A new malware strain named RustDuck is actively compromising home routers, IP cameras, Android devices, and inadequately secured servers to orchestrate distributed denial-of-service (DDoS) attacks. This botnet, under observation by QiAnXin’s XLab since February 2026, is notable for its rapid evolution and increasing sophistication.
Propagation Methods
RustDuck employs multiple vectors to infiltrate devices. It exploits weak or default passwords on remote login services such as Telnet and SSH, allowing unauthorized access. Additionally, it targets unpatched vulnerabilities in various devices, including:
- Exposed Android debugging interfaces
- Flaws in devices from manufacturers like TVT (DVRs and cameras), Ruijie, TP-Link, and ZTE
- Specific vulnerabilities such as:
  - CVE-2017-17215: A remote code execution flaw in Huawei HG532 routers
  - CVE-2025-29635: A command-injection vulnerability in D-Link DIR-823X routers
  - CVE-2024-1781: A command-injection issue in Totolink X6000R routers
  - CVE-2018-8007: A remote code execution vulnerability in Apache CouchDB
Furthermore, RustDuck exploits known weaknesses in web software platforms like ThinkPHP, Jenkins, and Hadoop YARN, extending its reach from consumer devices to exposed server software.
Technical Sophistication
RustDuck operates through a two-stage installation process: an initial loader decrypts and deploys a more complex core module. This core, now being rewritten in the Rust programming language, enhances the malware’s resilience and evasion capabilities. Rust’s inherent complexity makes reverse engineering more challenging compared to traditional C-based malware.
The malware incorporates advanced anti-analysis techniques. It checks for analysis tools such as Wireshark and gdb, identifies debuggers attached to its process, and recognizes virtual machine environments. If any of these conditions is met, RustDuck terminates to avoid detection.
Notably, RustDuck conducts specific tests to identify sandbox environments. For instance, it attempts to communicate with a reserved internet address that should not respond; any reply indicates a controlled environment, prompting the malware to cease execution. Additionally, it compares system clocks to detect time acceleration, a common sandbox tactic, further demonstrating its sophisticated evasion strategies.
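As an added defender-side example (not code from the XLab report or from RustDuck itself), the reserved-address probe described above can be countered on the sandbox side and spotted in network telemetry with the same classifier: a sandbox's simulated internet should stay silent for destinations that never answer in the wild, and connection attempts towards such destinations are worth flagging in flow logs. The address ranges, hosts and log lines below are constructed.

```python
import ipaddress
from typing import Dict, List

# Constructed list of ranges that never answer on the real internet. RustDuck's
# probe relies on exactly this: a sandbox "fake internet" that replies to
# everything gives itself away when one of these addresses answers.
UNROUTABLE_NETWORKS = [ipaddress.ip_network(n) for n in (
    "192.0.2.0/24",     # TEST-NET-1 (RFC 5737 documentation range)
    "198.51.100.0/24",  # TEST-NET-2
    "203.0.113.0/24",   # TEST-NET-3
    "240.0.0.0/4",      # reserved (RFC 1112)
)]

def is_unroutable(dst: str) -> bool:
    """True if dst should never answer on the public internet."""
    ip = ipaddress.ip_address(dst)
    if ip.is_reserved or ip.is_unspecified or ip.is_multicast or ip.is_link_local:
        return True
    return any(ip in net for net in UNROUTABLE_NETWORKS)

def sandbox_should_answer(dst: str) -> bool:
    """Policy for a sandbox's simulated network: stay silent for unroutable
    destinations so the probe gets the same silence it would get in the wild."""
    return not is_unroutable(dst)

def flag_probe_events(flow_lines: List[str]) -> List[Dict[str, str]]:
    """Parse constructed flow-log lines 'ts src dst dport' and return the
    connection attempts aimed at unroutable destinations (probe hits)."""
    hits = []
    for line in flow_lines:
        parts = line.split()
        if len(parts) != 4:
            continue  # malformed line
        ts, src, dst, dport = parts
        try:
            if is_unroutable(dst):
                hits.append({"ts": ts, "src": src, "dst": dst, "dport": dport})
        except ValueError:
            continue  # dst is not a valid IP address
    return hits

# Constructed sample flows (hypothetical hosts and timestamps).
SAMPLE_FLOWS = [
    "2026-02-11T10:00:01Z 192.168.1.20 93.184.216.34 443",
    "2026-02-11T10:00:02Z 192.168.1.20 240.1.2.3 80",
    "2026-02-11T10:00:03Z 192.168.1.20 198.51.100.7 53",
    "2026-02-11T10:00:04Z 192.168.1.20 not-an-ip 80",
]
if __name__ == "__main__":
    print(flag_probe_events(SAMPLE_FLOWS))
```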
The transition to Rust and the implementation of these advanced techniques suggest that RustDuck is under active development, reflecting a broader trend among cybercriminals to adopt more secure and efficient programming languages to enhance malware capabilities.
As malware authors continue to evolve their tactics, the cybersecurity community must remain vigilant. The adoption of Rust in malware development underscores the need for updated detection methods and proactive security measures to counter increasingly sophisticated threats.