
RustDuck Rewrites Core in Rust with Anti-Analysis Checks Targeting Router CVEs
RustDuck is actively migrating its payload to Rust to evade analysis while reusing known router and server vulnerabilities for DDoS recruitment. The malware's environment checks and modern crypto distinguish it from prior Mirai derivatives. Continued exploitation of unpatched devices will sustain the botnet absent coordinated patching campaigns.
QiAnXin XLab has observed RustDuck since February 2026 across more than twenty C2 addresses, with the busiest at 176.65.139[.]204. The loader decrypts a Rust-compiled module that performs environment scoring before any C2 contact; points accumulate from debugger attachment, virtual hardware signatures, and an unreachable test-net probe that should never respond in production networks. Crossing the threshold triggers self-deletion. This is not a leaked Mirai reskin but active engineering that hardens against both automated sandboxes and manual reverse engineering.
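As an added example (not code from XLab's report), one way a defender can hunt for the pre-C2 test-net probe described above: a Python check over constructed flow records that flags internal hosts attempting connections to the RFC 5737/RFC 3849 documentation ranges, which have no legitimate destination in a production network. The record format and the assumption that the probe targets those ranges are mine; the report does not name the address the loader uses.

```python
import ipaddress
from collections import defaultdict

# Documentation/test ranges (RFC 5737 TEST-NET-1/2/3 and the RFC 3849 IPv6 prefix).
# Assumption: the loader's "unreachable test-net probe" targets one of these.
TEST_NETS = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("2001:db8::/32"),
]

# Constructed sample flow records: "<timestamp> <src_ip> <dst_ip> <dst_port> <proto>".
SAMPLE_FLOWS = """\
2026-03-02T10:14:07Z 10.0.0.23 203.0.113.9 80 tcp
2026-03-02T10:14:09Z 10.0.0.41 142.250.74.46 443 tcp
2026-03-02T10:14:12Z 10.0.0.23 8.8.8.8 53 udp
2026-03-02T10:15:30Z 10.0.0.77 2001:db8::1 8080 tcp
2026-03-02T10:15:31Z 10.0.0.77 198.51.100.200 8080 tcp
"""


def is_test_net(addr: str) -> bool:
    """True if addr falls in a documentation/test range (IPv4 or IPv6)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in TEST_NETS)


def parse_flow(line: str) -> dict:
    """Split one whitespace-separated flow record into its fields."""
    ts, src, dst, dport, proto = line.split()
    return {"ts": ts, "src": src, "dst": dst, "dport": int(dport), "proto": proto}


def find_test_net_probes(flow_text: str) -> dict:
    """Map each source host that probed a test-net address to its probe attempts.

    A host appearing here warrants triage: check for a short-lived process that
    made the probe and whether its binary has since been deleted from disk.
    """
    hits = defaultdict(list)
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        rec = parse_flow(line)
        if is_test_net(rec["dst"]):
            hits[rec["src"]].append((rec["ts"], rec["dst"], rec["dport"]))
    return dict(hits)


if __name__ == "__main__":
    for host, probes in find_test_net_probes(SAMPLE_FLOWS).items():
        print(f"{host}: {len(probes)} test-net probe(s), first at {probes[0][0]}")
```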
The shift to Rust coincides with expanded targeting of ThinkPHP, Jenkins, and Apache CouchDB alongside legacy device flaws that remain unpatched years later. CISA added CVE-2025-29635 to its Known Exploited Vulnerabilities catalog in April 2026 after Akamai observed Mirai variants using the same D-Link vector. RustDuck's pattern shows operators prioritizing stealth and maintainability over rapid scale, a departure from earlier C-based families that collapsed once researchers obtained samples.
Operational risk centers on home and small-office routers that form the bulk of always-on bandwidth. Once enrolled, devices receive DDoS commands that blend into normal TLS traffic. Without firmware updates or network segmentation, these nodes will continue feeding volumetric attacks while owners remain unaware.
Next indicators to watch are new Rust samples on VirusTotal and fresh contract awards for router firmware security audits; sustained development suggests the operators intend to iterate rather than abandon the platform.
XLab: RustDuck C2 infrastructure will add at least three new Rust samples per month through September 2026.
Sources (3)
- [1] QiAnXin XLab RustDuck Tracking Report (https://xlab.qianxin.com/rustduck-2026)
- [2] Akamai Mirai Variant Analysis, March 2026 (https://akamai.com/blog/security/mirai-dlink-2026)
- [3] CISA Known Exploited Vulnerabilities Catalog (https://cisa.gov/kev)