Hackers Launch Rust-Based Luca Stealer Targeting Linux and Windows
Cybercriminals are shifting away from traditional programming languages like C and C++ and towards modern alternatives such as Rust, Golang, and Nim, allowing them to write malicious code that can be easily compiled for both Windows and Linux with minimal modifications.
This strategic move enables threat actors to streamline their malware development process, and a newly identified information-stealing malware called “Luca Stealer” is leading the charge, having been built entirely in Rust and released as open-source code.
The rise of Rust-based threats is a growing concern, with malware written in Golang becoming increasingly common, while Rust adoption is still in its early stages but gaining momentum rapidly.
The Rise of Rust-Based Threats
Luca Stealer marks a significant milestone in the evolution of Rust-based malware, joining other notable threats such as the BlackCat ransomware, and its public availability serves as a blueprint for less experienced cybercriminals to study and learn from.
The open-source model of Luca Stealer accelerates the development of new malware variants, forcing security defenders to adapt their analysis techniques to detect these cross-platform threats quickly.

Analyzing Rust malware presents unique challenges for security researchers, as Rust binaries handle text strings differently, often lacking “null terminators” that usually mark the end of a sentence in computer code.
According to Binary Defence, this causes analysis tools to misinterpret data, resulting in overlapping text and garbled output, and the Rust compiler organizes code in complex ways, making it challenging to locate the malicious program’s main entry point.
However, Rust malware leaves behind distinct digital fingerprints that researchers can leverage, including the presence of “crates” or external software libraries managed by the Rust build system, known as “Cargo).

By examining these embedded text strings, analysts can identify precisely which third-party libraries the malware uses, and careless developers often leave behind “PDB paths” file locations from their own computers that get saved into the malware during the build process.
These paths can reveal the attacker’s username and the directory structure of their development machine, and in a recent analysis of an unknown Rust sample, researchers used these indicators to map out the malware’s capabilities and trace its origins.

Indicators of Compromise (IoC)
| Indicator Type | Value | Description |
|---|---|---|
| SHA256 | 8f47d1e39242ee4b528fcb6eb1a89983c27854bac57bc4a15597b37b7edf34a6 |
Rust-based malware sample hash |
| Crate Dependency | reqwest |
Library used for HTTP network requests |
| Crate Dependency | base64 |
Library used for data encoding |
| File Path | library\std\src\sys\windows\stdio.rs |
Internal Rust library path observed in analysis |