RustDuck: A Stealthy, Rust-Based Botnet Targeting Routers and Servers
Researchers at QiAnXin’s XLab have uncovered RustDuck, a two-stage malware family actively hijacking home routers, IP cameras, Android devices, and poorly secured servers to build a distributed denial-of-service (DDoS) botnet. First tracked in February 2026, RustDuck stands out not for its current scale but for its rapid evolution and sophisticated evasion tactics.
Infection Vectors
RustDuck spreads through multiple well-known vulnerabilities, exploiting:
- Default or weak credentials on Telnet and SSH services.
- Unpatched flaws in devices from TVT (DVRs/cameras), Ruijie, TP-Link, ZTE, and Android debugging interfaces.
- Vulnerable web software, including ThinkPHP, Jenkins, and Hadoop YARN.
Over 20 IP addresses have been identified as distribution points, with the most active 176.65.139[.]204 sharing address space with a separate ADB-targeting botnet reported earlier in 2026.
Evasion and Stealth
RustDuck’s design prioritizes evasion, employing a two-stage infection process:
- A lightweight loader decrypts and deploys a core module, increasingly rewritten in Rust a language that complicates reverse engineering compared to traditional C-based malware.
- The core module performs extensive anti-analysis checks, including:
- Detecting debuggers (e.g., Wireshark, gdb), virtual machines, and honeypots.
- Testing for reserved IP responses to identify fake networks.
- Comparing system clocks to detect sandbox time acceleration.
Communication is encrypted using ChaCha20-Poly1305 and AES-GCM, with keys rotated every 10 minutes. Traffic mimics legitimate HTTPS to avoid detection. Command-and-control (C2) servers leverage dynamic DNS services like duckdns.org, allowing operators to issue DDoS commands, update malware, or switch C2 addresses.
Broader Context
RustDuck follows a growing trend of Rust-based botnets, such as RustoBot (documented in April 2025), which targeted routers for DDoS attacks. While smaller than record-breaking botnets like AISURU (3M+ devices, 30 Tbps attacks), RustDuck’s advanced techniques Rust rewrites and anti-analysis measures signal a shift toward more resilient malware.
The botnet’s infrastructure overlaps with other DDoS operations, suggesting possible shared hosting or coordinated activity. Though currently limited in scale, its development pace and evasion methods could inspire future threats.
Source: https://thehackernews.com/2026/06/rustduck-botnet-rebuilds-in-rust-to.html
Ruijie Networks cybersecurity rating report: https://www.rankiteo.com/company/ruijie-networks
TP-Link Systems Inc. cybersecurity rating report: https://www.rankiteo.com/company/tp-link
Hortonworks cybersecurity rating report: https://www.rankiteo.com/company/hortonworks
"id": "RUITP-HOR1782865482",
"linkid": "ruijie-networks, tp-link, hortonworks",
"type": "Cyber Attack",
"date": "2/2026",
"severity": "60",
"impact": "2",
"explanation": "Attack limited on finance or reputation"
{'affected_entities': [{'industry': 'Technology (DVRs/cameras)',
'name': 'TVT',
'type': 'Device manufacturer'},
{'industry': 'Networking',
'name': 'Ruijie',
'type': 'Device manufacturer'},
{'industry': 'Networking',
'name': 'TP-Link',
'type': 'Device manufacturer'},
{'industry': 'Telecommunications',
'name': 'ZTE',
'type': 'Device manufacturer'}],
'attack_vector': ['Exploitation of default/weak credentials (Telnet/SSH)',
'Unpatched vulnerabilities in devices (TVT, Ruijie, '
'TP-Link, ZTE, Android debugging interfaces)',
'Vulnerable web software (ThinkPHP, Jenkins, Hadoop YARN)'],
'date_detected': '2026-02',
'description': 'Researchers at QiAnXin’s XLab have uncovered RustDuck, a '
'two-stage malware family actively hijacking home routers, IP '
'cameras, Android devices, and poorly secured servers to build '
'a distributed denial-of-service (DDoS) botnet. RustDuck '
'stands out for its rapid evolution and sophisticated evasion '
'tactics, including Rust-based rewrites and anti-analysis '
'measures.',
'impact': {'operational_impact': 'Potential DDoS attacks on targeted systems',
'systems_affected': 'Home routers, IP cameras, Android devices, '
'poorly secured servers'},
'investigation_status': 'Ongoing',
'lessons_learned': 'Rust-based malware complicates reverse engineering and '
'detection. Two-stage infection processes and '
'anti-analysis checks increase resilience. Dynamic DNS and '
'encrypted C2 communications enhance evasion.',
'motivation': 'DDoS attacks, botnet expansion',
'post_incident_analysis': {'corrective_actions': ['Patch management for '
'vulnerable devices and '
'software.',
'Credential hardening for '
'remote access services.',
'Enhanced monitoring for '
'Rust-based malware and '
'encrypted C2 traffic.'],
'root_causes': ['Exploitation of unpatched '
'vulnerabilities and weak '
'credentials.',
'Use of Rust-based malware to '
'evade detection.',
'Dynamic DNS and encrypted C2 '
'communications for resilience.']},
'recommendations': ['Patch known vulnerabilities in devices and web software.',
'Enforce strong, unique credentials for Telnet/SSH '
'services.',
'Monitor for unusual HTTPS traffic patterns.',
'Implement network segmentation to limit lateral '
'movement.',
'Enhance detection capabilities for Rust-based malware.'],
'references': [{'source': 'QiAnXin’s XLab'}],
'title': 'RustDuck: A Stealthy, Rust-Based Botnet Targeting Routers and '
'Servers',
'type': 'Botnet, DDoS',
'vulnerability_exploited': ['Default/weak credentials',
'Unpatched flaws in TVT, Ruijie, TP-Link, ZTE '
'devices',
'ThinkPHP, Jenkins, Hadoop YARN vulnerabilities']}