- A new botnet called RustDuck is hijacking home routers and servers to launch DDoS attacks, rapidly evolving with a switch to the Rust programming language.
- The malware is designed to be stealthy, performing extensive checks to detect if it’s in a researcher’s lab or honeypot environment before activating.
- It spreads by exploiting weak/default passwords, unpatched bugs in devices from brands like TP-Link and ZTE, and vulnerabilities in web software like Jenkins.
A new two-stage malware family called RustDuck has been targeting IoT devices and poorly secured servers since February 2026 to build a botnet for DDoS attacks. Researchers at QiAnXin’s XLab tracked its evolution, noting its primary goal is to flood targets with junk traffic.
The malware stands out because it is being actively rewritten from C into Rust, which makes analysis more difficult. Its newer versions also implement sophisticated anti-analysis features to avoid detection and shutdown. Before executing, it runs a checklist for signs of a security research environment, such as analysis tools or virtual machines.
If its risk score crosses a threshold, the malware erases its traces and stops. Two specific checks involve probing a reserved internet address and comparing system clocks to catch sandbox environments. Its communications are also locked down with modern encryption, using ChaCha20-Poly1305 and AES-GCM to blend in with regular web traffic.
Operators control infected devices via a short list of commands sent from servers using free dynamic-DNS services. According to XLab’s report, the busiest delivery address for the malware is 176.65.139[.]204. This address shares a network block with a separate DDoS botnet server reported in spring 2026.
This fits a larger trend, as Fortinet documented in April 2025 for the Rust-based RustoBot. Defending against RustDuck requires closing the doors it uses to spread: removing remote-management interfaces from the public internet and patching or replacing vulnerable, end-of-life hardware.
