Security researchers have documented a previously unreported botnet, built from a large population of small office/home office (SOHO) and Internet of Things (IoT) devices and likely operated by the Chinese state-sponsored hacking group tracked as Flax Typhoon (also known as Ethereal Panda or RedJuliett).
The botnet, which Lumen's Black Lotus Labs tracks under the codename Raptor Train, is believed to have been operating since May 2020 and had grown to 60,000 devices under its control by June 2023.
“Since then, the botnet has swollen to include over 200,000 devices—ranging from SOHO routers to NVR/DVR systems, network-attached storage (NAS) servers, and IP cameras—transforming Raptor Train into one of the largest IoT botnets attributed to Chinese state-sponsored actors,” the company said in an 81-page report shared with The Hacker News.
According to the report, the infrastructure behind the botnet has ensnared hundreds of thousands of devices over its lifetime and is organized in three tiers:
- Tier 1: Compromised SOHO and IoT devices.
- Tier 2: Servers designed for exploitation, payload distribution, and command-and-control (C2) coordination.
- Tier 3: Centralized management nodes with a cross-platform Electron application called Sparrow (also known as Node Comprehensive Control Tool, or NCCT).
Operations originate at the Tier 3 Sparrow management nodes, are relayed through the Tier 2 C2 servers, and reach the Tier 1 bots, which account for the bulk of the compromised population.
Among the targeted devices are routers, IP cameras, DVRs, and NAS units produced by companies like ActionTec, ASUS, DrayTek, Fujitsu, Hikvision, Mikrotik, Mobotix, Panasonic, QNAP, Ruckus Wireless, Shenzhen TVT, Synology, Tenda, TOTOLINK, TP-LINK, and Zyxel.
Most Tier 1 nodes are located in the U.S., Taiwan, Vietnam, Brazil, Hong Kong, and Turkey. An infected node stays in the botnet for an average of 17.44 days, a short dwell time that indicates the operators can reinfect devices with little effort rather than relying on durable footholds.
“In many cases, no persistent mechanism was embedded to withstand a system reboot,” Lumen observed.
“The confidence in re-exploitability stems from the sheer volume of exploits available for various vulnerable SOHO and IoT devices, and the overwhelming number of susceptible devices accessible via the internet. This grants Raptor Train a form of ‘inherent persistence’.”
Once a device is compromised, it is implanted with Nosedive, an in-memory ELF binary derived from the Mirai botnet source and served from the Tier 2 payload servers. The implant supports command execution, file transfers, and Distributed Denial of Service (DDoS) attacks.
Tier 2 nodes, by contrast, are rotated roughly every 75 days and are hosted mainly in the U.S., Singapore, the U.K., Japan, and South Korea. The number of C2 nodes grew from between one and five in 2020-2022 to at least 60 between June and August 2024.
These Tier 2 nodes serve several roles: exploitation servers that conscript new devices, payload servers that distribute the implant and its stage scripts, and reconnaissance infrastructure for further targeting.
Raptor Train has run at least four distinct campaigns since mid-2020, distinguished by the C2 root domains they used and the device types they targeted:
- Crossbill (May 2020 – April 2022) utilized the C2 root domain k3121.com and its subdomains.
- Finch (July 2022 – June 2023) leveraged the C2 root domain b2047.com and associated subdomains.
- Canary (May 2023 – August 2023) deployed multi-stage droppers with the C2 root domain b2047.com.
- Oriole (June 2023 – September 2024) exploited the C2 root domain w8510.com.
The Canary campaign in particular focused on ActionTec PK5000 modems, Hikvision IP cameras, Shenzhen TVT NVRs, and ASUS routers, and used a multi-stage infection chain. The first stage was a bash script that connected to a Tier 2 payload server to fetch Nosedive and a second bash script; that second script in turn retrieved a third-stage script from the payload server every 60 minutes.
“The w8510.com domain used in the Oriole campaign became so prominent that by June 3, 2024, it appeared in Cisco Umbrella’s domain rankings,” Lumen revealed.
“By August 7, 2024, it was also recognized within Cloudflare Radar’s top 1 million domains—an alarming development, as domains in these lists often bypass security tools via domain whitelisting, granting them continued access and avoiding detection.”
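A worked detection example, added here and not part of the article or of Lumen's report: a Python scanner that parses DNS query log lines, reduces each queried name to its registrable domain, matches it against the three C2 root domains listed in the campaign summary above, and contrasts that with the shortcut the Lumen quote warns about, where a domain's presence on a popularity list suppresses the alert. The log line format, the client addresses, the subdomain labels, and the contents of the popularity allowlist are all assumptions constructed for this example.

```python
"""Added example (not from the article or Lumen's report): DNS-log hunting for
Raptor Train C2 root domains, and why a popularity-list allowlist must not
suppress an IOC match.

Assumptions (constructed for this example): the log line format, the client
addresses, the subdomain labels, and the contents of POPULARITY_ALLOWLIST.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# C2 root domains and the campaigns that used them, as listed in the article.
# Finch and Canary both used b2047.com, so a hit on it cannot be attributed
# to a single campaign from the domain alone.
RAPTOR_TRAIN_ROOTS: Dict[str, str] = {
    "k3121.com": "Crossbill",
    "b2047.com": "Finch/Canary",
    "w8510.com": "Oriole",
}

# Assumed: a "top sites" list that an organisation treats as trusted. The
# article notes that w8510.com reached such lists, so it is included here to
# show the failure mode; example.com stands in for a genuinely benign entry.
POPULARITY_ALLOWLIST = {"example.com", "w8510.com"}

# Assumed log format: "<timestamp> <client-ip> <qtype> <qname>".
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<qtype>[A-Z]+) (?P<qname>\S+)$")


def registered_domain(qname: str) -> Optional[str]:
    """Reduce a queried name to its registrable domain.

    Deliberately label-based rather than substring-based: 'notw8510.com' must
    not match 'w8510.com'. The last-two-labels rule is enough for the .com
    roots on this page; a real deployment would use the Public Suffix List.
    """
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 2 or not all(labels):
        return None
    return ".".join(labels[-2:])


@dataclass
class Hit:
    ts: str
    client: str
    qname: str
    root: str
    campaign: str
    on_allowlist: bool  # True when an allowlist-first pipeline would hide this hit


def scan(lines: Iterable[str], honor_allowlist: bool = False) -> List[Hit]:
    """Return IOC hits for every DNS query whose registrable domain is a known
    Raptor Train C2 root. With honor_allowlist=True the scanner skips any
    domain found on the popularity list before checking IOCs, reproducing the
    blind spot the Lumen report describes."""
    hits: List[Hit] = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # malformed line; a real pipeline would count these
        root = registered_domain(m["qname"])
        if root is None:
            continue
        allowed = root in POPULARITY_ALLOWLIST
        if honor_allowlist and allowed:
            continue  # the dangerous shortcut: "popular, therefore benign"
        if root in RAPTOR_TRAIN_ROOTS:
            hits.append(Hit(m["ts"], m["client"], m["qname"], root,
                            RAPTOR_TRAIN_ROOTS[root], allowed))
    return hits


def hits_by_campaign(hits: Iterable[Hit]) -> Dict[str, int]:
    """Count hits per campaign for a quick triage summary."""
    counts: Dict[str, int] = {}
    for h in hits:
        counts[h.campaign] = counts.get(h.campaign, 0) + 1
    return counts


# Constructed sample log; clients, timestamps and subdomain labels are made up.
SAMPLE_LOG = [
    "2024-08-07T10:00:01Z 192.0.2.10 A www.example.com",
    "2024-08-07T10:00:02Z 192.0.2.11 A node7.w8510.com",
    "2024-08-07T10:00:03Z 192.0.2.11 A k3121.com",
    "2024-08-07T10:00:04Z 192.0.2.12 AAAA update.b2047.com",
    "2024-08-07T10:00:05Z 192.0.2.13 A notw8510.com",  # look-alike, not a hit
    "this line is malformed and is skipped",
]

if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        flag = " (would be hidden by allowlist)" if h.on_allowlist else ""
        print(f"{h.ts} {h.client} {h.qname} -> {h.campaign}{flag}")
    print("with allowlist honoured:",
          len(scan(SAMPLE_LOG, honor_allowlist=True)), "hits")
```

Run against the constructed log, the scanner reports three hits (Oriole, Crossbill, Finch/Canary) and drops to two when the popularity allowlist is consulted first, which is exactly the w8510.com blind spot described above. The design point is ordering: IOC matching must run before, and independently of, any popularity-based allowlisting, and domain matching must be label-based so that look-alike names such as notw8510.com neither match nor cause false positives.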
No DDoS attacks from the botnet have been confirmed so far, but there is evidence it has been used to target U.S. and Taiwanese entities in the military, government, higher education, telecommunications, defense industrial base, and information technology sectors.
Compromised bots within Raptor Train are also believed to have conducted possible exploitation attempts against Atlassian Confluence servers and Ivanti Connect Secure (ICS) appliances, further suggesting broad scanning and reconnaissance activity.
The attribution to Flax Typhoon, a group known for targeting entities in Taiwan, Southeast Asia, North America, and Africa, rests on overlapping tactics, language use, and victim profiles.
“This is an advanced, enterprise-level control system capable of managing upwards of 60 C2 servers and their infected nodes at any given moment,” Lumen stated.
“This infrastructure facilitates a broad array of operations, from scalable exploitation to remote file transfers and the orchestration of large-scale IoT-based DDoS attacks.”