[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f9_zb67c6C5ePBQXc9_C4SHdbaviYtf74tcL9Vx4cwWE":3},{"article":4,"iocs":53},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":30,"category":31,"article_tags":35},"c87ab51b-f691-418c-adcc-56e3c0622ed0","RustDuck Botnet Rebuilds in Rust to Hijack Routers and Servers for DDoS","rustduck-botnet-rebuilds-in-rust-to-hijack-routers-and-servers-for-ddos-288f4e","A new two-stage malware family called RustDuck is hijacking home routers, IP cameras, Android boxes, and poorly secured servers, then stitching them into a network built to knock websites and online services offline. Researchers at QiAnXin's XLab have tracked it since February 2026, and say the real story is not how big it is today, but how fast it is changing. The end goal is a","A new malware family named RustDuck is being rewritten in Rust to hijack routers, IP cameras, and servers for DDoS attacks. Researchers note its rapid evolution and sophisticated evasion techniques, including checks for analysis tools and virtual environments. It spreads by exploiting weak passwords and unpatched vulnerabilities in various devices and software.","RustDuck botnet rebuilds in Rust, hijacks routers and servers for DDoS attacks.","RustDuck Botnet Rebuilds in Rust to Hijack Routers and Servers for DDoS
Swati Khandelwal, Jun 30, 2026. Botnet \u002F Vulnerability
A new two-stage malware family called RustDuck is hijacking home routers, IP cameras, Android boxes, and poorly secured servers, then stitching them into a network built to knock websites and online services offline. Researchers at QiAnXin's XLab have tracked it since February 2026, and say the real story is not how big it is today, but how fast it is changing. 
The end goal is a distributed denial-of-service (DDoS) attack: flooding a target with junk traffic from the infected machines until it buckles. RustDuck is one more entrant in a crowded field, but it stands out for two reasons. It is being rewritten from the C programming language into Rust, and its newer versions go to unusual lengths to avoid being studied or shut down.
How it spreads
RustDuck does not lean on a single clever trick. It sprays a mix of old, well-known weaknesses and hopes one sticks. The first is the oldest in the book: devices left on the internet with weak or default passwords on their remote-login services (Telnet and SSH). Guess the password, walk in. The second is unpatched device bugs. XLab says RustDuck goes after exposed Android debugging interfaces and flaws in gear from TVT (DVRs and cameras), Ruijie, TP-Link, and ZTE, plus a handful of named, years-old vulnerabilities that still litter the internet:
CVE-2017-17215, a remote code execution bug in Huawei HG532 routers that the original Mirai-style botnets abused back in 2017.
CVE-2025-29635, a command-injection flaw in discontinued D-Link DIR-823X routers that Akamai watched Mirai variants exploit in March 2026. CISA added it to its Known Exploited Vulnerabilities list the next month.
CVE-2024-1781, a command-injection bug in Totolink X6000R routers, whose maker never responded to the disclosure.
CVE-2018-8007, a remote code execution path in Apache CouchDB that an authenticated admin can abuse.
The third path is web software. RustDuck also targets known holes in ThinkPHP, Jenkins, and Hadoop YARN, which stretches its reach from cheap home hardware to exposed server software. XLab counted more than 20 internet addresses spreading the malware, with the busiest at 176.65.139[.]204.
What makes it tricky
RustDuck installs in two stages: a small loader that decrypts and unpacks a heavier core module. 
That core is where the interesting engineering lives, and it is the part being rewritten in Rust. Rust binaries are generally tougher for analysts to take apart than the C that has powered device malware for years, and XLab says RustDuck's Rust core shows real depth in how it derives its keys, hides from analysis, and talks to its servers. The switch points to active development, not a quick re-skin of leaked code. The bigger tell is how hard the newer samples work to stay hidden. Before doing anything, RustDuck runs a checklist to decide whether it has landed in a security researcher's lab instead of on a real victim's device. It looks for analysis tools like Wireshark and gdb, for debuggers attached to its own process, for the fingerprints of a honeypot trap, even for virtual-machine hardware. Each hit adds points to a risk score. Cross a threshold, and the malware erases its traces and quits before anyone can watch it run. Two of those checks stand out. One quietly tries to reach an internet address that is reserved for testing and should never answer; if something replies, RustDuck knows it is inside a fake network built to fool malware, and bails. Another compares two clocks to catch sandboxes that speed up time to rush malware into showing its hand. Its communications are locked down to match. RustDuck encrypts its traffic with modern ciphers: ChaCha20-Poly1305 for the handshake, AES-GCM once it is taking commands. It derives its keys with HKDF-SHA256 and a Curve25519 exchange, rotates them every ten minutes, and dresses the connection up to look like ordinary encrypted web traffic so it blends in. Once a device checks in, the operators can send a short list of orders: start an attack, stop it, report status, switch to new control servers, or quietly upgrade the malware to a newer build. The control addresses lean on free dynamic-DNS services like duckdns.org, which is where the \"Duck\" in the name comes from. 
This fits a bigger pattern
RustDuck is not the first botnet to reach for Rust. In April 2025, Fortinet documented RustoBot, a Rust-based botnet that spread through Totolink and other routers to run DDoS attacks, using the same recipe: cheap routers, a modern language, and flood traffic on demand. It also arrives in a brutal year for DDoS. The same kind of botnet, scaled up, has produced the biggest floods on record. AISURU and a cluster of related botnets, more than three million hijacked devices between them, drove attacks near 30 Tbps before a US-led operation tore down their infrastructure this spring. Next to that, RustDuck is tiny. The worry is the direction it is heading. One detail worth a second look: RustDuck's busiest delivery address, 176.65.139[.]204, sits in the same small block of addresses as the server behind a separate ADB-targeting DDoS botnet reported in spring 2026. That could be a coincidence or shared bulletproof hosting, and XLab does not link the two, but the overlap is the kind of thing worth checking.
What to do
There is no patch for RustDuck itself, because it is malware, not a single bug. Defense means closing the doors it walks through:
Get remote-management interfaces off the public internet. Turn off Android Debug Bridge, Telnet, and SSH where they are not needed, and never leave them reachable with default passwords.
Patch what you can, replace what you can't. CouchDB has fixed releases to upgrade to, but some of these routers are past end-of-life. For the D-Link DIR-823X, CISA's advice is to pull it from service rather than wait for a patch that isn't coming, and the Totolink maker never answered the disclosure. Unsupported gear has to be replaced, not fixed.
Block the known indicators. XLab's report lists the malware's file hashes, control domains, and source addresses; feed them into your monitoring.
RustDuck is a small botnet wearing the engineering of a serious one. 
Whether it grows into a real threat or fizzles out, the techniques it is testing, a Rust rewrite and a paranoid hide-from-researchers routine, are the parts other crews are most likely to borrow.","https:\u002F\u002Fthehackernews.com\u002F2026\u002F06\u002Frustduck-botnet-rebuilds-in-rust-to.html","https:\u002F\u002Fblogger.googleusercontent.com\u002Fimg\u002Fb\u002FR29vZ2xl\u002FAVvXsEi2XzOOqoX4E_CfxUMxd0YAH9MRjvZ8-kBBiVhd2VvCvbie3zla8PA80fO2xZ4Ux3_gmreVKG7ANFrSGpDk1lsURfQZuVVapjqi565oGmkqImmFdiQsQFL5z7V9s7TTkH4KgmGbEFnpdAQz94DrXip4q8Qa-ec9K1B1cmeL3szEBWUq9nX-MWppatyug3A\u002Fs1600\u002FRustDuck.jpg","2026-06-30T17:45:25+00:00","2026-06-30T20:00:26.938271+00:00",8,[18,21,23,25,27],{"name":19,"type":20},"Huawei HG532","product",{"name":22,"type":20},"D-Link DIR-823X",{"name":24,"type":20},"Totolink X6000R",{"name":26,"type":20},"Apache CouchDB",{"name":28,"type":29},"QiAnXin","vendor","89f78b1c-3503-45a1-9fc7-e23d2ce1c6d5",{"id":30,"icon":32,"name":33,"slug":34},null,"Malware","malware",[36,41,43,48],{"category":37},{"id":38,"icon":32,"name":39,"slug":40},"80544778-fabb-4dcd-aa35-17492e5dcf4f","Vulnerabilities","vulnerabilities",{"category":42},{"id":30,"icon":32,"name":33,"slug":34},{"category":44},{"id":45,"icon":32,"name":46,"slug":47},"d6f63bb8-0801-486a-be7f-171400700454","IoT\u002FOT","iot-ot",{"category":49},{"id":50,"icon":32,"name":51,"slug":52},"e7b231c8-5f79-4465-8d38-1ef13aea5a14","Threat Intelligence","threat-intelligence",[54,58,61,64,67],{"type":55,"value":56,"context":57},"cve","CVE-2017-17215","Remote code execution bug in Huawei HG532 routers",{"type":55,"value":59,"context":60},"CVE-2025-29635","Command-injection flaw in D-Link DIR-823X routers",{"type":55,"value":62,"context":63},"CVE-2024-1781","Command-injection bug in Totolink X6000R routers",{"type":55,"value":65,"context":66},"CVE-2018-8007","Remote code execution path in Apache CouchDB",{"type":68,"value":69,"context":70},"ip","176.65.139.204","IP address spreading the malware"]