July 7, 2026
RustDuck Unmasked: Inside the Rust-Powered Botnet Hijacking Routers and Servers
THREATSYS | Threat Intelligence Briefing

By Threatsys Technologies Pvt Ltd
7 min read
RustDuck Unmasked: Inside the Rust-Powered Botnet Hijacking Routers and Servers
How a fast-evolving IoT malware family is teaching itself to hide and what it means for anyone running a router, a camera, or a server.
Published July 2026 • Threatsys Threat Intelligence Team • Category: Botnets & DDoS
THREATSYS THREAT INTELLIGENCE
Contents
01_ Executive Summary_
02_ The Quiet Rise of IoT Botnets_
03_ Inside RustDuck's Two-Stage Design_
04_ How RustDuck Gets In_
05_ Built to Hide: Anti-Analysis Engineering_
06_ Locked-Down, Camouflaged Communications_
07_ Part of a Larger, More Dangerous Trend_
08_ Threatsys Recommendations_
09_ How Threatsys Can Help_
10_ Conclusion_
11_ About Threatsys Technologies_
THREATSYS THREAT INTELLIGENCE
EXECUTIVE SUMMARY
A Small Botnet With Serious Engineering Behind It
Threatsys' threat intelligence desk has been tracking a fast-moving IoT malware family named RustDuck. First spotted by independent researchers in February 2026, RustDuck compromises home routers, IP cameras, Android-based set-top boxes, and exposed servers, then folds them into a network used to launch distributed denial-of-service (DDoS) attacks against websites and online services.
What earns RustDuck a closer look isn't its current scale it is still modest compared to the largest botnets on record but the direction of its development. Its authors are actively rewriting the malware's core from C into Rust, and recent builds go well out of their way to detect and evade security researchers. Both choices point to a criminal operation investing in longevity, not a one-off campaign.
BACKGROUND
The Quiet Rise of IoT Botnets
Millions of routers, cameras, and other internet-connected devices sit on home and business networks with outdated firmware and rarely-changed default credentials. For attackers, that combination is a standing invitation: compromise enough of these low-value devices and the combined bandwidth becomes a weapon capable of overwhelming far larger targets. RustDuck is the latest entrant in this well-worn playbook, but its craftsmanship sets it apart from typical smash-and-grab IoT malware.
TECHNICAL PROFILE
Inside RustDuck's Two-Stage Design
RustDuck infects a device in two steps. A lightweight loader lands first, whose only job is to decrypt and unpack a heavier core module. That core the part now being rewritten in Rust is where the malware's real capability lives: command handling, encrypted communications, and an increasingly elaborate set of defenses against being studied.
The choice of Rust is notable in its own right. Rust binaries are generally harder for malware analysts to reverse-engineer than the C code that has powered device-targeting malware for years. Combined with the sophistication researchers observed in its key derivation and network protocol, the rewrite points to a team actively investing in the project rather than recycling leaked source code.
ATTACK SURFACE
How RustDuck Gets In
RustDuck doesn't rely on a single technique. Instead, it sprays a mix of long-standing weaknesses across three broad categories and takes whichever door opens first.
1. Weak or Default Credentials
The simplest path remains the most effective: devices left reachable on the open internet with factory-default or easily guessed passwords on Telnet and SSH. No exploit is required the malware simply logs in.
2. Unpatched Device Vulnerabilities
XLab says RustDuck goes after exposed Android debugging interfaces and flaws in gear from TVT (DVRs and cameras), Ruijie, TP-Link, and ZTE, plus a handful of named, years-old vulnerabilities that still litter the internet: RustDuck also targets exposed Android debugging interfaces and a set of years-old, well-documented vulnerabilities in consumer and small-business network gear. Several of these have no vendor fix available at all.
Identifier, Affected Product, Nature of Flaw
CVE-2017–17215, Huawei HG532 routers, Remote code execution; a legacy favorite of Mirai-style botnets
CVE-2025–29635, D-Link DIR-823X routers (discontinued), Command injection; added to CISA's Known Exploited list in 2026
CVE-2024–1781, Totolink X6000R routers, Command injection; vendor never responded to disclosure
CVE-2018–8007, Apache CouchDB, Authenticated remote code execution
3. Exposed Web Software
Beyond consumer hardware, RustDuck also probes for known flaws in self-hosted web platforms such as ThinkPHP, Jenkins, and Hadoop YARN extending its reach from cheap home electronics to under-maintained enterprise infrastructure.
TRADECRAFT
Built to Hide: Anti-Analysis Engineering
The most striking part of RustDuck's evolution is how hard newer samples work to avoid being watched. Before doing anything else, the malware runs through a checklist designed to determine whether it has landed on a genuine victim's device or inside a security researcher's lab.
- Scans for analysis tools such as Wireshark and gdb running on the host.
- Checks for a debugger attached to its own process.
- Looks for tell-tale fingerprints of honeypot environments.
- Probes for signs of virtual-machine hardware rather than a physical device.
- Reaches out to a reserved test-only internet address that should never respond a reply signals it is trapped inside a fake network built to study malware.
- Compares two internal clocks to detect sandboxes that accelerate time to force malware into revealing itself quickly.
Each check adds to an internal risk score. Once that score crosses a threshold, RustDuck erases its traces and shuts itself down before an analyst can observe it in action.
COMMAND & CONTROL
Locked-Down, Camouflaged Communications
RustDuck's network traffic is encrypted to a standard well above what's typical for consumer-device malware. It uses ChaCha20-Poly1305 to secure its initial handshake and AES-GCM once it begins receiving instructions, with keys derived through HKDF-SHA256 and a Curve25519 key exchange. Session keys rotate roughly every ten minutes, and the traffic is shaped to resemble ordinary encrypted web browsing so it doesn't stand out on a network monitor.
Once a compromised device checks in, operators can issue a short menu of commands: launch an attack, stop one in progress, report status, switch to a new control server, or silently upgrade the malware to a newer build. Control infrastructure leans heavily on free dynamic-DNS services the likely source of the "Duck" in the malware's name.
INDUSTRY CONTEXT
Part of a Larger, More Dangerous Trend
RustDuck is not the first botnet to move to Rust a related family named RustoBot was documented in 2025 using a similar recipe of vulnerable routers, a memory-safe language, and on-demand flood attacks. It also arrives during an unusually severe year for DDoS activity: a cluster of related botnets built from more than three million hijacked devices generated record-breaking attacks earlier this year before a coordinated law-enforcement takedown dismantled their infrastructure.
Set against that backdrop, RustDuck's current footprint is small. What concerns Threatsys' analysts is the trajectory: a Rust rewrite and a genuinely paranoid anti-analysis routine are exactly the kind of engineering investments that tend to get copied by other criminal groups, regardless of what becomes of this particular botnet.
GUIDANCE
Threatsys Recommendations
There is no patch for RustDuck itself it's malware, not a single vulnerability. Defense means closing the doors it depends on:
- Take remote-management interfaces off the public internet. Disable Android Debug Bridge, Telnet, and SSH wherever they aren't operationally required, and never leave them reachable on default credentials.
- Patch what can be patched, and retire what can't. Apache CouchDB has fixed releases available; several of the routers named above are past end-of-life and should be replaced rather than left in service.
- Segment IoT and OT devices onto their own network zone, away from critical systems, so a compromised camera or router can't become a stepping stone.
- Monitor for the malware's known indicators file hashes, control domains, and source addresses and feed them into existing security monitoring.
- Rehearse DDoS response before you need it: confirm upstream scrubbing or CDN protections are active and tested, not just provisioned.
THREATSYS SERVICES
How Threatsys Can Help
Identifying exposure to threats like RustDuck before an attacker does is the core of what we do. Threatsys' Vulnerability Assessment & Penetration Testing (VAPT) practice tests network perimeters, exposed management interfaces, and web-facing applications for exactly the kinds of misconfigurations and unpatched flaws this botnet relies on. Our Network Security Testing engagements specifically assess device hardening, segmentation, and remote-access exposure across IoT and traditional infrastructure alike.
For organisations that need always-on visibility rather than a point-in-time assessment, our CYQER SOC platform combines SIEM and XDR capabilities to detect anomalous outbound traffic, command-and-control beaconing, and early signs of botnet recruitment before a device is weaponised against someone else's infrastructure.
Talk to Our Threat Intelligence Team
If you'd like RustDuck's known indicators checked against your environment, or want a scoped VAPT engagement on your network perimeter, reach out to sales@threatsys.co.in or support@threatsys.co.in.
CLOSING THOUGHTS
Conclusion
RustDuck is, for now, a small botnet wearing the engineering of a much more serious one. Whether it grows into a headline-grabbing threat or fades into obscurity, the techniques it is testing a memory-safe rewrite and a genuinely defensive posture against researchers are the parts most likely to reappear in the next campaign. Organisations that treat IoT and edge devices as low-risk afterthoughts remain the easiest targets. Threatsys recommends closing that gap before it's tested by someone less friendly than a research team.
Threatsys Technologies Pvt. Ltd.
THREATSYS THREAT INTELLIGENCE
ABOUT US
About Threatsys Technologies
Threatsys Technologies Pvt. Ltd. is a full-service cybersecurity firm headquartered in Bhubaneswar, India, with a growing presence in Dubai and Europe. We help enterprises, governments, and financial institutions identify vulnerabilities, mitigate risk, and defend critical digital assets through penetration testing, security audits, compliance consulting, and managed security services. Threatsys is CERT-IN empanelled and ISO 27001, ISO 20000, and SOC 2 Type II certified.
Corporate Office: 3rd Floor, F3, Ryan Tower, Technology Corridor, Infocity, Bhubaneswar, Odisha 751024
Phone: +91–9668200222 | +91–8018482222
Email: sales@threatsys.co.in | support@threatsys.co.in
© 2026 Threatsys Technologies Pvt. Ltd. — Mitigating Risks, Overcoming Threats.