{
  "name": "RustDuck: An In-Depth Analysis of a Two-Stage Botnet",
  "slug": "rustduck-an-in-depth-analysis-of-a-two-stage-botnet",
  "description": "Since February 2026, a new malware family utilizing a Loader plus Core two-stage architecture has been detected, primarily conducting large-scale DDoS attacks with strong cross-platform capabilities. The family is transitioning from C to the Rust programming language, demonstrating rapid evolution in anti-defense and traffic encryption techniques. Propagation methods include weak password brute-forcing via Telnet and SSH, exploitation of IoT device vulnerabilities affecting Android ADB, TVT API, Ruijie, TP-Link, and ZTE devices, plus web component vulnerabilities in ThinkPHP, Jenkins, and YARN. The botnet employs sophisticated anti-debugging mechanisms including environment checks, honeypot detection, and timing verification. Communication protocols leverage Curve25519 key exchange, ChaCha20-Poly1305 and AES-GCM encryption, implementing strict handshake verification processes. Over 20 IPs have been observed spreading the botnet, with multiple variants showing increasingly complex encryption and obfuscation techniques.",
  "published": "2026-07-02T09:56:55.843000+00:00",
  "created_at": "2026-07-02T10:13:57.009000+00:00",
  "modified_at": null,
  "created_at_opencti": "2026-07-02T10:13:57.009000+00:00",
  "author": "AlienVault",
  "confidence": 100,
  "report_types": [
    "threat-report"
  ],
  "labels": [
    "anti-debugging",
    "cross-platform",
    "cve-2017-17215",
    "cve-2018-8007",
    "cve-2024-1781",
    "cve-2025-29635",
    "ddos botnet",
    "encrypted c2",
    "iot compromise",
    "rustduck",
    "two-stage loader",
    "weak password attacks"
  ],
  "tags": [],
  "related_entities": {
    "vulnerabilities": [
      {
        "id": "7a6d9b7f-523a-4990-8636-ff2565e99d0e",
        "name": "CVE-2017-17215"
      },
      {
        "id": "73e5ed03-de54-40af-81e3-a1e3b7a459d9",
        "name": "CVE-2024-1781"
      },
      {
        "id": "af8afdd3-3b17-47af-9b62-2b3ff0728568",
        "name": "CVE-2025-29635"
      },
      {
        "id": "448c9037-59e4-407d-a419-46f55edfb627",
        "name": "CVE-2018-8007"
      }
    ],
    "indicators": [
      {
        "id": "188b1829-9346-4b5c-87c3-f9d84469fbbc",
        "name": "igmc.duckdns.org"
      },
      {
        "id": "88bc473c-31d1-4b41-a07a-29612c21322f",
        "name": "b519ae088ee0fd4658c16aab474d51c6acdc5c9cd7fab3fd69032d05a45ffd9b"
      },
      {
        "id": "b300313b-e65e-4db9-bcb6-91d12e21dc7b",
        "name": "a5d1b65b1055677156cd87b357ef488704115a2cbf52044dbb041072efed2f9d"
      },
      {
        "id": "5c24143b-76f4-4c06-aadc-2db1c4dd5306",
        "name": "disciplinenahidwin.st"
      },
      {
        "id": "5c8cfb84-cdbf-49bd-bb51-26f452a97898",
        "name": "qewqewqewqtqtwo.duckdns.org"
      },
      {
        "id": "f6f67ed6-72ce-411c-ac0e-6fe2ba47be44",
        "name": "fcfrfxrfrsfs5f.duckdns.org"
      },
      {
        "id": "d126cbb4-208b-415c-ba0b-4c3f0edf8deb",
        "name": "ilovefemboy.mooo.com"
      },
      {
        "id": "628293b5-2e9d-4de8-b1f8-2f449291b0a8",
        "name": "gayporn.twilightparadox.com"
      },
      {
        "id": "ec302b11-a7a6-4d66-be8e-84551e737022",
        "name": "criminalcloudflare.online"
      },
      {
        "id": "b9b6a87c-213b-45cb-97d5-a31866042ae7",
        "name": "qewqewqewqtq.duckdns.org"
      },
      {
        "id": "ceb72619-cf7e-4c7c-bb8f-d0e1b607e9ae",
        "name": "qewqewqewqtqthree.duckdns.org"
      },
      {
        "id": "5dd05553-f011-4155-9c71-e4c0953108b2",
        "name": "dhdsjsdjxc.duckdns.org"
      },
      {
        "id": "ebb58e10-79f1-4423-ba58-b29fefdb0814",
        "name": "bigniggadick.ignorelist.com"
      }
    ],
    "attack_patterns": [
      {
        "id": "c473a756-355a-42ad-a0df-cd3a8fa006d1",
        "name": "T1057"
      },
      {
        "id": "9f11a241-9abc-4c57-95dd-33955ab08826",
        "name": "T1078"
      },
      {
        "id": "32817170-4c07-427e-b8a5-80a733ae2550",
        "name": "T1497"
      },
      {
        "id": "747c7b95-79ff-4132-8ea5-397cb6665ebd",
        "name": "T1498"
      },
      {
        "id": "444de5e0-bd7f-4700-b700-26320057dd80",
        "name": "T1110"
      },
      {
        "id": "7d7ac733-6442-416f-8669-c302dd0843b9",
        "name": "T1036"
      },
      {
        "id": "c3af9fd7-d307-4df4-9220-cc627938fb85",
        "name": "T1055"
      },
      {
        "id": "a72ebeae-8e62-4039-8135-e9c611011fdc",
        "name": "T1573"
      },
      {
        "id": "ca53b2fa-42a8-45ec-9682-0cf54bf280f3",
        "name": "T1090"
      },
      {
        "id": "dc17cbbd-40d8-43cf-b3cf-50d1276db2c7",
        "name": "T1016"
      },
      {
        "id": "a2ba5594-6293-4868-928c-ab4b31927a02",
        "name": "T1572"
      },
      {
        "id": "0c836307-129e-4ff7-a532-180c633cacba",
        "name": "T1027"
      },
      {
        "id": "6c8f8a40-2746-4a37-86bd-81e82afa6e62",
        "name": "T1190"
      },
      {
        "id": "cbd87c8c-3bed-461a-acef-56ffc8b87571",
        "name": "T1105"
      },
      {
        "id": "9b6064e6-a05b-4e95-baf5-34d180bc9221",
        "name": "T1059"
      },
      {
        "id": "dc342445-1b78-48b4-aa06-89ed2ad7c28e",
        "name": "T1071"
      },
      {
        "id": "0156fcda-e385-4662-b388-086c3e16feec",
        "name": "T1140"
      },
      {
        "id": "45082a8e-9c79-470e-ad1b-decac7188e8f",
        "name": "T1083"
      },
      {
        "id": "e46a9411-d2a1-47c9-8820-c7f818f4c0b5",
        "name": "T1203"
      },
      {
        "id": "70616b2f-4019-4963-b758-5d9f6f20e201",
        "name": "T1082"
      }
    ],
    "malware": [
      {
        "id": "4e1f9d5d-2ab5-4881-8d1a-818172b8ac3d",
        "name": "RustDuck"
      }
    ],
    "observables": [
      {
        "id": "51a47d86-bb5a-4a41-9c43-3ede516bc340",
        "name": "disciplinenahidwin.st"
      },
      {
        "id": "933ed5f6-156a-4bdb-ab16-f85dfe7f9608",
        "name": "criminalcloudflare.online"
      },
      {
        "id": "d1ef1037-7a0b-40b0-a569-8c80d9176a2a",
        "name": "ilovefemboy.mooo.com"
      },
      {
        "id": "5ff9f59c-1eec-4183-bfc3-e3e6a69523a0",
        "name": "bigniggadick.ignorelist.com"
      },
      {
        "id": "52cc2cfb-0730-4797-b2cf-ea86274ee202",
        "name": "qewqewqewqtqthree.duckdns.org"
      },
      {
        "id": "ea88a650-42e1-42b1-a82b-2ed077e0da29",
        "name": "qewqewqewqtq.duckdns.org"
      },
      {
        "id": "07c32aa1-2c3d-47e8-958a-f9152ed7eb84",
        "name": "igmc.duckdns.org"
      },
      {
        "id": "84a22297-057b-42c7-a563-6b8f25735701",
        "name": "fcfrfxrfrsfs5f.duckdns.org"
      },
      {
        "id": "0865168c-be2d-4fcb-a576-0e20c23cbc68",
        "name": "dhdsjsdjxc.duckdns.org"
      },
      {
        "id": "048be09d-93e1-4cb4-82c4-41caa34eb68b",
        "name": "gayporn.twilightparadox.com"
      },
      {
        "id": "e65df20b-0e51-42c1-909f-d45a71992e24",
        "name": "qewqewqewqtqtwo.duckdns.org"
      }
    ]
  },
  "external_refs": [
    {
      "id": "9a873c8d-a080-477f-af0d-52dadaf9f3df",
      "standard_id": "external-reference--0d6fb107-30fa-5f0b-8032-58a836ad0369",
      "entity_type": "External-Reference",
      "source_name": "AlienVault",
      "description": null,
      "url": "https://blog.xlab.qianxin.com/rustduck-en/",
      "hash": null,
      "external_id": null,
      "created": "2026-07-02T10:13:56.938Z",
      "modified": "2026-07-02T10:13:56.938Z",
      "createdById": null
    },
    {
      "id": "d1ba84b1-95ac-49e9-b616-eb4e91ad2289",
      "standard_id": "external-reference--66dd99f8-4349-5c9d-8d23-37847ae07416",
      "entity_type": "External-Reference",
      "source_name": "AlienVault",
      "description": null,
      "url": "https://otx.alienvault.com/pulse/6a4635e7998db450b0ccdee2",
      "hash": null,
      "external_id": "6a4635e7998db450b0ccdee2",
      "created": "2026-07-02T10:13:56.904Z",
      "modified": "2026-07-02T10:13:56.904Z",
      "createdById": null
    }
  ]
}