Raptor Train: The Chinese Botnet


Cybersecurity researchers have discovered a new botnet called “Raptor Train” built from compromised small office/home office (SOHO) and IoT devices. The botnet is believed to be operated by the Chinese hacker group Flax Typhoon, also known as Ethereal Panda or RedJuliett.

Active since May 2020, Raptor Train hit its zenith in June 2023, with approximately 60,000 compromised devices. However, recent data from Black Lotus Labs shows that the botnet has since grown to include over 200,000 devices, encompassing routers, IP cameras, and network storage systems. This rapid expansion positions Raptor Train as one of the most formidable Chinese botnets leveraging IoT devices.

The architecture of Raptor Train is structured into three tiers. The first tier contains the compromised SOHO and IoT devices. The second tier includes servers responsible for operational management. Finally, the third tier consists of central nodes utilizing a tool known as Sparrow, which facilitates command propagation and control of the botnet’s nodes.

Among the targeted devices are products from well-known manufacturers such as ASUS, DrayTek, Hikvision, TP-LINK, and Synology. The majority of compromised devices are located in the United States, Taiwan, Vietnam, and Brazil, with each device typically remaining part of the botnet for about 17 days.

Rather than relying on mechanisms that persist across a device reboot, the attackers re-exploit the same vulnerabilities to regain access, so a reboot clears the infection only until the still-unpatched device is compromised again. This strategy is made possible by the prevalence of poorly secured devices exposed to the internet.

The botnet’s spread is fueled by a malicious code dubbed Nosedive, a derivative of the infamous Mirai botnet. This code enables hackers to execute commands, transfer files, and launch Distributed Denial of Service (DDoS) attacks.
