Threat actors are increasingly abandoning traditional languages like C and C++ in favor of modern alternatives such as Golang, Rust, and Nim. <\/p>\n
This strategic shift enables developers to compile malicious code for both Linux and Windows<\/a> with minimal modifications. <\/p>\n Among the emerging threats in this landscape is \u201cLuca Stealer,\u201d a Rust-based information stealer that has recently appeared in the wild alongside other notable threats such as BlackCat ransomware<\/a>.<\/p>\n While Rust\u2019s adoption in the malware community <\/a>is still in its early stages compared to Golang, it is expanding rapidly. <\/p>\n Luca Stealer represents a significant development as it was released publicly under an open-source model. <\/p>\n This availability provides security researchers with a unique opportunity to study how Rust is used in malicious software design, offering critical insights for future defense strategies. <\/p>\n The shift to these languages requires defenders to develop new analysis techniques to detect and reverse-engineer these sophisticated binaries.<\/p>\n Analyzing Rust binaries presents unique challenges for defenders using standard tools. Unlike standard C programs, Rust executables handle strings differently. <\/p>\n Rust strings are not null-terminated, meaning they do not end with a \u201cnull byte\u201d to mark the end of the text. This often causes reverse engineering tools like Ghidra to misinterpret data, leading to overlapping string definitions. <\/p>\n Analysts must usually manually clear code bytes and redefine strings to identify valid data correctly.<\/p>\n Additionally, finding the primary function in a Rust binary requires specific knowledge of the compiler\u2019s output. <\/p>\n According to Binary Defence<\/a>, the entry point typically initialises the environment and then calls a specific internal function (std::rt::lang_start_internal). <\/p>\n This function receives the address of the actual user-written primary function, which researchers can identify by tracing the arguments passed during this call.<\/p>\n One advantage for defenders is the presence of artifacts left by the Rust build system, Cargo. External dependencies, known as \u201ccrates,\u201d are often statically linked into the binary. <\/p>\n By searching for specific string patterns, such as\u00a0cargoregistry, analysts can list the libraries a malware sample uses, such as\u00a0reqwest\u00a0for HTTP requests. <\/p>\n Furthermore, compilation artifacts like PDB paths may remain in the \u201cDebug Data<\/a>\u201d section, potentially leaking the author\u2019s username or system paths. <\/p>\n As threat actors continue to leverage Rust, understanding these structural nuances is essential for effective detection.<\/p>\n Follow us on Google News<\/a>, LinkedIn<\/a>, and X<\/a> for daily cybersecurity updates. Contact us<\/a> to feature your stories.<\/strong><\/p>\n The post Rust-Based Luca Stealer Spreads Across Linux and Windows Systems<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\nThe Rise of Luca Stealer<\/strong><\/h2>\n
![\"built](\"https:\/\/i0.wp.com\/gbhackers.com\/wp-content\/uploads\/2025\/12\/image-89.png?ssl=1\")
![\"leak](\"https:\/\/i0.wp.com\/gbhackers.com\/wp-content\/uploads\/2025\/12\/image-90.png?ssl=1\")
![\"Running](\"https:\/\/i0.wp.com\/gbhackers.com\/wp-content\/uploads\/2025\/12\/image-91.png?ssl=1\")
Indicators of Compromise (IoCs)<\/strong><\/h2>\n
\n\n
\n \nType<\/th>\n Identifier<\/th>\n Description<\/th>\n<\/tr>\n<\/thead>\n \n SHA256<\/strong><\/td>\n 8f47d1e39242ee4b528fcb6eb1a89983c27854bac57bc4a15597b37b7edf34a6<\/code><\/td>\nUnknown Rust Malware Sample<\/td>\n<\/tr>\n \n String<\/strong><\/td>\n cargoregistry<\/code><\/td>\nIndicator of Rust crate dependencies<\/td>\n<\/tr>\n \n String<\/strong><\/td>\n std::rt::lang_start_internal<\/code><\/td>\nIndicator of Rust runtime entry point<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n