A Chinese botnet, dubbed “Raptor Train,” has infected over 260,000 networking devices globally, including SOHO routers and IP cameras. According to experts, the botnet, which has been active since May 2020, has primarily targeted critical infrastructure across various sectors in the U.S. and Taiwan, including military, government, telecommunications, and higher education entities. The botnet’s operators are believed to be state-sponsored Chinese hackers from the Flax Typhoon group.
Raptor Train has evolved into a sophisticated, multi-layered network over the past four years. Its architecture includes three distinct tiers responsible for sending commands, managing exploitation servers, and overseeing command-and-control (C2) systems.
The botnet's primary payload is Nosedive, a variant of the well-known Mirai malware, although it has not yet been observed launching the distributed denial-of-service (DDoS) attacks that Mirai is typically associated with.
Raptor Train botnet hits 200,000 devices, expands with Oriole campaign.
At its peak in mid-2023, Raptor Train controlled over 60,000 active devices, and it continues to infect new devices regularly, with over 200,000 systems compromised over its lifetime. A recent campaign called Oriole added another 30,000 devices to the botnet’s infrastructure.
In response to this growing threat, the FBI launched a number of operations to disrupt Raptor Train. Using court-authorized methods, the FBI seized control of several key parts of the botnet's infrastructure and removed malware from thousands of infected devices. The operation also uncovered a database with over 1.2 million records of compromised devices, including nearly 400,000 systems in the U.S.
Researchers have identified over 20 different device types that the botnet exploits, including routers, modems, and IP cameras. The exploited vulnerabilities range from zero-days to known security flaws, allowing Raptor Train to maintain a persistent presence across its device pool. The payload on any individual device is typically short-lived, however: an infected device remains compromised for about 17 days before it is replaced by newly infected ones.
In addition to targeting U.S. military and government systems, Raptor Train has also launched attacks on entities in other countries, including Kazakhstan. The botnet was also involved in exploitation attempts against major software platforms like Atlassian Confluence and Ivanti Connect Secure.
To defend against such threats, security experts recommend regularly rebooting devices, applying manufacturer updates, and replacing outdated equipment. Monitoring network activity for unusual data transfers can also help reduce the risk of infection going unnoticed.