RustDuck: The DDoS Botnet Engineered to Outlast Detection

RustDuck is an actively developed DDoS botnet targeting routers, cameras, and servers through known CVEs and default credential abuse, deploying a Rust-based payload with Noise protocol-grade C2 encryption and a weighted sandbox evasion system to build resilient, hard-to-detect flood infrastructure.

Jul 2, 2026, by Yash Raj

RustDuck is an actively developed DDoS botnet first observed by QiAnXin's XLab. It targets routers, cameras, Android set-top boxes, and exposed servers, assembling them into a distributed flood infrastructure capable of taking services offline. While its current infection scale remains limited relative to established DDoS operations, RustDuck's defining characteristic is the pace of its technical evolution: an active migration from C to Rust, four iterating loader encryption schemes, and a weighted sandbox evasion system that adapts to detection.

The botnet exploits a broad combination of known IoT CVEs, credential abuse, and server-side vulnerabilities, giving it an infection surface that spans consumer hardware and enterprise-adjacent infrastructure. Its C2 protocol borrows from the Noise protocol framework, implementing split session keys that rotate every ten minutes, a level of operational security rarely observed in botnets of this scale.

Background of RustDuck

XLab began tracking RustDuck in February 2026 after identifying a new malware family propagating across IoT devices and internet-facing servers through a combination of default credential abuse and known CVEs. The botnet takes its name from its reliance on the free dynamic DNS service duckdns.org for C2 infrastructure, a deliberate operational choice that allows the operator to rotate away from a blocklisted domain at minimal cost.

As of publication, XLab has captured four distinct loader variants, each introducing a new encryption scheme in direct response to detection. The core module is actively being rewritten from C to Rust, with newer builds presenting significantly greater reverse engineering resistance than earlier variants. More than 20 IP addresses have been observed spreading the botnet, with 176.65.139[.]204 identified as the most active delivery source, a host residing in the same address block as infrastructure tied to a separate ADB-targeting DDoS campaign reported earlier in 2026.

XLab also notes a broader escalation in the DDoS landscape: the AISURU botnet cluster, aggregating over three million devices, drove attacks approaching 30 Tbps before a US-led takedown this spring. Relative to that scale, RustDuck remains small, but its technical trajectory suggests scale is a goal, not a current constraint.

Vulnerability Details

CVE ID         | CVSS Score     | EPSS Score | Affected Products        | Vulnerability Type
CVE-2025-29635 | 7.2 (High)     | 87.24%     | D-Link DIR-823X routers  | Command Injection
CVE-2017-17215 | 8.8 (High)     | 78.61%     | Huawei HG532 routers     | Remote Code Execution
CVE-2024-1781  | 9.8 (Critical) | 14.69%     | Totolink X6000R routers  | Command Injection
CVE-2018-8007  | 7.2 (High)     | 11.68%     | Apache CouchDB           | Authenticated Code Execution

Beyond named CVEs, RustDuck targets Android ADB interfaces, DVRs and IP cameras from TVT, networking hardware from Ruijie, TP-Link, and ZTE, as well as exposed ThinkPHP installations, Jenkins servers, and Hadoop YARN endpoints. Default and weak credential attacks against Telnet and SSH complement the CVE exploitation chain.

Attack Methodology

  • Phase 1: Target Identification
    Attackers identify internet-facing routers, NVRs, cameras, Android set-top boxes, and servers accessible via Telnet, SSH, ADB, or known vulnerable web services. Priority targets are end-of-life devices running firmware with no available patch.
  • Phase 2: Initial Access
    Access is obtained through CVE exploitation (CVE-2025-29635, CVE-2017-17215, CVE-2024-1781, CVE-2018-8007) or credential attacks using default and weak passwords against Telnet and SSH interfaces. ADB interfaces on Android devices are targeted without authentication.
  • Phase 3: Two-Stage Payload Delivery
    A lightweight loader module is deployed first. The loader decrypts and decompresses a heavier core module, then passes execution to it. The loader has been observed in four variants, each using a distinct encryption scheme: LCG/XOR/LZ4, Xoshiro128 PRNG, fixed-key XOR, and ChaCha20 stream cipher.
  • Phase 4: Anti-Analysis and Sandbox Evasion
    Before executing its primary functions, the core module runs a weighted scoring system that checks for debuggers (/proc/self/status), analysis tools (Wireshark, gdb, Frida), honeypot configuration files (Cowrie, Dionaea), SHA256 self-integrity, and timing anomalies via dual system clock comparison. A cumulative score above the preset threshold causes the malware to erase itself and exit.
  • Phase 5: C2 Registration and Encrypted Session
    The infected device performs a handshake using ChaCha20-Poly1305 with Curve25519 key exchange and HKDF-SHA256 key derivation, referencing the IK pattern of the Noise protocol framework. The session then transitions to AES-GCM with separate uplink and downlink keys. Session keys rotate every ten minutes. All C2 traffic carries a three-byte TLS-mimicking header prefix to blend with legitimate traffic.
  • Phase 6: Operator Command Execution
    The operator issues commands to launch or stop DDoS flood attacks, query device status, upgrade the malware build, or push updated C2 infrastructure to the device. The ability to push new C2 domains allows the operator to retain access to a device even after its current domain is blocklisted.
  • Phase 7: DDoS Attack Launch
    On operator command, the compromised device participates in volumetric DDoS flood attacks across multiple flood types against designated targets. The distributed nature of the botnet, spread across residential and business IP ranges, complicates source-based mitigation.
Key Observation: RustDuck's weighted sandbox scoring system is more operationally robust than the binary single-condition checks common in commodity IoT malware. No individual check triggers evasion in isolation; the malware requires a cumulative score above threshold before self-erasing, reducing false positives on genuine victim devices under unusual load conditions.
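The Phase 5 session design, a single shared secret turned into separate uplink and downlink keys that roll over every ten minutes, is standard Noise/TLS-style key management, and it is worth seeing why it is harder to attack than a single shared key. The block below is an added illustration, not RustDuck's code or XLab's reconstruction of it: it implements HKDF-SHA256 per RFC 5869 with only the Python standard library and derives direction-specific keys bound to a rotation epoch. The label strings, the epoch scheme, the session-id salt and the 256-bit key length are assumptions made for the example; the actual transport cipher (AES-GCM in the report) is outside the block.

```python
"""Direction-split session keys with HKDF-SHA256 and timed rotation.

Added illustration, not RustDuck's code. Shows the Phase 5 design:
one shared secret, separate uplink/downlink keys, ten-minute rotation.
HKDF follows RFC 5869; labels, epoch scheme and key sizes are assumed.
"""
import hashlib
import hmac

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size   # 32 bytes for SHA-256
ROTATION_SECONDS = 600           # ten-minute rotation, as described in the write-up


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 step 1: PRK = HMAC-Hash(salt, IKM). Empty salt -> zero block."""
    if not salt:
        salt = b"\x00" * HASH_LEN
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 step 2: OKM = T(1) | T(2) | ..., truncated to `length` bytes."""
    if length > 255 * HASH_LEN:
        raise ValueError("HKDF-Expand length too large")
    okm = b""
    block = b""          # T(0) is the empty string
    counter = 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def hkdf(salt: bytes, ikm: bytes, info: bytes, length: int) -> bytes:
    """Extract-then-expand in one call."""
    return hkdf_expand(hkdf_extract(salt, ikm), info, length)


def rotation_epoch(unix_time: float) -> int:
    """Index of the ten-minute window a timestamp falls in (assumed scheme)."""
    return int(unix_time // ROTATION_SECONDS)


def derive_direction_keys(shared_secret: bytes, session_id: bytes, epoch: int) -> dict:
    """Derive independent uplink and downlink keys for one rotation epoch.

    The direction label is mixed into `info`, so the two keys are
    unrelated: ciphertext produced under the uplink key cannot be reflected
    back to the other side as if it were downlink traffic. Binding the
    epoch into the salt lets both peers roll to fresh keys on schedule
    without a new handshake, provided their clocks agree on the window.
    """
    salt = session_id + epoch.to_bytes(8, "big")
    return {
        "uplink": hkdf(salt, shared_secret, b"uplink aes-256-gcm", 32),
        "downlink": hkdf(salt, shared_secret, b"downlink aes-256-gcm", 32),
    }


if __name__ == "__main__":
    # Constructed values: a stand-in for the Curve25519 shared secret.
    secret = bytes(range(32))
    sid = b"constructed-session-id"
    for epoch in (rotation_epoch(0), rotation_epoch(600)):
        keys = derive_direction_keys(secret, sid, epoch)
        print(epoch, keys["uplink"].hex()[:16], keys["downlink"].hex()[:16])
```

For a defender the practical consequence is that a captured key only decrypts one direction of one ten-minute window, so passive decryption of a C2 stream requires the long-term handshake material, not a single session key.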

Indicators of Compromise (IOCs)

Delivery IP Address

  • 176.65.139[.]204

C2 Infrastructure

  • *.duckdns[.]org
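The two indicators above are the only network-level ones the report publishes, and both need a little care to use: the IP is defanged, and the C2 entry is a wildcard over a public dynamic-DNS provider, so a naive substring match would also fire on look-alike names. The block below is an added detection example, not part of the SecPod write-up: it refangs the indicators exactly as listed, matches the wildcard on label boundaries, and scans a handful of constructed log lines. The log format (timestamp, `dns`/`conn` event, `src=` and `dst=` fields) and the sample lines are assumptions made for the example.

```python
"""Flag DNS and connection log lines that match the published RustDuck IOCs.

Added detection example, not part of the SecPod write-up. The indicators
are the two listed in the report; the log format and sample lines are
constructed for this example.
"""
import ipaddress
import re
from dataclasses import dataclass

# Indicators exactly as published, still defanged.
DEFANGED_IOCS = {
    "delivery_ip": ["176.65.139[.]204"],
    "c2_domains": ["*.duckdns[.]org"],
}


def refang(indicator: str) -> str:
    """Turn a defanged indicator back into a matchable value."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def domain_matches(pattern: str, hostname: str) -> bool:
    """Match `*.apex` against a hostname on label boundaries.

    A wildcard matches the apex and any subdomain, but not look-alikes
    such as `notduckdns.org`, because the suffix check requires a dot.
    """
    hostname = hostname.lower().rstrip(".")
    pattern = pattern.lower()
    if pattern.startswith("*."):
        apex = pattern[2:]
        return hostname == apex or hostname.endswith("." + apex)
    return hostname == pattern


@dataclass
class Hit:
    line_no: int
    indicator: str
    line: str


# Assumed log shape: "<timestamp> dns|conn src=<addr> dst=<host or ip:port>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>dns|conn) src=(?P<src>\S+) dst=(?P<dst>\S+)$"
)


def scan_log(lines, iocs=DEFANGED_IOCS):
    """Return a Hit for every line whose destination matches an indicator."""
    ips = {ipaddress.ip_address(refang(i)) for i in iocs["delivery_ip"]}
    domains = [refang(d) for d in iocs["c2_domains"]]
    hits = []
    for n, raw in enumerate(lines, start=1):
        m = LOG_RE.match(raw.strip())
        if not m:
            continue  # unparseable line: skip it rather than crash the pipeline
        dst = m.group("dst")
        if m.group("event") == "dns":
            for pat in domains:
                if domain_matches(pat, dst):
                    hits.append(Hit(n, pat, raw))
        else:
            host = dst.rsplit(":", 1)[0]  # strip an optional :port
            try:
                if ipaddress.ip_address(host) in ips:
                    hits.append(Hit(n, host, raw))
            except ValueError:
                pass  # destination was a name, not an address
    return hits


# Constructed sample lines; only the first and third should match.
SAMPLE_LOG = [
    "2026-07-02T10:14:03Z conn src=10.0.3.17 dst=176.65.139.204:80",
    "2026-07-02T10:14:05Z conn src=10.0.3.17 dst=93.184.216.34:443",
    "2026-07-02T10:14:09Z dns src=10.0.3.17 dst=example-node.duckdns.org",
    "2026-07-02T10:14:11Z dns src=10.0.3.22 dst=notduckdns.org",
    "2026-07-02T10:14:12Z malformed line that should be skipped",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"line {hit.line_no}: matched {hit.indicator}: {hit.line}")
```

Because duckdns.org is a legitimate free service, a hit on the wildcard is a lead to triage (which device, what it resolved, whether an outbound connection followed), not a verdict on its own; the delivery IP is the higher-confidence indicator of the two.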

MITRE ATT&CK Mapping

Technique ID | Technique Name                       | Tactic
T1190        | Exploit Public-Facing Application    | Initial Access
T1078.001    | Default Accounts                     | Initial Access
T1059        | Command and Scripting Interpreter    | Execution
T1027        | Obfuscated Files or Information      | Defense Evasion
T1497        | Virtualization/Sandbox Evasion       | Defense Evasion
T1071.001    | Web Protocols                        | Command and Control
T1573        | Encrypted Channel                    | Command and Control
T1568        | Dynamic Resolution                   | Command and Control
T1584.008    | Network Devices                      | Resource Development
T1499        | Endpoint Denial of Service           | Impact

Visual Attack Flow

[Attack flow diagram: image not included in this text version]

Mitigation

  1. Decommission end-of-life hardware. CVE-2025-29635 in D-Link DIR-823X and CVE-2024-1781 in Totolink X6000R have no vendor patches available. CISA's guidance for the DIR-823X is device retirement. Hardware receiving no security updates should be treated as an unmanaged attack surface and replaced.
  2. Apply available patches immediately. CVE-2018-8007 in Apache CouchDB has patched releases available. Any internet-accessible CouchDB instance not running a patched version should be updated as a critical priority.
  3. Disable Android Debug Bridge where not required. ADB exposure on Android set-top boxes provides unauthenticated remote code execution. ADB should be disabled on any device not actively undergoing development work.

Instantly Fix Risks with Saner Patch Management

Saner patch management is a continuous, automated, and integrated software that instantly fixes risks exploited in the wild. The software supports major operating systems like Windows, Linux, and macOS, as well as 550+ third-party applications.

It also allows you to set up a safe testing area to test patches before deploying them in a primary production environment. Saner patch management additionally supports a patch rollback feature in case of patch failure or a system malfunction.

Experience the fastest and most accurate patching software here.
