RustDuck Botnet Rewrites in Rust to Hijack Routers for DDoS
Researchers at QiAnXin's XLab have been tracking a fast-evolving botnet called RustDuck since February 2026, warning that its true danger lies not in its current size but in the speed of its development. The malware hijacks home routers, IP cameras, Android boxes, and poorly secured servers, weaponizing them into a distributed denial-of-service (DDoS) network designed to flood targets with junk traffic until they buckle. What sets RustDuck apart from the crowded botnet field is a deliberate rewrite from C into Rust, paired with aggressive anti-analysis techniques that make the newer samples considerably harder to dissect or dismantle.
RustDuck spreads through a layered, opportunistic approach that blends old and new attack vectors. Its first route is brute-force credential guessing against internet-exposed Telnet and SSH services protected only by weak or default credentials, an entry point that any free password strength checker could have helped administrators rule out. The second leverages unpatched firmware bugs, including CVE-2017-17215 in Huawei HG532 routers, CVE-2025-29635 in discontinued D-Link DIR-823X devices (recently added to CISA's Known Exploited Vulnerabilities list after Mirai variants exploited it in March 2026), CVE-2024-1781 in Totolink X6000R routers, and CVE-2018-8007 in Apache CouchDB. Its third path targets exposed server software such as ThinkPHP, Jenkins, and Hadoop YARN; XLab identified more than 20 distribution IPs, the most active being 176.65.139[.]204. Network defenders can audit their exposed attack surface with a port scanner to see which services are visible from the outside.
The malware's technical design reveals active engineering rather than a quick re-skin of leaked source. RustDuck installs in two stages: a lightweight loader decrypts and unpacks a heavier core module that is being migrated to Rust, a language whose compiled binaries are notably harder for reverse engineers to decompile than the C binaries that have powered botnets for years. XLab observed substantial engineering in the Rust core's key derivation, command-and-control communications, and anti-VM logic. Before executing its payload, the malware runs a checklist to detect research environments, scanning for tools such as Wireshark and gdb as well as attached debuggers, and bails out if it suspects it is being studied rather than running on a real victim.
For defenders, the takeaway is that legacy IoT devices and exposed server stacks remain low-hanging fruit, and that botnet operators are professionalizing their toolchains. Administrators should patch the listed CVEs immediately, retire end-of-life hardware like the D-Link DIR-823X, rotate default credentials on any internet-facing device, and run a full privacy and exposure checkup to identify weak points before an opportunistic botnet does. RustDuck may not be the largest network online today, but its rapid rewrite cycle signals that operators intend to stay ahead of defenders for some time.
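The brute-force entry point described above is also the easiest one to spot in logs. The script below is an added example, not part of the article or XLab's research: it reads OpenSSH-style `sshd` auth-log lines (a constructed sample is embedded), flags source addresses that exceed a failed-login threshold, and separately flags any successful login from a source that had already failed, which is the pattern a credential-guessing bot leaves behind when it lands on a default password. The IP addresses and the threshold are assumptions for illustration.

```python
"""Flag SSH brute-force sources and successful logins that follow failures."""
import re
from collections import defaultdict

# Constructed sample in OpenSSH syslog format (documentation IP ranges, not real data).
SAMPLE_LOG = """\
Mar 12 02:14:01 router sshd[812]: Failed password for root from 203.0.113.7 port 51002 ssh2
Mar 12 02:14:02 router sshd[813]: Failed password for admin from 203.0.113.7 port 51003 ssh2
Mar 12 02:14:02 router sshd[814]: Failed password for invalid user support from 203.0.113.7 port 51004 ssh2
Mar 12 02:14:03 router sshd[815]: Failed password for root from 203.0.113.7 port 51005 ssh2
Mar 12 02:14:04 router sshd[816]: Failed password for root from 203.0.113.7 port 51006 ssh2
Mar 12 02:14:05 router sshd[817]: Accepted password for root from 203.0.113.7 port 51007 ssh2
Mar 12 02:20:00 router sshd[820]: Failed password for root from 198.51.100.9 port 40001 ssh2
Mar 12 02:20:01 router sshd[821]: Accepted password for ops from 198.51.100.9 port 40002 ssh2
Mar 12 02:25:00 router sshd[830]: Accepted publickey for ops from 192.0.2.5 port 22001 ssh2
"""

# Matches both "Failed password for invalid user X" and "Accepted publickey for X".
LINE_RE = re.compile(
    r"sshd\[\d+\]: (Failed|Accepted) (?:password|publickey) for "
    r"(?:invalid user )?(\S+) from (\S+) port"
)


def analyze(log_text, threshold=5):
    """Return brute-force sources and logins that succeeded after earlier failures."""
    failures = defaultdict(int)      # source IP -> failed attempts
    users = defaultdict(set)         # source IP -> usernames tried
    brute_force = set()
    logins_after_failures = []       # (ip, user, prior failures)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue                 # not an auth outcome line
        outcome, user, ip = m.groups()
        if outcome == "Failed":
            failures[ip] += 1
            users[ip].add(user)
            if failures[ip] >= threshold:
                brute_force.add(ip)
        elif failures[ip] > 0:
            # A success from a source that was guessing is the strongest signal.
            logins_after_failures.append((ip, user, failures[ip]))
    return {
        "brute_force_sources": {ip: (failures[ip], sorted(users[ip])) for ip in brute_force},
        "logins_after_failures": logins_after_failures,
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(key, value)
```

Lower the threshold or widen the regex for your own log format; Telnet daemons log in vendor-specific formats, so the pattern must be adapted per device.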