RustDuck: The DDoS Botnet Engineered to Outlast Detection
RustDuck is an actively developed DDoS botnet targeting routers, cameras, and servers through known CVEs and default credential abuse, deploying a Rust-based payload with Noise protocol-grade C2 encryption and a weighted sandbox evasion system to build resilient, hard-to-detect flood infrastructure.
RustDuck is an actively developed DDoS botnet first observed by QiAnXin's XLab. It targets routers, cameras, Android set-top boxes, and exposed servers, assembling them into a distributed flood infrastructure capable of taking services offline. While its current infection scale remains limited relative to established DDoS operations, RustDuck's defining characteristic is the pace of its technical evolution: an active migration from C to Rust, four iterating loader encryption schemes, and a weighted sandbox evasion system that adapts to detection.
The botnet exploits a broad combination of known IoT CVEs, credential abuse, and server-side vulnerabilities, giving it an infection surface that spans consumer hardware and enterprise-adjacent infrastructure. Its C2 protocol borrows from the Noise protocol framework, implementing split session keys that rotate every ten minutes, a level of operational security rarely observed in botnets of this scale.
Background of RustDuck
XLab began tracking RustDuck in February 2026 after identifying a new malware family propagating across IoT devices and internet-facing servers through a combination of default credential abuse and known CVEs. The botnet takes its name from its reliance on the free dynamic DNS service duckdns.org for C2 infrastructure, a deliberate operational choice that allows the operator to rotate away from a blocklisted domain at minimal cost.
As of publication, XLab has captured four distinct loader variants, each introducing a new encryption scheme in direct response to detection. The core module is actively being rewritten from C to Rust, with newer builds presenting significantly greater reverse engineering resistance than earlier variants. More than 20 IP addresses have been observed spreading the botnet, with 176.65.139[.]204 identified as the most active delivery source, a host residing in the same address block as infrastructure tied to a separate ADB-targeting DDoS campaign reported earlier in 2026.
XLab also notes a broader escalation in the DDoS landscape: the AISURU botnet cluster, aggregating over three million devices, drove attacks approaching 30 Tbps before a US-led takedown this spring. Relative to that scale, RustDuck remains small, but its technical trajectory suggests scale is a goal, not a current constraint.
Vulnerability Details
| CVE ID | CVSS Score | EPSS Score | Affected Products | Vulnerability Type |
|---|---|---|---|---|
| CVE-2025-29635 | 7.2 (High) | 87.24% | D-Link DIR-823X routers | Command Injection |
| CVE-2017-17215 | 8.8 (High) | 78.61% | Huawei HG532 routers | Remote Code Execution |
| CVE-2024-1781 | 9.8 (Critical) | 14.69% | Totolink X6000R routers | Command Injection |
| CVE-2018-8007 | 7.2 (High) | 11.68% | Apache CouchDB | Authenticated Code Execution |
Beyond named CVEs, RustDuck targets Android ADB interfaces, DVRs and IP cameras from TVT, networking hardware from Ruijie, TP-Link, and ZTE, as well as exposed ThinkPHP installations, Jenkins servers, and Hadoop YARN endpoints. Default and weak credential attacks against Telnet and SSH complement the CVE exploitation chain.
Attack Methodology
- Phase 1: Target Identification. Attackers identify internet-facing routers, NVRs, cameras, Android set-top boxes, and servers accessible via Telnet, SSH, ADB, or known vulnerable web services. Priority targets are end-of-life devices running firmware with no available patch.
- Phase 2: Initial Access. Access is obtained through CVE exploitation (CVE-2025-29635, CVE-2017-17215, CVE-2024-1781, CVE-2018-8007) or credential attacks using default and weak passwords against Telnet and SSH interfaces. ADB interfaces on Android devices are targeted without authentication.
- Phase 3: Two-Stage Payload Delivery. A lightweight loader module is deployed first. The loader decrypts and decompresses a heavier core module, then passes execution to it. The loader has been observed in four variants, each using a distinct encryption scheme: LCG/XOR/LZ4, Xoshiro128 PRNG, fixed-key XOR, and ChaCha20 stream cipher.
- Phase 4: Anti-Analysis and Sandbox Evasion. Before executing its primary functions, the core module runs a weighted scoring system that checks for debuggers (/proc/self/status), analysis tools (Wireshark, gdb, Frida), honeypot configuration files (Cowrie, Dionaea), SHA256 self-integrity, and timing anomalies via dual system clock comparison. A cumulative score above the preset threshold causes the malware to erase itself and exit.
- Phase 5: C2 Registration and Encrypted Session. The infected device performs a handshake using ChaCha20-Poly1305 with Curve25519 key exchange and HKDF-SHA256 key derivation, referencing the IK pattern of the Noise protocol framework. The session then transitions to AES-GCM with separate uplink and downlink keys. Session keys rotate every ten minutes. All C2 traffic carries a three-byte TLS-mimicking header prefix to blend with legitimate traffic.
- Phase 6: Operator Command Execution. The operator issues commands to launch or stop DDoS flood attacks, query device status, upgrade the malware build, or push updated C2 infrastructure to the device. The ability to push new C2 domains allows the operator to retain access to a device even after its current domain is blocklisted.
- Phase 7: DDoS Attack Launch. On operator command, the compromised device participates in volumetric DDoS flood attacks across multiple flood types against designated targets. The distributed nature of the botnet, spread across residential and business IP ranges, complicates source-based mitigation.
Indicators of Compromise (IOCs)
Delivery IP Address
- 176.65.139[.]204
C2 Infrastructure
- *.duckdns[.]org
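The two indicators above, together with the dynamic-resolution behaviour described in Phases 5 and 6, can be hunted for in ordinary DNS and connection telemetry. The following is an added example, not part of XLab's report or tooling: it scans constructed sample log lines for lookups of the duckdns.org DDNS provider and for connections to the reported delivery IP, then groups the hits per internal host. The log formats, hostnames and internal addresses are assumptions made for the example.

```python
import re
from collections import defaultdict

# Indicators from the report, with the de-fanging brackets removed for matching.
DELIVERY_IPS = {"176.65.139.204"}
C2_DDNS_DOMAIN = "duckdns.org"

# Constructed sample telemetry (not real logs), in a simple space-separated format.
SAMPLE_DNS_LOG = """\
2026-03-01T10:00:01Z 192.168.1.50 query A cdn.example.com
2026-03-01T10:00:07Z 192.168.1.73 query A camfeed-east.duckdns.org
2026-03-01T10:10:09Z 192.168.1.73 query A camfeed-east.duckdns.org
2026-03-01T10:00:12Z 192.168.1.20 query A updates.vendor.example
"""
SAMPLE_CONN_LOG = """\
2026-03-01T09:58:44Z 192.168.1.73 -> 176.65.139.204:80 proto=tcp bytes=48213
2026-03-01T09:59:01Z 192.168.1.20 -> 93.184.216.34:443 proto=tcp bytes=1200
"""
# Group 1: timestamp, group 2: internal source host, group 3: value to check.
DNS_RE = re.compile(r"^(\S+) (\S+) query \S+ (\S+)$")
CONN_RE = re.compile(r"^(\S+) (\S+) -> (\S+):\d+ ")

def is_c2_ddns(qname: str) -> bool:
    """True if qname is duckdns.org itself or any subdomain of it."""
    name = qname.lower().rstrip(".")
    return name == C2_DDNS_DOMAIN or name.endswith("." + C2_DDNS_DOMAIN)

def _scan(log: str, pattern: re.Pattern, flagged) -> list[tuple[str, str, str]]:
    """Return (timestamp, source, value) for every line whose value is flagged."""
    matches = (pattern.match(line) for line in log.splitlines())
    return [m.groups() for m in matches if m and flagged(m.group(3))]

def scan_dns(log: str) -> list[tuple[str, str, str]]:
    """Lookups of the DDNS provider the botnet uses for C2."""
    return _scan(log, DNS_RE, is_c2_ddns)

def scan_connections(log: str) -> list[tuple[str, str, str]]:
    """Connections to the reported delivery IP."""
    return _scan(log, CONN_RE, DELIVERY_IPS.__contains__)

def hosts_of_concern(dns_log: str, conn_log: str) -> dict[str, list[str]]:
    """Map each flagged internal host to the sorted reasons it was flagged."""
    # duckdns.org is a legitimate free DDNS service, so a lookup alone is only a
    # triage lead; a host that also reached the delivery IP needs immediate attention.
    reasons = defaultdict(set)
    for _, src, qname in scan_dns(dns_log):
        reasons[src].add(f"duckdns lookup: {qname}")
    for _, src, dst in scan_connections(conn_log):
        reasons[src].add(f"contacted delivery IP: {dst}")
    return {host: sorted(r) for host, r in reasons.items()}
```

Because the operator can push new C2 domains to infected devices (Phase 6), treat a duckdns.org hit on an IoT or set-top device as a reason to inspect the device, not merely to block the one hostname seen.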
MITRE ATT&CK Mapping
| Technique ID | Technique Name | Tactic |
|---|---|---|
| T1190 | Exploit Public-Facing Application | Initial Access |
| T1078.001 | Default Accounts | Initial Access |
| T1059 | Command and Scripting Interpreter | Execution |
| T1027 | Obfuscated Files or Information | Defense Evasion |
| T1497 | Virtualization/Sandbox Evasion | Defense Evasion |
| T1071.001 | Web Protocols | Command and Control |
| T1573 | Encrypted Channel | Command and Control |
| T1568 | Dynamic Resolution | Command and Control |
| T1584.008 | Network Devices | Resource Development |
| T1499 | Endpoint Denial of Service | Impact |
Visual Attack Flow

Mitigation
- Decommission end-of-life hardware. CVE-2025-29635 in D-Link DIR-823X and CVE-2024-1781 in Totolink X6000R have no vendor patches available. CISA's guidance for the DIR-823X is device retirement. Hardware receiving no security updates should be treated as an unmanaged attack surface and replaced.
- Apply available patches immediately. CVE-2018-8007 in Apache CouchDB has patched releases available. Any internet-accessible CouchDB instance not running a patched version should be updated as a critical priority.
- Disable Android Debug Bridge where not required. ADB exposure on Android set-top boxes provides unauthenticated remote code execution. ADB should be disabled on any device not actively undergoing development work.
Instantly Fix Risks with Saner Patch Management
Saner patch management is continuous, automated, and integrated patching software that instantly fixes risks exploited in the wild. The software supports major operating systems like Windows, Linux, and macOS, as well as 550+ third-party applications.
It also allows you to set up a safe testing area to test patches before deploying them in a primary production environment. Saner patch management additionally supports a patch rollback feature in case of patch failure or a system malfunction.
Experience the fastest and most accurate patching software here.