I caught a Rust DDoS botnet on my honeypot, reverse engineered it, and now I’m monitoring its targets in real-time
During routine threat hunting on my Beelzebub honeypot, I caught something interesting: a Rust-based DDoS bot with 0 detections across 60+ AV engines at the time of capture.

TL;DR:

- The malware exploits exposed Docker APIs on port 2375
- Written in Rust using Tokio for async networking, bincode for the custom C2 protocol, and obfstr for string obfuscation
- Same server (196.251.100.116) for malware distribution (port 80) and C2 (port 8080), single point of failure
- I decoded the C2 protocol and found it surprisingly weak: no encryption, predictable nonce, hardcoded username (“client_user”)
- I built a honeypot that impersonates a bot to monitor DDoS attack targets 👀

In the post you’ll find:

- Full attack chain of the Docker API exploitation
- Sandbox setup for dynamic analysis (Docker inside an isolated VM)
- Complete C2 protocol decoding
- YARA rule and Snort rule for detection
- All IoCs

The fact that no AV detected it shows that Rust + string obfuscation is making life hard for traditional detection engines.

Questions? AMA!

submitted by /u/mario_candela
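As an added example (not code from the post or from the Beelzebub project), this is the kind of detection logic a defender could run over connection logs using the indicators the post gives: container-create/exec calls hitting the unauthenticated Docker API on tcp/2375, and outbound connections to the distribution/C2 host on ports 80 and 8080. The log line format, the sample lines and the `inspect_line`/`scan` helpers are assumptions constructed for this snippet.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Indicators taken from the post: payload served from 196.251.100.116:80, C2 on :8080.
C2_HOST = "196.251.100.116"
C2_PORTS = {80, 8080}
DOCKER_API_PORT = 2375

# Docker Engine API endpoints that create, run code in, or pull images for containers.
# Any such call arriving unauthenticated on 2375 from the network is worth an alert.
SUSPICIOUS_API = re.compile(
    r"^(POST|PUT) /(v[\d.]+/)?(containers/create|containers/[^/]+/exec|images/create)"
)

# Constructed log format (assumption): "<ts> <src>:<sport> -> <dst>:<dport> [<request line>]"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+):(?P<sport>\d+) -> (?P<dst>\S+):(?P<dport>\d+)(?: (?P<req>.*))?$"
)


@dataclass
class Alert:
    ts: str
    rule: str
    detail: str


def inspect_line(line: str) -> Optional[Alert]:
    """Return an Alert if the line matches one of the two detections, else None."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    dport = int(m["dport"])
    req = m["req"] or ""
    if dport == DOCKER_API_PORT and SUSPICIOUS_API.match(req):
        return Alert(m["ts"], "docker-api-exposed", f"{m['src']} -> {req}")
    if m["dst"] == C2_HOST and dport in C2_PORTS:
        return Alert(m["ts"], "rust-ddos-c2", f"{m['src']} -> {m['dst']}:{dport}")
    return None


def scan(lines: Iterable[str]) -> List[Alert]:
    return [a for a in map(inspect_line, lines) if a is not None]


# Constructed sample traffic: one Docker API abuse, one benign list call, two C2 contacts.
SAMPLE = [
    "2024-01-01T10:00:00Z 203.0.113.7:41234 -> 10.0.0.5:2375 POST /v1.43/containers/create",
    "2024-01-01T10:00:01Z 10.0.0.8:40000 -> 10.0.0.5:2375 GET /v1.43/containers/json",
    "2024-01-01T10:00:05Z 10.0.0.5:51000 -> 196.251.100.116:80",
    "2024-01-01T10:00:06Z 10.0.0.5:51001 -> 196.251.100.116:8080",
    "2024-01-01T10:00:07Z 10.0.0.5:51002 -> 10.0.0.9:443",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE):
        print(alert)
```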