
FortiGuard Labs recently discovered RustoBot, a sophisticated botnet written in Rust, a memory-safe language known for its performance and security. It exploits vulnerabilities in TOTOLINK and DrayTek routers to gain a foothold in technology infrastructures across Japan, Taiwan, Vietnam, and Mexico.
In early 2025, FortiGuard analysts noticed a sharp uptick in attack attempts exploiting long-standing vulnerabilities in TOTOLINK’s cstecgi.cgi script. This component, responsible for configuration changes and authentication, harbored multiple command injection flaws.
Among the key vulnerabilities used:
- CVE-2022-26210 (via setUpgradeFW)
- CVE-2022-26187 (via pingCheck)
- CVE-2024-12987 (affecting DrayTek routers through /cgi-bin/mainfunction.cgi/apmcfgupload)
These weaknesses allowed attackers to gain remote code execution capabilities, planting the seeds of the RustoBot infection.

Once initial access is obtained, RustoBot is deployed using one of four downloader scripts, retrieved via wget or tftp. The malware targets multiple architectures—arm5, arm6, arm7, mips, mpsl, and x86—ensuring broad compatibility with vulnerable routers.
“Most of the observed incident payloads specifically target TOTOLINK devices using the mpsl architecture,” Fortinet noted.
What sets RustoBot apart is its use of Rust. Its binary structure, obfuscated through XOR-based encryption and Global Offset Table (GOT) manipulation, enables stealth and complicates reverse engineering.
The decrypted configuration reveals RustoBot’s true intent. It performs two core malicious actions:
- Resolves multiple C2 domains like dvrhelper[.]anondns[.]net, all pointing to 5[.]255[.]125[.]150
- Launches DDoS attacks on command
The bot first retrieves the public IP of the infected device using DNS-over-HTTPS (DoH), cleverly blending malicious traffic with normal HTTPS activity. It then receives attack instructions from the C2 server, including:
- DDoS method (e.g., UDP)
- Target IP and port
- Attack duration
- Packet length
“It can launch DDoS attacks using three different protocols: Raw IP, TCP, and UDP,” stated Fortinet.
The RustoBot campaign has so far affected:
- TOTOLINK models: N600R, A830R, A3100R, A950RG, A800R, A3000RU, A810R
- DrayTek models: Vigor2960, Vigor300B
Victims were primarily located in technology sectors across Japan, Taiwan, Vietnam, and Mexico, indicating a possibly targeted campaign.
With RustoBot, attackers are embracing Rust not just for novelty, but for its performance and resistance to memory-based attacks. As Fortinet warns:
“IoT and network devices are often poorly defended endpoints, making them attractive targets… Strengthening endpoint monitoring and authentication can significantly reduce the risk.”
Organizations should immediately patch known vulnerabilities, audit exposed devices, and monitor outbound traffic patterns to detect unusual behavior—especially DNS-over-HTTPS activity or unauthorized firmware updates.
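As an added example (not Fortinet's tooling or anything from the report), the following Python flags the indicators this article names in constructed firewall/proxy log lines: inbound requests to the vulnerable cstecgi.cgi and apmcfgupload handlers, a router fetching over tftp, router DoH egress, and the C2 domain or address. The flat log format, the router management address 192.0.2.1, and the DoH resolver list are assumptions.

```python
import re
# Indicators quoted in the article (defanged there, plain here so they match).
C2_DOMAINS, C2_IPS = {"dvrhelper.anondns.net"}, {"5.255.125.150"}
# Endpoints the article names: TOTOLINK cstecgi.cgi (setUpgradeFW, pingCheck)
# and DrayTek /cgi-bin/mainfunction.cgi/apmcfgupload.
EXPLOIT_PATH = re.compile(
    r"cstecgi\.cgi.*\b(setUpgradeFW|pingCheck)\b|/cgi-bin/mainfunction\.cgi/apmcfgupload")
# Assumptions: public DoH resolver names and the management IPs of our routers.
DOH_HOSTS = {"dns.google", "cloudflare-dns.com", "dns.quad9.net"}
ROUTER_IPS = {"192.0.2.1"}
# Assumed flat log line: ts dir=in|out src=.. dst=.. dport=.. host=.. path=..
LOG_RE = re.compile(
    r"^(?P<ts>\S+) dir=(?P<dir>in|out) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) host=(?P<host>\S+) path=(?P<path>\S+)$")

def classify(line):
    """Return (src, tags) for one log line; tags is empty when nothing matched."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None, []
    f, tags = m.groupdict(), []
    if f["dir"] == "in" and f["dst"] in ROUTER_IPS and EXPLOIT_PATH.search(f["path"]):
        tags.append("inbound-exploit-endpoint")  # request to a known-vulnerable handler
    if f["dir"] == "out" and f["src"] in ROUTER_IPS:
        if f["dport"] == "69":
            tags.append("router-tftp-egress")    # stage-1 downloader fetched via tftp
        if f["dport"] == "443" and f["host"] in DOH_HOSTS:
            tags.append("router-doh-egress")     # bot looks up its public IP over DoH
    if f["host"] in C2_DOMAINS or f["dst"] in C2_IPS:
        tags.append("c2-indicator")              # resolved C2 name or its address
    return f["src"], tags

def scan(log_text):
    """Map each source IP to the set of tags it triggered; 2+ tags warrant triage."""
    findings = {}
    for line in log_text.splitlines():
        src, tags = classify(line)
        for tag in tags:
            findings.setdefault(src, set()).add(tag)
    return findings

# Constructed sample: one inbound probe, then a router walking the whole chain.
SAMPLE_LOG = """\
2025-04-01T10:00:01Z dir=in src=203.0.113.7 dst=192.0.2.1 dport=80 host=192.0.2.1 path=/cgi-bin/cstecgi.cgi?setUpgradeFW
2025-04-01T10:00:05Z dir=out src=192.0.2.1 dst=198.51.100.9 dport=69 host=- path=-
2025-04-01T10:00:09Z dir=out src=192.0.2.1 dst=203.0.113.53 dport=443 host=dns.google path=/dns-query
2025-04-01T10:00:12Z dir=out src=192.0.2.1 dst=5.255.125.150 dport=443 host=dvrhelper.anondns.net path=/
2025-04-01T10:05:00Z dir=out src=192.0.2.50 dst=198.51.100.20 dport=443 host=example.com path=/
"""
```

Running `scan(SAMPLE_LOG)` attributes three distinct tags to 192.0.2.1, which is the pattern worth escalating; a single DoH hit from a client workstation would not be.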