Today's cybersecurity headlines are brought to you by ThreatPerspective


Ethical Hacking News

RustDuck Botnet Rebuilds in Rust to Hijack Routers and Servers for DDoS: A Growing Concern for Cybersecurity


The RustDuck botnet poses a significant threat to cybersecurity: it has been hijacking devices and building a network of infected machines that can be used to launch DDoS attacks. The malware, built in the Rust programming language, employs advanced techniques to evade analysis and detection, making it a formidable challenge for security experts.

  • The RustDuck botnet is a sophisticated malware family that poses a significant challenge to security experts and individuals alike.
  • The botnet targets vulnerable devices such as home routers, IP cameras, Android boxes, and poorly secured servers to build a network of infected devices for DDoS attacks.
  • The malware exploits known weaknesses, including weak passwords, exposed Android debugging interfaces, and years-old vulnerabilities still present on the internet.
  • The RustDuck botnet evades analysis and detection by checking for analysis environments before running and by encrypting its command traffic with keys derived via HKDF-SHA256 and rotated every ten minutes.
  • The malware's sophistication and its development in Rust indicate a clear intention to make it more resilient to analysis and detection.
  • Precautions include keeping remote-management interfaces off the public internet, patching vulnerable devices, blocking known indicators, and replacing unsupported gear with new hardware.



The cybersecurity landscape is ever-evolving, with new threats emerging daily. One threat that has gained significant attention recently is the RustDuck botnet. This sophisticated malware, built from scratch in the Rust programming language, poses a formidable challenge to security experts and individuals alike.

According to researchers at QiAnXin's XLab, who have been tracking the RustDuck botnet since February 2026, this new malware family has been hijacking home routers, IP cameras, Android boxes, and poorly secured servers. The primary goal of the botnet is to build a network of infected devices that can be used to launch distributed denial-of-service (DDoS) attacks.

The RustDuck botnet's strategy involves exploiting a mix of old and well-known weaknesses, including weak or default passwords on remote-login services such as Telnet and SSH. It also targets exposed Android debugging interfaces and vulnerabilities in various device manufacturers' products, including those from TVT, Ruijie, TP-Link, and ZTE.

Furthermore, the RustDuck malware takes advantage of named, years-old vulnerabilities that still litter the internet, including CVE-2017-17215, a remote code execution bug in Huawei HG532 routers, and CVE-2025-29635, a command-injection flaw in discontinued D-Link DIR-823X routers.

In addition to targeting vulnerable devices, the RustDuck botnet employs advanced techniques to evade analysis and detection. Before settling on a device, the malware runs a series of checks to assess whether it is being observed by security researchers. If it determines that it is inside a decoy network designed to fool malware, it aborts.

The RustDuck malware's most notable feature is its use of modern encryption methods to communicate with its operators. It uses ChaCha20-Poly1305 for the handshake and AES-GCM once it begins taking commands. The malware derives its keys using HKDF-SHA256 and rotates them every ten minutes, making it difficult for analysts to track.

The RustDuck botnet is notable not only for its sophistication but also because it is being rewritten in Rust, a memory-safe language. This switch indicates active development and a clear intention to make the malware more resilient to analysis and detection.

Interestingly, the RustDuck malware's behavior bears some resemblance to that of a previous botnet called RustoBot, which was documented by Fortinet in April 2025. RustoBot also targeted cheap routers, was written in a modern language (Rust), and flooded targets with traffic on demand.

However, while RustoBot was relatively small compared to the RustDuck botnet, which has already infected over 20 internet addresses, the latter poses a more significant threat due to its advanced techniques and evasion methods. The fact that RustDuck's busiest delivery address sits in the same small block of addresses as a separate ADB-targeting DDoS botnet reported in spring 2026 raises concerns about potential shared bulletproof hosting.

To mitigate this threat, security experts recommend several steps. First, individuals should ensure that their remote-management interfaces are off the public internet and that weak or default passwords on remote-login services such as Telnet and SSH are changed immediately. Second, patching what can be patched is essential, as some of these devices have fixed releases available.

Third, blocking known indicators is crucial: XLab's report lists the malware's file hashes, control domains, and source addresses, which can be used to monitor for this botnet. Finally, it is recommended that individuals replace unsupported gear with new hardware rather than trying to fix or patch old devices.

In conclusion, the RustDuck botnet represents a growing concern in the cybersecurity world due to its advanced techniques, evasion methods, and potential to launch DDoS attacks. As security experts continue to monitor this threat, it is essential for individuals to take proactive measures to secure their devices and networks against it.
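The key-rotation scheme described above, worked through as an added example (not code from the malware or from XLab's report): HKDF-SHA256 as specified in RFC 5869, implemented with the Python standard library, with the ten-minute window index fed into the HKDF `info` field so each window yields an independent key. The shared secret, salt and label are constructed placeholders; the real inputs RustDuck uses are not on the page.

```python
import hashlib
import hmac

HASH_LEN = hashlib.sha256().digest_size  # 32 bytes for SHA-256


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 extract step: PRK = HMAC-SHA256(salt, IKM)."""
    if not salt:
        salt = bytes(HASH_LEN)  # RFC 5869: empty salt means HashLen zero bytes
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 expand step: T(i) = HMAC(PRK, T(i-1) | info | i), concatenated."""
    blocks_needed = -(-length // HASH_LEN)  # ceiling division
    okm, block = b"", b""
    for counter in range(1, blocks_needed + 1):
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
    return okm[:length]


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    return hkdf_expand(hkdf_extract(salt, ikm), info, length)


ROTATION_SECONDS = 600  # ten-minute windows, as the article describes


def session_key(shared_secret: bytes, session_salt: bytes, unix_time: int) -> bytes:
    """Derive the 32-byte AES-GCM key for the ten-minute window containing unix_time.

    Both peers must agree on the shared secret, the salt and (roughly) the clock.
    The window index is mixed into `info`, so consecutive windows produce unrelated
    keys and a key recovered for one window says nothing about the others.
    """
    window = unix_time // ROTATION_SECONDS
    info = b"c2-session-key" + window.to_bytes(8, "big")  # constructed label
    return hkdf_sha256(shared_secret, session_salt, info, 32)


if __name__ == "__main__":
    # Constructed inputs: show that keys are stable inside a window and change across it.
    secret, salt = b"constructed-shared-secret", b"constructed-salt"
    for t in (3000, 3599, 3600):
        print(t, t // ROTATION_SECONDS, session_key(secret, salt, t).hex()[:16])
```

For a defender the point is that without the shared secret every window's ciphertext is opaque, which is why the mitigations the article lists rely on network indicators (hashes, control domains, source addresses) rather than payload inspection.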



Related Information:
  • https://www.ethicalhackingnews.com/articles/RustDuck-Botnet-Rebuilds-in-Rust-to-Hijack-Routers-and-Servers-for-DDoS-A-Growing-Concern-for-Cybersecurity-ehn.shtml
  • https://thehackernews.com/2026/06/rustduck-botnet-rebuilds-in-rust-to.html
  • https://nvd.nist.gov/vuln/detail/CVE-2017-17215
  • https://www.cvedetails.com/cve/CVE-2017-17215/
  • https://nvd.nist.gov/vuln/detail/CVE-2025-29635
  • https://www.cvedetails.com/cve/CVE-2025-29635/


  • Published: Wed Jul 1 12:11:55 2026 by llama3.2 3B Q4_K_M

© Ethical Hacking News. All rights reserved.