
RustDuck Botnet: Detection and Hunting for Rust-Based IoT DDoS Malware

Security Arsenal Team
June 30, 2026

Introduction

Since February 2026, security researchers at QiAnXin's XLab have been tracking a sophisticated and rapidly evolving threat known as RustDuck. This is not just another run-of-the-mill script-kiddie botnet; it represents a significant escalation in attacker capability due to its underlying architecture. Written in Rust, a memory-safe language increasingly favored by sophisticated threat actors for its performance and cross-platform compilation features, RustDuck is actively hijacking home routers, IP cameras, Android set-top boxes, and poorly secured Linux servers.

The primary objective of this campaign is to stitch compromised devices into a massive network capable of launching volumetric DDoS attacks against websites and online services. For defenders, the shift to Rust poses new challenges: static analysis is more difficult, and the binaries are often highly optimized and obfuscated. If you manage Linux infrastructure or IoT fleets, you need to act now to determine whether your assets are being recruited into this criminal enterprise.

Technical Analysis

Affected Products and Platforms

RustDuck is a cross-platform threat targeting a wide spectrum of Linux-based environments:

  • Home/SOHO Routers: Various MIPS and ARM-based devices running embedded Linux.
  • IoT Devices: IP cameras and Android-based set-top boxes.
  • Servers: Generic Linux servers (x86_64) exposed to the internet with weak security configurations.

Vulnerability and Exploitation Status

While the specific CVEs exploited in the initial access vector were not disclosed in the XLab report, the infection vector is characteristic of IoT botnets:

  1. Brute Force: Exploiting weak or default credentials on SSH and Telnet services.
  2. Unpatched Services: Leveraging known command injection vulnerabilities in exposed web interfaces of routers and cameras.

Attack Chain

  1. Initial Access: The botnet scans for exposed services (SSH/Telnet/HTTP) and attempts brute-force login or exploits unpatched web interfaces.
  2. Stage 1 (Dropper): Upon gaining a shell, a malicious script (usually a Bash or POSIX shell script) is downloaded and executed. This dropper removes competitors by killing other malware processes and then downloads the main payload.
  3. Stage 2 (Rust Payload): The core malware, written in Rust, is downloaded. It is typically a statically linked ELF binary, ensuring it runs on diverse Linux architectures without library dependencies.
  4. C2 Communication: The binary establishes a connection to the Command and Control (C2) server to receive target lists for DDoS attacks and updates.
  5. DDoS Execution: The device awaits commands to launch traffic floods (likely UDP/TCP floods) against the designated targets.

Exploitation Status

  • Confirmed Active Exploitation: Yes, tracked in the wild since February 2026.
  • KEV Status: Not yet explicitly added to major catalogs (e.g., CISA KEV) at the time of writing, likely because the campaign relies on weak or default credentials rather than a single specific CVE.

Detection & Response

Detecting Rust-based malware on Linux and IoT devices requires identifying anomalies in process execution and file behavior. Since the binaries are often downloaded to temporary directories and executed, file creation and process lineage are key detection points.

SIGMA Rules

---
title: Potential RustDuck Botnet Infection - Linux Shell Spawning Binary in /tmp
id: 8a4b2c1d-9e3f-4a5b-8c6d-1e2f3a4b5c6d
status: experimental
description: Detects a shell process (sh/bash) spawning an executable from temporary directories (/tmp, /var/tmp, /dev/shm). This is a common TTP for botnet droppers including RustDuck.
references:
  - https://thehackernews.com/2026/06/rustduck-botnet-rebuilds-in-rust-to.html
author: Security Arsenal
date: 2026/06/18
tags:
  - attack.execution
  - attack.t1059.004
logsource:
  category: process_creation
  product: linux
detection:
  selection:
    ParentImage|endswith:
      - '/sh'
      - '/bash'
      - '/dash'
    Image|contains:
      - '/tmp/'
      - '/var/tmp/'
      - '/dev/shm/'
  condition: selection
falsepositives:
  - Legitimate software installations or updates
  - Administrative scripts using temp dirs
level: high
---
title: Potential RustDuck - Suspicious High Port Connection from Generic Process Name
id: 9b5c3d2e-0f4a-5b6c-9d7e-2f3a4b5c6d7e
status: experimental
description: Detects network connections initiated by processes with names mimicking system daemons (e.g., ksoftirqd) running from non-standard paths, or connections to non-standard high ports from unknown binaries. RustDuck often obscures its process name.
references:
  - https://thehackernews.com/2026/06/rustduck-botnet-rebuilds-in-rust-to.html
author: Security Arsenal
date: 2026/06/18
tags:
  - attack.command_and_control
  - attack.t1071
logsource:
  category: network_connection
  product: linux
detection:
  selection_generic:
    Image|endswith:
      - '/ksoftirqd'
      - '/kworker'
      - '/systemd'
  selection_port:
    DestinationPort|gte: 10000
  filter_standard_path:
    Image|startswith:
      - '/bin/'
      - '/sbin/'
      - '/usr/bin/'
      - '/usr/sbin/'
      - '/usr/lib/'
  condition: (selection_generic or selection_port) and not filter_standard_path
falsepositives:
  - Legitimate cloud agent daemons
  - Custom administrative utilities
level: medium

KQL (Microsoft Sentinel / Defender)

// Hunt for shell processes spawning executables in /tmp, /var/tmp or /dev/shm
Syslog
| where ProcessName in ("sh", "bash", "dash")
| extend ExecutedCommand = extract(@"exec\s+(\S+)", 1, SyslogMessage)
| where isnotempty(ExecutedCommand)
| where ExecutedCommand contains "/tmp/" or ExecutedCommand contains "/var/tmp/" or ExecutedCommand contains "/dev/shm/"
| project TimeGenerated, Computer, ProcessName, ExecutedCommand, SyslogMessage
| sort by TimeGenerated desc

// Hunt for outbound connections on high ports from binaries running out of temp directories
DeviceNetworkEvents
| where RemotePort >= 10000
| where InitiatingProcessFileName !in ("ssh", "apt", "yum", "dockerd", "nginx", "apache2")
| where InitiatingProcessFolderPath contains "/tmp/" or InitiatingProcessFolderPath contains "/var/tmp/" or InitiatingProcessFolderPath contains "/dev/shm/"
| summarize Connections = count(), Ports = make_set(RemotePort), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated)
    by DeviceName, InitiatingProcessFileName, InitiatingProcessFolderPath, RemoteIP
| sort by Connections desc

Velociraptor VQL

-- Hunt for processes running from /tmp, /var/tmp, or /dev/shm (=~ is a regex match in VQL,
-- so the pattern is anchored to the start of the path)
SELECT Pid, Name, Exe, CommandLine, Username, CreateTime
FROM pslist()
WHERE Exe =~ '^/(tmp|var/tmp|dev/shm)/'

-- Hunt for deleted executables still running in memory (a common botnet self-deletion trick;
-- the kernel appends " (deleted)" to the exe link of an unlinked binary)
SELECT Pid, Name, Exe, Username, CreateTime
FROM pslist()
WHERE Exe =~ '[(]deleted[)]$'
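
The three hunts above (execution from temp directories, kernel-thread names from untrusted paths, deleted-but-running binaries) consolidated into one host-side check, added here as an example and not part of the original page or XLab's analysis. It reads /proc directly, so it also runs on devices whose ps lacks an exe column; KERNEL_NAMES, TRUSTED_PREFIXES and SAMPLE_PROCS are assumptions and constructed data, not values from the report.

```python
import os
import re

# Locations the Sigma and VQL rules above treat as suspicious execution paths.
TEMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
# Names from the second Sigma rule; genuine kernel threads expose no /proc/PID/exe target.
KERNEL_NAMES = re.compile(r"^(ksoftirqd|kworker|kthreadd|systemd)(/.*)?$")
# Where the genuine binaries live; the same name running from anywhere else is suspect.
TRUSTED_PREFIXES = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/", "/usr/lib/", "/lib/")

SAMPLE_PROCS = [  # constructed sample records (not real telemetry), shaped like collect_procfs() output
    {"pid": "12", "name": "ksoftirqd/0", "exe": ""},                    # real kernel thread
    {"pid": "1", "name": "systemd", "exe": "/usr/lib/systemd/systemd"},
    {"pid": "811", "name": "sshd", "exe": "/usr/sbin/sshd"},
    {"pid": "4120", "name": "ksoftirqd", "exe": "/tmp/.x/ksoftirqd"},   # bot wearing a kernel name
    {"pid": "4150", "name": "systemd", "exe": "/dev/shm/systemd (deleted)"},
]


def classify(proc):
    """Return why a record looks like a bot implant; an empty list means it passed every check."""
    reasons = []
    exe, name = proc.get("exe", ""), proc.get("name", "")
    if exe.startswith(TEMP_DIRS):
        reasons.append("exec_from_temp_dir")
    if exe.endswith(" (deleted)"):  # binary unlinked after launch, as the VQL hunt looks for
        reasons.append("running_from_deleted_binary")
    # A userland process (it has an exe) wearing a kernel-thread name from an untrusted path.
    if KERNEL_NAMES.match(name) and exe and not exe.startswith(TRUSTED_PREFIXES):
        reasons.append("kernel_thread_name_masquerade")
    return reasons


def hunt(procs):
    """Map PID -> reasons for every record that trips at least one check."""
    return {p["pid"]: r for p in procs if (r := classify(p))}


def collect_procfs():
    """Build the same records from /proc on a live Linux host (root sees every exe link)."""
    procs = []
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{pid}/comm") as f:
                name = f.read().strip()
        except OSError:
            continue  # the process exited while we were reading it
        try:
            exe = os.readlink(f"/proc/{pid}/exe")
        except OSError:  # kernel threads have no target; other users' exe links need root
            exe = ""
        procs.append({"pid": pid, "name": name, "exe": exe})
    return procs
```

On a live host run `hunt(collect_procfs())` as root; `hunt(SAMPLE_PROCS)` flags only PIDs 4120 and 4150, while the genuine kernel thread and the real systemd pass.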

Remediation Script (Bash)

This script is designed to hunt for and neutralize common botnet artifacts associated with Rust-based threats like RustDuck on Linux servers.

#!/bin/bash

# Security Arsenal - RustDuck Response Script
# Run with root privileges

echo "[*] Starting RustDuck Botnet Hunt and Remediation..."

# 1. Identify and kill suspicious processes running from /tmp, /var/tmp or /dev/shm.
#    /proc is walked directly because "ps -o exe" is not available on busybox-based IoT devices.
SUSP_PIDS=""
for pidpath in /proc/[0-9]*; do
    pid=${pidpath#/proc/}
    exe=$(readlink "$pidpath/exe" 2>/dev/null) || continue   # kernel threads have no exe link
    case "$exe" in
        /tmp/*|/var/tmp/*|/dev/shm/*)
            echo "[!] PID $pid runs from $exe"
            SUSP_PIDS="$SUSP_PIDS $pid"
            ;;
    esac
done

if [ -n "$SUSP_PIDS" ]; then
    echo "[!] Found suspicious processes. Killing PIDs:$SUSP_PIDS"
    # shellcheck disable=SC2086  # word splitting of the PID list is intended
    kill -9 $SUSP_PIDS
else
    echo "[+] No suspicious processes found in temp directories."
fi

# 2. Check for common botnet cron jobs (persistence) in every crontab location.
#    Findings are written under /root, not /tmp, which is the very directory being hunted.
echo "[*] Checking for suspicious cron jobs..."
REPORT="/root/rustduck_cron_$$.txt"
{
    crontab -l 2>/dev/null
    cat /etc/crontab /etc/cron.d/* /var/spool/cron/* /var/spool/cron/crontabs/* 2>/dev/null
} | grep -E '(wget|curl|tftp|bash|sh).*(http|ftp|/tmp/|/dev/shm/)' > "$REPORT"
if [ -s "$REPORT" ]; then
    echo "[!] Suspicious cron entries found:"
    cat "$REPORT"
    # Warning: clearing the root crontab is aggressive and covers only one of the locations above.
    # crontab -r
    echo "[!] Please review $REPORT and remove malicious entries manually."
else
    echo "[+] No obvious malicious cron jobs detected."
    rm -f "$REPORT"
fi

# 3. Network hygiene - list established outbound connections on high ports for review.
#    ("ss -l" only shows listening sockets; "state established" shows the live C2-style sessions.)
echo "[*] Established connections to peer ports above 1024 (peer, owning process):"
ss -tnp state established 2>/dev/null | awk 'NR > 1 { n = split($4, a, ":"); if (a[n] + 0 > 1024) print $4, $5 }'

echo "[*] Remediation complete."

Remediation

To defend against RustDuck and similar IoT-focused botnets, immediate and long-term actions are required:

  1. Credential Hygiene: Immediately change default credentials on all routers, IP cameras, and IoT devices. Enforce strong, unique passwords for SSH access on Linux servers. Implement SSH key-based authentication and disable password authentication where possible.

  2. Network Segmentation: Isolate IoT devices on a separate VLAN (Guest Network). They should not have unrestricted access to the internal LAN or the ability to initiate connections to the internet on arbitrary ports unless necessary.

  3. Disable Unused Services: Ensure Telnet is disabled on all devices. Use SSHv2 only. If a web interface is not required for daily operations, block access to it from the internet via firewall ACLs.

  4. Firmware Updates: Check for firmware updates for routers and cameras. Vendors often patch the vulnerabilities used by bots like RustDuck in newer releases.

  5. Firewall Egress Filtering: Configure firewalls to block outbound traffic from IoT devices and servers to known non-business IP ranges, specifically limiting traffic on high ports that are not required for device functionality.
