Back to Intelligence

RustyRocket Malware: Detecting World Leaks Group’s Custom Extortion Toolkit

SA
Security Arsenal Team
April 7, 2026
5 min read

Accenture Cybersecurity has issued a critical warning regarding the "World Leaks" cybercrime group, which has augmented its extortion operations with a new, custom-built malware toolkit dubbed "RustyRocket." This development signals a shift toward more sophisticated, stealthy attack methodologies designed to evade standard endpoint detection and response (EDR) controls.

Unlike commodity ransomware, RustyRocket is characterized as a sophisticated toolset specifically engineered for stealth and persistence, likely leveraging custom code to bypass signature-based defenses. For defenders, this means traditional reactive defenses are insufficient. The presence of RustyRocket in an environment indicates an active, human-operated extortion campaign with the intent to exfiltrate data and encrypt assets. Immediate action is required to hunt for this artifact and harden detection capabilities.

Technical Analysis

Threat Actor: World Leaks Malware Family/Tool: RustyRocket (Custom Malware) Attack Vector: Extortion / Encryption-based attack

Attack Chain & Methodology:

Based on the advisory from Accenture, World Leaks is integrating RustyRocket into the latter stages of their attack lifecycle, primarily post-initial access.

  1. Initial Access: While the specific vector for RustyRocket delivery (e.g., phishing, exploited vulnerability) varies by campaign, the group focuses on gaining a foothold to deploy their toolkit.
  2. Execution & Stealth: RustyRocket is described as "stealthy" and "custom." In modern threat landscapes, this often implies the use of compiled languages (such as Rust or Go) to strip standard API calls and make static analysis difficult. It likely employs anti-analysis techniques to evade sandbox detonation.
  3. Payload Capabilities: As part of an "encryption-based" incident, the tool is likely used to facilitate lateral movement, disable security controls, and eventually execute encryption or file-theft routines for extortion.
  4. Impact: The ultimate goal is extortion. The deployment of this custom tool suggests the group is investing in operational security (OpSec) to maintain access longer than traditional "smash-and-grab" ransomware operators.

Exploitation Status: Active exploitation is confirmed. Accenture has identified this toolset in ongoing extortion campaigns.

Detection & Response

The following detection rules and hunt queries are designed to identify the specific artifacts and behaviors associated with RustyRocket and the World Leaks group's tactics.

Sigma Rules

YAML
---
title: Potential RustyRocket Malware Execution
id: 8d4c92e1-3a5f-4c2a-9b1d-7f8e9c0a1b2d
status: experimental
description: Detects the execution of processes using the suspected name 'RustyRocket' or variants referenced in recent World Leaks threat intelligence.
references:
 - https://www.infosecurity-magazine.com/news/world-leaks-ransomware-rustyrocket/
author: Security Arsenal
date: 2024/05/22
tags:
 - attack.execution
 - attack.t1204
logsource:
 category: process_creation
 product: windows
detection:
 selection:
   Image|contains:
     - 'RustyRocket'
   - OriginalFileName|contains:
     - 'RustyRocket'
 condition: selection
falsepositives:
 - Unlikely, requires investigation
level: critical
---
title: Ransomware Shadow Copy Deletion
id: f9e1d2a3-4b5c-6d7e-8f9a-1b2c3d4e5f6a
status: stable
description: Detects commands used to delete Volume Shadow Copies, a common precursor to encryption in World Leaks incidents.
references:
 - https://attack.mitre.org/techniques/T1490/
author: Security Arsenal
date: 2024/05/22
tags:
 - attack.impact
 - attack.t1490
logsource:
 category: process_creation
 product: windows
detection:
 selection:
   CommandLine|contains:
     - 'vssadmin delete shadows'
     - 'wmic shadowcopy delete'
     - 'wbadmin delete catalog'
falsepositives:
 - System administrative maintenance (rare)
level: high

KQL (Microsoft Sentinel / Defender)

This hunt query looks for the specific process name associated with the new toolset, as well as generic ransomware precursor behavior often seen in these campaigns.

KQL — Microsoft Sentinel / Defender
// Hunt for RustyRocket artifacts and ransomware precursor behavior
DeviceProcessEvents
| where Timestamp > ago(7d)
| where ProcessName has "RustyRocket" 
   or ProcessVersionInfoOriginalFileName has "RustyRocket"
   or ProcessCommandLine has "vssadmin delete shadows" 
   or ProcessCommandLine has "wbadmin delete catalog"
| project Timestamp, DeviceName, InitiatingProcessAccountName, FileName, ProcessCommandLine, FolderPath
| order by Timestamp desc

Velociraptor VQL

Velociraptor is essential for confirming the presence of the file on disk, especially if the process has already terminated. This artifact hunts for the specific executable name.

VQL — Velociraptor
-- Hunt for RustyRocket executable artifacts on disk
SELECT FullPath, Size, Mtime, Atime, Mode
FROM glob(globs="C:\\Users\\**\\RustyRocket.exe")

-- Hunt for running RustyRocket processes
SELECT Pid, Name, Exe, CommandLine, StartTime
FROM pslist()
WHERE Name =~ 'RustyRocket'

Remediation Script (PowerShell)

Use this script on potentially compromised endpoints to identify and quarantine the suspected artifact. This requires administrative privileges.

PowerShell
# Hunt for and suspend RustyRocket processes
$MaliciousProcess = "RustyRocket"
$FoundProcesses = Get-Process -Name $MaliciousProcess -ErrorAction SilentlyContinue

if ($FoundProcesses) {
    Write-Host "[ALERT] Detected malicious process: $MaliciousProcess (PID: $($FoundProcesses.Id))"
    Stop-Process -Id $FoundProcesses.Id -Force
    Write-Host "[ACTION] Process terminated."
} else {
    Write-Host "[INFO] No running processes found matching $MaliciousProcess."
}

# Scan common user directories for the artifact
Write-Host "[INFO] Scanning for suspicious executables..."
$PathsToScan = @("C:\Users\", "C:\ProgramData\", "C:\Windows\Temp")

foreach ($Path in $PathsToScan) {
    if (Test-Path $Path) {
        Get-ChildItem -Path $Path -Recurse -Filter "*RustyRocket*" -ErrorAction SilentlyContinue | ForEach-Object {
            Write-Host "[FOUND] Malicious file at: $($_.FullName)"
            # Quarantine logic (delete file)
            # Remove-Item -Path $_.FullName -Force -Confirm:$false
        }
    }
}

Remediation

  1. Immediate Isolation: If RustyRocket is detected, isolate the affected host from the network immediately to prevent lateral movement and further encryption.
  2. Threat Hunting: Utilize the provided Sigma rules and VQL artifacts to scan the entire enterprise environment for signs of compromise. World Leaks often operates with manual hands-on-keyboard activity; look for unusual RDP or SMB lateral movement.
  3. Indicator Enrichment: Extract any file hashes, IP addresses, or domain names associated with the RustyRocket binary and block them at the firewall and proxy level.
  4. Credential Reset: Assume that credentials have been compromised. Force a reset for all privileged accounts and any accounts logged into the affected machines during the intrusion window.
  5. Vendor Advisory: Refer to the specific guidance provided by Accenture regarding the IOCs for this campaign.

Related Resources

Security Arsenal Incident Response Services AlertMonitor Platform Book a SOC Assessment incident-response Intel Hub

incident-responseransomwareforensicsworld-leaksrustyrocketmalwareextortion

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action