TA2026183
Threat Advisory • Attack Report
Active since February 2026, RustDuck is a two-stage (Loader plus Core) DDoS botnet being migrated from C to Rust that hijacks routers, IP cameras, Android devices, and Linux servers worldwide through weak Telnet/SSH credentials and known flaws including CVE-2017-17215, CVE-2025-29635, CVE-2018-8007, and CVE-2024-1781, then routes encrypted command-and-control traffic disguised as ordinary TLS.
Section 01
First seen in February 2026, RustDuck is a two-stage (Loader plus Core) botnet whose core function is large-scale distributed denial-of-service (DDoS) attacks against worldwide targets. RustDuck spreads opportunistically via weak Telnet and SSH passwords, exposed Android Debug Bridge interfaces, and a mix of historical vulnerabilities affecting routers, DVRs, IP cameras, and Linux servers, including devices from Huawei, D-Link, Totolink, TP-Link, ZTE, Ruijie, and TVT, as well as server software such as Apache CouchDB, ThinkPHP, Jenkins, and Hadoop YARN.
The RustDuck core module is being actively migrated from C to Rust and incorporates layered anti-analysis checks, HKDF-SHA256 key derivation, and encrypted command-and-control channels that masquerade as ordinary TLS traffic, making RustDuck-driven DDoS activity difficult to distinguish from legitimate encrypted network sessions.
Section 02
| CVE ID | Vulnerability | Affected Product | Patch Status |
|---|---|---|---|
| CVE-2025-29635 | D-Link DIR-823X Command Injection Vulnerability | D-Link DIR-823X | End-of-Life, no patch |
| CVE-2017-17215 | Huawei HG532 Remote Code Execution Vulnerability | Huawei HG532 | End-of-Life, no patch |
| CVE-2018-8007 | Apache CouchDB Privilege Escalation Vulnerability | Apache CouchDB | Fixed in 1.7.2 / 2.1.2 |
| CVE-2024-1781 | Totolink Command Injection Vulnerability | Totolink X6000R | See vendor advisory |
RustDuck is a new two-stage malware family that hijacks home routers, IP cameras, Android boxes, and weakly secured servers, then links them into a network used to knock websites and online services offline. RustDuck does not rely on one trick: it guesses weak passwords on exposed Telnet and SSH services and exploits known remote code execution and command-injection flaws in both consumer and enterprise devices.
Those flaws include CVE-2017-17215 in Huawei HG532 routers, CVE-2025-29635 in D-Link DIR-823X routers, CVE-2024-1781 in Totolink X6000R routers, and CVE-2018-8007 in Apache CouchDB. RustDuck also abuses exposed Android Debug Bridge interfaces and other device flaws in TVT, Ruijie, TP-Link, and ZTE hardware. On the server side, RustDuck goes after ThinkPHP, Jenkins, and Hadoop YARN, extending its reach from cheap home devices to exposed enterprise servers. Once RustDuck lands on a host, it installs in two stages: a small loader holds the startup code, while the compressed core payload and a configuration block are appended to the end of the file. At runtime, the loader decrypts and unpacks the RustDuck core.
Before it runs, the RustDuck core checks whether it is being watched, working through a series of environment checks and adding to a risk score as it goes; if that score passes a set limit, RustDuck wipes its traces and quits. For command and control, RustDuck follows the IK pattern of the Noise protocol, pairing a hardcoded server public key with a fresh runtime key in a Curve25519 exchange, then deriving session keys with HKDF-SHA256 and rotating them every ten minutes.
A single message ID runs through every phase of the RustDuck handshake to keep messages in order and to drive key rotation. The handshake uses ChaCha20 encryption and a four-step sequence (login, verify, confirm, ack) that reports the host's architecture, CPU core count, and memory, and assigns a unique bot ID. After the handshake, traffic switches to an AES-GCM command loop that prefixes each message with a three-byte SSL-like marker so the stream resembles normal TLS traffic, and uses separate keys for sending and receiving to resist man-in-the-middle interception. RustDuck's C2 servers rely on free dynamic-DNS services such as duckdns.org, giving operators the ability to start or stop DDoS attacks, request status, pull new samples for a hot update, and switch to new C2 domains or IPs on the fly.
Section 03
Take Telnet, SSH, and device web-configuration interfaces off the public internet and restrict them to trusted management networks or VPN access, since exposed remote-login services are RustDuck's primary entry point.
Enforce unique, strong passwords on all network-reachable devices and services and disable default accounts, because weak-password brute forcing against Telnet and SSH is a core RustDuck propagation method.
Update affected CouchDB instances to release 1.7.2 or 2.1.2 or later to remediate CVE-2018-8007, which allows an authenticated admin to escalate to remote code execution.
Remove DIR-823X routers from service rather than waiting for a fix; per D-Link advisory SAP10469, the model is End-of-Life and End-of-Service across all hardware revisions, and no patch will be issued for CVE-2025-29635.
Watch for anomalous outbound sessions that carry the SSL-like magic header but do not complete a standard TLS handshake, and for periodic beaconing to dynamic-DNS domains, to surface RustDuck C2 activity.
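As an added illustration of the two detection heuristics described above (this is example code written for this advisory's readers, not code from the advisory itself or from RustDuck), the Python below checks a session's opening bytes for a TLS-looking record header that is not followed by a real ClientHello, and flags hosts that contact dynamic-DNS domains at near-constant intervals. The dynamic-DNS suffix list, the thresholds, and all sample sessions and connection records are constructed assumptions.

```python
"""Added example, not code from the advisory: two detection heuristics for the
RustDuck C2 pattern above, run over constructed data (suffixes/thresholds assumed)."""
import statistics

TLS_CONTENT_TYPES = {0x14, 0x15, 0x16, 0x17}  # CCS, Alert, Handshake, AppData
TLS_HANDSHAKE, TLS_CLIENT_HELLO = 0x16, 0x01
DYNDNS_SUFFIXES = (".duckdns.org", ".mooo.com", ".ignorelist.com")  # assumed list

def suspicious_tls(first_bytes: bytes) -> bool:
    """True when a session opens with a TLS-looking record header but the first
    record is not a Handshake record carrying a ClientHello (real TLS clients
    start 0x16 0x03 0x0X <len> 0x01; a bare AppData marker never handshakes)."""
    if len(first_bytes) < 6:
        return False
    ctype, major, minor = first_bytes[0], first_bytes[1], first_bytes[2]
    if ctype not in TLS_CONTENT_TYPES or major != 0x03 or minor > 0x04:
        return False  # does not even claim to be TLS; out of scope here
    return not (ctype == TLS_HANDSHAKE and first_bytes[5] == TLS_CLIENT_HELLO)

def beaconing_hosts(conn_log, min_conns=4, max_cv=0.1):
    """conn_log: iterable of (timestamp_s, src_host, dst_domain). Returns sorted
    (src, domain) pairs hitting a dynamic-DNS domain >= min_conns times with
    near-constant gaps (coefficient of variation of the gaps <= max_cv)."""
    by_pair = {}
    for ts, src, dst in conn_log:
        if dst.lower().endswith(DYNDNS_SUFFIXES):
            by_pair.setdefault((src, dst), []).append(ts)
    hits = []
    for pair, times in by_pair.items():
        if len(times) < min_conns:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_cv:
            hits.append(pair)
    return sorted(hits)

# Constructed samples (not captured traffic).
SAMPLE_SESSIONS = {
    "real_tls": bytes([0x16, 0x03, 0x01, 0x00, 0xC8, 0x01]),       # ClientHello
    "appdata_first": bytes([0x17, 0x03, 0x03, 0x00, 0x40, 0x9A]),  # no handshake
    "plain_ssh": b"SSH-2.0-OpenSSH_9.6\r\n",
}
SAMPLE_CONNS = (
    [(t, "10.0.0.5", "abc123.duckdns.org") for t in range(0, 3600, 600)]  # 10-min beacon
    + [(0, "10.0.0.7", "cdn.example.com"), (700, "10.0.0.7", "cdn.example.com")]
    + [(t, "10.0.0.9", "xyz.duckdns.org") for t in (5, 130, 900, 910)]   # irregular
)
```

Run against real flow records, the first check wants the first bytes of each client-to-server payload and the second wants per-connection timestamps from a proxy or NetFlow/Zeek log; tune `max_cv` and `min_conns` to your environment's baseline.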
Section 04
| Type | Value |
|---|---|
| IPv4 | 176[.]65[.]139[.]204 |