{"id":168563,"date":"2024-09-18T19:50:14","date_gmt":"2024-09-18T19:50:14","guid":{"rendered":"https:\/\/securityaffairs.com\/?p=168563"},"modified":"2024-09-18T19:50:16","modified_gmt":"2024-09-18T19:50:16","slug":"raptor-train-botnet-iot","status":"publish","type":"post","link":"https:\/\/securityaffairs.com\/168563\/malware\/raptor-train-botnet-iot.html","title":{"rendered":"Experts warn of China-linked APT’s Raptor Train IoT Botnet"},"content":{"rendered":"
<\/div>\n

Researchers warn of a new IoT botnet called Raptor Train that already compromised over 200,000 devices worldwide.<\/h2>\n\n\n\n

Cybersecurity researchers from Lumen’s Black Lotus Labs discovered a new botnet, named Raptor Train, composed of small office\/home office (SOHO) and IoT devices. The experts believe the botnet is controlled by the China-linked APT group Flax Typhoon<\/a> (also called Ethereal Panda<\/a> or RedJuliett). <\/p>\n\n\n\n

The botnet has been active since at least May 2020, peaking at 60,000 compromised devices in June 2023.<\/p>\n\n\n\n

Since May 2020, over 200,000 devices, including SOHO routers, NVR\/DVR devices, NAS servers, and IP cameras, have been compromised and added to the Raptor Train botnet, making it one of the largest China-linked IoT botnets discovered. A command and control (C2) domain from a recent campaign even appeared on the Cloudflare Radar and Cisco Umbrella “top 1 million” lists, indicating widespread device exploitation. Researchers estimate that hundreds of thousands of devices have likely been compromised since the botnet’s creation.<\/p>\n\n\n\n

“The botnet operators manage this large and varied network through a series of distributed payload and C2 servers, a centralized Node.js backend, and a cross-platform\u00a0Electron<\/a>\u00a0application front-end that the actors have dubbed \u201cSparrow.\u201d This is a robust, enterprise-grade control system used to manage upwards of 60 C2 servers and their infected nodes at any given time.” reads the report<\/strong><\/a> published by Lumen. “This service enables an entire suite of activities, including scalable exploitation of bots, vulnerability and exploit management, remote management of C2 infrastructure, file uploads and downloads, remote command execution, and the ability to tailor IoT-based distributed denial of service (DDoS) attacks at-scale.”<\/em><\/p>\n\n\n\n

The three-tiered architecture consists of the following levels:<\/p>\n\n\n\n