A newly discovered botnet called RustDuck is targeting internet-connected routers, IP cameras, Android TV boxes, and exposed servers to build a DDoS attack network.
Researchers at QiAnXin XLab have been tracking the malware since February 2026. While RustDuck is still relatively small, its rapid technical evolution makes it worth watching.
Unlike many existing IoT botnets, RustDuck is being rewritten from C to Rust. The malware also incorporates advanced anti-analysis techniques, encrypted command-and-control communications, and multiple infection methods, making it more difficult for researchers to analyse and disrupt.
RustDuck spreads by exploiting weak or default Telnet and SSH credentials, exposed Android Debug Bridge (ADB) services, and known vulnerabilities in routers, cameras, and enterprise software including ThinkPHP, Jenkins, Hadoop YARN, and Apache CouchDB.
For network operators, the malware highlights a familiar problem: internet-facing devices with weak credentials or unpatched vulnerabilities continue to provide attackers with a steady supply of systems for DDoS botnets.
Although RustDuck is not yet comparable to the largest botnets seen in recent years, it demonstrates the direction IoT malware is heading. Better evasion, stronger encryption, and faster development cycles are making botnets more resilient and harder to analyse.
To reduce exposure, organisations should remove unnecessary management services such as Telnet, SSH, and ADB from the public internet, replace end-of-life networking equipment, patch supported systems promptly, and monitor their networks for signs of compromised hosts.
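As a host-level starting point for the recommendation above, the following added example (not from the XLab research or the original article) parses `ss -ltn` output and flags Telnet, SSH, and ADB listeners bound to anything other than loopback. It assumes the services run on their default ports (23, 22, 5555) and uses a constructed sample socket table; a non-loopback listener may still be shielded by a firewall, so treat findings as candidates to review.

```python
import ipaddress
import subprocess

# Default ports for the services the article names; a service moved to a
# non-default port will not be caught (assumption of this example).
MGMT_PORTS = {22: "SSH", 23: "Telnet", 5555: "ADB"}

def exposed_listeners(ss_output):
    """Return sorted (service, address, port) for management listeners
    bound to anything other than a loopback address."""
    findings = set()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # header or non-listening socket
        addr, _, port = fields[3].rpartition(":")
        if not port.isdigit() or int(port) not in MGMT_PORTS:
            continue
        addr = addr.split("%")[0].strip("[]")  # drop %iface and brackets
        if addr != "*":  # "*" means every interface
            try:
                if ipaddress.ip_address(addr).is_loopback:
                    continue
            except ValueError:
                pass  # unparseable address: report rather than hide
        findings.add((MGMT_PORTS[int(port)], addr, int(port)))
    return sorted(findings)

# Constructed sample of `ss -ltn` output, not captured from a real host.
SAMPLE = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
LISTEN 0      128        127.0.0.1:5555      0.0.0.0:*
LISTEN 0      128             [::]:23           [::]:*
LISTEN 0      4096               *:5555            *:*
LISTEN 0      128            [::1]:22           [::]:*
LISTEN 0      128          0.0.0.0:443       0.0.0.0:*
"""

if __name__ == "__main__":
    try:  # use the live socket table where `ss` exists, else the sample
        out = subprocess.run(["ss", "-ltn"], capture_output=True,
                             text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        out = SAMPLE
    for service, addr, port in exposed_listeners(out):
        print(f"{service} listening on {addr}:{port} (not loopback-only)")
```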






