Raptor Train: The Chinese Botnet That Made the Digital Space Shudder

200,000 breached devices – the malicious network is expanding at an incredible speed.

Cybersecurity researchers have discovered a new botnet created using small office and home network (SOHO) devices, as well as IoT devices. This botnet is believed to be operated by the Chinese hacking group Flax Typhoon, also known as Ethereal Panda or RedJuliett.

Called Raptor Train, this botnet has been active since May 2020 and peaked in June 2023, when it had around 60,000 breached devices on its network. According to Black Lotus Labs, more than 200,000 devices, including routers, IP cameras and network storage devices, have passed through the botnet over that period. This makes Raptor Train one of the largest Chinese botnets built on IoT devices.

The botnet's infrastructure is built on a three-tier architecture: the first tier consists of compromised SOHO/IoT devices, the second is made up of servers for operation and management, and the third is made up of central nodes that use a tool called Sparrow. Through it, the operators control the botnet's nodes, propagating commands down to the first-tier devices.

Among the attacked devices were products from well-known manufacturers such as ASUS, DrayTek, Hikvision, TP-LINK and Synology. The bulk of the breached devices are located in the United States, Taiwan, Vietnam and Brazil, and their average lifespan in the botnet is around 17 days.

In most cases the attackers do not use persistence mechanisms that survive a device reboot, relying instead on re-infecting devices. This is possible because of the many vulnerabilities and the huge amount of poorly protected equipment exposed on the internet.

The basis for the spread of Raptor Train was malicious code called Nosedive, a modification of the well-known Mirai botnet. This code lets the attackers execute commands, transfer files and orchestrate DDoS attacks.

The second-tier servers that provide botnet management change every 75 days and are located in countries such as the United States, the United Kingdom, and South Korea. Over the past two years, the number of these servers has increased from a few to 60.

Since the botnet's inception, several operations have been carried out to expand it. For example, the Canary campaign (May to August 2023) actively exploited vulnerabilities in ActionTec and ASUS devices, using multi-stage infection chains to deploy the malicious code.

A distinctive feature of the latest malicious operation, called Oriole, was the massive popularity of the domain used to control the botnet. By June 2024 this domain appeared in the Cisco Umbrella and Cloudflare Radar domain popularity rankings, which allowed it to slip past security controls that whitelist popular domains.
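The point above, that a C2 domain can become "popular" simply because hundreds of thousands of bots query it, is worth turning into a concrete defensive check. The following is an added example (not code from the original article or from Black Lotus Labs) showing why allowlisting a domain from a single day's top list is weak, and how requiring sustained tenure and rank stability across daily snapshots rejects a newcomer that shot up the rankings; the domain names and ranks are constructed sample data.

```python
from datetime import date, timedelta
from statistics import pstdev

# Constructed daily popularity snapshots (domain -> rank); sample data, not from the page.
# "long-lived-cdn.test" has sat near the top for the whole window, while
# "newcomer.test" climbed into the top 10,000 only during the last five days.
SNAPSHOTS = {}
for day in range(30):
    d = date(2024, 5, 2) + timedelta(days=day)
    SNAPSHOTS[d] = {"long-lived-cdn.test": 150 + day % 3}
    if day >= 25:
        SNAPSHOTS[d]["newcomer.test"] = 9000 - (day - 25) * 1500

LAST_DAY = max(SNAPSHOTS)


def single_snapshot_allowlist(snapshots, day, max_rank=10000):
    """Naive rule: trust anything that is under max_rank in today's list."""
    return {dom for dom, rank in snapshots[day].items() if rank <= max_rank}


def tenure_allowlist(snapshots, day, max_rank=10000, min_days=21, max_rank_stddev=50.0):
    """Stricter rule: trust a domain only if it stayed under max_rank on every
    daily snapshot of the last min_days days and its rank barely moved.
    A freshly inflated C2 domain fails the tenure check; a wildly swinging
    rank fails the stability check."""
    window = [day - timedelta(days=i) for i in range(min_days)]
    trusted = set()
    for dom in snapshots[day]:
        ranks = [snapshots.get(d, {}).get(dom) for d in window]
        if any(r is None or r > max_rank for r in ranks):
            continue  # absent or too unpopular on at least one day
        if pstdev(ranks) > max_rank_stddev:
            continue  # rank not stable over the window
        trusted.add(dom)
    return trusted


if __name__ == "__main__":
    print("naive :", sorted(single_snapshot_allowlist(SNAPSHOTS, LAST_DAY)))
    print("tenure:", sorted(tenure_allowlist(SNAPSHOTS, LAST_DAY)))
```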

Although no direct DDoS attacks using the botnet have yet been recorded, experts believe that it can be used for cyberattacks on the military and government organizations of the United States and Taiwan.
