RustDuck Botnet Evolves with Rust Programming to Evade Detection

RustDuck is a sophisticated two-part malware targeting IoT devices like home routers, security cameras, Android TV boxes, and vulnerable servers to build a botnet for launching distributed denial of service attacks. First observed by QiAnXin XLab researchers in February 2026, the malware spreads through three primary attack vectors: brute forcing weak or default credentials on internet-exposed devices, exploiting unpatched vulnerabilities in Android systems and hardware from manufacturers including TVT, Ruijie, TP-Link, and ZTE, and targeting known security flaws in server applications like ThinkPHP, Jenkins, and Hadoop YARN. The malware distribution infrastructure includes over twenty command addresses, with the most active being 176.65.139[.]204.

What makes RustDuck particularly noteworthy is its ongoing migration from C to the Rust programming language and its extensive anti-analysis capabilities. The infection occurs in two stages: an initial lightweight dropper downloads and deploys the main payload, which is increasingly being rewritten in Rust to complicate reverse engineering efforts. The malware implements multiple detection mechanisms to identify researcher environments, including scanning for analysis tools, virtual machines, and sandbox indicators, and even comparing system clocks to detect the time manipulation techniques used in malware analysis. When such an analysis environment is detected, RustDuck self-destructs to avoid examination.

The malware's operational security is equally advanced, employing strong encryption for command and control communications, rotating cryptographic keys every ten minutes, and disguising its network traffic as legitimate HTTPS browsing activity. Infected devices can receive commands to initiate or halt attacks, report system status, switch control servers, or download updated versions. While RustDuck currently operates at a smaller scale than the massive botnets responsible for recent record-breaking DDoS campaigns, its technical sophistication and rapid evolution present a concerning development in the botnet landscape.

Protection against RustDuck requires fundamental security hygiene rather than a single software patch, including changing default credentials, disabling unnecessary remote access features, and maintaining current firmware and software versions across all network-connected devices. The emergence of Rust-based botnets like RustDuck and its predecessor RustoBot from 2025 signals a troubling trend, as the advanced evasion techniques and language migration demonstrated by this malware will likely be adopted by other threat actors seeking to evade detection and analysis by security researchers.

Stay secure — stay Wavasec. 🔐