New RustDuck Malware Hijacks Routers, IP Cameras, and Servers to Launch DDoS Attacks

Cybersecurity researchers have uncovered a new malware family called RustDuck that is actively compromising home routers, IP cameras, Android TV boxes, and poorly secured servers to create a botnet capable of launching powerful distributed denial-of-service (DDoS) attacks.

Researchers from QiAnXin’s XLab, who have been tracking the malware since February 2026, say RustDuck is evolving rapidly. While the botnet is still relatively small, its sophisticated design and ongoing development suggest it could become a much larger threat.

Unlike many traditional IoT malware families written in C, RustDuck is being rewritten in Rust, making it more resilient, harder to analyze, and better equipped to evade security researchers.

RustDuck’s Goal: Build a Powerful DDoS Army

The primary purpose of RustDuck is to assemble a network of compromised internet-connected devices that can flood websites and online services with massive amounts of traffic.

These distributed denial-of-service (DDoS) attacks overwhelm servers with junk requests, preventing legitimate users from accessing online services.

Although DDoS botnets are nothing new, RustDuck introduces modern development practices and advanced anti-analysis capabilities rarely seen in IoT malware.

How RustDuck Infects Devices

Rather than relying on a single exploit, RustDuck aggressively scans the internet for multiple attack opportunities.

Weak or Default Passwords

The malware first attempts to compromise devices that expose Telnet or SSH services protected by weak or factory-default credentials.

If login attempts succeed, the malware immediately installs itself.

Exploiting Unpatched Vulnerabilities

RustDuck also targets numerous known vulnerabilities affecting networking equipment and IoT devices from multiple vendors, including:

  • Huawei HG532 routers (CVE-2017-17215)
  • D-Link DIR-823X routers (CVE-2025-29635)
  • Totolink X6000R routers (CVE-2024-1781)
  • Apache CouchDB (CVE-2018-8007)

Researchers also observed attacks targeting exposed Android Debug Bridge (ADB) interfaces along with vulnerabilities affecting devices from TVT, Ruijie, TP-Link, and ZTE.

Many of these vulnerabilities have been publicly known for years but remain exploitable because organizations and home users have failed to apply security updates.

Targeting Enterprise Software

RustDuck extends beyond consumer hardware by attacking exposed enterprise applications, including:

  • ThinkPHP
  • Jenkins
  • Hadoop YARN

This broad attack surface enables the malware to compromise everything from home networking equipment to internet-facing business servers.

XLab identified more than 20 active distribution servers, with one of the busiest operating from 176.65.139[.]204.

A Two-Stage Malware Architecture

RustDuck installs itself in two stages.

The first component is a lightweight loader responsible for decrypting and launching the second-stage payload.

The second-stage module contains the malware’s core functionality and is increasingly being rewritten in Rust.

According to XLab, the transition from C to Rust represents far more than a simple code rewrite. The Rust implementation introduces stronger cryptography, improved key management, and significantly more advanced anti-analysis techniques.

Built to Evade Security Researchers

One of RustDuck’s most notable features is its extensive effort to avoid detection and analysis.

Before executing its malicious payload, the malware checks whether it is running inside a security research environment.

Among the indicators it looks for are:

  • Wireshark
  • GDB debugger
  • Virtual machine environments
  • Honeypots
  • Active debugging tools

Each detected indicator increases an internal risk score.

If the score exceeds a predefined threshold, RustDuck quietly deletes evidence of its execution and terminates itself before researchers can observe its behavior.

Researchers also highlighted two particularly clever detection techniques.

One test attempts to contact an IP address reserved exclusively for documentation and testing. Since that address should never respond on the public internet, any reply strongly suggests the malware is running inside an artificial analysis environment.

Another technique compares multiple system clocks to identify malware sandboxes that accelerate time to force malicious behavior to appear more quickly.
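The documentation-address test described above cuts both ways: a sandbox that synthesizes replies for every outbound connection hands the malware its answer, while a network monitor that watches for such connections gets an early warning. The script below is an added example, not code from XLab or from the article; it parses constructed flow-log lines in a hypothetical key=value format and flags any outbound connection to the RFC 5737 documentation blocks (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24), which no host on the public internet should ever be asked for. The article does not say which address RustDuck probes, so the example treats all three blocks as suspicious.

```python
import ipaddress
import re

# RFC 5737 reserves these blocks for documentation and examples; no host on the
# public internet should answer for them, so a reply to one is a sandbox tell.
DOCUMENTATION_RANGES = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("203.0.113.0/24"),
]

# Constructed sample flow records in a simplified key=value format (hypothetical
# schema for illustration, not any product's real log format).
SAMPLE_FLOWS = """\
2026-03-01T10:00:01Z src=10.0.0.15 dst=142.250.74.46 dport=443 proto=tcp
2026-03-01T10:00:02Z src=10.0.0.15 dst=192.0.2.10 dport=80 proto=tcp
2026-03-01T10:00:03Z src=10.0.0.22 dst=10.0.0.1 dport=53 proto=udp
2026-03-01T10:00:04Z src=10.0.0.15 dst=203.0.113.7 dport=443 proto=tcp
2026-03-01T10:00:05Z src=10.0.0.31 dst=151.101.1.69 dport=443 proto=tcp
"""

FLOW_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=(?P<proto>\S+)$"
)


def parse_flows(text):
    """Parse flow lines into dicts; lines that do not match the schema are skipped."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["dport"] = int(rec["dport"])
            flows.append(rec)
    return flows


def is_documentation_address(addr):
    """True if addr falls inside one of the RFC 5737 documentation blocks."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in DOCUMENTATION_RANGES)


def find_documentation_probes(text):
    """Return the flow records whose destination is a documentation address."""
    return [f for f in parse_flows(text) if is_documentation_address(f["dst"])]


def hosts_probing_documentation(text):
    """Sorted list of internal source hosts that attempted such connections."""
    return sorted({f["src"] for f in find_documentation_probes(text)})


if __name__ == "__main__":
    for flow in find_documentation_probes(SAMPLE_FLOWS):
        print(f"{flow['ts']} {flow['src']} -> {flow['dst']}:{flow['dport']} (documentation range)")
    print("hosts to triage:", hosts_probing_documentation(SAMPLE_FLOWS))
```

A single hit is a low-volume, high-signal event: legitimate software has no reason to connect to these blocks, so the source host is worth triaging. Analysts running a sandbox should make sure their fake-internet layer returns nothing for these ranges rather than answering every address.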

Encrypted Communications Hide Malicious Traffic

RustDuck secures all communication with its command-and-control (C2) servers using modern encryption standards.

The malware uses:

  • ChaCha20-Poly1305 during the initial handshake
  • AES-GCM for encrypted command traffic
  • HKDF-SHA256 for key derivation
  • Curve25519 for secure key exchange

Encryption keys rotate every 10 minutes, while network traffic is designed to closely resemble legitimate encrypted web communications, making detection significantly more difficult.

Remote Control Capabilities

Once infected devices connect to the command server, operators can remotely issue commands to:

  • Launch DDoS attacks
  • Stop active attacks
  • Report device status
  • Switch command-and-control servers
  • Download and install updated malware versions

RustDuck primarily uses free dynamic DNS services such as DuckDNS, which inspired the malware’s name.

Part of a Growing Trend

RustDuck joins a growing number of malware families written in Rust.

In 2025, researchers documented RustoBot, another Rust-based IoT botnet that infected vulnerable routers before launching DDoS attacks.

RustDuck appears to follow a similar strategy but incorporates considerably more sophisticated anti-analysis techniques.

The malware also emerges during a period of record-breaking DDoS activity.

Earlier this year, massive botnets such as AISURU generated attacks approaching 30 terabits per second (Tbps) before international law enforcement operations disrupted their infrastructure.

Although RustDuck is currently much smaller, researchers are paying close attention to its rapid development.

Possible Infrastructure Connection

XLab also noticed an interesting coincidence.

RustDuck’s most active distribution server shares the same IP address range as infrastructure previously associated with another Android Debug Bridge (ADB)-focused DDoS botnet reported earlier in 2026.

Researchers have not confirmed any direct relationship between the two campaigns, but the infrastructure overlap may warrant further investigation.

How Organizations Can Defend Against RustDuck

Since RustDuck exploits existing weaknesses rather than a single software flaw, protecting against it requires strengthening overall security hygiene.

Security teams should:

  • Disable Telnet, SSH, and Android Debug Bridge when remote access is unnecessary.
  • Never leave internet-facing devices protected by default or weak passwords.
  • Patch supported software and firmware promptly.
  • Replace end-of-life networking equipment that no longer receives security updates.
  • Monitor for known indicators of compromise published by XLab, including malicious IP addresses, domains, and file hashes.

For unsupported devices such as the discontinued D-Link DIR-823X, replacement is often the only effective defense because security patches are no longer available.
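The first item in that checklist is the easiest to verify mechanically. The script below is an added example, not part of the article or of XLab's guidance: it parses output in the shape of `ss -ltnH` (a constructed sample is embedded, and the script falls back to it when `ss` is not available) and reports Telnet, SSH, or ADB listeners bound to every interface rather than to loopback. The port-to-service mapping assumes the conventional defaults (22, 23, 5555); a device that moves these services to other ports needs the table adjusted.

```python
import subprocess

# Management services the article says to disable when remote access is not
# needed, keyed by their conventional TCP ports (assumed defaults).
MANAGEMENT_PORTS = {22: "ssh", 23: "telnet", 5555: "adb"}

# Local-address forms that mean "listening on every interface".
WILDCARD_ADDRESSES = {"0.0.0.0", "[::]", "*", "::"}

# Constructed sample in the shape of `ss -ltnH` output from a hypothetical host.
SAMPLE_SS_OUTPUT = """\
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
LISTEN 0      128             [::]:22           [::]:*
LISTEN 0      5          127.0.0.1:631       0.0.0.0:*
LISTEN 0      50           0.0.0.0:5555      0.0.0.0:*
LISTEN 0      10           0.0.0.0:23        0.0.0.0:*
LISTEN 0      128        127.0.0.1:8080      0.0.0.0:*
"""


def parse_listeners(text):
    """Return (local_address, port) pairs from ss-style LISTEN lines."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")
        if not port.isdigit():
            continue
        listeners.append((addr, int(port)))
    return listeners


def exposed_management_services(text):
    """Management services bound to all interfaces, as sorted (port, name, addr) tuples."""
    findings = []
    for addr, port in parse_listeners(text):
        if port in MANAGEMENT_PORTS and addr in WILDCARD_ADDRESSES:
            findings.append((port, MANAGEMENT_PORTS[port], addr))
    return sorted(findings)


def exposed_management_ports(text):
    """Just the distinct exposed port numbers, for a quick pass/fail check."""
    return sorted({port for port, _, _ in exposed_management_services(text)})


def collect_ss_output():
    """Run ss on the local host; returns None when ss is missing or fails."""
    try:
        result = subprocess.run(["ss", "-ltnH"], capture_output=True, text=True, check=True)
        return result.stdout
    except (OSError, subprocess.CalledProcessError):
        return None


if __name__ == "__main__":
    output = collect_ss_output() or SAMPLE_SS_OUTPUT
    findings = exposed_management_services(output)
    if not findings:
        print("no management services exposed on all interfaces")
    for port, name, addr in findings:
        print(f"{name} (tcp/{port}) is listening on {addr}; disable it or restrict it to trusted networks")
```

On a Linux host this shows what the machine itself believes it is exposing; it does not see through a NAT or a perimeter firewall, so for routers and cameras the check should be paired with an external scan from outside the network. The loopback-only entries (631 and 8080 in the sample) are deliberately ignored, since a service reachable only from the device itself is not what the botnet is scanning for.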

Final Thoughts

RustDuck may not yet rival the world’s largest DDoS botnets, but its technical sophistication makes it a malware family worth watching.

Its migration to Rust, advanced anti-analysis capabilities, modern cryptography, and modular design demonstrate a level of engineering typically associated with more mature cybercriminal operations.

As attackers continue modernizing their malware, RustDuck serves as another reminder that outdated routers, exposed management services, and unpatched internet-facing systems remain among the easiest entry points for building tomorrow’s botnets.
