Cybersecurity experts have recently discovered a new botnet made up of small office/home office (SOHO) and IoT devices, believed to be controlled by a Chinese state-sponsored threat group known as Flax Typhoon (also known as Ethereal Panda or RedJuliett).
Named Raptor Train by Lumen’s Black Lotus Labs, this sophisticated botnet has been in operation since at least May 2020, reaching a peak of 60,000 compromised devices in June 2023. According to a detailed 81-page report shared with The Hacker News, over 200,000 SOHO routers, NVR/DVR devices, NAS servers, and IP cameras have been recruited into the botnet, making it one of the largest Chinese state-sponsored IoT botnets identified so far.
The infrastructure supporting the botnet is estimated to have ensnared hundreds of thousands of devices, utilizing a three-tiered architecture:
– Tier 1: Compromised SOHO/IoT devices
– Tier 2: Exploitation servers, payload servers, and command-and-control (C2) servers
– Tier 3: Centralized management nodes and a cross-platform Electron application front-end referred to as Sparrow (also known as Node Comprehensive Control Tool, or NCCT)
The bot tasks are initiated from Tier 3 “Sparrow” management nodes, routed through Tier 2 C2 servers, and then transmitted to the bots in Tier 1, which form a significant portion of the botnet.
Various devices from manufacturers such as ActionTec, ASUS, DrayTek, Hikvision, Mikrotik, Panasonic, QNAP, and TP-LINK have been targeted by the botnet. The majority of Tier 1 nodes are geolocated in the U.S., Taiwan, Vietnam, Brazil, Hong Kong, and Turkey, with an average lifespan of 17.44 days, indicating the threat actor’s ability to reinfect devices at will.
The botnet infects nodes with an in-memory implant called Nosedive, a customized version of the Mirai botnet, through Tier 2 payload servers. The ELF binary enables executing commands, uploading and downloading files, and launching DDoS attacks.
Tier 2 nodes are rotated approximately every 75 days and are mainly located in the U.S., Singapore, the U.K., Japan, and South Korea. The number of C2 nodes has increased significantly from 2020 to 2024.
Several campaigns have been associated with the evolving Raptor Train botnet since mid-2020, each identified by the root domains used and the targeted devices. The Canary campaign, for example, targeted ActionTec PK5000 modems, Hikvision IP cameras, Shenzhen TVT NVRs, and ASUS routers, employing a multi-layered infection chain.
While no DDoS attacks have been observed from the botnet so far, it has been utilized to target entities in various sectors. The connections to Flax Typhoon are established through victimology, language use, and tactical similarities.
According to Lumen, the Raptor Train botnet is a sophisticated control system capable of managing numerous C2 servers and infected nodes, enabling a wide range of activities including exploitation, vulnerability management, remote command execution, and IoT-based DDoS attacks at scale.
For more exclusive content, follow us on Twitter and LinkedIn.