New "Raptor Train" IoT Botnet Compromises Over 200,000 Devices Worldwide

Cybersecurity researchers have uncovered an unprecedented botnet, composed of compromised small office/home office (SOHO) devices and Internet of Things (IoT) systems, believed to be operated by a Chinese nation-state threat actor known as Flax Typhoon (aka Ethereal Panda or RedJuliett). The sophisticated botnet, dubbed Raptor Train, has been operational since at least May 2020 and reached its peak in June 2023, with 60,000 active devices under its control.

A Growing Threat: Raptor Train Botnet

Lumen's Black Lotus Labs reported that over 200,000 SOHO routers, DVR devices, NAS servers, and IP cameras have been conscripted into this massive botnet, making it one of the largest state-sponsored IoT botnets ever discovered. Since its inception, Raptor Train has infected hundreds of thousands of devices, and the botnet is organized into a three-tiered architecture:

  1. Tier 1: Compromised SOHO/IoT devices
  2. Tier 2: Exploitation, payload, and command-and-control (C2) servers
  3. Tier 3: Centralized management nodes using a cross-platform Electron application, known as Sparrow or NCCT (Node Comprehensive Control Tool)

Bot tasks are initiated from Tier 3 "Sparrow" management nodes, routed through Tier 2 servers, and executed on the compromised devices (Tier 1). These devices include routers, IP cameras, DVRs, and NAS systems from manufacturers like ASUS, TP-Link, Hikvision, and QNAP. A significant portion of these Tier 1 nodes are located in the U.S., Taiwan, Brazil, and other countries. Each infection lasts approximately 17.44 days on average before the device is re-infected, which indicates that the botnet depends on being able to re-exploit devices repeatedly rather than on persistence.

The Botnet's Lifeblood: Nosedive Malware

Infections are propagated by an in-memory implant called Nosedive, a custom variant of the notorious Mirai botnet. The malware is delivered via Tier 2 payload servers and includes capabilities such as command execution, file transfers, and Distributed Denial-of-Service (DDoS) attacks. The Tier 2 nodes are highly flexible, rotating approximately every 75 days and doubling as reconnaissance tools and exploit servers to co-opt new devices.

A Changing Landscape: Raptor Train Campaigns

Raptor Train has seen at least four major campaigns since 2020, each targeting different devices and leveraging distinct root domains for C2 communication:

  • Crossbill (May 2020–April 2022): C2 domain k3121.com
  • Finch (July 2022–June 2023): C2 domain b2047.com
  • Canary (May 2023–August 2023): C2 domain b2047.com, with multi-stage droppers
  • Oriole (June 2023–September 2024): C2 domain w8510.com

The Canary campaign was particularly notable for its multi-layered infection chain, heavily targeting devices like Hikvision IP cameras and ASUS routers. This campaign's C2 domain generated so much lookup volume that it appeared in Cisco Umbrella's domain rankings and Cloudflare Radar's top one million domains, so security controls that allowlist popular domains would let its traffic through unchallenged.
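The detection point above, as an added example (this code is not from the article, Lumen, or the FBI): a domain allowlist derived from a popularity ranking must be checked against threat intelligence before a DNS query is trusted, because a busy C2 domain can rank inside the top one million. The ranking values and DNS log lines below are constructed; the C2 root domains are the ones the article attributes to the Raptor Train campaigns; reducing a query name to its last two labels is a simplification that stands in for public-suffix handling.

```python
"""Why a popularity-based domain allowlist must not override threat intel.

Constructed sample data throughout; only the C2 root domains come from the
article's campaign list.
"""

# Constructed popularity ranking. The ranks are placeholders; the article only
# states that the Canary C2 domain appeared in Cisco Umbrella's rankings and in
# Cloudflare Radar's top one million.
POPULARITY_RANKING = {
    "example.com": 12,
    "b2047.com": 734_512,   # placeholder rank, not the real listing
    "w8510.com": 910_004,   # placeholder rank, not the real listing
}

# C2 root domains the article attributes to the Crossbill, Finch/Canary and
# Oriole campaigns.
RAPTOR_TRAIN_C2 = {"k3121.com", "b2047.com", "w8510.com"}

# Constructed DNS query log: "<timestamp> <client_ip> <query_name>" per line.
SAMPLE_DNS_LOG = """\
2023-07-01T10:00:01Z 192.0.2.10 example.com
2023-07-01T10:00:02Z 192.0.2.45 cdn.b2047.com
2023-07-01T10:00:03Z 192.0.2.45 w8510.com
2023-07-01T10:00:04Z 192.0.2.77 intranet.corp.example
"""


def registrable_domain(qname: str) -> str:
    """Reduce a query name to its root domain.

    Simplification: treats the last two labels as the root and does not
    consult the public suffix list, so "a.b.co.uk" would yield "co.uk".
    """
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def parse_dns_log(text: str) -> list[tuple[str, str, str]]:
    """Parse the constructed log format into (timestamp, client, qname)."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        timestamp, client, qname = line.split()
        records.append((timestamp, client, qname))
    return records


def popularity_allowlist_verdict(qname: str, top_n: int = 1_000_000) -> str:
    """The weak policy: anything ranked inside the top N is trusted outright."""
    rank = POPULARITY_RANKING.get(registrable_domain(qname))
    if rank is not None and rank <= top_n:
        return "allow"
    return "inspect"


def ioc_first_verdict(qname: str, top_n: int = 1_000_000) -> str:
    """The corrected policy: threat intelligence is consulted before popularity,
    so a listed C2 domain is blocked no matter how highly it ranks."""
    if registrable_domain(qname) in RAPTOR_TRAIN_C2:
        return "block"
    return popularity_allowlist_verdict(qname, top_n)


def triage(log_text: str, verdict_fn, top_n: int = 1_000_000) -> dict[str, str]:
    """Apply a verdict function to every query name in the log."""
    return {qname: verdict_fn(qname, top_n) for _, _, qname in parse_dns_log(log_text)}


def flagged_clients(log_text: str, verdict_fn, top_n: int = 1_000_000) -> set[str]:
    """Client addresses that issued at least one blocked query; these are the
    hosts an analyst would examine for a Tier 1 infection."""
    return {
        client
        for _, client, qname in parse_dns_log(log_text)
        if verdict_fn(qname, top_n) == "block"
    }


if __name__ == "__main__":
    for name, fn in (("popularity allowlist", popularity_allowlist_verdict),
                     ("IoC-first", ioc_first_verdict)):
        print(f"{name}: {triage(SAMPLE_DNS_LOG, fn)}")
        print(f"  clients to examine: {sorted(flagged_clients(SAMPLE_DNS_LOG, fn))}")
```

Run as written, the popularity-only policy allows both C2 lookups and flags no client, while the IoC-first policy blocks them and singles out the one address that queried them; the ordering of the checks, not the size of the allowlist, is what makes the difference.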

Nation-State Ties and Targeted Attacks

Raptor Train has been linked to Flax Typhoon, a Chinese hacking group known for targeting critical sectors such as government, telecommunications, and defense in Taiwan and North America. While no DDoS attacks have been confirmed, the botnet has likely been used to conduct exploitation attempts on servers within these sectors. The Chinese language usage and victimology overlap further connect Flax Typhoon to these activities.

FBI Dismantles Flax Typhoon Botnet

In a major law enforcement operation, the FBI, together with the U.S. Department of Justice (DoJ), dismantled the Raptor Train botnet in 2024. The operation seized the botnet's infrastructure and issued commands that disabled the malware on infected devices. The threat actors attempted to disrupt the operation with a DDoS attack, but the FBI successfully took down the botnet.

The botnet, operated by Integrity Technology Group, a publicly traded Beijing company, consisted of over 260,000 devices at its height, with victims scattered across North America, Europe, Asia, and other regions. The infected devices were controlled through an online application called KRLab, which offered a suite of malicious tools, including vulnerability exploitation and remote command execution.

Implications and Future Threats

The discovery and dismantling of Raptor Train highlight the increasing sophistication of state-sponsored botnets targeting IoT devices. These botnets, such as Raptor Train and KV-Botnet, serve as ideal proxies for cybercriminals to mask their identities and stage large-scale attacks. FBI Director Christopher Wray emphasized that the Chinese government would likely continue using such proxies to target critical infrastructure worldwide.

The takedown of Raptor Train represents a significant victory for global cybersecurity efforts, but it also serves as a stark reminder of the growing threat posed by nation-state cyber activities. With millions of IoT devices vulnerable to exploitation, vigilance and robust defenses are more critical than ever in the face of increasingly sophisticated cyber operations.
