- Patrick Duggan
# RustDuck Is a Small Botnet Engineering Like It Plans to Get Big. The Tell Isn't Its Size — It's How Hard It's Being Built.
There is a botnet called RustDuck that most defenders can safely ignore today on the numbers alone. It is not large. It is not, yet, knocking major services offline. It hijacks the usual sad inventory of the internet's underbelly — home routers, IP cameras, Android TV boxes, and poorly-secured servers — to assemble denial-of-service capacity. On a threat-severity chart it barely registers. And that is exactly why it is worth writing about, because the interesting thing about RustDuck is not its size. It is the engineering. Somebody is building this small botnet with the tooling and discipline of an operation that fully intends to be a big one. When a threat's sophistication outruns its footprint, that gap is the forecast.
## What it is, on the surface
RustDuck is a two-stage malware family that has been tracked by researchers at QiAnXin's XLab since around February 2026. Its purpose, so far, is mundane: build a network of compromised devices and rent or wield their combined bandwidth to take websites and services offline. The victims are the perennial casualties of botnet economics — devices that ship with default passwords, expose management interfaces they shouldn't, and never get patched because nobody thinks of a security camera as a computer.
The infection strategy is a shotgun of the tried-and-true. It sprays weak-password attacks against Telnet and SSH. It exploits known remote-code-execution vulnerabilities across a wide spread of device ecosystems — Android's ADB debugging interface, TVT camera API endpoints, and gear from manufacturers including Ruijie, TP-Link, and ZTE. And it reaches up the stack into web-application targets: ThinkPHP, Jenkins, and Hadoop YARN. None of these are new holes. Every one of them is a door that has been standing open for years, on devices whose owners forgot they were doors.
## The part that should make you pay attention
Here is where RustDuck stops being just another IoT botnet and starts being a signal. The operators are rewriting it from C into Rust, and the newer versions go to genuinely unusual lengths to resist analysis and takedown.
Rust is a deliberate choice. It is harder to reverse-engineer than the C that most of this class of malware is written in, it produces more reliable binaries across the fragmented mess of IoT architectures, and moving to it is real work — you do not rewrite a working botnet in a harder language on a whim. You do it because you are planning to maintain and grow the thing for a long time.
The engineering discipline shows up in the cryptography, too. Key derivation now uses HKDF-SHA256, and some variants employ time-based dynamic keys that rotate every ten minutes. That is not the security posture of a smash-and-grab. Ten-minute rotating keys are what you build when you expect defenders to be watching, capturing your traffic, and trying to hijack or sinkhole your command channel — and you have decided to make that expensive for them in advance. It is a botnet being hardened against a fight it has not had yet.
That mismatch is the whole story. A small botnet built like a durable product is not a small threat that will stay small. It is a large threat in its early, cheap-to-stop phase.
## Why this is the shape defenders keep missing
We write about edge appliances and internet-of-things devices more than almost anything else, and the reason is always the same: the door is never where you are looking. Enterprises pour money into endpoint detection on laptops and servers while the actual perimeter — the router in the branch office, the camera in the parking lot, the forgotten Jenkins box on a lab subnet — sits unmonitored with credentials it shipped with in 2019. RustDuck does not need a clever zero-day, because it does not have to. The vulnerabilities it uses are old, published, and patched-in-theory. The devices it lands on are simply never actually patched.
The uncomfortable truth is that a botnet like this is a measurement of your hygiene, not the attacker's brilliance. Every device RustDuck recruits is one that answered a default-password login or a years-old exploit. The malware is getting more sophisticated; the way in has not changed at all.
## What to actually do
Treat your edge and IoT estate like the attack surface it is, not the appliance inventory you wish it were. Change default credentials on everything that has them — routers, cameras, NVRs, the lot — and if a device cannot have its default password changed, that device does not belong on a routable network. Disable Telnet everywhere; there is no 2026 justification for it. Lock down SSH to keys and trusted management networks. Kill exposed Android ADB interfaces, which have no business being reachable. And patch the named application layers RustDuck reaches for — ThinkPHP, Jenkins, Hadoop YARN — or wall them off from the open internet if you cannot.
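The "lock down SSH to keys and trusted management networks" step is the one most often half-done, so here is a small checker for it. This is an added example, not tooling from the article or from XLab: it parses an `sshd_config` and reports the settings that fall short of the hardening list above. Both configs are constructed for the example, the defaults it assumes are upstream OpenSSH defaults (vendor firmware builds may differ), and `192.0.2.0/24` is a documentation address range standing in for a real management network.

```python
"""Audit an sshd_config against the SSH hardening step above.

Added example, not part of the original article. It checks for password
logins, root login, and missing source restrictions on who may log in.
"""

# Constructed "weak" config of the kind that ships on an unmanaged device.
WEAK_SSHD_CONFIG = """
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
"""

# Constructed hardened config: keys only, no root, logins only from the
# management network (192.0.2.0/24 is a documentation range, a stand-in).
HARDENED_SSHD_CONFIG = """
Port 22
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
AllowUsers admin@192.0.2.*
"""


def parse_sshd_config(text):
    """Return {keyword_lower: value} for top-level directives.

    Directives after the first `Match` block are conditional, so they are
    ignored here; the audit is about the global policy.
    """
    settings = {}
    in_match = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        key, _, value = line.partition(" ")
        key = key.lower()
        if key == "match":
            in_match = True
            continue
        if in_match:
            continue
        settings[key] = value.strip()
    return settings


def audit_sshd_config(text):
    """Return a list of findings; an empty list means the policy is met."""
    s = parse_sshd_config(text)
    findings = []
    # Assumed defaults are upstream OpenSSH's; a missing directive means
    # the default applies, which for password/keyboard logins is "yes".
    if s.get("passwordauthentication", "yes").lower() != "no":
        findings.append("PasswordAuthentication is enabled; set it to 'no'")
    if s.get("kbdinteractiveauthentication", "yes").lower() != "no":
        findings.append("KbdInteractiveAuthentication is enabled; set it to 'no'")
    if s.get("permitrootlogin", "prohibit-password").lower() != "no":
        findings.append("PermitRootLogin should be 'no' on an edge device")
    if "allowusers" not in s and "allowgroups" not in s:
        findings.append("No AllowUsers/AllowGroups: restrict logins to a management network")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(name, audit_sshd_config(cfg) or "OK")
```

Run it against `/etc/ssh/sshd_config` on each box you can still log in to; a device whose firmware offers no way to reach a clean result is the one the paragraph says should come off the routable network.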
Then watch your egress, because a recruited device announces itself by talking to a command channel it never talked to before. Outbound connections from a camera or a router to an unfamiliar host, especially on an unusual cadence, are the signature — and the ten-minute key rotation does nothing to hide the fact that the connection is happening, only what is said inside it. You do not need to break their cryptography. You need to notice that your thermostat is phoning a stranger.
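The egress check in the paragraph above, as an added example that is not part of the original article: a minimal beaconing detector over flow records. It flags a device when it talks to a destination outside its historical baseline and does so on a regular cadence (low jitter between connection times). It looks only at who talked to whom and when, which is exactly the metadata that rotating keys leave in the clear. The flow records, device addresses and baseline are all constructed for this example.

```python
"""Flag edge/IoT devices whose egress looks like a new, regular command channel.

Added example, not part of the original article. Works on connection
metadata only (timestamp, source, destination, port); payload content and
any encryption of it are irrelevant to the check.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (timestamp_seconds, src_ip, dst_ip, dst_port).
# 10.0.8.20 is a camera, 10.0.8.21 a router, 10.0.8.30 a workstation.
SAMPLE_FLOWS = [
    # Camera streaming to its known NVR at irregular times (normal).
    (0, "10.0.8.20", "10.0.8.5", 554),
    (37, "10.0.8.20", "10.0.8.5", 554),
    (140, "10.0.8.20", "10.0.8.5", 554),
    # Camera contacting an unfamiliar external host every ~600 s (suspicious).
    (100, "10.0.8.20", "203.0.113.77", 8443),
    (701, "10.0.8.20", "203.0.113.77", 8443),
    (1299, "10.0.8.20", "203.0.113.77", 8443),
    (1902, "10.0.8.20", "203.0.113.77", 8443),
    # Router doing scheduled NTP to a known server (baselined, not flagged).
    (0, "10.0.8.21", "192.0.2.10", 123),
    (1024, "10.0.8.21", "192.0.2.10", 123),
    (2048, "10.0.8.21", "192.0.2.10", 123),
    # Workstation browsing a new site at human, irregular intervals (not flagged).
    (10, "10.0.8.30", "198.51.100.9", 443),
    (15, "10.0.8.30", "198.51.100.9", 443),
    (400, "10.0.8.30", "198.51.100.9", 443),
    (402, "10.0.8.30", "198.51.100.9", 443),
    (900, "10.0.8.30", "198.51.100.9", 443),
]

# Constructed baseline: destinations each device has historically used.
BASELINE = {
    "10.0.8.20": {"10.0.8.5"},
    "10.0.8.21": {"192.0.2.10"},
}


def find_beacons(flows, baseline, min_connections=3, max_jitter_ratio=0.2):
    """Return {(src, dst, port): mean_interval_seconds} for suspicious egress.

    A (src, dst, port) triple is reported when the destination is not in
    the source's baseline, it was contacted at least `min_connections`
    times, and the gaps between contacts vary by at most `max_jitter_ratio`
    of their mean (i.e. the cadence is machine-regular).
    """
    by_pair = defaultdict(list)
    for ts, src, dst, port in flows:
        if dst in baseline.get(src, set()):
            continue  # known destination: not a *new* channel
        by_pair[(src, dst, port)].append(ts)

    findings = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        gaps = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter_ratio:
            findings[pair] = avg
    return findings


if __name__ == "__main__":
    for (src, dst, port), interval in find_beacons(SAMPLE_FLOWS, BASELINE).items():
        print(f"{src} -> {dst}:{port} every ~{interval:.0f}s to a destination it never used before")
```

The baseline is the part that matters in practice: build it from a few weeks of flow or proxy logs per device class, and keep the jitter threshold tight for appliances, since a camera has no reason to contact anything on a human-like schedule.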
## Why we are flagging a small threat now
We are not going to overstate RustDuck. On today's numbers it is a minor botnet, and it may never become a major one — plenty of well-engineered malware families flame out before they scale, and predicting which small threat grows is genuinely hard. As with every call we make, we cap our confidence at ninety-five percent: the forecast could be wrong.
But the pattern is worth naming while it is still cheap to act on, because that is the entire point of watching left of boom. A threat announces its ambitions in how it is built long before it announces them in how much damage it does. RustDuck is being engineered — Rust rewrite, rotating keys, analysis resistance — like something that plans to be around and plans to be big. The best time to close the doors it walks through is now, while it is small enough that closing them is just good hygiene rather than incident response. The rust-colored duck is not the threat. The unlocked door it waddled through is, and that door is on your network whether or not RustDuck ever knocks.
Her name was Renee Nicole Good.
His name was Alex Jeffery Pretti.
