World Leaks Ransomware Adds Custom Malware ‘RustyRocket’ to Attacks

By Team-CWD, February 12, 2026


World Leaks, the cyber-criminal data extortion group that has targeted some of the world’s biggest companies, has added a novel, never-before-seen malware to its arsenal, research by Accenture Cybersecurity has revealed.

Accenture has named the malware ‘RustyRocket’. It allows World Leaks to stealthily maintain persistence on networks and forms a key part of the extortion group’s attacks.

“The sophisticated toolset is a critical component of World Leaks’ operations and has functioned entirely under the radar, enabling affiliates to stealthily exfiltrate data and proxy traffic across victim environments,” T. Ryan Wheeler, MD and global head of Accenture cyber intelligence, said in a LinkedIn post that revealed the research.

World Leaks is classed as a ransomware group, but rather than encrypting data and demanding a ransom for a decryption key, it steals sensitive corporate and personal data and then threatens to publish it if it is not paid a ransom.

The group has claimed Nike among their victims and exposed over 188,000 stolen files after the sports brand refused to give in to extortion demands.

RustyRocket, A Sophisticated Rust Malware

Written in Rust and designed to target both Microsoft Windows and Linux environments, RustyRocket is described as a “sophisticated data exfiltration and proxy tool” which allows attackers to steal data through heavily obfuscated, multi-layered encrypted tunnels.

This blends the malicious traffic into legitimate network activity. Researchers note that this makes RustyRocket activity by World Leaks “exceptionally difficult” to detect.

The malware is also designed to be difficult to monitor. To achieve this, RustyRocket employs a novel execution guardrail: it requires the user to input a pre-encrypted configuration at runtime.

“In short, this means RustyRocket is extremely hard to spot and highly flexible, making it perfectly crafted to steal data, proxy networks, and spearhead extortion‑focused cyber-attacks,” said Wheeler.

World Leaks has been active since early 2025 and typically gains initial network access via social engineering, stolen credentials or exploiting exposed infrastructure.

By deploying sophisticated, stealthy tools like RustyRocket, World Leaks can maintain persistence within the network, using that time to gather the data that is ultimately used for extortion.

“RustyRocket is a good example of how hackers are evolving techniques to confound traditional defenses,” said Wheeler.

“It demonstrates that the best defense for enterprises is to strengthen defenses by leaning into advanced approaches for continuous threat exposure management, security testing, and red teaming, all while preparing your people to be ready for such attacks,” he added.

To help defend against World Leaks cyber-attacks that deploy RustyRocket, as well as similar malware, ransomware and extortion campaigns, Accenture recommended that organizations monitor for anomalous outbound data transfers and apply network segmentation to limit lateral movement by attackers.
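
Because the tunnels are encrypted and blend into normal traffic, monitoring for anomalous outbound transfers comes down to volume baselining rather than content inspection. The sketch below is an added example, not Accenture's tooling or anything from the research: it scores each internal host's daily egress against that host's own history, and the flow records, internal address range and threshold are constructed assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import median

INTERNAL = [ip_network("10.0.0.0/8")]  # assumption: the organization's internal range
MB = 1_000_000

def is_internal(addr):
    return any(ip_address(addr) in net for net in INTERNAL)

def daily_egress(flows):
    """Sum bytes sent by internal hosts to external destinations, per (host, day)."""
    totals = defaultdict(int)
    for day, src, dst, sent in flows:
        if is_internal(src) and not is_internal(dst):
            totals[(src, day)] += sent
    return totals

def anomalous_hosts(flows, today, threshold=6.0, min_history=5):
    """Flag hosts whose egress today is far above their own median/MAD baseline."""
    totals = daily_egress(flows)
    history = defaultdict(list)
    for (host, day), total in totals.items():
        if day != today:
            history[host].append(total)
    flagged = {}
    for host, past in history.items():
        if len(past) < min_history:
            continue  # too little history to call anything anomalous
        med = median(past)
        mad = median(abs(v - med) for v in past) or 1  # guard a perfectly flat baseline
        score = 0.6745 * (totals.get((host, today), 0) - med) / mad  # modified z-score
        if score > threshold:
            flagged[host] = round(score, 1)
    return flagged

def sample_flows():
    """Constructed flow records: (day, source, destination, bytes sent)."""
    flows = []
    workstation = [50, 55, 48, 52, 51, 49, 53]      # MB/day, small and steady
    backup = [900, 950, 870, 920, 910, 880, 940]    # MB/day, large but steady
    for i, (w, b) in enumerate(zip(workstation, backup), start=1):
        day = f"2026-01-{i:02d}"
        flows += [(day, "10.0.1.15", "203.0.113.10", w * MB),
                  (day, "10.0.2.20", "198.51.100.7", b * MB),
                  (day, "10.0.1.15", "10.0.2.20", 5000 * MB)]  # internal, ignored
    flows += [("2026-01-08", "10.0.1.15", "203.0.113.99", 4000 * MB),
              ("2026-01-08", "10.0.2.20", "198.51.100.7", 930 * MB)]
    return flows
```

Calling `anomalous_hosts(sample_flows(), "2026-01-08")` flags only the workstation: the backup server moves far more data every day, but it stays within its own baseline, which a fixed byte threshold would get wrong in both directions.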


