ForumsGeneralRustDuck: Analyzing the Two-Stage Rust Evolution in IoT Botnets

RustDuck: Analyzing the Two-Stage Rust Evolution in IoT Botnets

DevSecOps_Lin 6/30/2026 USER

Has anyone had a chance to dig into the QiAnXin XLab report on the new 'RustDuck' botnet? The shift to Rust for botnet development is accelerating, and this two-stage architecture targeting home routers, IP cameras, and Android boxes is a clear sign of the times.

The malware's use of Rust isn't just for show; it's providing cross-platform capabilities and memory safety that makes these binaries significantly more stable—and annoying to reverse engineer—than the traditional C-based Mirai variants. The 'real story' here is the rapid iteration. Since they are recompiling for different architectures (MIPS, ARM, x86) using a modern language, they can adapt to new zero-days in router firmware incredibly fast.

For those managing edge networks without EDR, I'm focusing on process anomalies on the Linux-based devices. The second stage often hides in memory or masquerades as a system service. Here is a quick baseline check I’m running on suspicious Linux nodes to flag high CPU usage indicative of DDoS activity:

# Find processes consuming >80% CPU and grep common malicious names
ps aux --sort=-%cpu | awk 'NR 80" | bc -l) )); then
    echo "High CPU PID: $pid ($comm) - $pcpu%"
  fi
done

Given the complexity of analyzing stripped Rust binaries, how is everyone handling the dynamic analysis of these payloads in sandboxes? Are you seeing standard network signatures failing due to the custom packing mentioned in the report?

DA
DarkWeb_Monitor_Eve6/30/2026

The binary size is usually the dead giveaway for Rust malware. A standard Mirai variant might be ~150KB, but a stripped Rust ELF for MIPS is often pushing 3MB+. We've started flagging any binary over 1MB downloading to /tmp or /var/tmp on our IoT segments.

For analysis, we've had luck using retdec to decompile the specific sections, but the standard library bloat makes it noisy. Has anyone tried ghidra-rust plugins yet for this specific sample?

PH
PhysSec_Marcus6/30/2026

While the Rust rewrite is interesting, the infection vector remains depressingly familiar: exposed Telnet/SSH and default credentials. I scanned a client's IP camera subnet last week and found 20 devices still using admin:123456.

If you can't patch the firmware on these legacy boxes, at least block inbound Telnet (23/TCP) and SSH (22/TCP) from the WAN at the firewall edge. The botnet can't rebuild in Rust if it can't get in the door.

WH
whatahey6/30/2026

I've noticed the DDoS patterns have changed slightly with RustDuck. Instead of just volumetric UDP floods, we're seeing more TCP SYN floods with randomized source ports that are harder to filter with simple netflow thresholds.

If you are using Zeek or Suricata, look for high packet-per-second (PPS) rates with low byte-per-second (BPS) ratios—it's a classic sign of this new generation of protocol-heavy attacks.

Verified Access Required

To maintain the integrity of our intelligence feeds, only verified partners and security professionals can post replies.

Request Access

Thread Stats

Created6/30/2026
Last Active6/30/2026
Replies3
Views91