
Security researchers have identified a new two-stage malware family called RustDuck, which is infecting home routers, IP cameras, Android TV boxes and poorly secured servers to build a botnet capable of launching Distributed Denial-of-Service (DDoS) attacks. Researchers at QiAnXin’s XLab have been tracking the malware since February 2026, noting that its rapid evolution poses a growing cybersecurity concern.
RustDuck spreads by exploiting weak or default credentials on Telnet and SSH services, targeting exposed Android Debug Bridge (ADB) interfaces and taking advantage of known vulnerabilities in devices from TVT, Ruijie, TP-Link, ZTE, Huawei, D-Link, Totolink and Apache CouchDB. It also targets vulnerable web applications, including ThinkPHP, Jenkins and Hadoop YARN, expanding its reach from consumer devices to enterprise servers.
According to XLab, the malware is being rewritten from the C programming language into Rust, making it more difficult for security researchers to analyse. The malware is delivered through a lightweight loader that installs a more advanced core module, which includes stronger encryption, anti-analysis capabilities and secure communication with attacker-controlled servers.
RustDuck uses multiple techniques to avoid detection. Before executing, it checks for analysis tools, debuggers, honeypots and virtual machines. If it detects a research environment, it deletes its traces and exits without running. The malware also disguises its network traffic as normal encrypted web activity by using modern encryption technologies and rotating encryption keys every 10 minutes.
Once an infected device connects to its command server, attackers can launch or stop DDoS attacks, update the malware, retrieve system information or redirect infected systems to new control servers. Researchers noted that the malware relies on free dynamic DNS services such as duckdns.org to manage its command-and-control infrastructure.
Although RustDuck is currently smaller than some of the world’s largest botnets, researchers warn that its advanced techniques and active development make it a threat to watch. They recommend disabling unnecessary remote management services, replacing unsupported hardware, applying available security patches and monitoring systems for known indicators of compromise to reduce the risk of infection.
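The article notes that RustDuck resolves its command-and-control servers through free dynamic DNS services such as duckdns.org, and recommends monitoring for known indicators of compromise. One cheap, defensive check that follows from this is to watch resolver logs for internal hosts looking up names under such providers. The script below is an added example written for this article; it is not XLab's code or anything from the RustDuck sample. It assumes BIND-style query-log lines, uses constructed log entries and a constructed hostname, and the provider suffixes other than duckdns.org are an assumption to be tuned to your own environment.

```python
"""Flag DNS lookups for hostnames under free dynamic-DNS providers.

Added example, not code from the article or from XLab. Assumes BIND-style
query-log lines; the sample log and hostnames below are constructed.
"""
import re
from collections import defaultdict

# duckdns.org is named in the article. The remaining suffixes are an
# assumption (other widely used free dynamic-DNS providers); tune to taste.
DYNAMIC_DNS_SUFFIXES = ("duckdns.org", "no-ip.com", "ddns.net", "dynv6.net")

# Constructed BIND-style query-log lines (not real traffic). Host 192.168.1.77
# repeatedly resolves a constructed name under duckdns.org; the other lines are
# decoys that a naive substring match would wrongly flag.
SAMPLE_LOG = """\
12-Mar-2026 10:00:01.123 queries: info: client 192.168.1.20#51234: query: www.example.com IN A + (10.0.0.1)
12-Mar-2026 10:00:05.456 queries: info: client 192.168.1.77#40011: query: update-node7.duckdns.org IN A + (10.0.0.1)
12-Mar-2026 10:10:05.789 queries: info: client 192.168.1.77#40012: query: update-node7.duckdns.org IN A + (10.0.0.1)
12-Mar-2026 10:11:00.000 queries: info: client 192.168.1.30#53000: query: notduckdns.org IN A + (10.0.0.1)
12-Mar-2026 10:12:00.000 queries: info: client 192.168.1.30#53001: query: duckdns.org.cdn.example.net IN A + (10.0.0.1)
12-Mar-2026 10:20:06.001 queries: info: client 192.168.1.77#40013: query: update-node7.duckdns.org IN A + (10.0.0.1)
"""

# Extracts the client address, queried name and record type from a BIND query log line.
QUERY_RE = re.compile(
    r"client (?P<src>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def is_dynamic_dns(qname):
    """True when qname is a provider apex or a label beneath it.

    Matching is done on label boundaries so that 'notduckdns.org' and
    'duckdns.org.cdn.example.net' are not treated as hits.
    """
    name = qname.rstrip(".").lower()
    for suffix in DYNAMIC_DNS_SUFFIXES:
        if name == suffix or name.endswith("." + suffix):
            return True
    return False


def parse_queries(log_text):
    """Yield (source_ip, qname, qtype) for every query line that parses."""
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            yield m.group("src"), m.group("qname").rstrip(".").lower(), m.group("qtype")


def find_dynamic_dns_clients(log_text):
    """Return {source_ip: {qname: lookup_count}} for dynamic-DNS lookups only."""
    hits = defaultdict(lambda: defaultdict(int))
    for src, qname, _qtype in parse_queries(log_text):
        if is_dynamic_dns(qname):
            hits[src][qname] += 1
    return {src: dict(names) for src, names in hits.items()}


if __name__ == "__main__":
    for src, names in find_dynamic_dns_clients(SAMPLE_LOG).items():
        for qname, count in names.items():
            print(f"{src} resolved {qname} {count} time(s): review this host")
```

A hit is a lead, not proof of infection: legitimate users and devices also use dynamic DNS, so the output is meant to feed triage (which device is it, should it be talking to the internet at all, does it have Telnet, SSH or ADB exposed) rather than to block on its own.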

