RustDuck
Malware family tracked by Mallory; exploits 4 CVEs.


EXPLOITED CVES

Vulnerabilities exploited

4 CVEs Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.

CVE-2017-17215: Remote Code Execution in Huawei HG532 SOAP Service
CVE-2024-1781: Command Injection in TOTOLINK X6000R AX3000 setWizardCfg
CVE-2025-29635: Command Injection in D-Link DIR-823X /goform/set_prohibiting
CVE-2018-8007: Privilege Escalation and RCE via HTTP API in Apache CouchDB

Source excerpt attached to all four rows (via The Hacker News, thehackernews.com): "A new two-stage malware family called RustDuck is hijacking home routers, IP cameras, Android boxes, and poorly secured servers, then stitching them into a network built to knock websites and online services offline."
MITRE ATT&CK

Techniques & procedures

10 distinct techniques documented for this family, organized by ATT&CK tactic (12 listings in total, because ATT&CK maps T1497 and T1622 to two tactics each).

Initial Access

1 technique
T1190 Exploit Public-Facing Application (1 evidence item)

The second is unpatched device bugs... RustDuck goes after exposed Android debugging interfaces and flaws in gear from TVT (DVRs and cameras), Ruijie, TP-Link, and ZTE, plus a handful of named, years-old vulnerabilities... The third path is web software. RustDuck also targets known holes in ThinkPHP, Jenkins, and Hadoop YARN

Execution

1 technique
T1059 Command and Scripting Interpreter (1 evidence item)

CVE-2025-29635, a command-injection flaw in discontinued D-Link DIR-823X routers... CVE-2024-1781, a command-injection bug in Totolink X6000R routers

Defense Evasion

3 techniques
T1070 Indicator Removal (1 evidence item)

Cross a threshold, and the malware erases its traces and quits before anyone can watch it run.

T1497 Virtualization/Sandbox Evasion (1 evidence item)

Before doing anything, RustDuck runs a checklist to decide whether it has landed in a security researcher's lab instead of on a real victim's device. It looks for analysis tools like Wireshark and gdb, for debuggers attached to its own process, for the fingerprints of a honeypot trap, even for virtual-machine hardware.

T1622 Debugger Evasion (1 evidence item)

It looks for analysis tools like Wireshark and gdb, for debuggers attached to its own process... Each hit adds points to a risk score. Cross a threshold, and the malware erases its traces and quits before anyone can watch it run.

Credential Access

1 technique
T1110 Brute Force (1 evidence item)

The first is the oldest in the book: devices left on the internet with weak or default passwords on their remote-login services (Telnet and SSH). Guess the password, walk in.

Discovery

2 techniques
T1497 Virtualization/Sandbox Evasion (1 evidence item)

Evidence: the same excerpt as listed for this technique above; ATT&CK maps T1497 to both Defense Evasion and Discovery.

T1622 Debugger Evasion (1 evidence item)

Evidence: the same excerpt as listed for this technique above; ATT&CK maps T1622 to both Defense Evasion and Discovery.
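The scoring checklist described for T1497 and T1622 (listed under Discovery here and under the earlier tactic as well), reproduced as an added example so a sandbox operator can see which host signals such a checklist can read from an unmodified Linux box. This is illustration code written for this page, not RustDuck's own: the tool list, the DMI marker strings, the weights and the threshold are assumptions, and the honeypot check is left as a caller-supplied flag because the write-up does not say which fingerprints are tested.

```python
"""Weighted analysis-environment check of the kind the RustDuck write-up describes.

Added illustration, not RustDuck's own code: the probe list, the weights and the
threshold are assumptions chosen to make the scoring visible, not values
recovered from the malware.
"""
import os
import re
from dataclasses import dataclass

# Assumed names of analysis tools the checklist looks for (the write-up names Wireshark and gdb).
ANALYSIS_TOOLS = frozenset({"wireshark", "tshark", "gdb", "strace", "ltrace", "lldb"})
# Assumed substrings in DMI strings that identify hypervisor hardware.
VM_MARKERS = ("virtualbox", "vmware", "qemu", "kvm", "xen", "hyper-v", "bochs", "parallels")
# Assumed weights and threshold; the write-up gives only the scoring idea.
WEIGHTS = {"debugger": 50, "tool": 20, "vm": 25, "honeypot": 40}
BAIL_THRESHOLD = 60


@dataclass(frozen=True)
class Observations:
    tracer_pid: int            # TracerPid from /proc/self/status; non-zero means ptrace is attached
    running_tools: frozenset   # analysis tools found among /proc/*/comm
    vm_hardware: bool          # a DMI product/vendor string names a hypervisor
    honeypot_hint: bool        # write-up gives no specifics; supplied by the caller


def read_tracer_pid(status_text: str) -> int:
    """Parse the TracerPid line of a /proc/<pid>/status body (0 when nobody is tracing)."""
    m = re.search(r"^TracerPid:\s*(\d+)\s*$", status_text, re.MULTILINE)
    return int(m.group(1)) if m else 0


def find_tools(comm_names) -> frozenset:
    """Return the subset of process names that are on the analysis-tool list."""
    return frozenset(n.strip().lower() for n in comm_names) & ANALYSIS_TOOLS


def is_vm_string(dmi_text: str) -> bool:
    """True when a DMI product or vendor string contains a hypervisor marker."""
    text = dmi_text.strip().lower()
    return any(marker in text for marker in VM_MARKERS)


def risk_score(obs: Observations) -> int:
    """Each hit adds points; no single signal is conclusive on its own."""
    score = 0
    if obs.tracer_pid != 0:
        score += WEIGHTS["debugger"]
    score += WEIGHTS["tool"] * len(obs.running_tools)
    if obs.vm_hardware:
        score += WEIGHTS["vm"]
    if obs.honeypot_hint:
        score += WEIGHTS["honeypot"]
    return score


def should_bail(obs: Observations) -> bool:
    """Crossing the threshold is where the described sample wipes its traces and exits."""
    return risk_score(obs) >= BAIL_THRESHOLD


def _read(path: str) -> str:
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            return fh.read()
    except OSError:
        return ""


def collect(honeypot_hint: bool = False) -> Observations:
    """Gather the real signals from /proc and /sys on Linux; elsewhere every probe reads empty."""
    tracer = read_tracer_pid(_read("/proc/self/status"))
    comms = ([_read(f"/proc/{pid}/comm") for pid in os.listdir("/proc") if pid.isdigit()]
             if os.path.isdir("/proc") else [])
    vm = any(is_vm_string(_read(p)) for p in
             ("/sys/class/dmi/id/product_name", "/sys/class/dmi/id/sys_vendor"))
    return Observations(tracer, find_tools(comms), vm, honeypot_hint)


if __name__ == "__main__":
    here = collect()
    print(f"score={risk_score(here)} bail={should_bail(here)} {here}")
```

Run it inside the sandbox image itself: a non-zero TracerPid, a visible gdb or tshark process and a VirtualBox or QEMU DMI string each add points, and a score at or above the threshold is the point where the described sample would erase itself rather than detonate. Hiding those three signals (renaming tool processes, patching DMI strings, attaching tracing only after the first network call) is the practical takeaway for analysts.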

Command and Control

3 techniques
T1071 Application Layer Protocol (1 evidence item)

It derives its keys with HKDF-SHA256 and a Curve25519 exchange, rotates them every ten minutes, and dresses the connection up to look like ordinary encrypted web traffic so it blends in.
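The key schedule named in the T1071 excerpt, worked through as an added example in Python's standard library: an X25519 exchange (RFC 7748), HKDF-SHA256 (RFC 5869), and a traffic key that changes every ten minutes. This is not RustDuck's protocol and not code from the write-up: the HKDF salt and info label are assumptions, and rotation is modelled by feeding a ten-minute epoch counter into HKDF, which the write-up does not confirm (a fresh exchange per interval would be another reading). The X25519 ladder is written for clarity, not constant time, so it is for study only.

```python
"""X25519 + HKDF-SHA256 session-key schedule with ten-minute rotation.

Added illustration of the primitives the write-up names; not RustDuck's protocol.
Assumptions: the HKDF salt and info label, and epoch-in-info as the rotation model.
Standard library only, so it runs offline.
"""
import hashlib
import hmac
import os

P = 2**255 - 19
A24 = 121665
BASEPOINT = bytes([9]) + bytes(31)
ROTATION_SECONDS = 600  # write-up: keys rotate every ten minutes


def _clamp(scalar: bytes) -> int:
    k = bytearray(scalar)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")


def x25519(scalar: bytes, u: bytes) -> bytes:
    """Montgomery ladder from RFC 7748 section 5; scalar and u are 32-byte little-endian."""
    k = _clamp(scalar)
    u = bytearray(u)
    u[31] &= 127  # X25519 ignores the top bit of the u-coordinate
    x1 = int.from_bytes(u, "little")
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * (da - cb) ** 2 % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """RFC 5869 extract-then-expand with SHA-256."""
    prk = hmac.new(salt or bytes(32), ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def epoch(now: int) -> int:
    """Ten-minute bucket the current time falls in."""
    return now // ROTATION_SECONDS


def session_key(shared_secret: bytes, salt: bytes, now: int) -> bytes:
    """Traffic key for the current epoch; both peers compute the same value.
    The label and the epoch-in-info construction are assumptions of this example."""
    info = b"example-c2-traffic-key" + epoch(now).to_bytes(8, "big")
    return hkdf_sha256(shared_secret, salt, info)


def handshake(bot_priv: bytes, c2_priv: bytes, salt: bytes, now: int):
    """Run the exchange from both ends and return (bot_key, c2_key)."""
    bot_pub = x25519(bot_priv, BASEPOINT)
    c2_pub = x25519(c2_priv, BASEPOINT)
    bot_key = session_key(x25519(bot_priv, c2_pub), salt, now)
    c2_key = session_key(x25519(c2_priv, bot_pub), salt, now)
    return bot_key, c2_key


if __name__ == "__main__":
    salt = os.urandom(32)
    bot_key, c2_key = handshake(os.urandom(32), os.urandom(32), salt, now=1_000)
    print("both ends agree:", bot_key == c2_key, "epoch:", epoch(1_000))
```

The detection angle is the part the excerpt hints at: because the payload is freshly keyed and the connection is dressed to look like ordinary TLS, content inspection is of little use, and the more reliable signals are the metadata, a beacon that re-keys or reconnects on a ten-minute cadence, and the destination name (see T1568 below).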

T1105 Ingress Tool Transfer (1 evidence item)

Once a device checks in, the operators can send a short list of orders: start an attack, stop it, report status, switch to new control servers, or quietly upgrade the malware to a newer build.

T1568 Dynamic Resolution (1 evidence item)

The control addresses lean on free dynamic-DNS services like duckdns.org, which is where the "Duck" in the name comes from.
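A detection check for the dynamic-DNS pattern in T1568, added here as an example rather than taken from the write-up or any vendor rule: it flags internal hosts resolving names under free dynamic-DNS zones, and names whose answers change within a window (the operators can "switch to new control servers", so the same name resolving to a new address is the second signal). The DNS records are constructed for the example, and the zone list is an assumed starter list seeded with duckdns.org, the only provider the write-up names.

```python
"""Flag hosts resolving names under free dynamic-DNS zones and names whose answers churn.

Added detection illustration, not from the write-up or any vendor rule. The log
records are constructed; the zone list is an assumed starter list seeded with
duckdns.org, the only provider the write-up names.
"""
from collections import defaultdict

DDNS_ZONES = ("duckdns.org", "no-ip.com", "ddns.net", "dynu.com", "hopto.org")

# Constructed Zeek-style dns records: ts (seconds), source host, queried name, answer IPs.
SAMPLE_LOG = [
    {"ts": 0,    "src": "10.0.0.5", "query": "c2node.duckdns.org", "answers": ["203.0.113.10"]},
    {"ts": 900,  "src": "10.0.0.5", "query": "c2node.duckdns.org", "answers": ["203.0.113.10"]},
    {"ts": 1800, "src": "10.0.0.5", "query": "c2node.duckdns.org", "answers": ["198.51.100.7"]},
    {"ts": 60,   "src": "10.0.0.9", "query": "www.example.com",    "answers": ["93.184.216.34"]},
    {"ts": 120,  "src": "10.0.0.9", "query": "notduckdns.org",     "answers": ["192.0.2.1"]},
]


def is_ddns(name: str) -> bool:
    """True for the zone apex or any label under it; 'notduckdns.org' must not match."""
    host = name.rstrip(".").lower()
    return any(host == zone or host.endswith("." + zone) for zone in DDNS_ZONES)


def analyze(records, churn_window: int = 3600) -> dict:
    """Return which sources touched DDNS zones and which names changed answers in-window."""
    ddns_by_src = defaultdict(set)
    seen = defaultdict(list)  # name -> [(ts, ip), ...]
    for r in records:
        name = r["query"].rstrip(".").lower()
        if is_ddns(name):
            ddns_by_src[r["src"]].add(name)
        for ip in r["answers"]:
            seen[name].append((r["ts"], ip))
    churn = {}
    for name, hits in seen.items():
        hits.sort()
        for i, (ts, _ip) in enumerate(hits):
            # distinct answers seen from this hit forward, within the window
            ips = {h_ip for h_ts, h_ip in hits[i:] if h_ts - ts <= churn_window}
            if len(ips) > 1:
                churn[name] = ips
                break
    return {"ddns_sources": dict(ddns_by_src), "churn": churn}


if __name__ == "__main__":
    findings = analyze(SAMPLE_LOG)
    for src, names in findings["ddns_sources"].items():
        print(f"{src} resolved dynamic-DNS names: {sorted(names)}")
    for name, ips in findings["churn"].items():
        print(f"{name} answered with {len(ips)} different addresses: {sorted(ips)}")
```

On the sample input only 10.0.0.5 is reported, and c2node.duckdns.org is also reported for churn because its answer moved from one address to another within the hour. On a corporate network a router, camera or Linux server that starts resolving a dynamic-DNS name is a strong hunting pivot; on home or ISP networks the zone match alone will produce benign hits, so the churn signal and the ten-minute beacon cadence are what separate a hijacked device from a user with a hobby server.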

Impact

1 technique
T1498 Network Denial of Service (1 evidence item)

The end goal is a distributed denial-of-service (DDoS) attack: flooding a target with junk traffic from the infected machines until it buckles.

INDICATORS OF COMPROMISE

IOCs tracked for this family

1 indicator attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

Network (1 tracked): IPs, domains, and DNS infrastructure linked to this family.

Type    Value                            Latest sighting
ip.v4   (withheld on the public page)    today