A new two-stage malware family called RustDuck is hijacking home routers, IP cameras, Android boxes, and poorly secured servers, then stitching them into a network built to knock websites and online services offline.
Researchers at QiAnXin’s XLab have tracked it since February 2026, and say the real story is not how big it is today, but how fast it is changing.
The end goal is a distributed denial-of-service (DDoS) attack: flooding a target with junk traffic from the infected machines until it buckles.
RustDuck is one more entrant in a crowded field, but it stands out for two reasons. It is being rewritten from the C programming language into Rust, and its newer versions go to unusual lengths to avoid being studied or shut down.
How it spreads
RustDuck does not lean on a single clever trick. It sprays a mix of old, well-known weaknesses and hopes one sticks. The first is the oldest in the book: devices left on the internet with weak or default passwords on their remote-login services (Telnet and SSH). Guess the password, walk in.
The second is unpatched device bugs. XLab says RustDuck goes after exposed Android debugging interfaces and flaws in gear from TVT (DVRs and cameras), Ruijie, TP-Link, and ZTE, plus a handful of named, years-old vulnerabilities that still litter the internet:
The third path is web software. RustDuck also targets known holes in ThinkPHP, Jenkins, and Hadoop YARN, which stretches its reach from cheap home hardware to exposed server software.
XLab counted more than 20 internet addresses spreading the malware, with the busiest at 176.65.139[.]204.
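The spreading behaviour described above leaves a recognisable trail in the login logs of any device that still exposes SSH: a burst of failed passwords for default account names from one source. The following Python script is an added example, not code from XLab or from the article, that reads OpenSSH failed-password lines, flags sources that spray credentials past a threshold, and separately flags the one distribution address the article names (refanged from its defanged form). The log lines are constructed for the example, with the other addresses drawn from RFC 5737 documentation ranges; it handles the sshd log format only, not Telnet daemons.

```python
import re
from collections import Counter, defaultdict

# The article gives XLab's busiest distribution address defanged ("176.65.139[.]204");
# refang it so it matches the dotted form that appears in logs.
KNOWN_DISTRIBUTION_IPS = {"176.65.139[.]204".replace("[.]", ".")}

# OpenSSH failed-password line as written to auth.log / journald.
FAILED_LOGIN = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

# Constructed sample log lines for this example (not from the XLab report).
# Addresses other than the XLab indicator come from RFC 5737 documentation ranges.
SAMPLE_AUTH_LOG = """\
Mar 14 02:11:01 cam01 sshd[812]: Failed password for root from 203.0.113.7 port 41022 ssh2
Mar 14 02:11:03 cam01 sshd[812]: Failed password for invalid user admin from 203.0.113.7 port 41023 ssh2
Mar 14 02:11:04 cam01 sshd[812]: Failed password for invalid user admin from 203.0.113.7 port 41024 ssh2
Mar 14 02:11:06 cam01 sshd[812]: Failed password for root from 203.0.113.7 port 41025 ssh2
Mar 14 02:11:07 cam01 sshd[812]: Failed password for invalid user support from 203.0.113.7 port 41026 ssh2
Mar 14 02:11:09 cam01 sshd[812]: Failed password for root from 203.0.113.7 port 41027 ssh2
Mar 14 02:15:40 cam01 sshd[815]: Failed password for alice from 198.51.100.9 port 50310 ssh2
Mar 14 02:15:45 cam01 sshd[815]: Accepted password for alice from 198.51.100.9 port 50310 ssh2
Mar 14 02:20:12 cam01 sshd[819]: Failed password for root from 176.65.139.204 port 36000 ssh2
Mar 14 02:20:13 cam01 sshd[819]: Failed password for invalid user admin from 176.65.139.204 port 36001 ssh2
"""


def failed_logins_by_source(log_text):
    """Map each source IP to the list of usernames it failed to log in as."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        m = FAILED_LOGIN.search(line)
        if m:
            by_ip[m.group("ip")].append(m.group("user"))
    return dict(by_ip)


def brute_force_sources(log_text, threshold=5):
    """Sources with at least `threshold` failed logins: the password-guessing
    behaviour the article describes. Returns {ip: attempt_count}."""
    return {ip: len(users)
            for ip, users in failed_logins_by_source(log_text).items()
            if len(users) >= threshold}


def known_distribution_hits(log_text):
    """Failed logins from addresses XLab already tied to RustDuck spreading."""
    return {ip: len(users)
            for ip, users in failed_logins_by_source(log_text).items()
            if ip in KNOWN_DISTRIBUTION_IPS}


def targeted_accounts(log_text):
    """Most-tried usernames across all sources, most common first. Shows which
    default accounts the sprayer is guessing, which is what to disable or rename."""
    counts = Counter()
    for users in failed_logins_by_source(log_text).values():
        counts.update(users)
    return counts.most_common()


if __name__ == "__main__":
    print("brute-force sources:", brute_force_sources(SAMPLE_AUTH_LOG))
    print("known RustDuck spreaders:", known_distribution_hits(SAMPLE_AUTH_LOG))
    print("accounts tried:", targeted_accounts(SAMPLE_AUTH_LOG))
```

The threshold of five failures is a starting point; on a device that should never see interactive logins from the internet, even one failed attempt for `root` or `admin` from an unknown address is worth an alert, and the real fix is disabling Telnet, moving SSH to key-only authentication, and not exposing either to the internet at all.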
What makes it tricky
RustDuck installs in two stages: a small loader that decrypts and unpacks a heavier core module. That core is where the interesting engineering lives, and it is the part being rewritten in Rust.
Rust binaries are generally tougher for analysts to take apart than the C that has powered device malware for years, and XLab says RustDuck’s Rust core shows real depth in how it derives its keys, hides from analysis, and talks to its servers. The switch points to active development, not a quick re-skin of leaked code.
The bigger tell is how hard the newer samples work to stay hidden. Before doing anything, RustDuck runs a checklist to decide whether it has landed in a security researcher’s lab instead of on a real victim’s device. It looks for analysis tools like Wireshark and gdb, for debuggers attached to its own process, for the fingerprints of a honeypot trap, even for virtual-machine hardware.
Each hit adds points to a risk score. Cross a threshold, and the malware erases its traces and quits before anyone can watch it run.
Two of those checks stand out. One quietly tries to reach an internet address that is reserved for testing and should never answer; if something replies, RustDuck knows it is inside a fake network built to fool malware, and bails.
Another compares two clocks to catch sandboxes that speed up time to rush malware into…
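The two checks just described are worth understanding from the other side: an analysis sandbox that answers for addresses nothing real should answer for, or that warps its wall clock to hurry malware through its sleeps, advertises itself. The Python script below is an added example, not XLab's code and not RustDuck's, that a sandbox operator can run inside the environment to confirm neither tell is present. It probes an address in RFC 5737's TEST-NET-1 range (the specific address is an assumption; the article only says a reserved testing address), compares elapsed wall-clock time against the monotonic clock across a short sleep, and adds illustrative point weights per hit to mirror the risk-score structure the article describes. The weights and threshold are invented for the example; the report does not publish RustDuck's.

```python
import socket
import time

# RFC 5737 reserves 192.0.2.0/24 (TEST-NET-1) for documentation. Nothing on the
# real internet should accept a connection there; a sandbox that answers for every
# address to keep malware talking will. The exact address is this example's choice.
RESERVED_PROBE = ("192.0.2.1", 80)

# Illustrative weights and threshold (assumed; RustDuck's real values are not public).
WEIGHT_FAKE_NETWORK = 40
WEIGHT_CLOCK_WARP = 30
ALERT_THRESHOLD = 30


def reserved_address_answers(connect=socket.create_connection, timeout=2.0):
    """True if a TCP connection to the reserved address succeeds.
    `connect` is injectable so the check can be exercised without a network."""
    try:
        sock = connect(RESERVED_PROBE, timeout=timeout)
    except OSError:
        return False
    sock.close()
    return True


def clock_warp_ratio(sleep_seconds=0.2, sleep=time.sleep,
                     wall=time.time, mono=time.monotonic):
    """Ratio of wall-clock time to monotonic time elapsed across one short sleep.
    On a real host the two clocks agree (about 1.0). A sandbox that jumps the
    wall clock forward so malware stops sleeping produces a ratio far above 1."""
    w0, m0 = wall(), mono()
    sleep(sleep_seconds)
    return (wall() - w0) / max(mono() - m0, 1e-9)


def audit_sandbox(connect=socket.create_connection, sleep=time.sleep,
                  wall=time.time, mono=time.monotonic, warp_tolerance=1.5):
    """Run both checks and score them the way the article says RustDuck's
    checklist works: each hit adds points. Returns (score, findings)."""
    score, findings = 0, []
    if reserved_address_answers(connect):
        score += WEIGHT_FAKE_NETWORK
        findings.append("reserved TEST-NET address accepted a connection (fake-internet tell)")
    ratio = clock_warp_ratio(sleep=sleep, wall=wall, mono=mono)
    if ratio > warp_tolerance:
        score += WEIGHT_CLOCK_WARP
        findings.append(f"wall clock ran {ratio:.1f}x faster than monotonic clock (time-warp tell)")
    return score, findings


def would_be_recognised(score, threshold=ALERT_THRESHOLD):
    """True if a sample using this scoring would conclude it is in a lab and quit."""
    return score >= threshold


if __name__ == "__main__":
    total, notes = audit_sandbox()
    verdict = "would be recognised as a lab" if would_be_recognised(total) else "shows neither tell"
    print(f"score {total}: {verdict}")
    for note in notes:
        print(" -", note)
```

Run inside the analysis VM, a non-zero score means the environment needs fixing before a sample like this will execute its real payload: the fake-internet layer should refuse or black-hole reserved ranges, and time acceleration should move both clocks together rather than only the wall clock.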