Rust for Malware Development


Author: Nick Cerne, Security Consultant III, Bishop Fox

One of my New Year’s resolutions for 2025 was to deepen my understanding of malware development, complementing my experience in gaining initial footholds through web application and API penetration testing. I was strongly motivated to enhance my own abilities, so I could better simulate real adversarial tactics. For malware development, I chose Rust as the primary programming language for its inherent anti-analysis features – allowing for the development of more evasive tooling.

In this blog post, we’ll compare developing malware in Rust with developing it in C, and build a simple malware dropper for demonstration.

Rust vs. C Languages – A Comparative Analysis

At this point, you might be wondering—why Rust? What advantages does using Rust for malware development have over traditional languages like C or C++?

In recent years, languages such as Go, Nim, and Rust have become increasingly popular amongst malware authors, a trend that appears to be motivated largely by two hypotheses:

  • Reverse engineering or analyzing binaries compiled in these languages is more difficult than their C/C++ counterparts.

  • Malware developed in an unconventional language is much more likely to bypass signature-based detection mechanisms.

In 2023, the Rochester Institute of Technology published a thesis that aimed to prove or disprove these hypotheses by performing a comparative analysis of malware developed in Rust and in C/C++. The study’s findings can be summarized as follows:

  • The size of Rust binaries is significantly larger than their C/C++ counterparts, which could increase reverse engineering efforts and complexity.

  • Automated malware analysis tools produced more false positives and false negatives when analyzing malware compiled in the Rust programming language.

  • Standard reverse engineering tools such as Ghidra and IDA Free disassemble Rust binaries noticeably less well than their C/C++ counterparts.
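The two hypotheses and the study’s findings above describe a problem from the analyst’s side: if automated tooling misclassifies Rust samples, triage needs a cheap way to recognise that a binary was built with the Rust toolchain in the first place. The following script is an added example written for this post, not code from the original article or from Bishop Fox. It uses a constructed, non-exhaustive list of strings that the Rust toolchain commonly leaves in release binaries (embedded panic messages, standard-library source paths, and legacy symbol mangling) and flags a sample when more than one distinct marker is present. The marker list, the threshold and the sample byte blobs are all assumptions made for this example.

```python
"""Heuristic triage: does a binary blob look Rust-compiled?

Added example for analyst triage; the marker list below is a constructed
heuristic, not an authoritative signature set.
"""
import re
from typing import Dict, List

# Constructed heuristic: strings the Rust toolchain commonly embeds because
# panic locations and messages are baked into the binary at compile time.
RUST_MARKERS: Dict[str, bytes] = {
    # rustc source path prefix, e.g. /rustc/<40-hex-commit>/library/std/src/...
    "rustc_source_path": rb"/rustc/[0-9a-f]{40}/",
    # standard library source paths retained for panic locations
    "std_source_path": rb"library/(?:core|std|alloc)/src/",
    # canonical unwrap() panic messages
    "unwrap_panic": rb"called `(?:Option|Result)::unwrap\(\)` on",
    # generic panic message prefix
    "panic_location": rb"panicked at",
    # crate paths pulled from the local cargo registry
    "cargo_registry": rb"\.cargo/registry/src/",
    # legacy Rust mangling: Itanium-style name ending in 17h<16 hex>E
    "legacy_mangled_symbol": rb"_ZN[0-9A-Za-z_$.]+17h[0-9a-f]{16}E",
}


def printable_strings(data: bytes, min_len: int = 6) -> List[bytes]:
    """Extract printable ASCII runs, the same view `strings` would give."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)


def rust_indicators(data: bytes) -> Dict[str, bytes]:
    """Return {marker_name: first matching string} for every marker found."""
    hits: Dict[str, bytes] = {}
    for s in printable_strings(data):
        for name, pattern in RUST_MARKERS.items():
            if name not in hits and re.search(pattern, s):
                hits[name] = s
    return hits


def triage(data: bytes, min_hits: int = 2) -> dict:
    """Classify a blob; require >1 distinct marker to limit false positives
    (a C program linking a Rust library can carry a single marker)."""
    hits = rust_indicators(data)
    verdict = "likely-rust" if len(hits) >= min_hits else "no-rust-markers"
    return {"verdict": verdict, "hit_count": len(hits), "evidence": hits}


# Constructed sample blobs (not real binaries): a fake PE header followed by
# the kind of strings each toolchain leaves behind.
RUST_SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 32
    + b"/rustc/8c0f1b2d3e4f5a6b7c8d9e0f1a2b3c4d5e6f7a8b/library/core/src/fmt/mod.rs\x00"
    + b"called `Option::unwrap()` on a `None` value\x00"
    + b"_ZN4core3fmt9Formatter3pad17h0123456789abcdefE\x00"
)
C_SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 32
    + b"Hello from C\x00kernel32.dll\x00VirtualAlloc\x00GCC: (GNU) 13.2.0\x00"
)


if __name__ == "__main__":
    for label, blob in (("rust_sample", RUST_SAMPLE), ("c_sample", C_SAMPLE)):
        result = triage(blob)
        print(f"{label}: {result['verdict']} ({result['hit_count']} markers)")
        for name, evidence in result["evidence"].items():
            print(f"  {name}: {evidence.decode(errors='replace')}")
```

In practice the same loop runs over a directory of samples before they go to a sandbox, so that anything tagged `likely-rust` gets routed to an analyst aware that automated verdicts on it are less reliable. Raising `min_hits` trades recall for precision; stripping symbols removes the mangled-name marker but usually not the embedded panic strings.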

To explore these results, we can analyze and compare two functionally identical shellcode loader samples, one developed in Rust and the other in C. At a high level, each sample performs the following:

  1. Read raw shellcode bytes from a file; the shellcode itself launches calc.exe.
  2. Write the shellcode into the memory of the local process and execute it using Windows APIs.

To read the full blog and explore how we built a Rust Malware Dropper, visit: https://bfx.social/rustmalwaredev.

Archie Marshall

Engineering practical AI solutions | Inventor of the Year Siemens PLC GB&I 2022

6 days ago

Interesting insight into why Rust vs. C languages are being used for malware; makes total sense to beat detection methods expecting the more conventional malware. Thanks for the insight, Nick.
