🦀💮 Rust Malware Sample Gallery

Hokusai - Crab and Flowers

About

The intention of this page is to collect and highlight malware written in the Rust programming language, so that malware reverse engineers have a collection of Rust samples to practice reversing on. Malware written in Rust is rapidly becoming a significant problem, especially with the advent of high-impact ransomware families such as BlackCat. However, the knowledge in the malware reverse engineering community on how to reverse Rust binaries is still very poor.

I have collected at least one publicly available sample for each family. Definitive identification of malware families is hard, and I am not personally familiar with every malware family here, so I have tried to stick to sample hashes that are directly mentioned in the linked writeups. For each sample mentioned, a download link for that sample on either Malware Bazaar or MalShare is provided - neither of these sites require an account to download samples.

This is not meant to be a comprehensive effort to track the evolution of these malware families, or to collect every writeup about a malware family. I have tried to collect writeups that are technical, or that highlight something new or interesting about the family. The focus is also on malware that has been observed in the wild, so red teaming tools written in Rust won't be listed here, unless they have been seen in the wild by an independent party.

If you would like to contribute or see something that should be changed, please submit a Pull Request on this GitHub repository. Alternatively, you can Contact me directly.

Agenda Ransomware

Aliases

Qilin, AgendaCrypt

Writeups

• 2022-12-16 - Trend Micro - Agenda Ransomware Uses Rust to Target More Vital Industries

Malpedia

• win.agendacrypt

Samples

BlackCat Ransomware

Aliases

ALPHV, Noberus

Writeups

• 2022-01-26 - Varonis - BlackCat Ransomware (ALPHV)

Malpedia

• win.blackcat
• elf.blackcat

Samples

BlackCat Ransomware (Sphynx)

Aliases

ALPHV Sphynx

Writeups

• 2023-05-30 - IBM X-Force - BlackCat (ALPHV) ransomware levels up for stealth, speed and exfiltration

Malpedia

• win.blackcat
• elf.blackcat

Samples

CargoBay

Writeups

• 2022-11-29 - IBM X-Force - CargoBay BlackHat Backdoor Analysis Report (IRIS-14738) (mostly paywalled)
• 2023-02-17 - BushidoToken - Tweet thread regarding Rust malware tentatively identified as CargoBay 1 2 3 4 5

Malpedia

• win.cargobay

Samples

Notes

It's difficult to definitively identify CargoBay samples, as public information about it is limited. According to the publicly available contents of the 2022-11-29 IBM X-Force report, the source code of CargoBay is based on the source code from the book Black Hat Rust: https://github.com/skerkour/black-hat-rust

Convuster

Writeups

• 2021-03-18 - Kaspersky - Convuster: macOS adware now in Rust

Malpedia

• osx.convuster

Samples

Notes

This is technically not malware - it is adware.

CosmicRust

Writeups

• 2024-01-04 - Greg Lesnewich - 100DaysofYARA - CosmicRust

Samples

DeltaStealer

Writeups

• 2023-05-19 - Trend Micro - Rust-Based Info Stealers Abuse GitHub Codespaces

Malpedia

• win.deltastealer

Samples

ExeWho2

Writeups

• 2023-12-04 - Alex Perotti - ExeWho2 - A Tool from the Wild

Samples

Notes

Source code was found with the ExeWho2 binary; it is available at https://github.com/cyb3rkitties/exewho2

FickerStealer

Writeups

• 2020-10-27 - 3xp0rtblog - Tweet on FickerStealer
• 2021-07-19 - CyberArk - FickerStealer: A New Rust Player in the Market

Malpedia

• win.fickerstealer

Samples

See also all samples tagged with the FickerStealer signature on Malware Bazaar.

Freeze.rs

Writeups

• 2023-08-09 - Fortinet - Attackers Distribute Malware via Freeze.rs And SYK Crypter
• 2023-09-07 - Gi7w0rm - Uncovering DDGroup — A long-time threat actor

Samples

Notes

Source code (for the tool that generates the actual payloads) available at https://github.com/optiv/Freeze.rs

Hive Ransomware (Rust variant)

Writeups

• 2022-07-05 - Microsoft - Hive ransomware gets upgrades in Rust

Malpedia

• win.hive

Samples

Hunters International Ransomware

Writeups

• 2023-11-09 - Bitdefender - Hive Ransomware's Offspring: Hunters International Takes the Stage

Samples

JLORAT

Writeups

• 2023-04-34 - Kaspersky - Tomiris called, they want their Turla malware back > Tomiris's polyglot toolset > JLORAT

Malpedia

• win.jlorat

Samples

Luca Stealer

Writeups

• 2022-08-18 - BlackBerry - Luca Stealer Targets Password Managers and Cryptocurrency Wallets
• Binary Defense - Digging through Rust to find Gold: Extracting Secrets from Rust Malware

Malpedia

• win.lucastealer

Samples

Notes

Source code available at https://web.archive.org/web/20220725203750/https://github.com/luca364/rust-stealer/archive/refs/heads/master.zip

Luna Ransomware

Writeups

• 2022-08-30 - Elastic - LUNA Ransomware Attack Pattern Analysis
• 2023-01-13 - Nikhil "Kaido" Hegde - Getting Rusty and Stringy with Luna Ransomware

Malpedia

• elf.luna

Samples

Nokoyawa Ransomware (Rust variant)

Writeups

• 2022-12-20 - Zscaler - Nokoyawa Ransomware: Rust or Bust

Malpedia

• win.nokoyawa

Samples

P2PInfect

Writeups

• 2023-07-19 - Palo Alto Networks - P2PInfect: The Rusty Peer-to-Peer Self-Replicating Worm
• 2023-07-31 - Cado Security - Cado Security Labs Encounter Novel Malware, Redis P2Pinfect

Malpedia

• elf.p2pinfect

Samples

Notes

This sample (3a43116d507d58f3c9717f2cb0a3d06d0c5a7dc29f601e9c2b976ee6d9c8713f) isn't one of the hashes mentioned in the linked reports; however, due to the nature of this malware, there are a lot of unique samples out there, and I was able to find this one after some hunting.

RansomExx2

Aliases

Defray, Defray777

Writeups

• 2022-11-22 - IBM X-Force - RansomExx upgrades to rust

Malpedia

• elf.ransomexx

Samples

Realst Stealer

Writeups

• 2023-07-06 - Iamdeadlyz - Fake Blockchain Games Deliver RedLine Stealer & Realst Stealer - A New macOS Infostealer Malware

Samples

See also all samples tagged with the RealstStealer tag on Malware Bazaar.

Rust-based loader for Rilide

Aliases

BRAINSTORM

Writeups

• 2023-04-04 - Trustwave - Rilide: A New Malicious Browser Extension for Stealing Cryptocurrencies
• 2023-05-01 - Mandiant - A LNK Between Browsers: Hunting Methodologies and Extension Abusing Actors

Samples

Rust-based stealer used in RusticWeb campaign

Writeups

• 2023-12-21 - Seqrite - Operation RusticWeb targets Indian Govt: From Rust-based malware to Web-service exfiltration

Malpedia

• win.unidentified_112

Samples

RustBucket

Writeups

• 2023-04-21 - Jamf - BlueNoroff APT group targets macOS with ‘RustBucket’ Malware
• 2023-07-13 - Elastic - The DPRK strikes using a new variant of RUSTBUCKET

Malpedia

• osx.rustbucket
• win.rustbucket

Samples

Rustic Crypter

Writeups

• 2022-05-19 - IBM X-Force - ITG23 crypters highlight cooperation between cyber criminal groups

Samples

RustyBuer

Writeups

• 2021-05-03 - Proofpoint - New Variant of Buer Loader Written in Rust

Malpedia

• win.buer

Samples

RustyFlag

Writeups

• 2023-09-14 - Deep Instinct - Operation Rusty Flag – A Malicious Campaign Against Azerbaijanian Targets

Malpedia

• win.unidentified_110

Samples

SPICA

Writeups

• 2024-01-18 - Google TAG - Russian threat group COLDRIVER expands its targeting of Western officials to include the use of malware

Samples

SysJoker (Rust variant)

Aliases

RustDown

Writeups

• 2023-11-23 - Check Point - Israel-Hamas War Spotlight: Shaking the Rust Off SysJoker
• 2023-11-27 - Intezer - WildCard: The APT Behind SysJoker Targets Critical Sectors in Israel

Malpedia

• win.sysjoker

Samples

Zeon Ransomware (Rust variant)

Writeups

• 2022-06-22 - SentinelOne - From the Front Lines | 3 New and Emerging Ransomware Threats Striking Businesses in 2022

Samples

Notes

There is a lack of good open reporting on Zeon Ransomware, so I will clarify a few potential points of confusion in the notes here.

There are samples which have been identified as Zeon Ransomware, but which are written with Python rather than Rust. These samples are packaged via PyInstaller, and obfuscated with PyArmor. For example, c860bf644bd5e3d6f4cae67848c4fc769184ae652fcb41cac670042b185d217a (MalShare) is a PyInstaller file which drops a nearly identical ransom note as the highlighted Rust sample above, fb57abf08a85f1d7ca0a6fdcd76b04ccf964a5b05f2f784492083994773e4590 The ransom note of both samples say "All of your files are currently encrypted by ZEON strain", and link to the same Tor site (http[:]//zeonrefpbompx6rwdqa5hxgtp2cxgfmoymlli3azoanisze33pp3x3yd[.]onion), for victims to begin the payment process.

There is reporting which states that Zeon Ransomware is connected to Royal Ransomware, such as CISA's advisory on Royal Ransomware. However, I have not been able to find any reporting that states Royal Ransomware is written in Rust, nor any Rust samples of Royal Ransomware.