RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow

Pierluigi Paganini
July 01, 2026

RustDuck is a small, evolving DDoS botnet migrating to Rust. It uses advanced encryption, anti-analysis evasion, and exploits known IoT flaws.

Since February 2026, researchers at QiAnXin’s XLab have been tracking a new malware family, called RustDuck, that hijacks routers, cameras, Android set-top boxes, and exposed servers, then uses them to flood targets with junk traffic until they go offline. It’s not the biggest DDoS botnet around right now, and that’s almost beside the point.

“The reason XLab flagged it is the speed at which it’s changing. The codebase is actively migrating from C to Rust, and each new variant brings meaningfully more sophisticated encryption, evasion, and communication design,” reads the report published by XLab.

“Although the family’s current activity level and influence in DDoS attacks are not yet comparable to some mainstream botnets, its speed of technological evolution deserves significant attention. Research has found that the family is undergoing a comprehensive technological transition from C to Rust, and its anti-defense and traffic encryption techniques are also iterating rapidly.”

RustDuck doesn’t rely on a single entry point. It combines weak and default passwords on Telnet and SSH interfaces with a broad list of known device vulnerabilities. Targeted hardware includes Android ADB interfaces, DVRs and cameras from TVT, and networking gear from Ruijie, TP-Link, and ZTE. On the software side, it goes after exposed ThinkPHP installations, Jenkins servers, and Hadoop YARN endpoints, which pushes its reach from cheap home hardware into server environments.

The named CVEs in its arsenal range from recent to ancient. CVE-2025-29635 is a command-injection flaw in discontinued D-Link DIR-823X routers that CISA added to its Known Exploited Vulnerabilities list in April 2026. CVE-2017-17215 is a remote code execution bug in Huawei HG532 routers that Mirai variants were already abusing nine years ago. CVE-2024-1781 hits Totolink X6000R routers whose manufacturer never responded to the disclosure. CVE-2018-8007 targets an authenticated admin code execution path in Apache CouchDB. XLab observed more than 20 IP addresses actively spreading the botnet, with 176.65.139[.]204 the most active delivery source.

The XLab researchers reported that RustDuck installs itself in two stages. A loader arrives first, decrypts a compressed payload, and hands execution to a heavier core module. The loader itself has gone through four documented variants, each with a different encryption scheme: the first used a Linear Congruential Generator with XOR and LZ4 compression; the second upgraded to Xoshiro128 with hardcoded constants designed to make batch decryption nearly impossible; the third reverted to standard XOR with a fixed magic string; the fourth introduced ChaCha20 as the stream cipher. The progression isn’t random. Each step reflects the authors responding to detection.

The core module is where the Rust rewrite is happening, and Rust binaries are genuinely harder to analyze than the C that has powered device malware for years. That’s not a minor operational detail. It means the newer samples resist the standard toolkit analysts have used on IoT malware since Mirai.

Before RustDuck does anything visible, the core module runs a weighted scoring system to decide whether it’s sitting on a real victim device or inside a researcher’s lab. Each detected condition adds points to a risk score. Hit the threshold, and the malware erases its traces and exits cleanly.

“To thwart automated sandbox analysis and dynamic debugging by reverse engineers, the Core module incorporates a dynamic weight scoring mechanism. During runtime, the software iterates through various environment checks,” continues the report. “When the accumulated risk score exceeds a preset threshold, the program automatically erases traces and exits.”

The highest-weight checks, worth 100 points each, scan the process list for tools like Wireshark, gdb, and Frida, read /proc/self/status to detect an attached debugger, and verify a SHA256 checksum appended to the malware’s own file so it knows if anyone has modified it or inserted breakpoints. A check worth 50 points looks for honeypot configuration files from Cowrie and Dionaea in standard system paths. Another worth 35 points makes an asynchronous connection attempt to 192.0.2.1, an IP address reserved for testing that should never respond on a real network. If it does respond, the malware knows it’s inside a fake environment built to fool it, and leaves.

The timing check is particularly well-constructed. It samples two independent clocks before and after a deliberate half-second sleep, then compares the difference. A sandbox that speeds up time to rush malware through its behavior, or a debugger that pauses execution at a breakpoint, will show an anomaly in that comparison. Both conditions trigger an exit.

Once the malware decides the environment is genuine, it initiates a structured two-phase connection to its command-and-control infrastructure. The handshake phase uses ChaCha20-Poly1305 encryption and a Curve25519 key exchange, with session keys derived through HKDF-SHA256. The key rotates every ten minutes. After the handshake completes, the session switches to AES-GCM with separate keys for traffic going up to the server and commands coming down, a design that breaks the assumption that capturing one key gives you both directions of the conversation.

The command loop traffic adds a three-byte header that mimics the structure of standard TLS records, which helps the traffic blend into normal encrypted web traffic at the network layer.

“The new variant’s network communication protocol deeply references the IK pattern of the Noise protocol framework. Relying on the client’s hardcoded server static public key and the ephemeral public key generated at runtime for ECDH, session keys are derived. Additionally, the protocol introduces a global MsgID across all phases, which is used for message sequence verification and participates in rolling generation of new keys,” continues the report. “This design cuts off the possibility of decrypting traffic on the network side using plaintext keys.”

The C2 domains lean on free dynamic DNS services, specifically duckdns.org, which is where the name comes from.

Once a device checks in successfully, the operator has five commands available: launch a DDoS attack across various flood types, stop an active attack, fetch the device’s current status and resource usage, upgrade the malware to a newer build, and push new C2 infrastructure dynamically. That last one matters because it means the operator can rotate away from a blocklisted domain without losing the infected device.

RustDuck isn’t the first botnet to pick up Rust. Fortinet documented RustoBot in April 2025, a Rust-based DDoS botnet spreading through Totolink and other routers using a structurally similar playbook. The broader DDoS landscape has been brutal this year: AISURU and related botnets, combining over three million hijacked devices, drove attacks approaching 30 Tbps before a US-led takedown this spring. Next to that scale, RustDuck is currently small.

One detail XLab flags without drawing a firm conclusion: the most active delivery IP, 176.65.139[.]204, sits in the same small address block as infrastructure tied to a separate ADB-targeting DDoS botnet reported earlier in 2026. Shared bulletproof hosting is a plausible explanation. Worth noting either way.

There’s no single patch for RustDuck because it’s not a single vulnerability. Shutting down its entry points means getting remote management interfaces off the public internet entirely, disabling Android Debug Bridge where it isn’t needed, and never leaving Telnet or SSH reachable with default credentials. CouchDB has patched releases available. The D-Link DIR-823X does not, and CISA’s guidance is to pull it from service. The Totolink maker never responded to the disclosure at all. Gear past end-of-life needs to be replaced, not managed around.

XLab’s full report includes the loader SHA1 hashes, known C2 domains, and the active delivery addresses. Feed them into your monitoring now, before the next variant makes the current indicators stale.
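The last step, feeding the indicators into monitoring, implies a small amount of plumbing, shown here as an added example written for this page rather than XLab's or anyone else's tooling. It refangs indicators in the form reports print them, matches the delivery IP in either direction of a flow record (outbound looks like a payload fetch, inbound like scanning or login attempts), flags DNS queries under the dynamic-DNS zone the C2 domains live in, and flags connection attempts to the RFC 5737 documentation ranges, which is what the 192.0.2.1 environment probe described earlier looks like from the network side (the page names only that one address; extending the rule to all three documentation ranges is this example's generalization). The log formats, internal hosts, timestamps and the duckdns hostname are constructed; only `176.65.139.204` and `duckdns.org` come from the article, and the report's SHA1 hashes and C2 domains, not reproduced here, would be loaded the same way.

```go
package main

import (
	"fmt"
	"net/netip"
	"strings"
)

// Refang restores a defanged indicator ("176.65.139[.]204", "hxxp://") to a
// matchable form; reports defang on purpose, matching needs the real string.
func Refang(s string) string {
	return strings.NewReplacer("[.]", ".", "(.)", ".", "hxxps://", "https://", "hxxp://", "http://").Replace(s)
}

// Indicators from the report: the most active delivery IP (defanged as printed)
// and the dynamic-DNS zone its C2 domains live under.
var (
	deliveryIPs = map[netip.Addr]bool{netip.MustParseAddr(Refang("176.65.139[.]204")): true}
	dynDNSZones = []string{"duckdns.org"}
	// RFC 5737 documentation ranges. The report names a probe to 192.0.2.1; all
	// three are listed because no real service lives in any of them.
	testNets = []netip.Prefix{
		netip.MustParsePrefix("192.0.2.0/24"),
		netip.MustParsePrefix("198.51.100.0/24"),
		netip.MustParsePrefix("203.0.113.0/24"),
	}
)

// Finding is one alert derived from one log line.
type Finding struct{ Rule, Src, Dst string }

// ScanFlow inspects one flow record in the constructed form "ts src dst dport proto".
// Either direction of contact with a delivery IP matters: outbound looks like a
// payload fetch, inbound like scanning or login attempts.
func ScanFlow(line string) []Finding {
	f := strings.Fields(line)
	if len(f) < 5 {
		return nil
	}
	src, err := netip.ParseAddr(f[1])
	dst, err2 := netip.ParseAddr(f[2])
	if err != nil || err2 != nil {
		return nil
	}
	var out []Finding
	if deliveryIPs[src] || deliveryIPs[dst] {
		out = append(out, Finding{"known-delivery-ip", f[1], f[2]})
	}
	for _, p := range testNets {
		if p.Contains(dst) {
			out = append(out, Finding{"test-net-probe", f[1], f[2]})
			break
		}
	}
	return out
}

// ScanDNS inspects one query record in the constructed form "ts client qname".
func ScanDNS(line string) []Finding {
	f := strings.Fields(line)
	if len(f) < 3 {
		return nil
	}
	q := strings.ToLower(strings.TrimSuffix(f[2], "."))
	for _, zone := range dynDNSZones {
		if q == zone || strings.HasSuffix(q, "."+zone) {
			return []Finding{{"dyndns-lookup", f[1], q}}
		}
	}
	return nil
}

// Constructed sample logs: internal hosts, timestamps and the duckdns hostname
// are invented; only 176.65.139.204 comes from the report.
var sampleFlows = []string{
	"2026-06-30T10:00:01Z 10.20.0.15 192.0.2.1 80 tcp",
	"2026-06-30T10:00:02Z 10.20.0.15 176.65.139.204 80 tcp",
	"2026-06-30T10:00:03Z 10.20.0.22 10.20.0.1 53 udp",
	"2026-06-30T10:00:04Z 176.65.139.204 10.20.0.40 23 tcp",
}

var sampleDNS = []string{
	"2026-06-30T10:00:05Z 10.20.0.15 placeholder-host.duckdns.org.",
	"2026-06-30T10:00:06Z 10.20.0.22 time.windows.com",
}

// SampleFindings runs both scanners over the sample logs.
func SampleFindings() []Finding {
	var out []Finding
	for _, l := range sampleFlows {
		out = append(out, ScanFlow(l)...)
	}
	for _, l := range sampleDNS {
		out = append(out, ScanDNS(l)...)
	}
	return out
}

func main() {
	for _, f := range SampleFindings() {
		fmt.Printf("%-18s %s -> %s\n", f.Rule, f.Src, f.Dst)
	}
}
```

Two notes on tuning. A `dyndns-lookup` hit is a hunt lead rather than a block decision, since hobbyist use of duckdns.org is legitimate; a `test-net-probe` from an IoT or server segment has close to no benign explanation and can be alerted on directly. The same probe also matters to anyone running an analysis sandbox: an environment that answers every destination, including the documentation ranges, is exactly what this check is built to notice, so sandboxes should let 192.0.2.0/24 fail to connect the way it would on a real network.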
