RustDuck botnet rewrites itself in Rust as it grows DDoS firepower

A new, fast-mutating botnet that researchers call RustDuck has been spreading across home routers, IP cameras, Android devices, and enterprise servers since February 2026, conscripting them into a network built mainly to launch distributed denial-of-service (DDoS) attacks. Analysts at QiAnXin's XLAB, who named the family in a detailed report, say what stands out is not its size, which is still modest, but the speed at which it is rebuilding itself in the Rust programming language to frustrate analysis.

How it spreads

RustDuck casts a wide net, pairing weak-password brute forcing over Telnet and SSH with remote code execution exploits against a long list of devices and web software. XLAB observed it hitting Android ADB interfaces and gear from TVT, Ruijie, TP-Link, and ZTE, as well as web components such as ThinkPHP, Jenkins, and Hadoop YARN. It also folds in several older vulnerabilities, including CVE-2025-29635, CVE-2017-17215, CVE-2018-8007, and CVE-2024-1781, to widen its reach. More than 20 IP addresses have been seen pushing the malware, with the most active loader source at 176[.]65[.]139[.]204.

A moving target

The malware uses a two-stage Loader-plus-Core design. The Loader is a small ELF file that carries the real payload as compressed, encrypted data tacked onto the end of the file. XLAB clustered four generations of the Loader whose encryption keeps getting tougher, starting with a simple linear congruential generator and XOR paired with LZ4 compression, then moving through the Xoshiro128 algorithm with per-sample constants, and finally to the strong ChaCha20 stream cipher in the latest variant. Each step makes it harder for researchers to bulk-decrypt samples. The second-stage Core, now written in Rust, layers on complex key derivation, anti-analysis tricks, and encrypted command-and-control traffic. Early cores hard-coded three DuckDNS control domains, which is how the family got its name.
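The Loader structure described above, a small ELF with an encrypted blob appended past the last file-backed structure, is something a defender can triage without knowing the key: locate where the ELF's program and section headers say the file should end, and measure the entropy of whatever follows. The script below is an added example for this briefing, not code from XLAB or a RustDuck sample; it builds a constructed, hypothetical ELF64 stand-in with `build_sample_elf` (the byte layout is my own, chosen only to exercise the parser) and reports overlay offset, size and Shannon entropy. The 7.0 bits-per-byte threshold is an assumed triage cutoff, not a published one.

```python
import math
import struct

ELF_MAGIC = b"\x7fELF"
SHT_NOBITS = 8  # .bss-style sections occupy no file bytes
EHDR_FMT = "<16sHHIQQQIHHHHHH"  # ELF64 little-endian file header (64 bytes)
PHDR_FMT = "<IIQQQQQQ"          # ELF64 program header (56 bytes)
SHDR_FMT = "<IIQQQQIIQQ"        # ELF64 section header (64 bytes)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or constant data, 8.0 for a uniform byte distribution."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def overlay_offset(blob: bytes) -> int:
    """Offset where the ELF64 file structures end; anything after it is overlay data."""
    if blob[:4] != ELF_MAGIC or blob[4] != 2 or blob[5] != 1:
        raise ValueError("not a little-endian ELF64 file")
    (_, _, _, _, _, e_phoff, e_shoff, _, _, e_phentsize, e_phnum,
     e_shentsize, e_shnum, _) = struct.unpack_from(EHDR_FMT, blob, 0)
    end = max(64, e_phoff + e_phnum * e_phentsize, e_shoff + e_shnum * e_shentsize)
    for i in range(e_phnum):
        _, _, p_offset, _, _, p_filesz, _, _ = struct.unpack_from(
            PHDR_FMT, blob, e_phoff + i * e_phentsize)
        end = max(end, p_offset + p_filesz)
    for i in range(e_shnum):
        _, sh_type, _, _, sh_offset, sh_size, _, _, _, _ = struct.unpack_from(
            SHDR_FMT, blob, e_shoff + i * e_shentsize)
        if sh_type != SHT_NOBITS:
            end = max(end, sh_offset + sh_size)
    return min(end, len(blob))


def triage(blob: bytes, entropy_threshold: float = 7.0) -> dict:
    """Report the trailing overlay and flag it when it is large and looks encrypted/compressed."""
    start = overlay_offset(blob)
    overlay = blob[start:]
    ent = shannon_entropy(overlay)
    return {
        "overlay_offset": start,
        "overlay_size": len(overlay),
        "overlay_entropy": round(ent, 3),
        "suspicious": len(overlay) > 0 and ent >= entropy_threshold,
    }


def build_sample_elf(overlay: bytes) -> bytes:
    """Constructed stand-in (not a real sample): 64-byte header, one 32-byte section,
    a two-entry section header table, then the caller's overlay appended at offset 224."""
    code = bytes([0x90] * 32)          # filler section contents at file offset 64
    shoff = 64 + len(code)             # section header table at offset 96
    ident = ELF_MAGIC + bytes([2, 1, 1]) + bytes(9)  # ELF64, little-endian, version 1
    header = struct.pack(EHDR_FMT, ident, 2, 62, 1, 0x401000,
                         0, shoff, 0, 64, 56, 0, 64, 2, 0)
    null_sh = struct.pack(SHDR_FMT, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0)
    text_sh = struct.pack(SHDR_FMT, 1, 1, 6, 0x401000, 64, len(code), 0, 0, 16, 0)
    return header + code + null_sh + text_sh + overlay


if __name__ == "__main__":
    # A uniformly distributed 4 KiB tail stands in for an encrypted payload.
    print("clean :", triage(build_sample_elf(b"")))
    print("packed:", triage(build_sample_elf(bytes(range(256)) * 16)))
    print("zeros :", triage(build_sample_elf(b"\x00" * 4096)))
```

On a real file, read it with `open(path, "rb").read()` and pass the bytes to `triage`; a large overlay near 8 bits per byte is the cue to carve it and hand it to an analyst, while a zero-padded tail is ordinary and not worth an alert.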

The shift from C to Rust mirrors a broader move among malware authors, who increasingly favor Rust because its binaries are harder to reverse engineer and to fingerprint with signatures. RustDuck joins a crowded field of router and IoT botnets such as AryStinger and TheMoon, but its rapid technical iteration is what XLAB flags as worth watching.

What you should do

Owners of routers, cameras, and other internet-facing devices should change default Telnet and SSH credentials, disable remote management and Android ADB where they are not needed, and apply firmware updates that close the vulnerabilities listed above. Network defenders can block and alert on traffic to and from the loader IP 176[.]65[.]139[.]204.

Indicators of compromise

Loader samples (SHA1): 8315f650e9e4f67c00277b076ab304eed23db47d, 6aa791c76b3107fca9d57b7ecea8f46d97d83738, 4d11bd496da82d15b3ed13050f414e44f5a892d4, d39a3ee96be6b8f5238cb1253514ab55c88f714c. Active loader IP: 176[.]65[.]139[.]204.
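To act on the mitigation advice and the indicators above, a defender needs to refang the published values and match them precisely against logs. The script below is an added example written for this briefing, not IntelFusions or XLAB tooling; it carries the loader IP and SHA1 hashes exactly as listed, refangs them, and scans a set of constructed, hypothetical firewall and endpoint log lines (the log format and every other address in them are made up). Matching uses lookarounds so that `176.65.139.204` does not fire on neighbouring addresses such as `176.65.139.2` or a longer string that merely contains it.

```python
import re

# Indicators as published in the briefing above (defanged on purpose).
LOADER_IP_DEFANGED = "176[.]65[.]139[.]204"
LOADER_SHA1 = {
    "8315f650e9e4f67c00277b076ab304eed23db47d",
    "6aa791c76b3107fca9d57b7ecea8f46d97d83738",
    "4d11bd496da82d15b3ed13050f414e44f5a892d4",
    "d39a3ee96be6b8f5238cb1253514ab55c88f714c",
}


def refang(indicator: str) -> str:
    """Turn a defanged indicator back into its matchable form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def build_matchers(ip_iocs, hash_iocs):
    """Compile one anchored regex per indicator; IPs must not be part of a longer address."""
    matchers = []
    for ip in ip_iocs:
        pat = re.compile(r"(?<![\d.])" + re.escape(ip) + r"(?![\d.])")
        matchers.append(("ip", ip, pat))
    for h in hash_iocs:
        pat = re.compile(r"\b" + re.escape(h) + r"\b", re.IGNORECASE)
        matchers.append(("sha1", h, pat))
    return matchers


def scan_log_lines(lines, ip_iocs, hash_iocs):
    """Return one hit per (line, indicator) pair, with the line number for triage."""
    matchers = build_matchers(ip_iocs, hash_iocs)
    hits = []
    for line_no, line in enumerate(lines, start=1):
        for kind, value, pat in matchers:
            if pat.search(line):
                hits.append({"line_no": line_no, "kind": kind, "indicator": value, "line": line})
    return hits


# Constructed sample log lines; the format and the non-IoC addresses are invented.
SAMPLE_LOGS = [
    "2026-04-02T10:15:01Z fw01 ACCEPT src=192.168.1.23 dst=176.65.139.204 dport=80 proto=tcp",
    "2026-04-02T10:15:02Z fw01 ACCEPT src=192.168.1.23 dst=203.0.113.10 dport=443 proto=tcp",
    "2026-04-02T10:15:09Z edr01 file_create path=/tmp/.x sha1=8315F650E9E4F67C00277B076AB304EED23DB47D",
    "2026-04-02T10:15:10Z fw01 ACCEPT src=10.0.0.5 dst=176.65.139.2 dport=22 proto=tcp",
    "2026-04-02T10:15:11Z fw01 ACCEPT src=10.0.0.5 dst=176.65.139.2040 dport=22 proto=tcp",
]


def scan_sample_logs():
    """Run the matcher over the constructed lines with the briefing's indicators."""
    return scan_log_lines(SAMPLE_LOGS, [refang(LOADER_IP_DEFANGED)], LOADER_SHA1)


if __name__ == "__main__":
    for hit in scan_sample_logs():
        print(f"line {hit['line_no']}: {hit['kind']} {hit['indicator']}")
```

In practice the lines would come from a SIEM export or `tail -f` on the firewall log; the function is deliberately separate from the sample data so the same matcher can be fed any iterable of strings. The block rule for the IP belongs at the perimeter firewall and, for the hashes, in the endpoint agent's block list; this script only tells you where to look.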

This briefing is provided by IntelFusions for informational and defensive purposes only. It is based on sources assessed to be reliable at the time of writing, and analytic judgments carry the confidence levels indicated. Indicators of compromise are defanged; re-arm them only in controlled environments. IntelFusions is not affiliated with the organizations named and makes no warranty as to completeness or accuracy.
