Derailing the Raptor Train
Essential information
- Published: 20/09/2024 11:41
- Modified: 20/09/2024 12:18
- Tags: 2024-09-20, botnet, ddos, iot, raptor train
- Related entities: 1 vulnerability (CVE), 198 observables, 1 intrusion set (APT), 16 techniques (MITRE), 1 malware, 8 others
Description
A large, multi-tiered botnet called Raptor Train, likely operated by the Chinese state-sponsored threat actor Flax Typhoon, has been discovered. Consisting of over 60,000 compromised SOHO and IoT devices at its peak, it is one of the largest Chinese state-sponsored IoT botnets to date. The botnet uses a control system called Sparrow to manage its infrastructure and execute tasks across the network. While no DDoS attacks have been observed, the botnet has targeted U.S. and Taiwanese entities in sectors such as military, government, education, and telecommunications. The network architecture consists of three tiers: the compromised devices themselves, the exploitation and C2 servers that control them, and the management nodes above those. Campaigns have evolved over four years, showing increasing sophistication in tactics and scale.