Malik Haidar is a veteran cybersecurity expert who has spent years in the trenches of multinational corporations, merging high-level business strategy with deep-dive threat intelligence. With a career built on dismantling complex hacking operations and securing global infrastructure, he offers a unique vantage point on the evolving arms race between malware developers and security researchers. Today, he breaks down the emergence of RustDuck, a sophisticated two-stage botnet that signals a paradigm shift in how modular threats are built, hidden, and deployed against modern networks.
We are seeing a significant trend where malware developers are ditching traditional languages like C in favor of Rust. From your perspective in the trenches, what makes this shift so alarming for the people tasked with analyzing these threats?
The shift to Rust is a calculated move that adds a thick layer of frustration for anyone trying to reverse-engineer a binary. While C has been the backbone of device malware for decades, its structures are well-understood and relatively predictable under a microscope. Rust, however, produces binaries that are fundamentally more complex and harder to take apart, which is exactly what we are seeing with the core module of RustDuck. Since researchers at XLab began tracking this family in February 2026, it has become clear that this isn’t just a quick “re-skin” of leaked code, but a meticulously engineered tool built for longevity. When a developer chooses Rust, they are choosing to make every minute an analyst spends on the code feel like an uphill battle, showing a level of active development that we usually only see in top-tier cybercrime syndicates.
RustDuck seems to cast an incredibly wide net, targeting everything from home routers to enterprise-grade server software. How does it manage to successfully compromise such a diverse range of hardware without a single “silver bullet” exploit?
It succeeds through sheer persistence and a “spray and pray” methodology that exploits the basic hygiene failures of the internet. First, it hammers away at remote-login services like Telnet and SSH, betting on the fact that many users still leave their devices reachable with weak or default passwords. Beyond that, it carries a toolbox of unpatched bugs, including the 2017 Huawei router flaw known as CVE-2017-17215 and the more recent command-injection vulnerability in D-Link DIR-823X routers, labeled CVE-2025-29635. It even reaches into the server world by targeting Jenkins and Hadoop YARN, proving that it doesn’t care if it’s hijacking a cheap IP camera or a powerful server as long as it can use that machine’s bandwidth. By the time it tries to exploit the Totolink X6000R via CVE-2024-1781 or an Apache CouchDB instance through CVE-2018-8007, it has already checked dozens of other doors, making it a highly efficient scavenger of digital vulnerabilities.
The evasion techniques used by this botnet have been described as exceptionally “paranoid.” Could you walk us through the specific methods it uses to sniff out a researcher’s lab and decide whether to self-destruct?
The level of self-awareness in RustDuck is truly chilling because it runs a comprehensive checklist before it ever reveals its true purpose. It scans the environment for tell-tale signs of a fight, looking for analysis tools like Wireshark or the gdb debugger, and it can even sense if it’s running inside a virtual machine or a honeypot trap. One of its most clever tricks involves reaching out to a specific internet address reserved for testing that should never actually respond; if it gets a reply, the malware knows it is trapped in a simulated network and immediately erases its traces. It even compares two different internal clocks to see if they are out of sync, a move designed to catch sandboxes that try to “fast-forward” time to force the malware to act. Every hit on this checklist adds to a risk score, and once that threshold is crossed, the malware simply quits, leaving the researcher with nothing but a dead end and a clean system.
Once a device is successfully infected, the malware has to communicate with its controllers to receive orders. How does RustDuck keep these communications hidden from modern network monitoring tools?
The developers have implemented a communication stack that looks more like something from a high-end encrypted messaging app than a simple botnet. They use modern ciphers like ChaCha20-Poly1305 for the initial handshake and AES-GCM for the actual command-and-control traffic, ensuring that even if we intercept the packets, we can’t see what’s inside. To make things even more difficult, they rotate their encryption keys every ten minutes using HKDF-SHA256 and a Curve25519 exchange, which is a level of cryptographic discipline that is rare in the botnet world. On top of that, they dress the connection up to look like ordinary, everyday web traffic, so it blends in perfectly with the millions of other encrypted requests leaving a network. It’s a surgical approach that allows the operators to quietly send orders to start a DDoS attack or switch to a new server without raising a single red flag.
While RustDuck is currently smaller than massive botnets like AISURU, it shares some DNA with other recent threats. How do you view its place in the current global landscape of denial-of-service attacks?
Even though RustDuck is relatively small compared to the AISURU cluster, which hijacked over three million devices to launch massive 30 Tbps attacks, its engineering suggests it is built for a similar trajectory. We’ve seen this pattern before, notably with RustoBot in April 2025, which also used Rust and targeted Totolink routers to build a DDoS engine. There is also a suspicious overlap in infrastructure; RustDuck’s most active delivery address, 176.65.139.204, sits in the same small IP block as a server used by another ADB-targeting botnet earlier in 2026. This tells me that while the botnet might be “tiny” today, it is part of a broader, more professionalized ecosystem where developers are sharing bulletproof hosting and refined techniques. It represents the “premium” end of the botnet market, where quality of code is being prioritized over sheer quantity of infected nodes.
For those managing network infrastructure or even just home users with a few connected devices, what are the most critical steps to take to ensure they don’t become a part of this botnet?
The most vital action is to stop treating your hardware like a “set it and forget it” appliance and start treating it like a front line in a war. You must get remote-management interfaces like Telnet, SSH, and the Android Debug Bridge off the public internet entirely; if they aren’t absolutely necessary, turn them off, and if they are, never leave them with a factory-default password. You also have to be ruthless about patching your software, whether it’s CouchDB or your home router, and if a manufacturer stops providing updates—like with the discontinued D-Link and Totolink models—you must replace that hardware immediately. There is no patch for the malware itself once it’s in, so defense is about closing the specific doors it uses to walk through. Finally, network administrators should proactively block the known file hashes and control domains linked to the “Duck” infrastructure to catch any attempted check-ins before they can escalate.
What is your forecast for the evolution of botnets like RustDuck?
I expect we are entering an era of “boutique” botnets that are harder to find but much more resilient once they take hold. We will likely see a surge in malware authors adopting Rust and Go to bypass traditional signature-based detection, and the “paranoid” evasion routines we see in RustDuck will become the standard baseline for any serious operation. As automated tools make it easier for attackers to find and exploit years-old vulnerabilities across millions of IoT devices, the frequency of massive DDoS attacks will increase, even as the botnets themselves become more fragmented and specialized. The cat-and-mouse game is shifting from a battle of scale to a battle of sophistication, and the defenders who fail to upgrade their monitoring and hardware will find themselves unknowingly fueling the next record-breaking digital flood.

