"Researchers at QiAnXin's XLab have tracked it since February 2026."
How RustDuck gains a foothold
RustDuck is a two-stage malware family that spreads by trying a variety of well-known access paths rather than inventing a single breakthrough exploit. XLab describes three primary vectors: devices left exposed with weak or default passwords on remote-login services (Telnet and SSH); unpatched device vulnerabilities, including exposed Android debugging interfaces and flaws in hardware from TVT, Ruijie, TP-Link, and ZTE; and flaws in web software such as ThinkPHP, Jenkins, and Hadoop YARN.
XLab lists a handful of named, years-old vulnerabilities RustDuck exploits, including:
- CVE-2017-17215 (remote code execution in Huawei HG532 routers)
- CVE-2025-29635 (command-injection in discontinued D-Link DIR-823X routers; added to CISA's Known Exploited Vulnerabilities list)
- CVE-2024-1781 (command-injection in Totolink X6000R routers)
- CVE-2018-8007 (remote code execution in Apache CouchDB requiring an authenticated admin)
XLab counted more than 20 internet addresses distributing the malware, with the busiest at 176.65.139[.]204.
Two-stage design and a Rust core
RustDuck installs a small loader that decrypts and unpacks a heavier core module. That core — the component being rewritten from C into Rust — contains the functionality used to join and operate the botnet. XLab highlights the move to Rust: Rust binaries are harder for analysts to dissect than the older C-based device malware, and the Rust core shows active development in key derivation, anti-analysis, and command handling rather than a quick repackaging of leaked code.
Anti-analysis checks and stealth techniques
Newer RustDuck samples run an extensive checklist to detect whether they are running in a researcher lab or a trap before taking any action. The malware looks for analysis tools such as Wireshark and gdb, for debuggers attached to its process, and for the fingerprints of honeypots or virtual-machine hardware. Each detection increments a risk score; if the score crosses a threshold, RustDuck removes its traces and quits.
Two specific checks stand out: one attempts to contact an internet address reserved for testing — an address that should never reply — and if it does reply, the malware treats that as evidence of a fake network and bails. Another compares two clocks to catch sandboxes that speed up time to force premature execution. These measures are deliberate attempts to frustrate live analysis.
Encrypted communications and control
RustDuck's network communications are engineered to blend in and resist interception. XLab reports the malware uses ChaCha20-Poly1305 during the handshake and AES-GCM for command traffic, derives keys with HKDF-SHA256 and a Curve25519 exchange, and rotates keys every ten minutes. The connection is made to resemble ordinary encrypted web traffic.
Operators can issue a short set of commands once a device checks in: start an attack, stop it, report status, switch to new control servers, or quietly upgrade the malware. Control addresses lean on free dynamic-DNS services such as duckdns.org — the source of the "Duck" in RustDuck.
Overlap with other botnets and the DDoS context
RustDuck is small compared with the largest recent DDoS actors, but it arrives amid a brutal year for volumetric attacks. XLab notes that larger botnets such as AISURU previously marshaled millions of devices and produced attacks near 30 Tbps before a US-led operation dismantled their infrastructure in spring 2026. RustDuck's busiest delivery address sits in the same small block as a server used by an ADB-targeting DDoS botnet reported in spring 2026; XLab calls the overlap worth checking but does not link the two operations.
What this means for technologists, procurement leaders, and end users
- Technologists and security teams should block the known indicators XLab published — file hashes, control domains, and source addresses — and add them to monitoring and detection feeds.
- Procurement and infrastructure teams are reminded that unsupported or end-of-life devices are high risk: CISA explicitly advises pulling the D-Link DIR-823X from service rather than waiting for a patch, and XLab notes the Totolink vendor never responded to disclosure.
- End users and operators of small devices should remove remote-management interfaces from the public internet, disable Android Debug Bridge, Telnet, and SSH where not needed, and apply fixes where vendors provide them; CouchDB, for example, has fixed releases available.
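The indicator-feed advice above, together with the reserved-address probe and the duckdns.org control domains described earlier, can be turned into a first-pass triage rule over outbound flow logs. The following Python is an added example, not XLab's tooling or any part of RustDuck: it assumes a constructed flow-log format (src/dst/dport/host fields), takes only the distribution address 176.65.139.204 and the duckdns.org provider from the article, and uses the RFC 5737 documentation ranges as a stand-in for the "address reserved for testing" the article mentions without naming.

```python
import ipaddress
import re

# IPv4 blocks reserved for documentation (RFC 5737). Nothing legitimate answers there,
# so an outbound flow to one hints that a process is running the "does a fake address
# reply?" sandbox check described in the article. (Assumption: the article does not
# say which reserved address RustDuck actually probes.)
TEST_NETS = tuple(ipaddress.ip_network(n) for n in
                  ("192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24"))
# From the article: the busiest distribution address (defanged there as 176.65.139[.]204)
# and the dynamic-DNS provider the control addresses lean on.
KNOWN_BAD_IPS = {"176.65.139.204"}
DYNDNS_SUFFIXES = ("duckdns.org",)
# Constructed flow-log format, one outbound connection per line (not a real product's).
LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)"
                     r"(?: host=(?P<host>\S+))?$")

def classify(line):
    """Return the reasons a flow line deserves triage; an empty list means no match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return []
    try:
        ip = ipaddress.ip_address(m["dst"])
    except ValueError:
        return []
    reasons = []
    if any(ip in net for net in TEST_NETS):
        reasons.append("probe to RFC 5737 TEST-NET address (possible sandbox check)")
    if str(ip) in KNOWN_BAD_IPS:
        reasons.append("known RustDuck distribution address")
    host = (m["host"] or "").lower()
    if any(host == s or host.endswith("." + s) for s in DYNDNS_SUFFIXES):
        reasons.append("dynamic-DNS control domain (triage signal, not a block rule)")
    return reasons

def scan(lines):
    """Return (line, reasons) for every line that matched at least one rule."""
    return [(line, r) for line in lines if (r := classify(line))]

# Constructed sample flows; the only value taken from the article is 176.65.139.204.
SAMPLE_LOG = [
    "2026-04-02T10:00:01Z src=10.0.0.7 dst=192.0.2.1 dport=80",
    "2026-04-02T10:00:05Z src=10.0.0.7 dst=176.65.139.204 dport=80",
    "2026-04-02T10:00:09Z src=10.0.0.7 dst=203.0.113.55 dport=443 host=cam-01.duckdns.org",
    "2026-04-02T10:01:00Z src=10.0.0.8 dst=10.0.0.1 dport=53 host=resolver.internal",
]

if __name__ == "__main__":
    for line, reasons in scan(SAMPLE_LOG):
        print(line, "->", "; ".join(reasons))
```

The dynamic-DNS match is deliberately a triage signal only, since plenty of legitimate home devices use duckdns.org; the TEST-NET and known-address matches are the ones worth alerting on.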
RustDuck is a compact botnet that wears the engineering of a more serious operation: a Rust rewrite, modern cryptography, and paranoid anti-analysis routines. Whether it grows into a larger threat or fizzles out, XLab warns the techniques it is testing — particularly the language shift and the hide-from-researchers checklist — are precisely the elements other criminal crews are most likely to copy.