RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow

RustDuck is a small, evolving DDoS botnet migrating to Rust. It uses advanced encryption, anti-analysis evasion, and exploits known IoT flaws.

Since February 2026, researchers at QiAnXin’s XLab have been tracking a new malware family, called RustDuck, that hijacks routers, cameras, Android set-top boxes, and exposed servers, then uses them to flood targets with junk traffic until they go offline. It’s not the biggest DDoS botnet around right now, and that’s almost beside the point.

“The reason XLab flagged it is the speed at which it’s changing. The codebase is actively migrating from C to Rust, and each new variant brings meaningfully more sophisticated encryption, evasion, and communication design.” reads the report published by XLab.

“Although the family’s current activity level and influence in DDoS attacks are not yet comparable to some mainstream botnets, its speed of technological evolution deserves significant attention. Research has found that the family is undergoing a comprehensive technological transition from C to Rust, and its anti-defense and traffic encryption techniques are also iterating rapidly.”

RustDuck doesn’t rely on a single entry point. It combines weak and default passwords on Telnet and SSH interfaces with a broad list of known device vulnerabilities. Targeted hardware includes Android ADB interfaces, DVRs and cameras from TVT, and networking gear from Ruijie, TP-Link, and ZTE. On the software side, it goes after exposed ThinkPHP installations, Jenkins servers, and Hadoop YARN endpoints, which pushes its reach from cheap home hardware into server environments.

The named CVEs in its arsenal range from recent to ancient. CVE-2025-29635 is a command-injection flaw in discontinued D-Link DIR-823X routers that CISA added to its Known Exploited Vulnerabilities list in April 2026. CVE-2017-17215 is a remote code execution bug in Huawei HG532 routers that Mirai variants were already abusing nine years ago. CVE-2024-1781 hits Totolink X6000R routers whose manufacturer never responded to the disclosure. CVE-2018-8007 targets an authenticated admin code execution path in Apache CouchDB. XLab observed more than 20 IP addresses actively spreading the botnet, with 176.65.139[.]204 the most active delivery source.

The XLab researchers reported that RustDuck installs itself in two stages. A loader arrives first, decrypts a compressed payload, and hands execution to a heavier core module. The loader itself has gone through four documented variants, each with a different encryption scheme: the first used a Linear Congruential Generator with XOR and LZ4 compression; the second upgraded to Xoshiro128 with hardcoded constants designed to make batch decryption nearly impossible; the third reverted to standard XOR with a fixed magic string; the fourth introduced ChaCha20 as the stream cipher. The progression isn’t random. Each step reflects the authors responding to detection.

The core module is where the Rust rewrite is happening, and Rust binaries are genuinely harder to analyze than the C that has powered device malware for years. That’s not a minor operational detail. It means the newer samples resist the standard toolkit analysts have used on IoT malware since Mirai.

Before RustDuck does anything visible, the core module runs a weighted scoring system to decide whether it’s sitting on a real victim device or inside a researcher’s lab. Each detected condition adds points to a risk score. Hit the threshold, and the malware erases its traces and exits cleanly.

“To thwart automated sandbox analysis and dynamic debugging by reverse engineers, the Core module incorporates a dynamic weight scoring mechanism. During runtime, the software iterates through various environment checks.” continues the report. “When the accumulated risk score exceeds a preset threshold, the program automatically erases traces and exits.”

The highest-weight checks, worth 100 points each, scan the process list for tools like Wireshark, gdb, and Frida, read /proc/self/status to detect an attached debugger, and verify a SHA256 checksum appended to the malware’s own file so it knows if anyone has modified it or inserted breakpoints. A check worth 50 points looks for honeypot configuration files from Cowrie and Dionaea in standard system paths. Another worth 35 points makes an asynchronous connection attempt to 192.0.2.1, an IP address reserved for testing that should never respond on a real network. If it does respond, the malware knows it’s inside a fake environment built to fool it, and leaves.

The timing check is particularly well-constructed. It samples two independent clocks before and after a deliberate half-second sleep, then compares the difference. A sandbox that speeds up time to rush malware through its behavior, or a debugger that pauses execution at a breakpoint, will show an anomaly in that comparison. Both conditions trigger an exit.

Once the malware decides the environment is genuine, it initiates a structured two-phase connection to its command-and-control infrastructure. The handshake phase uses ChaCha20-Poly1305 encryption and a Curve25519 key exchange, with session keys derived through HKDF-SHA256. The key rotates every ten minutes. After the handshake completes, the session switches to AES-GCM with separate keys for traffic going up to the server and commands coming down, a design that breaks the assumption that capturing one key gives you both directions of the conversation.

The command loop traffic adds a three-byte header that mimics the structure of standard TLS records, which helps the traffic blend into normal encrypted web traffic at the network layer.

“The new variant’s network communication protocol deeply references the IK pattern of the Noise protocol framework. Relying on the client’s hardcoded server static public key and the ephemeral public key generated at runtime for ECDH, session keys are derived. Additionally, the protocol introduces a global MsgID across all phases, which is used for message sequence verification and participates in rolling generation of new keys.” continues the report. “This design cuts off the possibility of decrypting traffic on the network side using plaintext keys.”

The C2 domains lean on free dynamic DNS services, specifically duckdns.org, which is where the name comes from.

Once a device checks in successfully, the operator has five commands available: launch a DDoS attack across various flood types, stop an active attack, fetch the device’s current status and resource usage, upgrade the malware to a newer build, and push new C2 infrastructure dynamically. That last one matters because it means the operator can rotate away from a blocklisted domain without losing the infected device.

RustDuck isn’t the first botnet to pick up Rust. Fortinet documented RustoBot in April 2025, a Rust-based DDoS botnet spreading through Totolink and other routers using a structurally similar playbook. The broader DDoS landscape has been brutal this year: AISURU and related botnets, combining over three million hijacked devices, drove attacks approaching 30 Tbps before a US-led takedown this spring. Next to that scale, RustDuck is currently small.

One detail XLab flags without drawing a firm conclusion: the most active delivery IP, 176.65.139[.]204, sits in the same small address block as infrastructure tied to a separate ADB-targeting DDoS botnet reported earlier in 2026. Shared bulletproof hosting is a plausible explanation. Worth noting either way.

There’s no single patch for RustDuck because it’s not a single vulnerability. Shutting down its entry points means getting remote management interfaces off the public internet entirely, disabling Android Debug Bridge where it isn’t needed, and never leaving Telnet or SSH reachable with default credentials. CouchDB has patched releases available. The D-Link DIR-823X does not, and CISA’s guidance is to pull it from service. The Totolink maker never responded to the disclosure at all. Gear past end-of-life needs to be replaced, not managed around.

XLab’s full report includes the loader SHA1 hashes, known C2 domains, and the active delivery addresses. Feed them into your monitoring now, before the next variant makes the current indicators stale.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, newsletter)

Leave a Reply

Your email address will not be published. Required fields are marked *

Subscribe to our Newsletter