RustyRocket
RustyRocket is a custom malware platform used by the World Leaks extortion group and first identified and named by Accenture. It is written in Rust and is described as a sophisticated data exfiltration and proxy tool that supports stealthy persistence on victim networks. Accenture reported that it targets both Microsoft Windows and Linux environments, uses heavily obfuscated multi-layer encrypted tunnels to blend malicious traffic into legitimate network activity, and includes an execution guardrail requiring a pre-encrypted configuration at runtime, which makes monitoring and detection more difficult.
In the reported World Leaks intrusion, the actor gained initial access by brute-forcing an exposed RDP service with a company-specific wordlist and reused the compromised Administrator credentials to move laterally. On Day 2 of the intrusion, the actor downloaded agent.zip from temp[.]sh to the domain controller, deployed agent.exe to C:\ProgramData\Veeam, and executed it on both the domain controller and the backup server. The payload was identified as RustyRocket, with SHA-256 743f9dbb32f86322c5f55f1e9051c5cd88092f10adcdac45aa648ac06e229b8a. In that case, RustyRocket ran in NORMAL mode, used SMB on port 445 to collect files from reachable hosts, and exfiltrated data over HTTPS on port 443 to more than 6,900 unique Cloudflare IPs.
RustyRocket is associated with World Leaks’ data-theft-and-extortion operations rather than file encryption. World Leaks has been active since early 2025 and is reported to obtain access through social engineering, stolen credentials, or exploitation of exposed infrastructure. In the cited intrusion, RustyRocket was deployed after the actor had already accessed the domain controller and backup infrastructure, indicating use against high-value enterprise systems and backup environments.
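A defender-side detection sketch for the two observable behaviours in the intrusion above: agent.exe launched from the C:\ProgramData\Veeam staging directory, and a single host opening HTTPS sessions to an unusually large number of distinct destination IPs. This is an added example, not code from Accenture or Mallory; the event record layout, the fan-out threshold and the sample telemetry are assumed or constructed for illustration.

```python
from collections import defaultdict

STAGING_DIR = r"c:\programdata\veeam"   # staging directory from the intrusion report
FANOUT_THRESHOLD = 500                  # distinct tcp/443 destinations per host; assumed value


def flag_staged_execution(process_events):
    """Return (host, image) for each agent.exe launch from the staging directory."""
    hits = []
    for ev in process_events:
        image = ev["image"].lower()
        if image.startswith(STAGING_DIR + "\\") and image.endswith("\\agent.exe"):
            hits.append((ev["host"], ev["image"]))
    return hits


def flag_https_fanout(flow_events, threshold=FANOUT_THRESHOLD):
    """Return {host: distinct_dst_count} for hosts exceeding the tcp/443 fan-out threshold."""
    dests = defaultdict(set)
    for ev in flow_events:
        if ev["proto"] == "tcp" and ev["dst_port"] == 443:
            dests[ev["src_host"]].add(ev["dst_ip"])
    return {h: len(ips) for h, ips in dests.items() if len(ips) > threshold}


# Constructed sample telemetry; the hosts and addresses are not from the report.
SAMPLE_PROCESS_EVENTS = [
    {"host": "DC01", "image": r"C:\ProgramData\Veeam\agent.exe"},
    {"host": "BKP01", "image": r"C:\ProgramData\Veeam\agent.exe"},
    {"host": "WS07", "image": r"C:\Program Files\Veeam\Backup\Veeam.Backup.Manager.exe"},
]
SAMPLE_FLOW_EVENTS = (
    # DC01 fans out to 600 distinct HTTPS destinations: the exfiltration shape.
    [{"src_host": "DC01", "proto": "tcp", "dst_port": 443,
      "dst_ip": f"198.18.{i // 256}.{i % 256}"} for i in range(600)]
    # WS07 reaches a handful of HTTPS destinations: ordinary browsing.
    + [{"src_host": "WS07", "proto": "tcp", "dst_port": 443,
        "dst_ip": f"198.19.0.{i}"} for i in range(40)]
)


def run_detections(process_events=SAMPLE_PROCESS_EVENTS, flow_events=SAMPLE_FLOW_EVENTS):
    """Combine both signals; a host that trips both is the strongest lead to triage."""
    staged = flag_staged_execution(process_events)
    fanout = flag_https_fanout(flow_events)
    both = sorted({h for h, _ in staged} & set(fanout))
    return {"staged_execution": staged, "https_fanout": fanout, "both": both}


if __name__ == "__main__":
    print(run_detections())
```

The fan-out threshold must be tuned against a baseline of the host's normal HTTPS destination count; domain controllers and backup servers typically talk to very few external endpoints, which is what makes this signal useful on exactly the systems targeted here.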
Groups observed using it
1 distinct threat actor attributed by public researchers.
The threat actor then downloaded agent.exe (RustyRocket, first identified and named by Accenture), which is a custom exfiltration platform that World Leaks distributes to their operators.
Techniques & procedures
5 distinct techniques documented for this family, organized by ATT&CK tactic.
Collection: 1 technique
Command and Control: 2 techniques
IOCs tracked for this family
2 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
Recent activity
2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A Rust-based custom exfiltration platform used to index files across the network, collect data over SMB, and transfer it to cloud infrastructure over HTTPS. It supports NORMAL, CLIENT/SERVER, and SERVER modes, accepts credentials for remote share access, and has documented persistence methods and a companion pivoting proxy.
A Rust-written cross-platform (Windows/Linux) malware used by the World Leaks extortion group to maintain persistence, exfiltrate data, and proxy traffic via heavily obfuscated, multi-layer encrypted tunnels. It includes an execution guardrail requiring a pre-encrypted configuration to be provided at runtime, complicating monitoring and detection.