Summary:
RustDuck is a two-stage DDoS botnet that hijacks home routers, IP cameras, Android boxes, and exposed servers by exploiting weak Telnet/SSH credentials, Android Debug Bridge (ADB) interfaces, and a range of old and recent CVEs affecting TVT, Ruijie, TP-Link, ZTE, D-Link, Totolink, Huawei, Apache CouchDB, ThinkPHP, Jenkins, and Hadoop YARN. Tracked by XLab (QiAnXin) since February 2026, RustDuck is actively being rewritten from C to Rust, introducing strong anti-analysis, anti-sandbox, and encrypted C2 communication capabilities. Its control infrastructure leverages dynamic DNS services including duckdns.org. The botnet is currently small, but its engineering sophistication, Rust rewrite, paranoid anti-research routines, and modern encryption signal active development with potential for rapid growth.
Technical Description:
RustDuck operates in two stages. The first stage is a lightweight loader that decrypts and unpacks a heavier core module. The core module, now being rewritten from C to Rust, carries out the botnet’s key functions: propagation, anti-analysis checks, command-and-control (C2) communication, and DDoS attack execution. Rust binaries are significantly harder to reverse-engineer than C-based malware, and RustDuck’s Rust core demonstrates advanced key derivation, evasion logic, and encrypted communications, indicating this is active development rather than a simple reskin of leaked code. XLab has tracked more than 20 IP addresses distributing the malware, with 176.65.139[.]204 being the most active delivery node.
Propagation uses three parallel vectors: First, credential brute-forcing: Telnet and SSH services left exposed with default or weak passwords are targeted via automated login attempts. Second, Android Debug Bridge (ADB) exploitation: devices with ADB exposed to the internet, common on misconfigured Android TV boxes and set-top devices, are compromised through the debugging interface without requiring credentials. Third, vulnerability exploitation across a broad set of CVEs affecting consumer and enterprise gear: CVE-2017-17215 (Huawei HG532 router RCE, originally exploited by Mirai), CVE-2025-29635 (D-Link DIR-823X command injection, added to CISA KEV in April 2026), CVE-2024-1781 (Totolink X6000R command injection), CVE-2018-8007 (Apache CouchDB RCE), and exploitation of known vulnerabilities in ThinkPHP, Jenkins, and Hadoop YARN. The last category extends RustDuck’s reach beyond consumer IoT devices to exposed server software in enterprise and cloud environments.
Exploitation Demonstration:
- RustDuck scans the internet for devices with Telnet (port 23) or SSH (port 22) exposed. It attempts login using a dictionary of default and common credentials (e.g., admin/admin, root/root, user/user). A successful login grants shell access to the device. The loader is then uploaded and executed, which decrypts and launches the Rust core module. No CVE or vulnerability is needed for this vector; it exploits configuration failure alone.
- Android TV boxes, set-top devices, and other Android-based appliances with Android Debug Bridge (ADB) exposed on port 5555 are targeted without any credentials. ADB is a developer debugging interface that provides full shell access when reachable. RustDuck connects to exposed ADB ports, issues shell commands to download and execute the loader, and compromises the device. Devices in this category are frequently consumer-grade hardware in homes and small offices.
- For patched or credential-hardened devices, RustDuck falls back to specific CVE exploitation. Against D-Link DIR-823X routers (CVE-2025-29635), a command injection payload is sent to the router’s web management interface without authentication, achieving remote code execution. Against Huawei HG532 routers (CVE-2017-17215), a UPnP SOAP request is sent to port 37215 containing a shell command. Against Totolink X6000R (CVE-2024-1781), a command injection flaw in the router’s API endpoint is exploited. Against Apache CouchDB (CVE-2018-8007), an authenticated admin-level HTTP request triggers a configuration endpoint that allows arbitrary OS command execution on the server.
- Before executing any malicious activity, the Rust core runs a multi-point environment check to determine whether it has landed in a researcher’s analysis environment. Checks include scanning for analysis tools (Wireshark, gdb, strace); detecting debuggers attached to its own process; identifying honeypot network signatures by attempting to reach reserved IP addresses that should never respond; comparing two independent clocks to detect time acceleration used by sandboxes; and fingerprinting virtual machine hardware. Each positive hit adds to a risk score, and if the threshold is crossed, RustDuck erases its traces and exits silently.
- Once a device passes the anti-analysis checks and checks in with the C2 infrastructure, RustDuck uses ChaCha20-Poly1305 encryption for the handshake phase and AES-GCM for command traffic. Keys are derived using HKDF-SHA256 with a Curve25519 key exchange and are rotated every ten minutes. The C2 traffic is disguised to resemble ordinary encrypted web traffic (TLS-like), making it difficult to identify through network inspection alone. Control infrastructure relies on dynamic DNS services (duckdns.org) to maintain resilient, easily rotated command addresses. Operators can issue: launch a DDoS attack, stop an attack, report device status, switch to new C2 servers, or silently upgrade the malware.
Ease of Exploitation:
The credential brute-force and ADB exploitation vectors require no vulnerability knowledge and no CVE; they succeed purely because devices are misconfigured and internet-exposed. The CVE-based exploitation vectors target flaws ranging from 2017 to 2025, with several affecting devices that are end-of-life and will never receive patches (D-Link DIR-823X, some Totolink models). The Rust rewrite significantly raises the barrier for malware analysts and defenders to reverse-engineer and detect RustDuck, and the anti-sandbox routines mean automated analysis environments may fail to observe its full behavior. Together, these factors make RustDuck accessible for operators to deploy at scale while remaining resistant to automated detection and takedown efforts.
Conclusion:
RustDuck is currently a small botnet, but it is being built with the engineering discipline of a serious threat. Its Rust rewrite, multi-layered anti-analysis routines, modern encrypted C2 protocol, and broad exploitation surface spanning consumer IoT, end-of-life routers, and exposed server software place it on a trajectory toward significant scale—the overlap of its delivery infrastructure with a separate ADB-targeting DDoS botnet reported in spring 2026 warrants monitoring. UAE and MENA organizations with internet-facing network devices, particularly those running end-of-life firmware, exposed ADB, or default management credentials, are directly in scope. Network operators and IT teams should treat unmanaged internet-facing devices as the primary attack surface for this threat.
Impact:
Compromised devices are enrolled into a botnet capable of executing volumetric DDoS attacks on demand. Organizational infrastructure that includes internet-facing routers, cameras, Android-based appliances, or exposed server software running affected products (CouchDB, Jenkins, Hadoop YARN, ThinkPHP) is at risk of compromise and enrollment. A compromised device may be used to attack third-party targets (posing legal and reputational risks to the asset owner), consume bandwidth, or serve as a pivot point for further internal reconnaissance if it has LAN access. For UAE and MENA organizations, the presence of end-of-life networking equipment (D-Link DIR-823X, older Huawei and Totolink models) in branch offices or retail locations is a specific risk factor.
IOC and Context Details:
| Topics | Details |
| --- | --- |
| Tactic Name | Initial Access, Credential Access, Collection, Exfiltration, Impact |
| Technique Name | Data Exfiltration and Extortion via Initial Access Broker (IAB)-Sourced Access and Valid Credentials (Coinbase Cartel / DataVault Rebrand) |
| Sub Technique Name | Obtain network access via Initial Access Brokers (IABs) or stolen credentials → Authenticate to VPN, RDP, or Microsoft 365 → Move laterally using native operating system tools → Identify and stage sensitive data → Exfiltrate data using Rclone, Mega, or cloud storage → Deliver ransom demand with proof of exfiltration → Publish stolen data on the Coinbase Cartel leak site if payment is not received. |
| Attack Type | Malware |
| Targeted Applications | Microsoft Windows, Linux, Apple macOS; internet-facing RDP, VPN, Microsoft 365, and cloud portals serving as primary entry points across all sectors. |
| Region Impacted | Global |
| Industry Impacted | Finance, Healthcare, Legal, Technology, Retail, Government; global organizations including UAE and MENA enterprises. |
| IOCs |
| CVE | N/A |
Recommended Actions:
- Immediately disable Telnet on all internet-facing network devices. Replace Telnet with SSH where remote management is required. Change all default credentials on routers, cameras, and IoT devices to strong, unique passwords. Audit your external attack surface for devices still using default manufacturer credentials.
- Disable Android Debug Bridge (ADB) on all production Android-based devices. ADB should never be exposed on port 5555 to the internet. For Android TV boxes and set-top devices in use, verify ADB is disabled via device settings or network-level firewall rules blocking port 5555 inbound.
- Retire end-of-life devices immediately. D-Link DIR-823X routers have no patch available; CISA advises removing them from service. Totolink X6000R routers have an unacknowledged vulnerability. Any device running firmware that is no longer supported must be replaced, not patched. Maintain a hardware asset inventory with firmware end-of-life dates.
- Apply available patches immediately for supported devices. Upgrade Apache CouchDB to the latest fixed release. Patch ThinkPHP, Jenkins, and Hadoop YARN deployments. Apply firmware updates for Huawei HG532, TP-Link, ZTE, and Ruijie devices. Subscribe to vendor security advisories and monitor CISA KEV additions for devices in your inventory.
- Block inbound connections on Telnet (port 23), ADB (port 5555), and unused router management ports (e.g., 37215 for Huawei UPnP) at the network perimeter firewall or ISP level. Restrict access to device management interfaces to internal management VLANs only; never expose router or camera admin interfaces directly to the internet.
- Block known RustDuck IOCs at your network perimeter. Feed the file hashes, C2 domains (duckdns.org subdomains used by RustDuck), and source IP ranges from the XLab report (https://blog.xlab.qianxin.com/rustduck-en/) into your SIEM, firewall, and DNS filtering tools. Specifically block or alert on connections to 176.65.139[.]204 and associated delivery addresses.
- Implement network-level monitoring for DDoS botnet behavior: unusual outbound traffic spikes, connections to dynamic DNS domains, and anomalous bandwidth usage from network appliances. Integrate IoT and router syslog data into your SIEM where supported. Consider deploying a network traffic analysis (NTA) tool to detect encrypted C2 beaconing patterns.
- If a device is confirmed compromised by RustDuck, factory-reset the device and update firmware before returning it to service. If the device is end-of-life with no available firmware update, decommission it. Check all other devices on the same LAN segment for lateral spread, and rotate any credentials that may have been accessible from the compromised device’s network segment.
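The monitoring and blocking actions above can be turned into a small triage rule set. The following is an added example, not code from the XLab report or the advisory: it runs over constructed firewall and DNS log lines in an assumed `timestamp key=value ...` shape and flags the exposures and behaviours the advisory names (inbound hits on Telnet/ADB/UPnP port 37215 from outside, contact with the 176.65.139[.]204 delivery node, duckdns.org lookups, and an outbound volume spike). The RFC1918 ranges, the byte threshold and the log format are assumptions; the ports and the delivery address come from the advisory.

```python
import ipaddress
import re
from collections import defaultdict

# Ports RustDuck abuses for initial access (from the advisory): Telnet, ADB, Huawei HG532 UPnP.
EXPOSED_MGMT_PORTS = {23: "telnet", 5555: "adb", 37215: "huawei-upnp"}
# Most active delivery node named by XLab; written undefanged so it can be matched directly.
DELIVERY_NODES = {"176.65.139.204"}
DDNS_SUFFIX = ".duckdns.org"
EGRESS_BYTES_THRESHOLD = 50_000_000  # assumed tuning value: bytes per internal host in the window
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
KV_RE = re.compile(r"(\w+)=(\S+)")  # assumed log shape: timestamp followed by key=value pairs

def parse(line):
    return dict(KV_RE.findall(line))

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)

def analyze(lines):
    findings, egress = [], defaultdict(int)
    for line in lines:
        ev = parse(line)
        if ev.get("type") == "dns":  # DNS log: flag dynamic-DNS lookups used for C2 rotation
            if ev["query"].lower().endswith(DDNS_SUFFIX):
                findings.append(("dynamic-dns-lookup", ev["src"], ev["query"]))
            continue
        src, dst, dport = ev["src"], ev["dst"], int(ev["dport"])
        # An inbound hit from outside on Telnet/ADB/UPnP means the device is internet-exposed.
        if is_internal(dst) and not is_internal(src) and dport in EXPOSED_MGMT_PORTS:
            findings.append(("exposed-" + EXPOSED_MGMT_PORTS[dport], src, f"{dst}:{dport}"))
        if dst in DELIVERY_NODES:  # internal host fetching from the known loader delivery node
            findings.append(("rustduck-delivery-node", src, dst))
        if is_internal(src) and not is_internal(dst):  # accumulate outbound volume per host
            egress[src] += int(ev.get("bytes", 0))
    for src, total in egress.items():  # DDoS participation shows up as an egress spike
        if total > EGRESS_BYTES_THRESHOLD:
            findings.append(("egress-spike", src, str(total)))
    return findings

# Constructed sample events (not real traffic); TEST-NET addresses stand in for external hosts.
SAMPLE = [
    "2026-06-03T10:15:02Z type=fw src=203.0.113.9 dst=192.168.1.1 dport=23 bytes=1200",
    "2026-06-03T10:15:05Z type=fw src=203.0.113.9 dst=192.168.1.50 dport=5555 bytes=900",
    "2026-06-03T10:15:40Z type=fw src=192.168.1.50 dst=176.65.139.204 dport=80 bytes=210000",
    "2026-06-03T10:16:01Z type=dns src=192.168.1.50 query=cam-update.duckdns.org",
    "2026-06-03T10:20:00Z type=fw src=192.168.1.50 dst=198.51.100.7 dport=443 bytes=80000000",
    "2026-06-03T10:21:00Z type=fw src=192.168.1.20 dst=198.51.100.8 dport=443 bytes=4000",
]
```

Run `analyze(SAMPLE)` to see one finding per rule; in production the same rules belong in the SIEM with the byte threshold tuned to the appliance's normal baseline.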
Reference:
https://thehackernews.com/2026/06/rustduck-botnet-rebuilds-in-rust-to.html