A new two-stage malware family called RustDuck is hijacking devices worldwide. It targets home routers, IP cameras, Android boxes, and poorly secured servers. It then stitches them into a network built to knock services offline.
Researchers at QiAnXin’s XLab have tracked it since February 2026. They say the real story is how fast it keeps changing. The end goal is a distributed denial-of-service attack. That floods a target with junk traffic until it buckles.
RustDuck stands out for two reasons. It is being rewritten from C into Rust, and its newer versions go to unusual lengths to avoid being studied. The malware spreads by exploiting a mix of old weaknesses. First, it targets devices with weak or default Telnet and SSH passwords. Second, it hits exposed Android debugging interfaces and unpatched device bugs. It abuses years-old flaws in gear from TVT, Ruijie, TP-Link, and ZTE. It also targets holes in ThinkPHP, Jenkins, and Hadoop YARN.
The Rust core is where the real engineering lives. Rust binaries are tougher for analysts to take apart than older C code. The switch points to active development, not a quick re-skin.
The newer samples also work hard to stay hidden. Before acting, RustDuck checks whether it has landed in a researcher’s lab. It looks for analysis tools, debuggers, honeypots, and virtual machines. If the risk score crosses a threshold, it erases its traces and quits.
Its communications stay locked down too. RustDuck encrypts traffic with modern ciphers and rotates keys every ten minutes. It disguises the connection to look like ordinary web traffic. The control servers lean on free dynamic-DNS services like duckdns.org.
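One defender-side check that follows from the dynamic-DNS detail above, written as an added example and not taken from the XLab report or this article: it parses resolver log lines and flags every client that looks up a duckdns.org name, so a router or camera beaconing to such a host stands out. The log format, the client addresses, and the sample lines are all constructed here; duckdns.org is the one zone the article names, and the zone set is meant to be extended with whatever providers your own environment treats as suspect.

```python
import re

# Dynamic-DNS zones to flag. duckdns.org comes from the article; the set is
# an assumption you extend for your own environment.
DYNDNS_ZONES = {"duckdns.org"}

# Constructed sample resolver log (syslog-like); not real traffic.
SAMPLE_LOG = """\
2026-03-01T10:00:01 client=192.168.1.20 query=router-update.duckdns.org type=A
2026-03-01T10:00:03 client=192.168.1.50 query=www.example.com type=A
2026-03-01T10:10:02 client=192.168.1.20 query=router-update.duckdns.org type=A
2026-03-01T10:20:04 client=192.168.1.20 query=cam-relay.duckdns.org type=A
2026-03-01T10:21:00 client=192.168.1.77 query=duckdns.org type=A
2026-03-01T10:30:00 client=192.168.1.20 query=router-update.duckdns.org type=A
"""

# Assumed log layout: "<timestamp> client=<ip> query=<name> type=<qtype>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) query=(?P<name>\S+) type=(?P<qtype>\S+)$"
)


def is_dyndns(name):
    """True if name is a flagged zone or any subdomain of one (suffix match,
    so 'duckdns.org.example.test' is NOT flagged)."""
    labels = name.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in DYNDNS_ZONES for i in range(len(labels)))


def find_dyndns_clients(log_text):
    """Map each client that queried a dynamic-DNS name to the names it asked
    for, how many times, and the first/last timestamp seen."""
    hits = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not is_dyndns(m["name"]):
            continue
        rec = hits.setdefault(
            m["client"], {"names": set(), "count": 0, "first": m["ts"], "last": m["ts"]}
        )
        rec["names"].add(m["name"].lower().rstrip("."))
        rec["count"] += 1
        rec["last"] = m["ts"]
    return hits


if __name__ == "__main__":
    for client, rec in sorted(find_dyndns_clients(SAMPLE_LOG).items()):
        print(f"{client}: {rec['count']} lookups {rec['first']}..{rec['last']} -> {sorted(rec['names'])}")
```

A single lookup from a workstation is rarely interesting; repeated lookups from a router, camera or Android box with no business reason to use a dynamic-DNS host are the ones worth isolating and inspecting.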
For now, RustDuck remains small next to record-breaking botnets. But experts warn its techniques may spread. Other crews often borrow such methods once proven.