MalwareUsed by 1 actor

RustScan

RustScan is a publicly available modern port-scanning tool used to identify reachable network services, including SSH endpoints and open ports on targeted systems. In the provided reporting, it is described as a primitive subnet/network scanner or public tool used during post-compromise reconnaissance and lateral movement preparation rather than as bespoke malware. CERT-UA reported attackers it tracks as UAC-0247 used RustScan for network scanning inside compromised Ukrainian environments, including local self-government bodies and municipal healthcare institutions, alongside tools such as LIGOLO-NG and CHISEL. Separate reporting on the Linux intrusion chain ShadowHS states operators used RustScan to identify reachable SSH endpoints before downloading the tool spirit to brute-force SSH logins using default credentials. Additional ATT&CK-mapped reporting on Scattered Spider notes use of RustScan during activity cluster C0027 to scan for open ports on targeted VMware ESXi appliances. The content does not provide standalone RustScan-specific IOCs beyond noting that related reporting included SHA-256 hashes for RustScan binaries in the ShadowHS case.

For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial

THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

View more details

UAC-0247

Зокрема, виявлено як примітивні сканери підмереж, так і публічно доступний інструментарій, наприклад RUSTSCAN.

via cert uacert.gov.ua

MITRE ATT&CK

Techniques & procedures

8 distinct techniques documented for this family, organized by ATT&CK tactic.

Reconnaissance

2 techniques

T1595Active ScanningEvidence1

Scanning ports via Masscan & RustScan I stopped over-relying on one tool and lowered the maximum packet rate as it typically leads to inconsistent results.

T1595.001Scanning IP BlocksEvidence1

Find ports quickly ... Scans all 65k ports in 3 seconds ... if you want to run a slow scan due to stealth, that is possible too.

Resource Development

1 technique

T1588.002ToolEvidence2

The content repeatedly states that threat actors 'obtained,' 'acquired,' or 'used' publicly available, open-source, legitimate, or modified tools such as Mimikatz, Cobalt Strike, PsExec, Empire, Impacket, and many others.

Execution

1 technique

T1059Command and Scripting InterpreterEvidence1

RustScan has a new scripting engine that allows anyone to write scripts in most languages. Python, Lua, and Shell are all supported.

Discovery

3 techniques

T1016System Network Configuration DiscoveryEvidence1

while also conducting reconnaissance and lateral movement within networks. They employ subnet scanners and tools like RUSTSCAN

T1018Remote System DiscoveryEvidence1

Several actors used discovery tools such as BloodHound, AdFind, Advanced IP Scanner, SoftPerfect Network Scanner, NBTscan, RustScan, and SNScan for user, system, and network discovery.

T1046Network Service DiscoveryEvidence8

Alongside the theft tools, the attackers used basic subnet scanners and the publicly available RUSTSCAN tool to map out internal networks.

Command and Control

1 technique

T1105Ingress Tool TransferEvidence1

Also downloaded to the infected machine is a malware family dubbed AGINGFLY and a PowerShell script referred to as SILENTLOOP

INDICATORS OF COMPROMISE

IOCs tracked for this family

5 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

View more in app

Network

1 tracked

IPs, domains, and DNS infrastructure linked to this family.

Hashes

4 tracked

File hashes (MD5, SHA-1, SHA-256) from samples and reports.

TypeValueLatest sighting

domain●●●●●●●●●●●●View more in app2 months ago

hash.md5●●●●●●●●●●●●View more in app2 months ago

hash.sha256●●●●●●●●●●●●View more in app2 months ago

ACTIVITY FEED

Recent activity

3 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

3 SOURCESView more in app

cert uaNews

Apr 15, 2026

CERT-UA

Publicly available network scanner used for subnet reconnaissance during post-compromise activity.

cyble comNews

Jan 30, 2026

Shadowhs-fileless-linux-post-exploitation-framework

Open-source port scanner used by the framework for discovery of SSH endpoints to support lateral movement.

mitre attackNews

Jan 25, 2026

Scattered Spider, Roasted 0ktapus, Octo Tempest, Storm-0875, Group G1015 | MITRE ATT&CK®

Network port-scanning tool used for discovery of open services (e.g., scanning ESXi appliances).

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.

Start free trial

IOC matching5

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution1

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping8

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.