Skip to content
· 6 min read MEDIUM @Sdmrf

Why Malware Authors Are Switching to Rust (And What It Means for Defenders)

Examining the trend of malware written in Rust - from BlackCat to RustBucket - and the detection challenges this creates.

#rust #malware #reverse-engineering #analysis
On this page

If you’ve been following malware trends, you’ve noticed more samples written in Rust. BlackCat/ALPHV ransomware. RustBucket from North Korea. Numerous infostealers and loaders.

This isn’t just a curious trend - it has real implications for detection and analysis. Let’s dig into why this is happening and what it means.

Why Malware Authors Are Choosing Rust

1. Memory Safety Features

Ironically, Rust’s safety features benefit malware authors. Memory-safe code means:

  • Fewer crashes during execution
  • More reliable C2 communication
  • Stable operation across diverse victim environments

Malware that crashes before completing its objective is useless. Rust helps prevent that.

2. Cross-Platform Compilation

Rust makes it trivial to compile for multiple platforms:

# Compile for Windows from Linux
rustup target add x86_64-pc-windows-gnu
cargo build --target x86_64-pc-windows-gnu

# macOS
rustup target add x86_64-apple-darwin
cargo build --target x86_64-apple-darwin

One codebase, multiple targets. For operators running large campaigns, this reduces development effort significantly.

3. Performance

Rust compiles to native code with minimal runtime overhead. For malware that needs to:

  • Encrypt files quickly (ransomware)
  • Process large data sets (stealers)
  • Maintain persistence without draining resources

…performance matters. Rust delivers.

4. Detection Evasion (Sort Of)

There’s a common claim that “Rust malware evades AV better.” Reality is more nuanced:

What’s true:

  • AV products have fewer Rust-specific signatures
  • Analysis tools are less mature for Rust binaries
  • Some static analysis engines struggle with Rust patterns

What’s exaggerated:

  • Behavioral detection still works
  • Rust malware still makes API calls that can be hooked
  • It’s “security through obscurity” that degrades over time

5. Modern Tooling and Ecosystem

Rust’s cargo ecosystem provides easy access to:

  • HTTP clients
  • Cryptography libraries
  • Serialization formats
  • Cross-platform abstractions

Less time reinventing wheels, more time developing capabilities.

The Analysis Challenge

Here’s where defenders feel the pain.

Reversed Code Looks Different

Traditional C/C++ malware produces familiar patterns. Rust’s abstractions produce different output:

C function call:

void call_api() {
    SomeAPI(param1, param2);
}

Rust equivalent after compilation:

- Additional wrapper functions
- Iterator machinery
- Result/Option handling code
- Lifetime management artifacts

Analysts trained on C patterns need to relearn recognition.

String Handling

Rust strings aren’t null-terminated C strings. They’re fat pointers with length metadata:

// Rust string in memory
struct String {
    ptr: *mut u8,    // Pointer to buffer
    len: usize,      // Length
    capacity: usize, // Allocated capacity
}

String extraction tools expecting null terminators miss things.

Error Handling Noise

Rust’s Result type generates significant code for error handling:

// This simple code
let data = read_file()?;

// Generates considerable assembly for:
// - Checking Result variant
// - Unwrapping success case
// - Propagating error case

Disassembly is filled with error path code that obscures actual functionality.

Monomorphization

Rust generics are monomorphized - each concrete type gets its own copy:

fn process<T: Display>(item: T) { ... }

// Called with:
process(42);        // Generates process_i32
process("string");  // Generates process_str

Binary size increases. Code paths multiply. Analysis takes longer.

Tools That Help

The good news: tooling is catching up.

IDA Pro

Recent versions have improved Rust support:

  • Better FLIRT signatures for std library
  • Rust type reconstruction
  • Demangling improvements

Still not perfect, but usable.

Ghidra

The Ghidra Rust plugin helps with:

  • Standard library identification
  • Type reconstruction
  • String recovery
# Install from GitHub
# ghidra_rust - community maintained

Specialized Tools

rust-reversing-helper: IDA plugin specifically for Rust

cargo-bloat: If you have the source, identifies size contributors

rust-analyzer: Understanding legitimate Rust code helps recognize patterns in malware

Detection Strategies

How do you detect Rust malware given these challenges?

Behavioral Focus

The malware still has to do malicious things:

  • File encryption (ransomware)
  • Credential access (stealers)
  • C2 communication (RATs)
  • Persistence mechanisms

Hook the APIs, monitor the behaviors. The language doesn’t change what the malware does.

Binary Characteristics

Rust binaries have identifiable features:

Indicators of Rust binary:
- Presence of "rust" or "cargo" in strings
- panic handler references
- Standard library function names (even if stripped)
- Specific compiler artifacts
- Large binary size for simple functionality

Not foolproof, but useful for initial triage.

Network Signatures

C2 protocols are C2 protocols regardless of implementation language. Protocol analysis and network detection work unchanged.

Memory Patterns

At runtime, Rust malware creates observable artifacts:

  • Heap allocation patterns
  • Thread creation
  • Library loading

EDR behavioral detection remains effective.

Case Studies

BlackCat/ALPHV Ransomware

The most prominent Rust ransomware. Key features:

  • Cross-platform (Windows, Linux, ESXi)
  • Configurable encryption modes
  • Access token-based execution
  • Native encryption performance

The Rust choice clearly benefited their operation before their 2024 exit scam.

RustBucket (Lazarus Group)

North Korea’s Rust-based macOS malware:

  • Targets cryptocurrency companies
  • Multi-stage loader
  • Disguised as PDF reader
  • Cross-platform aspirations

Shows nation-states adopting the trend.

Various Stealers

Multiple infostealers have Rust variants:

  • Luca Stealer
  • Various custom stealers on forums

The stealer use case benefits from Rust’s reliable execution.

What To Expect

More Rust malware coming:

  • Language continues growing in popularity
  • Tooling makes development easier
  • Cross-platform benefits are significant

Analysis will improve:

  • IDA, Ghidra plugins maturing
  • Community knowledge accumulating
  • Training materials emerging

It’s not magic:

  • Behavioral detection still works
  • Network detection still works
  • Memory analysis still works

Recommendations for Blue Teams

  1. Update your tools - Ensure analysis platforms have current Rust support
  2. Train analysts - Familiarity with Rust patterns reduces analysis time
  3. Focus on behavior - Don’t rely solely on static signatures
  4. Share intelligence - Rust malware analysis is still developing community knowledge

For Malware Analysts

If you’re not already:

  • Learn basic Rust (understanding the language helps analysis)
  • Practice on legitimate Rust binaries first
  • Contribute to community tooling
  • Document patterns you discover

The learning curve is real, but manageable.

Rust won’t make malware invisible. It makes analysis harder for a while, until defenders adapt. We’re in that adaptation phase now.

Related Articles

high·5 min read

Inside the Lumma Stealer Takedown: How a Joint Operation Disrupted MaaS Infrastructure

A technical breakdown of the coordinated takedown of Lumma Stealer's infrastructure, the malware's capabilities, and why it'll probably be back.