RustDuck: An In-Depth Analysis of a Two-Stage Botnet

· Published 02/07/2026 11:56

Essential information

Published
02/07/2026 11:56
Modified
Source / Author
AlienVault
Confidence
100/100
Report type(s)
threat-report
Labels / Tags
anti-debugging cross-platform cve-2017-17215 cve-2018-8007 cve-2024-1781 cve-2025-29635 ddos botnet encrypted c2 iot compromise rustduck two-stage loader weak password attacks
Related entities
4 vulnerabilities (cve), 13 indicators, 11 observables, 20 techniques (mitre), 1 malware

Description

Since February 2026, a new malware family using a Loader plus Core two-stage architecture has been detected, primarily conducting large-scale DDoS attacks with strong capabilities. The family is transitioning from C to the Rust programming language, demonstrating rapid evolution in anti-defense and traffic encryption techniques. Propagation methods include weak password brute-forcing via Telnet and SSH, exploitation of IoT device vulnerabilities affecting Android ADB, TVT API, Ruijie, TP-Link, and ZTE devices, plus web component vulnerabilities in ThinkPHP, Jenkins, and YARN. The botnet employs sophisticated mechanisms including environment checks, honeypot detection, and timing verification. Communication protocols leverage Curve25519 key exchange and ChaCha20-Poly1305 and AES-GCM encryption, implementing strict handshake verification processes. Over 20 IPs have been observed spreading the botnet, with multiple variants showing increasingly complex encryption and obfuscation techn

External references