Mallory

Malware · Infostealer · Used by 1 actor

RustyStealer

RustyStealer is a Rust-based information stealer and credential-harvesting malware family for Windows. Public reporting describes it as an infostealer that gathers credentials, browser sessions and cryptocurrency wallet data and that in some cases delivers additional malware. It has been observed as a precursor in multi-stage intrusion chains, including incidents in which it enabled the compromise of legitimate high-privilege accounts that were then used for lateral movement over WinRM and PowerShell before Ymir ransomware was deployed. In one Kaspersky-investigated case, a RustyStealer sample named AudioDriver2.0.exe was found on multiple systems two days before the ransomware ran; the sample was placed in Windows\Temp, had MD5 5ee1befc69d120976a60a97d3254e9eb, was detected as Trojan.Win32.Sheller.ey, and communicated with C2 74.50.84[.]181 over port 443.

RustyStealer has also been reported as a payload delivered by the Amadey botnet in pay-per-install campaigns alongside other stealers, RATs, loaders and abused remote-management tools. In those campaigns it was one of several commodity malware families distributed to harvest credentials, browser sessions and crypto wallets. Separate reporting attributes a RustyStealer variant to the Iranian APT group MuddyWater. Another campaign linked RustyStealer to the SilverFox threat actor targeting Chinese-speaking victims with social-engineering lures; in that case the sample was a Rust-compiled launcher carrying a 5.5 MB AES-encrypted payload, included a PDB path of launcher.pdb and a Rust cargo path under C:\Users\dev\.cargo, and persisted under %ProgramData% using one of 20 legitimate-sounding executable names. Sandbox reporting maps RustyStealer to MITRE ATT&CK techniques T1083, T1057, T1129 and T1027.
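The indicators and behaviours above (the Windows\Temp drop, the MD5, the C2 address on 443, the %ProgramData% masquerade, the Run-key persistence and the WinRM-driven PowerShell used for lateral movement) are what a responder would turn into a hunt. The following Python is an added example, not Mallory's code and not from any of the cited reports: it runs those checks over a handful of constructed Sysmon-style events. The indicator values (MD5, file name, C2 IP and port) are the page's; the event schema, the host names, the benign events, the 203.0.113.10 address and the "executable dropped directly in %ProgramData% or Windows\Temp" heuristic are assumptions made for the example.

```python
"""Hunt RustyStealer tradecraft in host telemetry (constructed example)."""
from __future__ import annotations

import ntpath
from dataclasses import dataclass

# Atomic indicators taken from the page (Kaspersky Ymir incident).
# The page defangs the IP as 74.50.84[.]181; it is re-fanged here for matching.
IOC_MD5 = {"5ee1befc69d120976a60a97d3254e9eb"}
IOC_C2 = {("74.50.84.181", 443)}
IOC_FILENAMES = {"audiodriver2.0.exe"}

# Heuristic added for this example, not stated on the page: a PE dropped
# directly into %ProgramData% or %SystemRoot%\Temp (not a subfolder) is
# unusual for legitimate software and matches both reported drop locations.
SUSPICIOUS_DROP_DIRS = {r"c:\programdata", r"c:\windows\temp"}


@dataclass(frozen=True)
class Finding:
    rule: str    # which check fired
    host: str    # where it fired
    detail: str  # the matching artefact


def _norm(path: str) -> str:
    """Lower-case, backslash-normalised Windows path for comparison."""
    return path.strip('"').replace("/", "\\").lower()


def _parent_dir(path: str) -> str:
    return ntpath.dirname(_norm(path))


def hunt(events: list[dict]) -> list[Finding]:
    """Return one Finding per matching check; an event may raise several."""
    findings: list[Finding] = []
    for ev in events:
        host, kind = ev["host"], ev["type"]

        if kind == "process_create":
            image = _norm(ev["image"])
            name = ntpath.basename(image)
            parent = _norm(ev.get("parent_image", ""))

            if ev.get("md5", "").lower() in IOC_MD5:
                findings.append(Finding("ioc.hash.md5", host, image))
            if name in IOC_FILENAMES:
                findings.append(Finding("ioc.filename", host, image))
            if _parent_dir(image) in SUSPICIOUS_DROP_DIRS:
                findings.append(Finding("heuristic.exe_in_drop_dir", host, image))
            # T1021.006 / T1059.001: PowerShell launched through WinRM runs
            # as a child of the WinRM provider host, wsmprovhost.exe.
            if name == "powershell.exe" and ntpath.basename(parent) == "wsmprovhost.exe":
                findings.append(Finding("behavior.winrm_powershell", host, f"{parent} -> {image}"))

        elif kind == "network_connect":
            if (ev["dst_ip"], ev["dst_port"]) in IOC_C2:
                findings.append(Finding("ioc.c2", host,
                                        f"{_norm(ev['image'])} -> {ev['dst_ip']}:{ev['dst_port']}"))

        elif kind == "registry_set":
            # T1547.001: a Run key whose target lives in one of the drop dirs.
            if "\\currentversion\\run" in ev["key"].lower() \
                    and _parent_dir(ev["value"]) in SUSPICIOUS_DROP_DIRS:
                findings.append(Finding("behavior.run_key_to_drop_dir", host,
                                        f"{ev['key']} = {ev['value']}"))
    return findings


# Constructed telemetry modelled on the page's incident; WS03 is benign noise.
SAMPLE_EVENTS = [
    {"type": "process_create", "host": "WS01", "image": r"C:\Windows\Temp\AudioDriver2.0.exe",
     "parent_image": r"C:\Windows\explorer.exe", "md5": "5ee1befc69d120976a60a97d3254e9eb"},
    {"type": "network_connect", "host": "WS01", "image": r"C:\Windows\Temp\AudioDriver2.0.exe",
     "dst_ip": "74.50.84.181", "dst_port": 443},
    {"type": "registry_set", "host": "WS01",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\AudioDriver",
     "value": r"C:\ProgramData\AudioDriver2.0.exe"},
    {"type": "process_create", "host": "SRV02",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\wsmprovhost.exe"},
    {"type": "process_create", "host": "WS03", "image": r"C:\Program Files\Vendor\app.exe",
     "parent_image": r"C:\Windows\explorer.exe", "md5": "d41d8cd98f00b204e9800998ecf8427e"},
    {"type": "network_connect", "host": "WS03", "image": r"C:\Program Files\Vendor\app.exe",
     "dst_ip": "203.0.113.10", "dst_port": 443},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.host}: {f.detail}")
```

The file-name and drop-directory checks are deliberately kept separate from the hash match: the SilverFox sample rotated through 20 plausible names, so a hash or name alone is brittle, while "new PE executed from the root of %ProgramData%" survives a rename. The wsmprovhost.exe parent check is the standard way to separate WinRM-delivered PowerShell from interactive use and is worth running on every host, not only the ones that matched an indicator.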


THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers.

SilverFox

"Sample 4: RustyStealer ... This is a Rust-compiled launcher carrying a 5.5 MB AES-encrypted payload."

Source: breakglass intel (intel.breakglass.tech)
MITRE ATT&CK

Techniques & procedures

21 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access (2 techniques)

T1189 Drive-by Compromise (evidence: 1)

"Many of the Keitaro IP addresses we saw in the AS214351 network host and distribute malware."

T1566 Phishing (evidence: 1)

"The lure filenames are not random. They are precision-engineered psychological operations targeting specific anxieties within Chinese-speaking populations."

Execution (3 techniques)

T1059.001 PowerShell (evidence: 1)

"Lateral movement across the network was facilitated using tools like Windows Remote Management (WinRM) and PowerShell for remote control."

T1129 Shared Modules (evidence: 1)

"This sample has obfuscated content for obstructing analysis and includes shared modules indicating that the artifact can invoke functions from APIs, such as native Windows DLLs... RustyStealer TTPs... Execution Shared Modules T1129."

T1204.002 Malicious File (evidence: 1)

"The video title promises the footage. The file is an .exe."

Persistence (1 technique)

T1547.001 Registry Run Keys / Startup Folder (evidence: 1)

"MITRE ATT&CK Tactic Technique ID ... Persistence Registry Run Keys T1547.001"

Privilege Escalation (1 technique)

T1547.001 Registry Run Keys / Startup Folder (evidence: 1)

"MITRE ATT&CK Tactic Technique ID ... Persistence Registry Run Keys T1547.001"

Defense Evasion (3 techniques)

T1027 Obfuscated Files or Information (evidence: 1)

"This sample has obfuscated content for obstructing analysis... RustyStealer TTPs... Defense evasion Obfuscated Files or Information T1027."

T1027.013 Encrypted/Encoded File (evidence: 1)

"This is a Rust-compiled launcher carrying a 5.5 MB AES-encrypted payload"

T1036.005 Match Legitimate Resource Name or Location (evidence: 1)

"RustyStealer selects from a pool of 20 legitimate-sounding executable names when writing itself to %ProgramData%"

Credential Access (3 techniques)

T1003 OS Credential Dumping (evidence: 1)

"RustyStealer, essentially a credential-harvesting tool, enabled attackers to gain unauthorized access to systems by compromising legitimate high-privilege accounts useful in lateral movement."

T1555 Credentials from Password Stores (evidence: 2)

"The simultaneous deployment of three malware families (ValleyRAT for access, Gh0stRAT for persistence, RustyStealer for credential theft)"

T1555.003 Credentials from Web Browsers (evidence: 1)

"MITRE ATT&CK Mapping ... Credential Access Credentials from Password Stores: Credentials from Web Browsers T1555.003 Vidar, Lumma, Salat, Santa, Rusty stealers"

Discovery (2 techniques)

T1057 Process Discovery (evidence: 1)

"RustyStealer TTPs: Tactic Technique ID Discovery Process Discovery T1057."

T1083 File and Directory Discovery (evidence: 1)

"The malware constantly uses the memmove function while enumerating subdirectories and files inside the affected system, so they can be encrypted later... Tactics, techniques and procedures... Discovery File and Directory Discovery T1083."

Lateral Movement (2 techniques)

T1021 Remote Services (evidence: 1)

"Lateral movement across the network was facilitated using tools like Windows Remote Management (WinRM) and PowerShell for remote control."

T1021.006 Windows Remote Management (evidence: 1)

"Lateral movement across the network was facilitated using tools like Windows Remote Management (WinRM) and PowerShell for remote control."

Command and Control (4 techniques)

T1071 Application Layer Protocol (evidence: 1)

"MITRE ATT&CK Tactic Technique ID ... Command and Control Application Layer Protocol T1071"

T1104 Multi-Stage Channels (evidence: 1)

"MITRE ATT&CK Tactic Technique ID ... Command and Control Multi-Stage Channels T1104"

T1105 Ingress Tool Transfer (evidence: 1)

"MITRE ATT&CK Mapping ... Command and Control Ingress Tool Transfer T1105 Amadey downloads 50+ payloads to infected hosts"

T1219 Remote Access Tools (evidence: 1)

"62[.]60[.]226[.]248 was also hosting a customized remote monitoring and management (RMM) client called ScreenConnect that auto-enrolled victims into the actor-controlled network relays."

Exfiltration (1 technique)

T1041 Exfiltration Over C2 Channel (evidence: 2)

"According to Kaspersky researchers who discovered Ymir during an incident response... Kaspersky has found evidence that Ymir connects to external servers that might facilitate data exfiltration, the ransomware does not feature such a capability."

INDICATORS OF COMPROMISE

IOCs tracked for this family

50 indicators attributed across vendor reports, sandbox runs and researcher write-ups.
Network
41 tracked

IPs, domains, and DNS infrastructure linked to this family.

Hashes
7 tracked

File hashes (MD5, SHA-1, SHA-256) from samples and reports.

Other
2 tracked

Other indicator types observed in public reporting.

ACTIVITY FEED

Recent activity

9 sources tracked across advisories, community write-ups and news.
