A newly uncovered botnet, dubbed “Raptor Train,” has compromised more than 200,000 IoT devices worldwide over its lifetime, making it one of the largest state-sponsored IoT botnets discovered to date. Active since 2020, the botnet primarily targets small office/home office (SOHO) routers, IP cameras, DVRs, and NAS devices. Researchers at Lumen’s Black Lotus Labs attribute it to Flax Typhoon, a Chinese nation-state hacking group also known as Ethereal Panda. Raptor Train runs on a three-tiered architecture: a bottom tier of compromised devices, a middle tier of exploitation, payload and command-and-control servers, and a top tier of management nodes. This layout lets the operators exploit devices at scale and direct the compromised fleet as a single resource for malicious activity.
The botnet runs a custom variant of the notorious Mirai malware called “Nosedive,” which lets the attackers execute commands, upload and download files, and mount distributed denial-of-service (DDoS) attacks. A key characteristic is re-exploitability: Nosedive runs in memory only and does not survive a device reboot, but because the underlying devices remain unpatched, the operators simply re-exploit them and reinfect them at will. In practice this means a reboot clears the implant without fixing the problem. Raptor Train has targeted devices from manufacturers including ASUS, Hikvision, TP-Link, and Synology, with compromised devices concentrated in the U.S., Taiwan, Vietnam, and Brazil.
Recent law enforcement action led to a significant takedown of the botnet’s infrastructure. The FBI, in coordination with other agencies, seized servers linked to Raptor Train and disabled the malware on infected devices. Investigators concluded that the botnet was controlled by Integrity Technology Group, a Beijing-based company. The firm used the botnet for cyber espionage and reconnaissance against entities in the military, government, education, telecommunications, and defense sectors, particularly in the U.S. and Taiwan.
The scale of the botnet is alarming: U.S. authorities counted over 260,000 affected devices as of June 2024. Its operators managed that fleet through purpose-built tooling, notably the Sparrow application in the top management tier, which is used to oversee the command-and-control servers and the infected nodes beneath them. U.S. officials have warned that botnets like Raptor Train are likely to keep evolving and will remain a persistent threat to critical infrastructure worldwide.