
RustDuck Botnet, AsyncRAT Sideloading & Gamaredon GammaWorm: OTX Pulse Analysis — Enterprise Detection Pack

Security Arsenal Team
July 2, 2026
5 min read

Recent intelligence from the OTX community indicates a convergence of high-risk activity spanning state-sponsored espionage, financially motivated malware distribution, and infrastructure abuse.

RustDuck: A new, rapidly evolving IoT botnet written in Rust has been active since February 2026. It employs a Loader + Core architecture to conduct large-scale DDoS attacks. Its propagation relies heavily on exploiting known vulnerabilities in IoT devices (e.g., CVE-2017-17215, CVE-2018-8007) and weak password brute-forcing.

AsyncRAT Campaign: A large campaign is distributing Remote Access Trojans (RATs) through typosquatted domains that mimic popular software download sites (OBS Studio, VLC, Bandicam). The attackers use DLL sideloading: a legitimate Microsoft-signed install.exe is shipped next to a malicious install.res.1033.dll, so the signed binary loads the attacker's DLL and AsyncRAT runs under a trusted parent.

Gamaredon Group (FSB): The Russian APT group "Gamaredon" continues its aggressive targeting of Ukrainian entities. Its 2026 infection chain uses HTML smuggling via weaponized xHTML files to deploy GammaWorm and GammaLoad. Persistence comes from HTA files planted in the Windows Startup folder; command and control runs over Cloudflare tunnels (trycloudflare.com) and compromised infrastructure in government and defense networks.

Threat Actor / Malware Profile

RustDuck

  • Type: IoT Botnet / DDoS
  • Origin: Unknown
  • Distribution: Exploits CVE-2017-17215, CVE-2018-8007, CVE-2024-1781, CVE-2025-29635; weak password brute-forcing.
  • Behavior: Cross-platform (Rust language), encrypted C2 communications, two-stage loader.
  • Objective: Large-scale DDoS attacks.

AsyncRAT (ScreenConnect Campaign)

  • Type: Remote Access Trojan
  • Distribution: SEO poisoning, typosquatting (e.g., vlc-player.net, corel-draw.net), fake software installers.
  • Behavior: DLL sideloading (install.exe loads install.res.1033.dll), process hollowing, PowerShell loader.
  • Objective: Remote control, data theft, likely initial access broker activity.

Gamaredon (GammaWorm/GammaPhish)

  • Type: Cyberespionage (APT)
  • Attribution: Russia's FSB
  • Targeting: Ukrainian Government, Defense, Critical Infrastructure.
  • Distribution: Spear-phishing with HTML smuggling; the weaponized xHTML files drop RAR archives that abuse the WinRAR path-traversal flaw CVE-2025-8088, so extraction writes files outside the directory the user chose.
  • Behavior: The archive plants HTA files in the Windows Startup folder for persistence; C2 goes through supabase.co and Cloudflare tunnels (trycloudflare.com).

IOC Analysis

The provided IOCs highlight a diverse attack surface:

  • Domains: A mix of typosquatted software download sites (AsyncRAT) and dynamic DNS hostnames under duckdns.org (RustDuck). Block the specific hostnames at the DNS layer. The duckdns.org, trycloudflare.com and supabase.co apexes are shared services with legitimate users, so block a whole apex only where policy already permits it and otherwise alert on resolutions to it.
  • File Hashes: MD5 and SHA256 hashes are available for the RustDuck core and the Gamaredon payloads. Add them to EDR blocklists, and match each hash with the algorithm it was published in (an MD5 value will never match a SHA256 computation).
  • CVEs: Legacy CVEs (2017, 2018) are still exploited by RustDuck alongside 2024 and 2025 vulnerabilities, so patch management has to cover old, unpatched IoT firmware, not only "recent" updates.
  • Network Infrastructure: IPs such as 185.254.97.249 and tunnel endpoints (trycloudflare.com) indicate C2 hidden inside TLS to shared infrastructure. The destination IP alone is not a reliable signal; visibility comes from DNS query logs, TLS SNI, or TLS inspection where it is deployed.
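To turn the IOC list above into something a resolver or firewall can consume without collateral damage, here is an added Python example (not from the OTX pulse and not Security Arsenal's code) that classifies each indicator by type and decides whether it is safe to sinkhole at DNS. The indicator set is constructed from the values quoted on this page plus one hypothetical DuckDNS hostname, rustduck-c2.duckdns.org, included only to show the subdomain case; the shared apexes (duckdns.org, trycloudflare.com, supabase.co) are routed to monitoring rather than blocking.

```python
import ipaddress
import re

# Constructed indicator set: values quoted on this page plus one hypothetical
# DuckDNS hostname (rustduck-c2.duckdns.org) used only to exercise the
# subdomain branch. This is not the full OTX IOC list.
PULSE_INDICATORS = [
    "vlc-player.net", "km-player.com", "corel-draw.net",
    "defender-control.com", "processhacker.net",
    "rustduck-c2.duckdns.org",          # hypothetical, for illustration
    "trycloudflare.com", "supabase.co",
    "185.254.97.249",
    "b519ae088ee0fd4658c16aab474d51c6acdc5c9cd7fab3fd69032d05a45ffd9b",
    "1794369214b7f62e70a0485e61335c61",
    "8e1624d110c090ff57d4b493a9107c66",
]

# Apex domains of shared services. Sinkholing the apex breaks legitimate users,
# so only specific hostnames beneath them are blocked; the apex itself is
# routed to a monitoring list.
SHARED_APEXES = {"duckdns.org", "trycloudflare.com", "supabase.co"}

HEX = re.compile(r"^[0-9a-f]+$")


def classify(ioc):
    """Return (kind, detail, action) for one indicator string.

    kind   : 'hash' | 'ip' | 'domain'
    detail : hash algorithm, or the domain class
    action : where the indicator belongs (edr_block, firewall_block,
             dns_block, monitor)
    """
    ioc = ioc.strip().lower()
    # Hashes: hex strings of a known digest length. The algorithm is inferred
    # from the length so each value is matched with the right digest later.
    if HEX.match(ioc) and len(ioc) in (32, 40, 64):
        algo = {32: "md5", 40: "sha1", 64: "sha256"}[len(ioc)]
        return ("hash", algo, "edr_block")
    # IP addresses go to the perimeter, not to DNS.
    try:
        ipaddress.ip_address(ioc)
        return ("ip", None, "firewall_block")
    except ValueError:
        pass
    # Domains: last two labels are treated as the apex, which is enough for
    # the apexes in SHARED_APEXES (a public-suffix list would be needed for
    # multi-label TLDs such as .co.uk).
    labels = ioc.split(".")
    apex = ".".join(labels[-2:])
    if ioc in SHARED_APEXES:
        return ("domain", "shared_apex", "monitor")
    if apex in SHARED_APEXES:
        return ("domain", "shared_subdomain", "dns_block")
    return ("domain", "dedicated", "dns_block")


def build_rpz(iocs):
    """RPZ-style sinkhole lines for every indicator that is safe to block at DNS."""
    return [f"{ioc.strip().lower()} CNAME ." for ioc in iocs
            if classify(ioc)[2] == "dns_block"]


def monitor_list(iocs):
    """Shared-service apexes that should raise an alert instead of being blocked."""
    return [ioc for ioc in iocs if classify(ioc)[2] == "monitor"]


if __name__ == "__main__":
    for ioc in PULSE_INDICATORS:
        print(f"{ioc:70} {classify(ioc)}")
    print("\n".join(build_rpz(PULSE_INDICATORS)))
```

The `monitor` bucket is the point of the example: a resolver rule that sinkholes `duckdns.org` or `trycloudflare.com` outright will break home NAS access and legitimate developer tunnels, whereas alerting on those resolutions from servers and non-browser processes keeps the signal without the outage.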

Detection Engineering

```yaml
title: Potential Malicious DLL Sideloading via Install Binaries
id: b2a3e1d4-7f9c-4a8b-9d5e-1f2a3b4c5d6e
description: Detects a signed installer named install.exe loading install.res.1033.dll, the sideloading pair used in the AsyncRAT campaign. Tune on the load path; the malicious pair runs from user-writable locations such as Downloads or Temp, and the DLL is unsigned.
status: experimental
date: 2026-07-02
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/6658f9e2b1e0e1f2c3d4e5f6
tags:
    - attack.defense_evasion
    - attack.t1574.002
logsource:
    category: image_load
    product: windows
detection:
    selection:
        Image|endswith: '\install.exe'
        ImageLoaded|endswith: '\install.res.1033.dll'
    condition: selection
falsepositives:
    - Legitimate installers that ship a resource DLL of the same name (rare outside vendor directories; check the DLL signature before closing)
level: high
```
```yaml
title: Suspicious HTA File Creation in Startup Folder
id: c3b4f2e1-8a0d-5b9c-e6f2-2a3b4c5d6e7f
description: Detects creation of HTA files in a Windows Startup folder, the persistence used by Gamaredon GammaWorm. The writing process is a useful pivot; an archiver such as WinRAR writing here is consistent with the CVE-2025-8088 path-traversal chain.
status: experimental
date: 2026-07-02
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/6658f9e2b1e0e1f2c3d4e5f7
tags:
    - attack.persistence
    - attack.t1547.001
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|contains: '\Microsoft\Windows\Start Menu\Programs\Startup\'
        TargetFilename|endswith: '.hta'
    condition: selection
falsepositives:
    - Administrative scripts deployed to Startup folders (verify against change records)
level: critical
```
```yaml
title: Network Connection to DuckDNS C2 Infrastructure
id: d4c5g3f2-9b1e-6c0d-f7e3-3b4c5d6e7f8a
description: Detects non-browser processes on Windows endpoints connecting to DuckDNS hostnames, dynamic DNS infrastructure used by botnets such as RustDuck for C2. RustDuck bots themselves are IoT devices, so this rule covers Windows hosts only; for the IoT segment, apply the same hostname match to DNS resolver logs.
status: experimental
date: 2026-07-02
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/6658f9e2b1e0e1f2c3d4e5f5
tags:
    - attack.command_and_control
    - attack.t1071.001
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        DestinationHostname|endswith: '.duckdns.org'
    filter_browsers:
        Image|endswith:
            - '\chrome.exe'
            - '\msedge.exe'
            - '\firefox.exe'
    condition: selection and not filter_browsers
falsepositives:
    - Legitimate personal use of DuckDNS (home NAS, remote desktop); review the initiating process and user
level: medium
```


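Each of the three rules above keys on a single string. The added Python example below (not part of the OTX pulse and not Security Arsenal's rule set) runs the same three checks over constructed Sysmon-style events and generalises the sideloading rule: rather than matching only install.exe and install.res.1033.dll, it flags any image that loads an unsigned DLL from its own directory when that directory is user-writable, which is the property the AsyncRAT pair actually depends on. Every path, hostname and process name in the sample events is constructed for illustration.

```python
import ntpath

# Constructed Sysmon-style events, keyed like the Sigma fields above.
# Paths, hostnames and process names are illustrative, not captured data.
EVENTS = [
    # 1: signed installer in Downloads loading an unsigned DLL from the same folder
    {"EventID": 7, "Image": r"C:\Users\bob\Downloads\OBS-Setup\install.exe",
     "ImageLoaded": r"C:\Users\bob\Downloads\OBS-Setup\install.res.1033.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    # 2: same DLL name, but loaded from a vendor directory and signed
    {"EventID": 7, "Image": r"C:\Program Files\Vendor\install.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\install.res.1033.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    # 3: archiver writing an HTA into a user's Startup folder
    {"EventID": 11, "Image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "TargetFilename": r"C:\Users\bob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.hta"},
    # 4: browser talking to a DuckDNS host (filtered, as in the Sigma rule)
    {"EventID": 3, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "DestinationHostname": "home-nas.duckdns.org"},
    # 5: unknown binary in Temp talking to a DuckDNS host
    {"EventID": 3, "Image": r"C:\Users\bob\AppData\Local\Temp\svc.exe",
     "DestinationHostname": "example-c2.duckdns.org"},
]

# Directory fragments that ordinary users can write to (lower-case, backslash-delimited).
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\")
STARTUP_FRAGMENT = "\\microsoft\\windows\\start menu\\programs\\startup\\"
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}


def sideload_alert(ev):
    """Generalised sideload check: the image loads an unsigned DLL from its own
    directory, and that directory is one a user can write to."""
    if ev.get("EventID") != 7:
        return None
    image, dll = ev["Image"].lower(), ev["ImageLoaded"].lower()
    dll_dir = ntpath.dirname(dll)
    same_dir = ntpath.dirname(image) == dll_dir
    writable = any(frag in dll_dir + "\\" for frag in USER_WRITABLE)
    unsigned = ev.get("Signed", "").lower() != "true"
    if same_dir and writable and unsigned:
        return ("dll_sideload", ntpath.basename(image), ntpath.basename(dll))
    return None


def startup_hta_alert(ev):
    """HTA written into any Startup folder (the Gamaredon persistence path)."""
    if ev.get("EventID") != 11:
        return None
    target = ev["TargetFilename"].lower()
    if STARTUP_FRAGMENT in target and target.endswith(".hta"):
        return ("startup_hta", ntpath.basename(ev["Image"]), ev["TargetFilename"])
    return None


def ddns_alert(ev):
    """Non-browser process connecting to a DuckDNS hostname."""
    if ev.get("EventID") != 3:
        return None
    host = ev.get("DestinationHostname", "").lower()
    proc = ntpath.basename(ev["Image"]).lower()
    if host.endswith(".duckdns.org") and proc not in BROWSERS:
        return ("ddns_c2", proc, host)
    return None


def run_detections(events):
    """Apply all three checks to every event and collect the hits in order."""
    alerts = []
    for ev in events:
        for check in (sideload_alert, startup_hta_alert, ddns_alert):
            hit = check(ev)
            if hit:
                alerts.append(hit)
    return alerts


if __name__ == "__main__":
    for alert in run_detections(EVENTS):
        print(alert)
```

Event 2 is the false-positive case the Sigma rule's `falsepositives` entry describes: the same DLL name from a vendor directory with a valid signature produces no alert, so the generalised check is both broader (any DLL name) and quieter (signed loads from Program Files are ignored) than the literal filename match.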
```kql
// Hunt for typosquatted domains and C2 infrastructure over the last 7 days.
// duckdns.org, trycloudflare.com and supabase.co are shared services: expect
// legitimate hits there and pivot on the initiating process rather than blocking.
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl has_any ("vlc-player.net", "km-player.com", "corel-draw.net", "defender-control.com", "processhacker.net", "duckdns.org", "trycloudflare.com", "supabase.co")
    or RemoteIP == "185.254.97.249"
| project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessFolderPath, RemoteUrl, RemoteIP, RemotePort
| order by Timestamp desc
```

```powershell
# IOC Hunter for Gamaredon and RustDuck Hashes
# Hashes are kept per algorithm: the RustDuck indicator is SHA256, the Gamaredon ones are MD5,
# so each file is compared with the digest its indicator was published in.
$TargetSha256 = @(
    "b519ae088ee0fd4658c16aab474d51c6acdc5c9cd7fab3fd69032d05a45ffd9b"   # RustDuck SHA256
)
$TargetMd5 = @(
    "1794369214b7f62e70a0485e61335c61",  # Gamaredon MD5
    "8e1624d110c090ff57d4b493a9107c66"   # Gamaredon MD5
)

Write-Host "[+] Scanning for specific malware hashes..."

# Scan C:\ (adjust as needed; a full-drive hash pass is slow, so start with user-writable paths).
# -File skips directories, which Get-FileHash cannot hash; -contains is case-insensitive,
# so the upper-case hex Get-FileHash returns matches the lower-case indicators.
Get-ChildItem -Path C:\ -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Length -gt 0 } |
    ForEach-Object {
        $sha = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
        if ($sha -and $TargetSha256 -contains $sha) {
            Write-Host "[!] MALWARE FOUND (SHA256): $($_.FullName)" -ForegroundColor Red
            return
        }
        $md5 = (Get-FileHash -LiteralPath $_.FullName -Algorithm MD5 -ErrorAction SilentlyContinue).Hash
        if ($md5 -and $TargetMd5 -contains $md5) {
            Write-Host "[!] MALWARE FOUND (MD5): $($_.FullName)" -ForegroundColor Red
        }
    }

# Check Startup folders for suspicious HTA files (Gamaredon persistence).
# Covers the all-users folder and every local profile, not just the account running the script.
Write-Host "[+] Checking Startup folders for HTA persistence..."
$StartupPaths = @("$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup")
$StartupPaths += Get-ChildItem -Path "$env:SystemDrive\Users" -Directory -ErrorAction SilentlyContinue |
    ForEach-Object { Join-Path $_.FullName "AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup" }
foreach ($path in $StartupPaths) {
    if (Test-Path -LiteralPath $path) {
        Get-ChildItem -LiteralPath $path -Filter "*.hta" -File -ErrorAction SilentlyContinue | ForEach-Object {
            Write-Host "[!] SUSPICIOUS FILE: $($_.FullName)" -ForegroundColor Yellow
        }
    }
}
```

Response Priorities

  • Immediate: Block the typosquatted domains and the specific DuckDNS hostnames from the IOC list at the perimeter. Hunt for the published file hashes across endpoints, matching each with the algorithm it was published in.
  • 24h: If AsyncRAT activity is suspected, reset credentials for affected accounts and review process-creation and image-load telemetry for process hollowing artifacts (a process whose in-memory image no longer matches its on-disk file). Investigate any HTA files in Startup folders and tie them back to the Gamaredon phishing mail and RAR archive that delivered them.
  • 1 week: Run a vulnerability scan against IoT devices for CVE-2017-17215, CVE-2018-8007, CVE-2024-1781 and CVE-2025-29635. Add application control rules that deny unsigned DLLs loading from user-writable directories next to signed installers, which removes the sideloading primitive rather than chasing individual DLL names.
