Full Report
A new two-stage malware family called RustDuck is hijacking home routers, IP cameras, Android boxes, and poorly secured servers, then stitching them into a network built to knock websites and online services offline. Researchers at QiAnXin's XLab have tracked it since February 2026, and say the real story is not how big it is today, but how fast it is changing. The end goal is a
Analysis Summary
# Tool/Technique: RustDuck
## Overview
RustDuck is a sophisticated, two-stage malware family primarily designed to recruit IoT devices and servers into a botnet for Distributed Denial-of-Service (DDoS) attacks. First tracked in February 2026, the malware is notable for its transition from C to the Rust programming language and its inclusion of advanced anti-analysis and anti-sandbox features.
## Technical Details
- **Type:** Malware family (Botnet / DDoS)
- **Platform:** Linux (IoT: Home routers, IP cameras, Android boxes) and Server environments (Apache CouchDB, ThinkPHP, Jenkins, Hadoop YARN).
- **Capabilities:** Anti-debugging, anti-sandbox, encrypted C2 communications, and DDoS execution.
- **First Seen:** February 2026
## MITRE ATT&CK Mapping
- **[TA0001 - Initial Access]**
  - [T1190 - Exploit Public-Facing Application]
  - [T1110.001 - Brute Force: Password Guessing] (Telnet/SSH)
- **[TA0005 - Defense Evasion]**
  - [T1497 - Virtualization/Sandbox Evasion]
  - [T1622 - Debugger Evasion]
  - [T1140 - Deobfuscate/Decode Files or Information]
  - [T1027 - Obfuscated Files or Information]
- **[TA0011 - Command and Control]**
  - [T1573.002 - Encrypted Channel: Asymmetric Cryptography]
  - [T1001.003 - Data Steganography: Protocol Impersonation] (HTTPS/TLS blending)
  - [T1568.002 - Dynamic DNS]
- **[TA0040 - Impact]**
  - [T1498 - Network Denial of Service]
## Functionality
### Core Capabilities
- **Multi-Vector Exploitation:** Targets weak Telnet/SSH credentials and various N-day vulnerabilities (CVE-2017-17215, CVE-2025-29635, CVE-2024-1781, CVE-2018-8007).
- **Two-Stage Deployment:** Utilizes a lightweight loader to decrypt and execute a complex core module.
- **DDoS Execution:** Capable of flooding targets with junk traffic upon command.
- **C2 Communication:** Supports commands for starting/stopping attacks, reporting status, switching C2 servers, and self-updating.
### Advanced Features
- **Sophisticated Anti-Analysis:** Employs a scoring system to detect analysis environments, checking for Wireshark, gdb, honeypot fingerprints, and VM hardware.
- **Time-Drift Detection:** Compares two internal clocks to identify sandboxes that accelerate time to trigger malware behavior.
- **Canary Network Checks:** Attempts to connect to reserved, non-routable IP addresses to detect simulated network environments.
- **High-Grade Encryption:** Uses a combination of Curve25519, HKDF-SHA256, ChaCha20-Poly1305, and AES-GCM for communications, with 10-minute key rotation.
## Indicators of Compromise
- **File Hashes:** [Specific hashes not provided in the source text]
- **File Names:** [Specific binary names not provided in the source text]
- **Network Indicators:**
  - `176.65.139[.]204` (Distribution IP)
  - C2 domains often utilize the `duckdns[.]org` dynamic DNS service.
- **Behavioral Indicators:**
  - Rapid self-deletion/termination upon detection of analysis tools.
  - Periodic encrypted traffic spikes every 10 minutes (key rotation).
  - Outbound traffic to reserved/testing IP ranges.
## Associated Threat Actors
- Unknown (Ongoing research by QiAnXin XLab).
## Detection Methods
- **Signature-based detection:** Scanning for the Rust-based core module and specific decryption routines used by the two-stage loader.
- **Behavioral detection:** Monitoring for processes that perform "environment checks" (scanning for debuggers/VM artifacts) immediately followed by self-termination or encrypted C2 calls.
- **Network Detection:** Identifying traffic patterns consistent with ChaCha20-Poly1305 handshakes and dynamic DNS resolutions to `duckdns[.]org`.
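As an added example (not code from the report or from XLab), the following Python checks constructed connection and DNS log lines for two of the behavioral indicators listed above: connection attempts to non-routable address space (the canary check) and lookups of `duckdns.org` names, plus contact with the distribution IP the report names. The log format, the sample lines and the exact list of non-routable ranges are assumptions.

```python
import ipaddress
# Assumed log format (constructed for this example, not from the report):
#   CONN <ts> <src_ip> <dst_ip> <dst_port>   |   DNS <ts> <src_ip> <query_name>
# Ranges no legitimate service lives in; a connection attempt to one matches the
# "canary" check in the report. RFC 1918 space is left out: home networks use it.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "100.64.0.0/10", "192.0.0.0/24", "192.0.2.0/24",
    "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4",
)]
SUSPECT_DDNS = ("duckdns.org",)        # dynamic DNS provider named in the report
DISTRIBUTION_IPS = {"176.65.139.204"}  # distribution IP named in the report

def is_non_routable(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in NON_ROUTABLE)

def is_suspect_ddns(name: str) -> bool:
    name = name.rstrip(".").lower()
    return any(name == d or name.endswith("." + d) for d in SUSPECT_DDNS)

def scan(lines):
    # Returns (ts, src, alert_type, detail) tuples for suspicious records.
    alerts = []
    for line in lines:
        parts = line.split()
        if len(parts) == 5 and parts[0] == "CONN":
            ts, src, dst, port = parts[1:]
            if dst in DISTRIBUTION_IPS:
                alerts.append((ts, src, "known-distribution-ip", dst))
            elif is_non_routable(dst):
                alerts.append((ts, src, "canary-probe", f"{dst}:{port}"))
        elif len(parts) == 4 and parts[0] == "DNS":
            ts, src, qname = parts[1:]
            if is_suspect_ddns(qname):
                alerts.append((ts, src, "dynamic-dns-lookup", qname))
    return alerts

# Constructed sample: host .7 probes TEST-NET, resolves a duckdns.org name, then
# contacts the distribution IP; host .12 probes the reserved 240.0.0.0/4 block.
SAMPLE_LOG = """\
CONN 1000 10.0.0.7 93.184.216.34 443
CONN 1001 10.0.0.7 198.51.100.9 80
DNS 1002 10.0.0.7 example-bot.duckdns.org
CONN 1003 10.0.0.7 176.65.139.204 80
DNS 1004 10.0.0.12 www.example.com
CONN 1005 10.0.0.12 240.0.0.1 53
"""

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG.splitlines()):
        print(alert)
```

A single canary probe is weak evidence on its own; the report's pattern is the probe followed by encrypted C2 traffic, so correlate these alerts per source host rather than acting on one line.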
## Mitigation Strategies
- **Prevention:** Disable Telnet and SSH on public-facing interfaces or enforce strong, non-default passwords and MFA.
- **Patch Management:** Prioritize updates for D-Link, Huawei, TP-Link, Totolink, Ruijie, and ZTE devices, as well as Apache CouchDB and ThinkPHP frameworks.
- **Hardening:** Disable Android Debug Bridge (ADB) on devices where it is not required. Block outbound traffic to unused dynamic DNS services at the network perimeter.
## Related Tools/Techniques
- **Mirai:** Shares similar target pools and some exploits (e.g., CVE-2017-17215).
- **GoBrute/Other Rust Malware:** Represents the trend of rewriting botnet code in memory-safe, performant languages such as Rust or Go to complicate reverse engineering.