RustDuck: An In-Depth Analysis of a Two-Stage Botnet
Essential information
- Published: 02/07/2026 11:56
- Modified: —
- Source / Author: AlienVault
- Confidence: 100/100
- Report type(s): threat-report
- Labels / Tags: anti-debugging cross-platform cve-2017-17215 cve-2018-8007 cve-2024-1781 cve-2025-29635 ddos botnet encrypted c2 iot compromise rustduck two-stage loader weak password attacks
- Related entities: 4 vulnerabilities (cve), 13 indicators, 11 observables, 20 techniques (mitre), 1 malware
Description
Since February 2026, a new malware family built on a two-stage Loader plus Core architecture has been detected, primarily conducting large-scale DDoS attacks with strong cross-platform capabilities. The family is transitioning from C to the Rust programming language, demonstrating rapid evolution in its anti-defense and traffic-encryption techniques. Propagation methods include weak-password brute-forcing over Telnet and SSH, exploitation of IoT device vulnerabilities affecting Android ADB, TVT API, Ruijie, TP-Link, and ZTE devices, and web component vulnerabilities in ThinkPHP, Jenkins, and YARN. The botnet employs sophisticated anti-debugging mechanisms including environment checks, honeypot detection, and timing verification. Its communication protocol uses Curve25519 key exchange with ChaCha20-Poly1305 and AES-GCM encryption and enforces a strict handshake verification process. Over 20 IPs have been observed spreading the botnet, with multiple variants showing increasingly complex encryption and obfuscation techn