Jul 3, 2026 · 10:25 AM
RustDuck Botnet Is Rewriting Itself Faster Than Researchers Can Track

XLab has tracked a small but rapidly evolving botnet called RustDuck since February 2026, and its speed of change, not its size, is what worries researchers. The malware hijacks routers, cameras and exposed servers through old exploits and password brute-forcing, then rewrites its own encryption every few months to dodge analysis.

Judith Murphy

A botnet nobody has heard of is teaching itself Rust faster than most software teams manage, and that speed is the actual story.

Researchers at QiAnXin's XLab have been watching a malware family called RustDuck since February 2026, and what they found is not a giant army of hijacked devices. It is a small one that keeps rebuilding itself, mid-campaign, into something harder to catch. According to XLab's writeup, RustDuck breaks into home routers, IP cameras, Android set-top boxes and exposed servers, herds them into a botnet, and points the combined traffic at whatever target its operators choose. The end goal is the oldest trick in the book, a distributed denial-of-service attack: flood a website or service with junk traffic until it falls over.

The name gives away how researchers found it. XLab says early versions of the malware's core payload carried three encrypted DuckDNS command-and-control domains; combine that with the shift from the C programming language to Rust, and you have RustDuck. DuckDNS is a free dynamic DNS service, the kind of tool a hobbyist project or a budget-conscious botnet operator reaches for, not the infrastructure of a well-funded state actor.

What makes RustDuck worth writing about isn't its size. XLab and other researchers who reviewed the malware, including the team at Security Affairs, describe its current footprint as small next to established DDoS botnets. XLab counted more than 20 internet addresses actively spreading it, with the busiest single address, 176.65.139.204, doing the bulk of the distribution. That's a modest operation by botnet standards.

What isn't modest is the pace of its engineering.

RustDuck runs on a two-stage design: a small loader lands first, decrypts a compressed payload, and hands control to a heavier core module. XLab has already tracked that loader through four distinct variants, each swapping out its encryption scheme. The first relied on a Linear Congruential Generator with XOR and LZ4 compression. The second moved to Xoshiro128 with hardcoded constants built specifically to make batch decryption difficult for analysts. The third reverted to a simpler XOR scheme with a fixed magic string. The fourth introduced ChaCha20 as its stream cipher. Four rewrites of the same component in a few months isn't typical malware maintenance. It looks more like a team iterating on a product.

The core module tells the same story. As Rust code replaces the C that has powered router and IoT malware for years, key derivation now uses HKDF-SHA256, with some variants rotating time-based keys every ten minutes. Network handshakes use Curve25519-style elliptic curve exchanges for forward secrecy, and the transport layer has split across branches using either lightweight Ascon128 encryption or a hybrid of ChaCha20-Poly1305 and AES-GCM. None of that is exotic cryptography on its own. What's notable is that it's showing up in a home-router botnet at all, in a codebase that started out, by XLab's account, comparatively simple.
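To make the time-rotation point concrete, here is an added illustration (not XLab's code and not the malware's) of HKDF-SHA256 keys bound to ten-minute windows: the RFC 5869 derivation is real, but the use of the window index as salt, the `purpose` label and the master secret are constructed assumptions, since the writeup does not describe the malware's actual key layout. It shows why a single key pulled from a device at one moment only unlocks that window of traffic, which is what frustrates bulk decryption of captures and pushes defenders toward behavioural detection instead.

```python
import hmac
import hashlib

HASH_LEN = 32  # SHA-256 digest size in bytes


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 extract step: PRK = HMAC-SHA256(salt, IKM)."""
    if not salt:
        salt = bytes(HASH_LEN)  # RFC default: HashLen zero bytes
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 expand step: T(i) = HMAC-SHA256(PRK, T(i-1) | info | i)."""
    okm, block = b"", b""
    for i in range(1, -(-length // HASH_LEN) + 1):  # ceil(length / 32) blocks
        block = hmac.new(prk, block + info + bytes([i]), hashlib.sha256).digest()
        okm += block
    return okm[:length]


def hkdf_sha256(salt: bytes, ikm: bytes, info: bytes, length: int) -> bytes:
    return hkdf_expand(hkdf_extract(salt, ikm), info, length)


ROTATION_SECONDS = 600  # the ten-minute rotation interval XLab reports


def window_index(unix_time: int) -> int:
    """Which ten-minute window a timestamp falls into."""
    return unix_time // ROTATION_SECONDS


def window_key(master_secret: bytes, unix_time: int,
               purpose: bytes = b"constructed-transport-key") -> bytes:
    """Derive a 32-byte key valid only for the window containing unix_time.

    Assumption for illustration: the window index is fed in as the HKDF
    salt, so every window yields an unrelated key from the same secret.
    """
    salt = window_index(unix_time).to_bytes(8, "big")
    return hkdf_sha256(salt, master_secret, purpose, 32)


def same_window(t1: int, t2: int) -> bool:
    """True when two timestamps would be protected by the same derived key."""
    return window_index(t1) == window_index(t2)
```

Practically, an analyst who recovers one window key still needs the master secret and the derivation layout to decrypt neighbouring windows, so traffic analysis and device-behaviour signals matter more than static key extraction.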

RustDuck doesn't need novel exploits to spread. Its infection strategy is Telnet and SSH brute-forcing against weak or default passwords, stacked with a grab bag of known remote-code-execution flaws. According to reporting from The Hacker News and CyberPress, the target list includes Android ADB interfaces, TVT API endpoints, and devices from Ruijie, TP-Link and ZTE, along with web application bugs in ThinkPHP, Jenkins and Apache YARN. Some of the hardware-specific bugs are genuinely old. CVE-2017-17215, a remote code execution flaw in Huawei's HG532 router, was already being abused by Mirai variants nine years ago and is still working today. CVE-2024-1781 hits Totolink's X6000R router, whose manufacturer never responded to the original disclosure. CVE-2025-29635, a command-injection flaw in the discontinued D-Link DIR-823X, only made CISA's Known Exploited Vulnerabilities list this past April.

That's the part of this story that has nothing to do with Rust. Discontinued routers don't get patched, and owners rarely know their camera or set-top box has become part of somebody else's traffic cannon. A botnet operator doesn't need a zero-day when a nine-year-old bug in an abandoned product still opens the door. RustDuck's operators are exploiting the same neglected hardware that Mirai's descendants have lived off for a decade, and they're doing it with tooling that's evolving faster than the devices it's breaking into ever will.

XLab's own assessment is blunt: RustDuck isn't yet a major DDoS threat by scale. Its rate of change is what earned it a writeup. A small botnet that rewrites its encryption four times in a few months and keeps splitting into new variant branches is one worth watching before it grows, not after.

Judith Murphy is a financial journalist and market analyst covering AI, technology stocks, and emerging market trends. She has contributed to multiple financial publications and brings a data-driven approach to her coverage of the technology sector and its impact on global markets.