RustDuck Botnet Rebuilds in Rust to Hijack Routers and Servers for DDoS
RustDuck Botnet Rebuilds in Rust to Hijack Routers and Servers for DDoS 🚀
A new two-stage malware family called RustDuck is hijacking home routers, IP cameras, Android boxes, and poorly secured servers, stitching them into a network designed to knock websites and online services offline. Researchers at QiAnXin’s XLab have tracked it since February 2026. The end goal is a distributed denial-of-service (DDoS) attack: flooding a target with junk traffic from the infected machines until it buckles.
Key Features of RustDuck 🔑
RustDuck stands out for two reasons:
- It is being rewritten from the C programming language into Rust.
- Its newer versions go to unusual lengths to avoid being studied or shut down.
How RustDuck Spreads 🌐
RustDuck spreads by exploiting a mix of old, well-known vulnerabilities:
- Weak Passwords: Devices left on the internet with weak or default passwords on their remote-login services (Telnet and SSH).
- Unpatched Bugs: Targeting unpatched device bugs, including exposed Android debugging interfaces and flaws in devices from TVT, Ruijie, TP-Link, and ZTE.
- Web Software Vulnerabilities: Targeting known holes in ThinkPHP, Jenkins, and Hadoop YARN.
XLab noted that RustDuck installs in two stages: a small loader that decrypts and unpacks a heavier core module, which is being rewritten in Rust. Rust binaries are generally tougher for analysts to dissect than C, and XLab claims RustDuck’s Rust core shows real depth in how it derives its keys, hides from analysis, and communicates with its servers.
Defense Against RustDuck 🛡️
There is no patch for RustDuck itself, as it is malware. Defense means closing the doors it walks through. Organizations should:
- Get remote-management interfaces off the public internet.
- Turn off Android Debug Bridge, Telnet, and SSH where they are not needed.
- Never leave devices reachable with default passwords.
- Patch what you can and replace what you can’t.
For more details, check the full article: Read full article