Researchers at QiAnXin's XLab identified RustDuck, a new two-stage botnet written in Rust that targets consumer routers, IP cameras, Android boxes, and exposed servers to launch distributed denial-of-service attacks. The threat actors behind RustDuck have been active since February 2026, according to tracking data.

RustDuck uses a multi-stage infection process. The malware first compromises vulnerable devices through weak credentials, unpatched firmware, or exposed management interfaces. Once infected, devices become part of a larger botnet infrastructure capable of generating massive traffic floods against websites and online services.

The botnet targets diverse device categories. Home routers running outdated firmware remain a primary vector. IP cameras with default or unchanged passwords present low-hanging fruit. Android boxes marketed for streaming often ship with minimal security controls. Servers running exposed SSH, Telnet, or web services without proper authentication further expand the attack surface.

RustDuck's implementation in Rust distinguishes it from predecessors written in C or C++. The language choice offers memory safety protections and cross-platform compatibility, potentially making variants deployable across different CPU architectures and operating systems.

QiAnXin's research highlights the botnet's rapid evolution rather than its current scale. The threat actors actively modify command-and-control infrastructure, update payloads, and adjust targeting strategies. This development velocity suggests ongoing investment in the malware and active operations.

Organizations and ISPs should prioritize firmware updates across networked devices. Disabling unused management protocols like Telnet reduces exposure. Strong authentication credentials on all internet-facing services remain essential. Network operators benefit from monitoring for suspicious outbound traffic patterns that could indicate botnet participation.
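One concrete form of the outbound monitoring recommended above, as an added example that is not part of the XLab report: a small Python pass over constructed NetFlow-style records that flags hosts whose traffic resembles botnet participation, either a packet flood toward one external target (DDoS contribution) or outbound Telnet/SSH connections to many distinct peers (propagation against the weak-credential services the article describes). The thresholds and sample records are assumptions chosen for illustration.

```python
# Added example (not from the XLab report): flag hosts whose outbound flow
# pattern resembles botnet participation, run over constructed flow records.
from collections import defaultdict

# Constructed NetFlow-style records: (src_ip, dst_ip, dst_port, packets)
SAMPLE_FLOWS = [
    ("192.168.1.20", "203.0.113.5", 443, 120),
    ("192.168.1.20", "203.0.113.5", 443, 90),
    ("192.168.1.31", "198.51.100.9", 80, 50000),   # flood toward one target
    ("192.168.1.31", "198.51.100.9", 80, 48000),
    ("192.168.1.44", "203.0.113.7", 23, 3),        # outbound Telnet sweep
    ("192.168.1.44", "203.0.113.8", 23, 3),
    ("192.168.1.44", "203.0.113.9", 23, 3),
    ("192.168.1.44", "203.0.113.10", 23, 3),
]

# Assumed thresholds; tune to the observed baseline of the network in question.
FLOOD_PACKET_THRESHOLD = 50_000      # packets per (src, dst) pair in the window
ADMIN_PORTS = {22, 23}               # SSH and Telnet
SWEEP_PEER_THRESHOLD = 3             # distinct peers contacted on admin ports


def find_suspicious_hosts(flows, flood_threshold=FLOOD_PACKET_THRESHOLD,
                          sweep_threshold=SWEEP_PEER_THRESHOLD):
    """Return {src_ip: [reasons]} for hosts showing flood or admin-port sweep behaviour."""
    packets_per_pair = defaultdict(int)   # (src, dst) -> total packets
    admin_peers = defaultdict(set)        # src -> set of dst contacted on admin ports
    for src, dst, port, pkts in flows:
        packets_per_pair[(src, dst)] += pkts
        if port in ADMIN_PORTS:
            admin_peers[src].add(dst)

    findings = defaultdict(list)
    for (src, dst), pkts in packets_per_pair.items():
        if pkts >= flood_threshold:
            findings[src].append(f"possible DDoS participation: {pkts} packets to {dst}")
    for src, peers in admin_peers.items():
        if len(peers) >= sweep_threshold:
            findings[src].append(f"outbound Telnet/SSH sweep: {len(peers)} distinct peers")
    return dict(findings)


if __name__ == "__main__":
    for host, reasons in find_suspicious_hosts(SAMPLE_FLOWS).items():
        print(host, "->", "; ".join(reasons))
```

In production the same two signals would be computed per time window from a flow collector's export, with the thresholds derived from each device class's normal outbound volume rather than the fixed values used here.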

Individual users need to change default passwords on routers and connected devices immediately. Enabling automatic security updates where available limits infection pathways. ISPs blocking