Welcome to the world of cybersecurity, where new threats are constantly emerging. In a recent discovery, cybersecurity researchers have identified a previously undocumented botnet. The botnet, named Raptor Train by Lumen’s Black Lotus Labs, is believed to be operated by a Chinese nation-state threat actor tracked as Flax Typhoon.
The Raptor Train botnet is a sophisticated network of small office/home office (SOHO) and IoT devices that have been compromised by the threat actor. Since its inception in May 2020, the botnet has grown to include over 200,000 devices, making it one of the largest Chinese state-sponsored IoT botnets discovered to date.
The infrastructure behind the botnet is complex and is organized in three tiers: the compromised devices themselves form the bottom tier; exploitation servers, payload servers, and command-and-control servers form the middle tier; and centralized management nodes form the top tier. This multi-layered architecture allows the threat actor to control a vast network of devices and execute various cyber attacks.
Devices from various manufacturers such as ActionTec, ASUS, Hikvision, and TP-LINK have been targeted by the Raptor Train botnet. The majority of compromised devices are located in the U.S., Taiwan, Vietnam, Brazil, Hong Kong, and Turkey.
The threat actor’s ability to reinfect devices at will is a cause for concern, as it indicates a high level of persistence. The botnet uses an in-memory implant called Nosedive, a custom variant of the Mirai malware, to execute commands, upload and download files, and launch DDoS attacks.
Several campaigns have been linked to the Raptor Train botnet, each targeting different devices and utilizing unique infection chains. The most recent campaign, Oriole, has garnered attention for its sophisticated tactics and use of multi-stage droppers.
While no DDoS attacks have been detected from the botnet yet, evidence suggests that it has been weaponized to target entities in various sectors, including military, government, telecommunications, and IT.
The connections to Flax Typhoon, a known hacking crew with a history of targeting entities in multiple regions, further highlight the severity of the threat posed by the Raptor Train botnet.
As cybersecurity threats continue to evolve, it is crucial for organizations and individuals to stay vigilant and protect their devices from potential attacks. The discovery of the Raptor Train botnet serves as a stark reminder of the importance of cybersecurity in today’s interconnected world.