🦀💮 Rust Malware Sample Gallery

Hokusai - Crab and Flowers

About

The intention of this page is to collect and highlight malware written in the Rust programming language, so that malware reverse engineers have a collection of Rust samples to practice reversing on. Malware written in Rust is rapidly becoming a significant problem, especially with the advent of high-impact ransomware families such as BlackCat. However, the knowledge in the malware reverse engineering community on how to reverse Rust binaries is still very poor.

I have collected at least one publicly available sample for each family. Definitive identification of malware families is hard, and I am not personally familiar with every malware family here, so I have tried to stick to sample hashes that are directly mentioned in the linked writeups. For each sample mentioned, a download link for that sample on either Malware Bazaar or MalShare is provided - neither of these sites require an account to download samples.

This is not meant to be a comprehensive effort to track the evolution of these malware families, or to collect every writeup about a malware family. I have tried to collect writeups that are technical, or that highlight something new or interesting about the family. The focus is also on malware that has been observed in the wild, so red teaming tools written in Rust won't be listed here, unless they have been seen in the wild by an independent party.

This repository is maintained by Cindy Xiao @ Decoder Loop. (Prior to 2025-12-15, this repository was located at github.com/cxiao/decoderloop.)

If you would like to contribute or see something that should be changed, please submit a Pull Request on this GitHub repository. Alternatively, you can Contact me directly.

Interested in learning how to analyze Rust malware? At Decoder Loop, we offer expert training on reverse engineering Rust binaries. You can find out more about our upcoming trainings at decoderloop.com.

01flip

Writeups

• 2025-12-10 - Palo Alto Networks - 01flip: Multi-Platform Ransomware Written in Rust

Samples

SHA-256 Hash	Download Link
e5834b7bdd70ec904470d541713e38fe933e96a4e49f80dbfb25148d9674f957	MalwareBazaar

Agenda Ransomware

Aliases

Qilin, AgendaCrypt

Writeups

• 2022-12-16 - Trend Micro - Agenda Ransomware Uses Rust to Target More Vital Industries

Malpedia

• win.agendacrypt

Samples

SHA-256 Hash	Download Link
e90bdaaf5f9ca900133b699f18e4062562148169b29cb4eb37a0577388c22527	MalwareBazaar

Akira Ransomware (Rust "Akira v2" variant)

Writeups

• 2024-10-21 - Cisco - Akira ransomware continues to evolve
• 2024-12-03 - Check Point - Inside Akira Ransomware's Rust Experiment

Malpedia

• elf.akira

Samples

SHA-256 Hash	Download Link
0ee1d284ed663073872012c7bde7fac5ca1121403f1a5d2d5411317df282796c	MalwareBazaar

Akira Ransomware (Rust "Megazord" variant)

Writeups

• 2024-10-21 - Cisco - Akira ransomware continues to evolve
• 2024-12-02 - Palo Alto - Threat Assessment: Howling Scorpius (Akira Ransomware)

Malpedia

Samples

SHA-256 Hash	Download Link
28cea00267fa30fb63e80a3c3b193bd9cd2a3d46dd9ae6cede5f932ac15c7e2e	MalwareBazaar
131da83b521f610819141d5c740313ce46578374abb22ef504a7593955a65f07	MalwareBazaar

Banshee (Rust variant)

Writeups

• 2025-01-31 - Kandji - Banshee Rust Rewrite?

Samples

SHA-256 Hash	Download Link
dea72cdd7c9dfc49f0a19581086c8e6e99b000dc33f461ece8b9f37c1bd7068d	MalwareBazaar

BlackCat Ransomware

Aliases

ALPHV, Noberus

Writeups

• 2022-01-26 - Varonis - BlackCat Ransomware (ALPHV)

Malpedia

• win.blackcat
• elf.blackcat

Samples

SHA-256 Hash	Download Link
3d7cf20ca6476e14e0a026f9bdd8ff1f26995cdc5854c3adb41a6135ef11ba83	MalwareBazaar

BlackCat Ransomware (Sphynx)

Aliases

ALPHV Sphynx

Writeups

• 2023-05-30 - IBM X-Force - BlackCat (ALPHV) ransomware levels up for stealth, speed and exfiltration

Malpedia

• win.blackcat
• elf.blackcat

Samples

SHA-256 Hash	Download Link
c0e70e69d8f7432383fa37528cd42db764b73dd08eb75d72229c2a0d02e538cc	MalwareBazaar

CargoBay

Writeups

• 2022-11-29 - IBM X-Force - CargoBay BlackHat Backdoor Analysis Report (IRIS-14738) (mostly paywalled)
• 2023-02-17 - BushidoToken - Tweet thread regarding Rust malware tentatively identified as CargoBay 1 2 3 4 5

Malpedia

• win.cargobay

Samples

SHA-256 Hash	Download Link
a963a8a8e1583081daa43638744eef6c410d1a410c11eb9413da15a26e802de5	MalwareBazaar

Notes

It's difficult to definitively identify CargoBay samples, as public information about it is limited. According to the publicly available contents of the 2022-11-29 IBM X-Force report, the source code of CargoBay is based on the source code from the book Black Hat Rust: https://github.com/skerkour/black-hat-rust

ChaosBot

Writeups

• 2025-10-09 - eSentire - New Rust Malware "ChaosBot" Uses Discord for Command and Control

Samples

SHA-256 Hash	Download Link
4d5f3690cdff840ceba70c1b1630ceadd0d3dcf23c8e0add0257cba2f166f5e6	MalwareBazaar
cdc73afb92617d9e2e0b6f2f22587f5f57316250a25b7bb8477a80628703e7b7	MalwareBazaar

Cicada3301 Ransomware

Writeups

• 2024-08-30 - TrueSec - Dissecting the Cicada
• 2024-09-03 - MorphiSec - Cicada3301 Ransomware (archived version)
• 2024-10-18 - Group-IB - Encrypted Symphony: Infiltrating the Cicada3301 Ransomware-as-a-Service Group

Samples

SHA-256 Hash	Download Link
7b3022437b637c44f42741a92c7f7ed251845fd02dda642c0a47fde179bd984e	MalwareBazaar
56e1d092c07322d9dad7d85d773953573cc3294b9e428b3bbbaf935ca4d2f7e7	MalwareBazaar

Convuster

Writeups

• 2021-03-18 - Kaspersky - Convuster: macOS adware now in Rust

Malpedia

• osx.convuster

Samples

SHA-256 Hash	Download Link
947ae8f075fd0d1e5be0341b922c0173f0c5cfd771314ebe220207f3ed53466a	MalShare

Notes

This is technically not malware - it is adware.

CosmicRust

Writeups

• 2024-01-04 - Greg Lesnewich - 100DaysofYARA - CosmicRust

Samples

SHA-256 Hash	Download Link
3315e5a4590e430550a4d85d0caf5f521d421a2966b23416fcfc275a5fd2629a	MalShare

DeltaStealer

Writeups

• 2023-05-19 - Trend Micro - Rust-Based Info Stealers Abuse GitHub Codespaces

Malpedia

• win.deltastealer

Samples

SHA-256 Hash	Download Link
c92a7425959121ff49970c53b78e714b9e450e4b214ac85deb878d0bedf82a70	MalwareBazaar

EDDIESTEALER

Writeups

• 2025-05-29 - Elastic - Chasing Eddies: New Rust- based InfoStealer used in CAPTCHA campaigns

Samples

SHA-256 Hash	Download Link
5330cf6a8f4f297b9726f37f47cffac38070560cbac37a8e561e00c19e995f42	MalwareBazaar

Embargo Ransomware

Writeups

• 2024-05-24 - Cyble - The Rust Revolution: New Embargo Ransomware Steps In
• 2024-10-23 - ESET - Embargo ransomware: Rock'n'Rust

Samples

SHA-256 Hash	Download Link
ebffc9ced2dba66db9aae02c7ccd2759a36c5167df5cd4adb151b20e7eab173c	MalwareBazaar

evm-units

Writeups

• 2025-12-02 - Socket - Malicious Rust Crate evm-units Serves Cross-Platform Payloads for Silent Execution

Samples

This is malicious Rust code inside a Rust crate, which is compiled if a Rust developer uses the crate as part of their project, and executed if the Rust developer calls the malicious code. An archived version of the malicious code can be found at the Socket.dev package archive.

ExeWho2

Writeups

• 2023-12-04 - Alex Perotti - ExeWho2 - A Tool from the Wild

Samples

SHA-256 Hash	Download Link
a36967a40dcff74c04b5dd80f1aa685925912df8ff6cb63c14059439e08d5f8d	MalwareBazaar

Notes

Source code was found with the ExeWho2 binary; it is available at https://github.com/cyb3rkitties/exewho2

FickerStealer

Writeups

• 2020-10-27 - 3xp0rtblog - Tweet on FickerStealer
• 2021-07-19 - CyberArk - FickerStealer: A New Rust Player in the Market

Malpedia

• win.fickerstealer

Samples

SHA-256 Hash	Download Link
dc021a0ca0bb3f66d54d15d2b236422c0b90399ea762c7d7aa6d727b9bd5b46c	MalwareBazaar

See also all samples tagged with the FickerStealer signature on Malware Bazaar.

Fickle Stealer

Writeups

• 2024-06-19 - Fortinet - Fickle Stealer Distributed via Multiple Attack Chain

Samples

SHA-256 Hash	Download Link
e9bc44cf548a70e7285499209973faf44b7374dece1413dfcdc03bf25a6c599c	MalwareBazaar

Freeze.rs

Writeups

• 2023-08-09 - Fortinet - Attackers Distribute Malware via Freeze.rs And SYK Crypter
• 2023-09-07 - Gi7w0rm - Uncovering DDGroup — A long-time threat actor

Samples

SHA-256 Hash	Download Link
afd38445e5249ac5ac66addd18c20d271f41c3ffb056ca49c8c02f9fecb4afcb	MalShare

Notes

Source code (for the tool that generates the actual payloads) available at https://github.com/optiv/Freeze.rs

Rust-based payload delivered by GlassWorm

Writeups

• 2025-11-29 - Nextron Systems - Analysis of the Rust implants found in the malicious VS Code extension
• 2025-12-10 - Koi - GlassWorm Goes Native: Same Infrastructure, Hardened Delivery

Samples

SHA-256 Hash	Download Link
6ebeb188f3cc3b647c4460c0b8e41b75d057747c662f4cd7912d77deaccfd2f2	MalwareBazaar
fb07743d139f72fca4616b01308f1f705f02fda72988027bc68e9316655eadda	MalwareBazaar

Hive Ransomware (Rust variant)

Writeups

• 2022-07-05 - Microsoft - Hive ransomware gets upgrades in Rust

Malpedia

• win.hive

Samples

SHA-256 Hash	Download Link
f4a39820dbff47fa1b68f83f575bc98ed33858b02341c5c0464a49be4e6c76d3	MalwareBazaar

Hunters International Ransomware

Writeups

• 2023-11-09 - Bitdefender - Hive Ransomware's Offspring: Hunters International Takes the Stage

Samples

SHA-256 Hash	Download Link
c4d39db132b92514085fe269db90511484b7abe4620286f6b0a30aa475f64c3e	MalwareBazaar

JLORAT

Writeups

• 2023-04-34 - Kaspersky - Tomiris called, they want their Turla malware back > Tomiris's polyglot toolset > JLORAT

Malpedia

• win.jlorat

Samples

SHA-256 Hash	Download Link
69bb729ff354cd9651f99a05f74f3ea20d483dc8e6e5838e4dd48858fd500d29	MalwareBazaar

KrustyLoader

Writeups

• 2024-01-29 - Synacktiv - KrustyLoader - Rust malware linked to Ivanti ConnectSecure compromises
• 2024-02-10 - N0fix - KrustyLoader - About stripped Rust symbol recovery (archived version)
• 2024-08-03 - N0fix - KrustyLoader - Leveraging rust compilation artifacts to obtain reliable compilation timestamps and pivoting (archived version)
• 2025-05-13 - EclecticIQ - China-Nexus Nation State Actors Exploit SAP NetWeaver (CVE-2025-31324) to Target Critical Infrastructures

Malpedia

• elf.krustyloader

Samples

SHA-256 Hash	Download Link
030eb56e155fb01d7b190866aaa8b3128f935afd0b7a7b2178dc8e2eb84228b0	MalwareBazaar
47ff0ae9220a09bfad2a2fb1e2fa2c8ffe5e9cb0466646e2a940ac2e0cf55d04	MalwareBazaar

Luca Stealer

Writeups

• 2022-08-18 - BlackBerry - Luca Stealer Targets Password Managers and Cryptocurrency Wallets
• Binary Defense - Digging through Rust to find Gold: Extracting Secrets from Rust Malware

Malpedia

• win.lucastealer

Samples

SHA-256 Hash	Download Link
99331a27afa84009e140880a8739d96f97baa1676d67ba7a3278fe61bfb79022	MalShare

Notes

Source code available at https://web.archive.org/web/20220725203750/https://github.com/luca364/rust-stealer/archive/refs/heads/master.zip

Luna Ransomware

Writeups

• 2022-08-30 - Elastic - LUNA Ransomware Attack Pattern Analysis
• 2023-01-13 - Nikhil "Kaido" Hegde - Getting Rusty and Stringy with Luna Ransomware

Malpedia

• elf.luna

Samples

SHA-256 Hash	Download Link
1cbbf108f44c8f4babde546d26425ca5340dccf878d306b90eb0fbec2f83ab51	MalShare

Myth Stealer

Writeups

• 2025-06-05 - Trellix - Demystifying Myth Stealer: A Rust Based InfoStealer
• 2025-08-17 - cxiao.net - Reversing a (not-so-) Simple Rust Loader

Samples

SHA-256 Hash	Download Link
55a418f8562684607ee0acd745595e297ab7e586d0a5d3f8328643b29c72dfa2	MalwareBazaar
2f2b93d37d67b80b4faaf25bebe4e3cbaf7aca35328aeb66da6a1a9b44316f5b	MalwareBazaar
66054607f38481ee7e39e002b58fe950966c4c0203df39f46acfe5c0e857c89a	MalwareBazaar

Nokoyawa Ransomware (Rust variant)

Writeups

• 2022-12-20 - Zscaler - Nokoyawa Ransomware: Rust or Bust

Malpedia

• win.nokoyawa

Samples

SHA-256 Hash	Download Link
7095beafff5837070a89407c1bf3c6acf8221ed786e0697f6c578d4c3de0efd6	MalwareBazaar

P2PInfect

Writeups

• 2023-07-19 - Palo Alto Networks - P2PInfect: The Rusty Peer-to-Peer Self-Replicating Worm
• 2023-07-31 - Cado Security - Cado Security Labs Encounter Novel Malware, Redis P2Pinfect (archived version)
• 2023-09-20 - Cado Security - Cado Security Labs Researchers Witness a 600X Increase in P2Pinfect Traffic (archived version)
• 2023-12-04 - Cado Security - P2Pinfect - New Variant Targets MIPS Devices (archived version)
• 2024-01-16 - Nozomi Networks - P2PInfect Worm Evolves to Target a New Platform
• 2024-06-25 - Cado Security - From Dormant to Dangerous: P2Pinfect Evolves to Deploy New Ransomware and Cryptominer (archived version)

Malpedia

• elf.p2pinfect

Samples

SHA-256 Hash	Download Link
3a43116d507d58f3c9717f2cb0a3d06d0c5a7dc29f601e9c2b976ee6d9c8713f	MalwareBazaar

Notes

This sample (3a43116d507d58f3c9717f2cb0a3d06d0c5a7dc29f601e9c2b976ee6d9c8713f) isn't one of the hashes mentioned in the linked reports; however, due to the nature of this malware, there are a lot of unique samples out there, and I was able to find this one after some hunting.

RALord Ransomware

Writeups

• 2025-04 - ISH Tecnologia - RALord: Novo grupo de Ransomware-as-a-Service

Samples

SHA-256 Hash	Download Link
456b9adaabae9f3dce2207aa71410987f0a571cd8c11f2e7b41468501a863606	MalwareBazaar

RansomExx2

Aliases

Defray, Defray777

Writeups

• 2022-11-22 - IBM X-Force - RansomExx upgrades to rust

Malpedia

• elf.ransomexx

Samples

SHA-256 Hash	Download Link
a7ea1e33c548182b8e56e32b547afb4b384ebe257ca0672dbf72569a54408c5c	MalShare

Realst Stealer

Writeups

• 2023-07-06 - Iamdeadlyz - Fake Blockchain Games Deliver RedLine Stealer & Realst Stealer - A New macOS Infostealer Malware

Samples

SHA-256 Hash	Download Link
2af0e212ad70eaf8b96a645045ef2764700b5adf7b1187ae3d82240f96f613e2	MalwareBazaar

See also all samples tagged with the RealstStealer tag on Malware Bazaar.

Rust-based loader for Rilide

Aliases

BRAINSTORM

Writeups

• 2023-04-04 - Trustwave - Rilide: A New Malicious Browser Extension for Stealing Cryptocurrencies
• 2023-05-01 - Mandiant - A LNK Between Browsers: Hunting Methodologies and Extension Abusing Actors

Samples

SHA-256 Hash	Download Link
0f11aeecbde1f355d26c9d406dad80cb0ae8536aea31fdddaf915d4afd434f3f	MalwareBazaar

Rust-based stealer used in RusticWeb campaign

Writeups

• 2023-12-21 - Seqrite - Operation RusticWeb targets Indian Govt: From Rust-based malware to Web-service exfiltration

Malpedia

• win.unidentified_112

Samples

SHA-256 Hash	Download Link
db91e23d9715464511057f2e15c9adc97d3f27fcfa308f05ac7e2de7275fdd32	MalShare

RustBucket

Writeups

• 2023-04-21 - Jamf - BlueNoroff APT group targets macOS with ‘RustBucket’ Malware
• 2023-07-13 - Elastic - The DPRK strikes using a new variant of RUSTBUCKET

Malpedia

• osx.rustbucket
• win.rustbucket

Samples

SHA-256 Hash	Download Link
9ca914b1cfa8c0ba021b9e00bda71f36cad132f27cf16bda6d937badee66c747	MalShare
de81e5246978775a45f3dbda43e2716aaa1b1c4399fe7d44f918fccecc4dd500	MalwareBazaar

RustDoor

Aliases

Thiefbucket

Writeups

• 2024-02-08 - Bitdefender - New macOS Backdoor Written in Rust Shows Possible Link with Windows Ransomware Group
• 2024-02-19 - S2W - RustDoor and GateDoor: A New Pair of Weapons Disguised as Legitimate Software by Suspected Cybercriminal
• 2024-09-16 - Jamf - Jamf Threat Labs observes targeted attacks amid FBI Warnings
• 2025-02-26 - Palo Alto Networks - RustDoor and Koi Stealer for macOS Used by North Korea-Linked Threat Actor to Target the Cryptocurrency Sector

Samples

SHA-256 Hash	Download Link
a900ec81363358ef26bcdf7827f6091af44c3f1001bc8f52b766c9569b56faa5	MalwareBazaar
4a59e2fe11ed9136d96a985448b34957ee5861adc9c1a52de4ad65880875dfdb	MalwareBazaar
238b546e2a1afc230f88b98dce1be6bf442b0b807e364106c0b28fe18db2ce66	MalwareBazaar

Rustic Crypter

Writeups

• 2022-05-19 - IBM X-Force - ITG23 crypters highlight cooperation between cyber criminal groups

Samples

SHA-256 Hash	Download Link
45aa8efb6b1a9a0e0091040bb99a7c37d346aaf306fa4e31e9d5d9f0fef56676	MalwareBazaar

RustoBot

Writeups

• 2025-04-21 - Fortinet - New Rust Botnet "RustoBot" is Routed via Routers

Samples

SHA-256 Hash	Download Link
114b460012412411363c9a3ab0246e48a584ce86fc6c0b7855495ec531dd05a1	MalwareBazaar
1697fd5230f7f09a7b43fee1a1693013ed98beeb7a182cd3f0393d93dd1b7576	MalwareBazaar
44a526f20c592fd95b4f7d61974c6f87701e33776b68a5d0b44ccd2fa3f48c5d	MalwareBazaar
5dc90cbb0f69f283ccf52a2a79b3dfe94ee8b3474cf6474cfcbe9f66f245a55d	MalwareBazaar
9a9b5bdeb1f23736ceffba623c8950d627a791a0b40c4d44ae2f80e02a43955d	MalwareBazaar
9e660ce74e1bdb0a75293758200b03efd5f807e7896665addb684e0ffb53afd2	MalwareBazaar
9f098920613bd0390d6485936256a67ae310b633124cfbf503936904e69a81bf	MalwareBazaar
b68e2d852ad157fc01da34e11aa24a5ab30845b706d7827b8119a3e648ce2cf1	MalwareBazaar
b910e77ee686d7d6769fab8cb8f9b17a4609c4e164bb4ed80d9717d9ddad364f	MalwareBazaar
c0abb19b3a72bd2785e8b567e82300423da672a463eefdeda6dd60872ff0e072	MalwareBazaar
e547306d6dee4b5b2b6ce3e989b9713a5c21ebe3fefa0f5c1a1ea37cec37e20f	MalwareBazaar
ec9e77f1185f644462305184cf8afcf5d12c7eb524a2d3f4090a658a198c20ce	MalwareBazaar
efb0153047b08aa1876e1e4e97a082f6cb05af75479e1e9069b77d98473a11f4	MalwareBazaar

Rustonotto

Aliases

CHILLYCHINO

Writeups

• 2025-08-07 - S2W - ScarCruft's New Language: Whispering in PubNub, Crafting Backdoor in Rust, Striking with Ransomware
• 2025-09-08 - Zscaler - APT37 Targets Windows with Rust Backdoor and Python Loader

Malpedia

• win.rustonotto

Samples

SHA-256 Hash	Download Link
67ad959e8af25a48928c28ca9a38a6f2a61ea4935fe60dfed79061214e840b15	MalwareBazaar
738a31e7a0d96fe1b0ad6778db39425160835a80ac33ce8a84f26b71c00c26b9	MalwareBazaar

RustyAttr

Writeups

• 2024-11-13 - Group-IB - Stealthy Attributes of Lazarus APT Group: Evading Detection with Extended Attributes

Samples

| SHA-256 Hash | Download Link | Notes | | --- | --- | | 9111d458d5665b1bf463859792e950fe8d8186df9a6a3241360dc11f34d018c2 | MalwareBazaar | Gzip'd CPIO archive containing files and extended attributes required for payload delivery | | 176e8a5a7b6737f8d3464c18a77deef778ec2b9b42b7e7eafc888aeaf2758c2d | MalwareBazaar | Rust payload, but without the required extended attribute |

RustyBuer

Writeups

• 2021-05-03 - Proofpoint - New Variant of Buer Loader Written in Rust

Malpedia

• win.buer

Samples

SHA-256 Hash	Download Link
3abed86f46c8be754239f8c878f035efaae91c33b8eb8818c5bbed98c4d9a3ac	MalwareBazaar

RustyClaw

Writeups

• 2024-10-17 - Cisco - UAT-5647 targets Ukrainian and Polish entities with RomCom malware variants
• 2025-06-30 - Proofpoint - 10 Things I Hate About Attribution: RomCom vs. TransferLoader

Malpedia

• win.rusty_claw

Samples

SHA-256 Hash	Download Link
10e1d453d4f9ca05ff6af3dcd7766a17ca1470ee89ba90feee5d52f8d2b18a4c	MalwareBazaar
7602e2c1ae27e1b36ee4aed357e505f14496f63db29fb4fcdd0d8a9db067a5c4	MalwareBazaar
b1fe8fbbb0b6de0f1dcd4146d674a71c511488a9eb4538689294bd782df040df	MalwareBazaar

RustyFlag

Writeups

• 2023-09-14 - Deep Instinct - Operation Rusty Flag – A Malicious Campaign Against Azerbaijanian Targets

Malpedia

• win.unidentified_110

Samples

SHA-256 Hash	Download Link
5327308fee51fc6bb95996c4185c4cfcbac580b747d79363c7cf66505f3ff6db	MalwareBazaar

RustyPages

Writeups

• 2025-08-19 - Kandji - Threat Detected: RustyPages Malware - Part I

Samples

SHA-256 Hash	Download Link
e98756472404aeef70ba4d403339962989d9ed733fa0f6a23bdf4c2900d7e877	MalwareBazaar
7ab47b7b14f4d6848b9f4d410d1315ccc68e9a6714d94a2e870b6ba77d28e828	MalwareBazaar
5cee6368c6a9922a81a03831979947db8e5365986b4ad725c552ab6018a083b3	MalwareBazaar
d2c48f4fa4b0285889ef6c7667e12a1c0eda1393632ef2eac67b32777bf096f7	MalwareBazaar
f4c41111960771e0d7558ec2453b76ba9c422fcb9408e09a8de1fd611c272846	MalwareBazaar

SnowFlake Stealer

Writeups

• 2022-02-14 - Finch4 - SnowFlake Stealer Analysis

Samples

SHA-256 Hash	Download Link
1ae99a454f6c11e30c346ca825e2d20bc5450ddb808f25dd20a4d952604d34f0	MalwareBazaar
4f10f503422560da8a332c30323401af59a914af940716d06e139ed7371be53f	MalwareBazaar
5e1626ac3140548619efba38a154b98234080908158378ad2e7e4af9e92cfbb8	MalwareBazaar
674f31aed8544f2f54423de908559f3d1964ef4f3391d2bf989915766b8c42e9	MalwareBazaar
8441c5d0d5ee30f94f54459ba89a3a2d20677d98313c120f32bf98015214049f	MalwareBazaar
b44db0bf0992d55c7353fe368322fe0b1e912b2a381c4bf8b7c56c9fcd2a86ff	MalwareBazaar

SPICA

Writeups

• 2024-01-18 - Google TAG - Russian threat group COLDRIVER expands its targeting of Western officials to include the use of malware

Samples

SHA-256 Hash	Download Link
37c52481711631a5c73a6341bd8bea302ad57f02199db7624b580058547fb5a9	MalwareBazaar

SSLoad

Writeups

• 2024-04-11 - Palo Alto Networks - Contact Forms Campaign Pushes SSLoad Malware

Malpedia

• win.ssload

Samples

SHA-256 Hash	Download Link
09ffc4188bf11bf059b616491fcb8a09a474901581f46ec7f2c350fbda4e1e1c	MalwareBazaar

SysJoker (Rust variant)

Aliases

RustDown

Writeups

• 2023-11-23 - Check Point - Israel-Hamas War Spotlight: Shaking the Rust Off SysJoker
• 2023-11-27 - Intezer - WildCard: The APT Behind SysJoker Targets Critical Sectors in Israel

Malpedia

• win.sysjoker

Samples

SHA-256 Hash	Download Link
d4095f8b2fd0e6deb605baa1530c32336298afd026afc0f41030fa43371e3e72	MalShare

Tetra Loader

Writeups

• 2025-05-22 - Cisco - UAT-6382 exploits Cityworks zero-day vulnerability to deliver malware

Malpedia

• win.tetra_loader

Samples

SHA-256 Hash	Download Link
14ed3878b6623c287283a8a80020f68e1cb6bfc37b236f33a95f3a64c4f4611f	MalwareBazaar
1c38e3cda8ac6d79d9da40834367697a209c6b07e6b3ab93b3a4f375b161a901	MalwareBazaar
4ffc33bdc8527a2e8cb87e49cdc16c3b1480dfc135e507d552f581a67d1850a9	MalwareBazaar

Notes

According to Cisco Talos, Tetra Loader is built using an open-source Rust payload builder framework called MaLoader (https://github.com/lv183037/MaLoader/).

Zeon Ransomware (Rust variant)

Writeups

• 2022-06-22 - SentinelOne - From the Front Lines | 3 New and Emerging Ransomware Threats Striking Businesses in 2022

Samples

SHA-256 Hash	Download Link
fb57abf08a85f1d7ca0a6fdcd76b04ccf964a5b05f2f784492083994773e4590	MalShare

Notes

There is a lack of good open reporting on Zeon Ransomware, so I will clarify a few potential points of confusion in the notes here.

There are samples which have been identified as Zeon Ransomware, but which are written with Python rather than Rust. These samples are packaged via PyInstaller, and obfuscated with PyArmor. For example, c860bf644bd5e3d6f4cae67848c4fc769184ae652fcb41cac670042b185d217a (MalShare) is a PyInstaller file which drops a nearly identical ransom note as the highlighted Rust sample above, fb57abf08a85f1d7ca0a6fdcd76b04ccf964a5b05f2f784492083994773e4590 The ransom note of both samples say "All of your files are currently encrypted by ZEON strain", and link to the same Tor site (http[:]//zeonrefpbompx6rwdqa5hxgtp2cxgfmoymlli3azoanisze33pp3x3yd[.]onion), for victims to begin the payment process.

There is reporting which states that Zeon Ransomware is connected to Royal Ransomware, such as CISA's advisory on Royal Ransomware. However, I have not been able to find any reporting that states Royal Ransomware is written in Rust, nor any Rust samples of Royal Ransomware.