RustDuck: A Rust-Based DDoS Botnet Quietly Building Out Since February
XLab researchers say the two-stage loader is iterating faster than its install base is growing — and that's the interesting part.

A Rust-written botnet tracked by QiAnXin's XLab as RustDuck has been pulling consumer routers, IP cameras, Android TV boxes, and exposed Linux servers into a DDoS swarm since at least February 2026.
The headline number isn't the install base. It's the iteration speed.
XLab analysts describe RustDuck as a two-stage family. A small loader handles initial foothold and persistence on whatever embedded box it lands on, then pulls a second-stage payload that handles command-and-control and the actual flood logic. The split keeps the on-disk footprint small on memory-constrained devices and lets the operators swap modules without re-seeding victims.
That modularity matters. Researchers say builds have shifted noticeably across the year, with new architectures added, new C2 protocols swapped in, and the Rust toolchain itself updated between samples. Capability is moving faster than scale.
Target selection looks familiar. Home routers with default or weak credentials. IP cameras exposed to the public internet. Android-based set-top boxes that never see a vendor patch. Internet-facing servers running outdated services. The TTPs overlap with what we've seen from Mirai descendants and the Gafgyt/Bashlite lineage for years, though RustDuck's choice of Rust over C is the obvious break.
Why Rust? A few reasons worth separating from hype. Cross-compilation to MIPS, ARM, and x86 is straightforward with cargo. Static linking produces self-contained binaries that survive on minimal embedded userlands. And — for now — Rust binaries trip fewer of the YARA rules and heuristics built around the decade of C-based IoT malware corpus. None of that makes the malware more sophisticated. It just makes triage slower.
The stated end goal is DDoS-for-hire, consistent with the broader booter/stresser ecosystem. XLab has not publicly tied RustDuck to a named cluster, and at this stage attribution should sit at low confidence. The codebase reuses some logic patterns seen in earlier Mirai forks, but shared lineage in IoT botnets is the rule, not the exception. Treat any overlap claims accordingly.
Defensive guidance is unglamorous and unchanged. Pull management interfaces off the public internet. Rotate default credentials on anything with a web UI. Patch what you can, and segment what you can't. For ISPs and hosters, egress anomaly detection on known DDoS reflection ports remains the cheapest win.
What to watch next: whether RustDuck's operators add credential-stuffing or n-day exploitation to the loader. Right now the spread looks opportunistic. If that changes, the growth curve will too.
XLab says it will publish IOCs and a sample hash set as the family stabilizes. We'll update when those land.



