Massive ‘Raptor Train’ Botnet Hijacks Over 200,000 IoT Devices

Cybersecurity experts have uncovered a sophisticated botnet, dubbed “Raptor Train,” that has infected more than 200,000 small office/home office (SOHO) and Internet of Things (IoT) devices globally.

The botnet is attributed to a suspected Chinese state-sponsored group tracked as Flax Typhoon. It has been active since at least May 2020, and the number of simultaneously active devices peaked at around 60,000 in June 2023.

The botnet uses a three-tiered architecture. Tier 1 consists of the compromised devices themselves: routers, IP cameras, and network-attached storage (NAS) systems. Tier 2 is the operators' server infrastructure: exploitation servers that compromise new devices, payload servers that host the implant, and command-and-control (C2) servers that issue instructions to the bots. Tier 3 is the management layer, a set of nodes running a tool the researchers call "Sparrow," from which operators administer the Tier 2 servers and, through them, the entire network.

Researchers report that the botnet has primarily affected devices in the U.S., Taiwan, Vietnam, Brazil, Hong Kong, and Turkey, and that a compromised node stays in the botnet for only about 17 days on average. Because the implant lives only in memory, a reboot removes it; the short lifespan therefore reflects not cleanup by device owners but the operators' ability to re-compromise devices at will, given the large number of unpatched vulnerabilities in SOHO and IoT firmware.

Compromised devices run an in-memory implant called Nosedive, a custom variant of the Mirai malware. It is fetched from Tier 2 payload servers and runs without writing itself to disk, which makes it hard to find with filesystem-based checks and means it does not survive a reboot. Nosedive can execute arbitrary commands, upload and download files, and launch DDoS attacks. The number of Tier 2 command-and-control servers grew from a handful in 2020 to more than 60 by mid-2024, showing how quickly the botnet's infrastructure has expanded.
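Because Nosedive runs only from memory, the most reliable host-side tell on a Linux-based router or NAS is a process whose executable no longer exists on disk or sits on a RAM-backed filesystem. The script below is an added example written for this page, not code from the article or from the researchers' report: it walks /proc and flags such processes. Mirai-derived bots unlink their own binary right after starting, so the /proc/<pid>/exe link of the running process reads "... (deleted)"; that behaviour is the basis of the check. The helper names, the list of volatile paths and the sample process table are all assumptions made for the example.

```python
# Added example: flag Linux processes running purely from memory, the footprint an
# in-memory implant leaves once its on-disk file is gone. Illustrative detection
# logic, not code from the article or the researchers' report.
import os
import sys
from dataclasses import dataclass
from typing import Iterable, List

# RAM-backed or scratch locations a legitimate firmware daemon rarely runs from.
# This list is an assumption for the example; tune it to the device's layout.
VOLATILE_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/", "/run/")


@dataclass
class ProcInfo:
    pid: int
    exe: str       # target of the /proc/<pid>/exe symlink
    cmdline: str   # /proc/<pid>/cmdline with NUL separators replaced by spaces


def is_memory_resident(exe: str) -> bool:
    """True when the process's executable no longer exists on disk or lives on a
    volatile filesystem. A bot that unlinks itself after launch shows up as
    e.g. '/tmp/.x (deleted)'; a memfd-backed loader as '/memfd:<name> (deleted)'."""
    if exe.endswith(" (deleted)"):
        return True
    if exe.startswith("/memfd:"):
        return True
    return exe.startswith(VOLATILE_PREFIXES)


def find_memory_resident(procs: Iterable[ProcInfo]) -> List[ProcInfo]:
    """Return the subset of processes whose backing file is gone or volatile."""
    return [p for p in procs if is_memory_resident(p.exe)]


def snapshot_proc(proc_root: str = "/proc") -> List[ProcInfo]:
    """Walk a live procfs. Reading other users' exe/cmdline links needs root;
    entries that cannot be read (kernel threads, permission denied) are skipped."""
    procs = []
    for name in os.listdir(proc_root):
        if not name.isdigit():
            continue
        pid = int(name)
        try:
            exe = os.readlink(f"{proc_root}/{pid}/exe")
            with open(f"{proc_root}/{pid}/cmdline", "rb") as fh:
                raw = fh.read().replace(b"\0", b" ")
            cmdline = raw.decode("utf-8", "replace").strip()
        except OSError:
            continue
        procs.append(ProcInfo(pid, exe, cmdline))
    return procs


# Constructed sample standing in for a small router's process table.
# PIDs, paths and names are made up for this example.
SAMPLE_PROCS = [
    ProcInfo(1, "/sbin/init", "/sbin/init"),
    ProcInfo(812, "/usr/sbin/httpd", "/usr/sbin/httpd -p 80"),
    # binary unlinked after launch, argv[0] disguised as a kernel thread
    ProcInfo(1331, "/tmp/.x (deleted)", "ksoftirqd/0"),
    # payload written straight into an anonymous memfd, never to flash
    ProcInfo(1402, "/memfd:loader (deleted)", "/usr/bin/wget"),
    ProcInfo(1455, "/usr/bin/busybox", "telnetd -l /bin/login"),
]


if __name__ == "__main__":
    # Run with --live on a Linux device to inspect the real /proc (as root);
    # otherwise the constructed sample above is used.
    procs = snapshot_proc() if "--live" in sys.argv else SAMPLE_PROCS
    for p in find_memory_resident(procs):
        print(f"pid {p.pid}: exe={p.exe!r} cmdline={p.cmdline!r}")
```

On the sample table the check flags PIDs 1331 and 1402 and leaves the legitimate daemons alone. On a general-purpose Linux host the same rule is noisier, because a package upgrade leaves long-running services with a "(deleted)" executable until they restart; on a router whose firmware is a read-only image that situation is rare, and pairing a hit with the process's outbound connections (for example from /proc/net/tcp) separates an implant from an upgrade artefact. Note also that a reboot clears the implant but not the vulnerability that let it in.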

Since 2020 the botnet has run four distinct campaigns, each targeting different device types and using its own set of root domains for command and control. The most recent, named Oriole, grew so large that its C2 domain appeared in widely used rankings of popular domains; because some security products allowlist highly ranked domains, that placement could have let the botnet's traffic through filters meant to block it.

Although no DDoS attack has been observed from Raptor Train, researchers have seen its compromised devices used as launch points for exploitation attempts against systems in the government, military, and telecommunications sectors in the U.S. and Taiwan. The attribution to Flax Typhoon rests on overlap in tactics and targeting with that group's known activity.

Defending against this kind of botnet comes down to basic hygiene for every connected device: keep firmware up to date and replace devices that no longer receive updates; replace default credentials with strong, unique passwords; disable unnecessary features, in particular management interfaces reachable from the internet; and reboot devices periodically, which clears a memory-only implant even though it does not close the hole it came through. Placing IoT and SOHO devices on their own network segment and monitoring their outbound connections with an intrusion detection system limits what a compromised device can reach and makes re-infection visible.