RustDuck Botnet Hijacks Routers, Cameras and Servers for DDoS Attacks
Since February 2026, researchers at XLab (QiAnXin) have been tracking a new botnet called RustDuck, which hijacks routers, IP cameras, Android TV boxes and poorly secured servers to use them in DDoS attacks. Here’s what we know about this threat and how it operates.
RustDuck relies on a two-component architecture: a small loader decrypts and decompresses a much larger Core module, where most of its capabilities are concentrated. According to XLab’s report, more than 20 IP addresses are already involved in its distribution, the most active being 176.65.139[.]204.

Weak Passwords and Old Flaws Drive Propagation
To spread across devices, RustDuck combines several methods:
- Brute-forcing weak or default passwords on Telnet and SSH remote access services,
- Exploiting exposed Android debugging interfaces (ADB) and flaws targeting TVT equipment (recorders and cameras), Ruijie, TP-Link and ZTE,
- Exploiting old, already patched CVEs that are still relevant: CVE-2017-17215 (Huawei HG532 routers, previously abused by Mirai variants in 2017), CVE-2025-29635 (D-Link DIR-823X routers, discontinued), CVE-2024-1781 (Totolink X6000R routers) and CVE-2018-8007 (RCE on Apache CouchDB),
- Compromising exposed server software such as ThinkPHP, Jenkins and Hadoop YARN, extending its reach from cheap consumer hardware to enterprise infrastructure.
This operating model is nothing new; other botnets follow the same methods, notably CatDDoS, which exploits more than 80 vulnerabilities to compromise devices, and the Mirai "Gayfemboy" botnet with its twenty or so exploited flaws. Since this is a botnet, the goal remains the same: to amass machines in order to launch distributed denial-of-service attacks with as many zombie devices as possible.
Rust and Anti-Analysis: The Real Innovation
It is the Core module, rewritten in Rust, that sets RustDuck apart from other botnets. Rust binaries are generally harder to disassemble than C binaries. XLab researchers believe there are real improvements in key derivation, obfuscation and communications.
As proof that this is not a hastily coded piece of malware, it analyzes the infected machine before acting. In fact, the malware runs a battery of checks to determine whether it has landed in a researcher’s sandbox rather than on a real victim’s system. Each test adds points to a risk score: beyond a certain threshold, the program wipes its traces and stops.
XLab’s report mentions several of these tests, including:
- Searching for analysis tools in the process list (Wireshark, tcpdump, gdb, ida, frida…),
- Detecting honeypots (Cowrie or Dionaea configuration files),
- A “network black hole” test: a connection to the reserved test address 192.0.2.1 (RFC 5737), which should never respond. If it does respond, RustDuck assumes it is in an analysis environment simulating the Internet and gives up,
- Detecting virtualized hardware (VirtualBox, VMware, specific MAC prefixes).
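The “network black hole” check can be turned around by defenders: no legitimate host ever lives in the RFC 5737 documentation ranges, so an outbound packet from a router or camera VLAN to 192.0.2.1 is itself a hunting signal. The script below is an added example, not code from XLab or from the article; the netfilter-style log lines and the FW-OUT prefix are constructed.

```python
import ipaddress
import re

# RFC 5737 documentation ranges. Nothing real answers there, which is exactly
# why RustDuck probes 192.0.2.1: a reply means the Internet is being simulated.
# For a defender, traffic *to* these ranges is unusual and worth alerting on.
TEST_NET = [
    ipaddress.ip_network("192.0.2.0/24"),     # TEST-NET-1, contains 192.0.2.1
    ipaddress.ip_network("198.51.100.0/24"),  # TEST-NET-2
    ipaddress.ip_network("203.0.113.0/24"),   # TEST-NET-3
]

# Constructed sample of iptables LOG-target output (not a real capture).
SAMPLE_LOG = """\
Mar 03 10:12:01 gw kernel: FW-OUT IN= OUT=eth0 SRC=10.0.0.23 DST=192.0.2.1 PROTO=TCP SPT=41022 DPT=80
Mar 03 10:12:02 gw kernel: FW-OUT IN= OUT=eth0 SRC=10.0.0.23 DST=176.65.139.204 PROTO=TCP SPT=41023 DPT=80
Mar 03 10:12:05 gw kernel: FW-OUT IN= OUT=eth0 SRC=10.0.0.50 DST=142.250.74.78 PROTO=TCP SPT=51000 DPT=443
Mar 03 10:13:11 gw kernel: FW-OUT IN= OUT=eth0 SRC=10.0.0.77 DST=198.51.100.9 PROTO=UDP SPT=33000 DPT=53
Mar 03 10:13:12 gw kernel: FW-OUT IN= OUT=eth0 SRC=10.0.0.23 DST=192.0.2.1 PROTO=TCP SPT=41030 DPT=80
"""

LINE_RE = re.compile(r"SRC=(?P<src>\d+\.\d+\.\d+\.\d+) DST=(?P<dst>\d+\.\d+\.\d+\.\d+)")


def is_test_net(addr: str) -> bool:
    """True if addr falls inside one of the RFC 5737 documentation ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in TEST_NET)


def find_test_net_probes(log_text: str) -> dict[str, list[str]]:
    """Map each internal source that contacted a TEST-NET address to the
    destinations it tried, in log order. Lines without SRC/DST are skipped."""
    hits: dict[str, list[str]] = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and is_test_net(m["dst"]):
            hits.setdefault(m["src"], []).append(m["dst"])
    return hits


if __name__ == "__main__":
    for src, dsts in find_test_net_probes(SAMPLE_LOG).items():
        print(f"{src} probed documentation range(s): {', '.join(dsts)}")
```

A device that hits 192.0.2.1 is not necessarily infected, but a repeated probe from an IoT segment that never does so otherwise is a cheap trigger for pulling its process list and checking the credentials and firmware version.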

Once the tests are complete, the machine joins the botnet if the results are favorable. From there, attackers can issue remote commands to control it.
That said, RustDuck is not the first botnet to adopt Rust. According to The Hacker News, Fortinet had already documented RustoBot in April 2025, a Rust-written botnet that spread via Totolink routers to carry out DDoS attacks.
Let’s finish with a small clarification about the name RustDuck, which was chosen for two reasons: the move from C to Rust for the code, and the use of domains hosted on the free duckdns.org dynamic DNS service.