RustDuck DDoS Botnet Targeting IoT and Server Infrastructure


Threat Advisory • Attack Report

Active since February 2026, RustDuck is a two-stage (Loader plus Core) DDoS botnet being migrated from C to Rust that hijacks routers, IP cameras, Android devices, and Linux servers worldwide through weak Telnet/SSH credentials and known flaws including CVE-2017-17215, CVE-2025-29635, CVE-2018-8007, and CVE-2024-1781, then routes encrypted command-and-control traffic disguised as ordinary TLS.

TLP: RED
TA Number: TA2026183
Published: July 01, 2026
Admiralty: A1
First Seen: February 2026
Malware: RustDuck
Platform: IoT, Android, Linux Servers
Region: Worldwide
Attack Type: Distributed Denial of Service
CVEs Exploited: CVE-2017-17215, CVE-2025-29635, CVE-2018-8007, CVE-2024-1781

Summary

First seen in February 2026, RustDuck is a two-stage (Loader plus Core) botnet whose core function is large-scale distributed denial-of-service (DDoS) attacks against worldwide targets. RustDuck spreads opportunistically via weak Telnet and SSH passwords, exposed Android Debug Bridge interfaces, and a mix of historical vulnerabilities affecting routers, DVRs, IP cameras, and Linux servers, including devices from Huawei, D-Link, Totolink, TP-Link, ZTE, Ruijie, and TVT, as well as server software such as Apache CouchDB, ThinkPHP, Jenkins, and Hadoop YARN.

The RustDuck core module is being actively migrated from C to Rust and incorporates layered anti-analysis checks, HKDF-SHA256 key derivation, and encrypted command-and-control channels that masquerade as ordinary TLS traffic, making RustDuck-driven DDoS activity difficult to distinguish from legitimate encrypted network sessions.


Attack Details

Exploited CVEs
CVE ID | Vulnerability | Affected Product | Patch Status
CVE-2025-29635 | D-Link DIR-823X Command Injection Vulnerability | D-Link DIR-823X | End-of-Life — no patch
CVE-2017-17215 | Huawei HG532 Remote Code Execution Vulnerability | Huawei HG532 | End-of-Life — no patch
CVE-2018-8007 | Apache CouchDB Privilege Escalation Vulnerability | Apache CouchDB | Fixed in 1.7.2 / 2.1.2
CVE-2024-1781 | Totolink Command Injection Vulnerability | Totolink X6000R | See vendor advisory

#1 — Propagation and Initial Access

RustDuck is a new two-stage malware family that hijacks home routers, IP cameras, Android boxes, and weakly secured servers, then links them into a network used to knock websites and online services offline. RustDuck does not rely on one trick: it guesses weak passwords on exposed Telnet and SSH services and exploits known remote code execution and command-injection flaws in both consumer and enterprise devices.

#2 — Targeted Vulnerabilities and Loader Structure

Those flaws include CVE-2017-17215 in Huawei HG532 routers, CVE-2025-29635 in D-Link DIR-823X routers, CVE-2024-1781 in Totolink X6000R routers, and CVE-2018-8007 in Apache CouchDB. RustDuck also abuses exposed Android Debug Bridge interfaces and other device flaws in TVT, Ruijie, TP-Link, and ZTE hardware. On the server side, RustDuck goes after ThinkPHP, Jenkins, and Hadoop YARN, extending its reach from cheap home devices to exposed enterprise servers. Once RustDuck lands on a host, it installs in two stages: a small loader holds the startup code, while the compressed core payload and a configuration block are appended to the end of the file. At runtime, the loader decrypts and unpacks the RustDuck core.

#3 — Anti-Analysis and Encrypted Handshake

Before it runs, the RustDuck core checks whether it is being watched, working through a series of environment checks and adding to a risk score as it goes; if that score passes a set limit, RustDuck wipes its traces and quits. For command and control, RustDuck follows the IK pattern of the Noise protocol, pairing a hardcoded server public key with a fresh runtime key in a Curve25519 exchange, then deriving session keys with HKDF-SHA256 and rotating them every ten minutes.

#4 — Command-and-Control Communications

A single message ID runs through every phase of the RustDuck handshake to keep messages in order and help roll new keys. The handshake uses ChaCha20 encryption and a four-step sequence (login, verify, confirm, ack) that reports the host's architecture, CPU core count, and memory, and sets a unique bot ID. After the handshake, traffic switches to an AES-GCM command loop, adding a three-byte SSL-like marker to look like normal TLS traffic and using separate keys for sending and receiving to block man-in-the-middle interception. RustDuck's C2 servers rely on free dynamic-DNS services such as duckdns.org, giving operators the ability to start or stop DDoS attacks, request status, pull new samples for a hot update, and switch to new C2 domains or IPs on the fly.


Recommendations

01
Remove Remote Management from Public Exposure

Take Telnet, SSH, and device web-configuration interfaces off the public internet and restrict them to trusted management networks or VPN access, since exposed remote-login services are RustDuck's primary entry point.

02
Eliminate Default and Weak Credentials

Enforce unique, strong passwords on all network-reachable devices and services and disable default accounts, because weak-password brute forcing against Telnet and SSH is a core RustDuck propagation method.

03
Upgrade Apache CouchDB

Update affected CouchDB instances to release 1.7.2 or 2.1.2 or later to remediate CVE-2018-8007, which allows an authenticated admin to escalate to remote code execution.

04
Retire End-of-Life D-Link DIR-823X Devices

Remove DIR-823X routers from service rather than waiting for a fix; per D-Link advisory SAP10469, the model is End-of-Life and End-of-Service across all hardware revisions, and no patch will be issued for CVE-2025-29635.

05
Monitor for TLS-Masquerading Outbound Traffic

Watch for anomalous outbound sessions that carry the SSL-like magic header but do not complete a standard TLS handshake, and for periodic beaconing to dynamic-DNS domains, to surface RustDuck C2 activity.
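The two detection ideas in this recommendation, and the TLS-masquerading C2 loop described in #4, as an added example that is not part of the advisory: it flags outbound sessions to 443 whose first client bytes have the shape of a TLS record but never carry a ClientHello, and low-jitter periodic DNS queries to dynamic-DNS suffixes. The exact three-byte marker RustDuck uses is not given in the advisory, so the check relies only on the generic TLS record layout; all hosts, addresses, query names and timings below are constructed sample data.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Dynamic-DNS suffixes of the kind named in the advisory (duckdns.org and similar free services).
DYNDNS_SUFFIXES = ("duckdns.org", "mooo.com", "ignorelist.com", "twilightparadox.com")

def looks_like_tls_record(b: bytes) -> bool:
    """Header shape only: a TLS content type (0x14..0x17) followed by the 0x03 major version byte."""
    return len(b) >= 5 and 0x14 <= b[0] <= 0x17 and b[1] == 0x03

def is_client_hello(b: bytes) -> bool:
    """A genuine TLS session opens with a Handshake record (0x16) whose first body byte is ClientHello (0x01)."""
    return looks_like_tls_record(b) and b[0] == 0x16 and len(b) >= 6 and b[5] == 0x01

def flag_tls_masquerade(sessions):
    """sessions: (src, dst, dport, first_client_bytes). Flags TLS-shaped openings that skip the handshake."""
    return [(src, dst) for src, dst, dport, first in sessions
            if dport == 443 and looks_like_tls_record(first) and not is_client_hello(first)]

def flag_beacons(dns_events, min_queries=5, max_cv=0.05):
    """dns_events: (epoch_seconds, src, qname). Flags near-constant query intervals to dynamic-DNS names."""
    by_pair = defaultdict(list)
    for ts, src, qname in dns_events:
        if qname.lower().endswith(DYNDNS_SUFFIXES):
            by_pair[(src, qname.lower())].append(ts)
    hits = []
    for pair, times in by_pair.items():
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        # Coefficient of variation of the inter-query gaps: a bot timer is far steadier than a human.
        if len(times) >= min_queries and mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= max_cv:
            hits.append(pair)
    return hits

# Constructed sample data (not captured traffic); 10.0.0.7 plays the infected host.
SAMPLE_SESSIONS = [
    ("10.0.0.5", "198.51.100.20", 443, bytes.fromhex("160301007e0100007a0303")),  # real ClientHello
    ("10.0.0.7", "203.0.113.10", 443, bytes.fromhex("17030300400a1b2c3d")),      # app-data record, no handshake
    ("10.0.0.9", "198.51.100.30", 443, b"GET / HTTP/1.1\r\n"),                   # plain HTTP, not TLS-shaped
]
SAMPLE_DNS = [(1_700_000_000 + i * 600 + (i % 2), "10.0.0.7", "bot-example.duckdns.org") for i in range(6)] + \
             [(1_700_000_000 + t, "10.0.0.5", "www.example.com") for t in (0, 40, 900, 905, 4000)]

if __name__ == "__main__":
    print("TLS masquerade:", flag_tls_masquerade(SAMPLE_SESSIONS))
    print("Beacons:", flag_beacons(SAMPLE_DNS))
```

On real data, feed the first client payload of each 443 flow and the resolver log into the two functions; the thresholds are starting points to tune against the monitored network's baseline.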


Indicators of Compromise (IoCs)


Potential MITRE ATT&CK TTPs

Technique | Tactic | Name
T1190 | Initial Access | Exploit Public-Facing Application
T1078.001 | Initial Access | Valid Accounts: Default Accounts
T1059 | Execution | Command and Scripting Interpreter
T1140 | Defense Evasion | Deobfuscate/Decode Files or Information
T1027.002 | Defense Evasion | Obfuscated Files or Information: Software Packing
T1622 | Defense Evasion | Debugger Evasion
T1497.001 | Defense Evasion | Virtualization/Sandbox Evasion: System Checks
T1497.003 | Defense Evasion | Virtualization/Sandbox Evasion: Time Based Evasion
T1480 | Defense Evasion | Execution Guardrails
T1036 | Defense Evasion | Masquerading
T1082 | Discovery | System Information Discovery
T1110.001 | Credential Access | Brute Force: Password Guessing
T1071 | Command and Control | Application Layer Protocol
T1573.001 | Command and Control | Encrypted Channel: Symmetric Cryptography
T1573.002 | Command and Control | Encrypted Channel: Asymmetric Cryptography
T1568 | Command and Control | Dynamic Resolution
T1008 | Command and Control | Fallback Channels
T1105 | Command and Control | Ingress Tool Transfer
T1498 | Impact | Network Denial of Service
