6fdcd76b04ccf964a5b05f2f784492083994773e4590` The ransom note of both samples say "All of your files are currently encrypted by ZEON strain", and link to the same Tor site (`http[:]//zeonrefpbompx6rwdqa5hxgtp2cxgfmoymlli3azoanisze33pp3x3yd[.]onion`), for victims to begin the payment process. 925 | 926 | There is reporting which states that _Zeon Ransomware_ is connected to _[Royal Ransomware](https://malpedia.caad.fkie.fraunhofer.de/details/win.royal_ransom)_, such as [CISA's advisory on Royal Ransomware](https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-061a). 
However, I have not been able to find any reporting that states Royal Ransomware is written in Rust, nor any Rust samples of Royal Ransomware. 927 | --------------------------------------------------------------------------------