{
  "name": "Derailing the Raptor Train",
  "slug": "derailing-the-raptor-train",
  "description": "A large, multi-tiered botnet called Raptor Train, likely operated by the Chinese threat actor Flax Typhoon, has been discovered. Consisting of over 60,000 compromised SOHO and IoT devices at its peak, it's one of the largest Chinese state-sponsored IoT botnets to date. The botnet uses a sophisticated control system called Sparrow to manage its infrastructure and execute various tasks. While no DDoS attacks have been observed from the botnet, it has targeted U.S. and Taiwanese entities in sectors like military, government, education, and telecommunications. The network architecture includes three tiers: compromised devices, exploitation and C2 servers, and management nodes. Campaigns have evolved over four years, showing increasing sophistication in tactics and scale.",
  "published": "2024-09-20T09:41:41+00:00",
  "created_at": "2024-09-20T09:41:41+00:00",
  "modified_at": "2024-09-20T10:18:08+00:00",
  "created_at_opencti": "2024-09-20T09:41:41+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2024-09-20",
    "botnet",
    "ddos",
    "iot",
    "raptor train"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "92.38.185.47"
      },
      {
        "id": "",
        "name": "92.38.185.46"
      },
      {
        "id": "",
        "name": "92.38.185.44"
      },
      {
        "id": "",
        "name": "92.38.185.43"
      },
      {
        "id": "",
        "name": "92.38.176.156"
      },
      {
        "id": "",
        "name": "92.38.176.131"
      },
      {
        "id": "",
        "name": "92.38.135.146"
      },
      {
        "id": "",
        "name": "92.223.30.241"
      },
      {
        "id": "",
        "name": "92.223.30.233"
      },
      {
        "id": "",
        "name": "92.223.30.232"
      },
      {
        "id": "",
        "name": "91.216.190.80"
      },
      {
        "id": "",
        "name": "91.216.190.74"
      },
      {
        "id": "",
        "name": "91.216.190.247"
      },
      {
        "id": "",
        "name": "91.216.190.2"
      },
      {
        "id": "",
        "name": "91.216.190.154"
      },
      {
        "id": "",
        "name": "89.44.198.254"
      },
      {
        "id": "",
        "name": "89.44.198.195"
      },
      {
        "id": "",
        "name": "89.44.198.200"
      },
      {
        "id": "",
        "name": "85.90.216.69"
      },
      {
        "id": "",
        "name": "85.90.216.115"
      },
      {
        "id": "",
        "name": "85.90.216.116"
      },
      {
        "id": "",
        "name": "85.90.216.112"
      },
      {
        "id": "",
        "name": "78.141.238.97"
      },
      {
        "id": "",
        "name": "5.45.184.68"
      },
      {
        "id": "",
        "name": "85.90.216.111"
      },
      {
        "id": "",
        "name": "5.181.27.6"
      },
      {
        "id": "",
        "name": "5.181.27.219"
      },
      {
        "id": "",
        "name": "5.188.33.135"
      },
      {
        "id": "",
        "name": "5.181.27.19"
      },
      {
        "id": "",
        "name": "45.80.215.47"
      },
      {
        "id": "",
        "name": "5.181.27.21"
      },
      {
        "id": "",
        "name": "45.80.215.156"
      },
      {
        "id": "",
        "name": "45.80.215.155"
      },
      {
        "id": "",
        "name": "45.80.215.186"
      },
      {
        "id": "",
        "name": "45.80.215.154"
      },
      {
        "id": "",
        "name": "45.80.215.152"
      },
      {
        "id": "",
        "name": "45.80.215.151"
      },
      {
        "id": "",
        "name": "45.80.215.150"
      },
      {
        "id": "",
        "name": "45.77.231.209"
      },
      {
        "id": "",
        "name": "45.135.117.136"
      },
      {
        "id": "",
        "name": "45.135.117.131"
      },
      {
        "id": "",
        "name": "45.13.199.96"
      },
      {
        "id": "",
        "name": "45.13.199.84"
      },
      {
        "id": "",
        "name": "45.13.199.140"
      },
      {
        "id": "",
        "name": "45.13.199.207"
      },
      {
        "id": "",
        "name": "45.10.58.132"
      },
      {
        "id": "",
        "name": "45.10.58.130"
      },
      {
        "id": "",
        "name": "45.10.58.128"
      },
      {
        "id": "",
        "name": "45.10.58.129"
      },
      {
        "id": "",
        "name": "37.9.35.89"
      },
      {
        "id": "",
        "name": "37.61.229.17"
      },
      {
        "id": "",
        "name": "37.61.229.15"
      },
      {
        "id": "",
        "name": "23.236.68.229"
      },
      {
        "id": "",
        "name": "23.236.68.193"
      },
      {
        "id": "",
        "name": "23.236.68.213"
      },
      {
        "id": "",
        "name": "223.98.159.112"
      },
      {
        "id": "",
        "name": "210.61.186.117"
      },
      {
        "id": "",
        "name": "207.148.68.131"
      },
      {
        "id": "",
        "name": "207.148.122.69"
      },
      {
        "id": "",
        "name": "202.182.109.151"
      },
      {
        "id": "",
        "name": "195.234.62.198"
      },
      {
        "id": "",
        "name": "195.234.62.192"
      },
      {
        "id": "",
        "name": "195.234.62.197"
      },
      {
        "id": "",
        "name": "195.234.62.19"
      },
      {
        "id": "",
        "name": "195.234.62.188"
      },
      {
        "id": "",
        "name": "195.234.62.184"
      },
      {
        "id": "",
        "name": "195.234.62.18"
      },
      {
        "id": "",
        "name": "185.14.45.160"
      },
      {
        "id": "",
        "name": "155.138.151.225"
      },
      {
        "id": "",
        "name": "155.138.133.56"
      },
      {
        "id": "",
        "name": "149.248.51.22"
      },
      {
        "id": "",
        "name": "14.1.98.223"
      },
      {
        "id": "",
        "name": "139.180.137.219"
      },
      {
        "id": "",
        "name": "114.255.70.30"
      },
      {
        "id": "",
        "name": "114.255.70.20"
      },
      {
        "id": "",
        "name": "104.244.89.157"
      },
      {
        "id": "",
        "name": "92.38.185.45"
      },
      {
        "id": "",
        "name": "92.38.178.232"
      },
      {
        "id": "",
        "name": "85.90.216.110"
      },
      {
        "id": "",
        "name": "65.20.97.251"
      },
      {
        "id": "",
        "name": "5.188.33.228"
      },
      {
        "id": "",
        "name": "45.80.215.149"
      },
      {
        "id": "",
        "name": "45.13.199.45"
      },
      {
        "id": "",
        "name": "45.13.199.152"
      },
      {
        "id": "",
        "name": "45.13.199.104"
      },
      {
        "id": "",
        "name": "45.10.58.133"
      },
      {
        "id": "",
        "name": "23.236.69.82"
      },
      {
        "id": "",
        "name": "23.236.69.110"
      },
      {
        "id": "",
        "name": "23.236.68.161"
      },
      {
        "id": "",
        "name": "185.207.154.253"
      },
      {
        "id": "",
        "name": "45.92.70.71"
      },
      {
        "id": "",
        "name": "45.92.70.68"
      },
      {
        "id": "",
        "name": "45.92.70.115"
      },
      {
        "id": "",
        "name": "45.92.70.113"
      },
      {
        "id": "",
        "name": "45.92.70.112"
      },
      {
        "id": "",
        "name": "45.92.70.111"
      },
      {
        "id": "",
        "name": "zdacxzd.w8510.com"
      },
      {
        "id": "",
        "name": "zdacasdc.w8510.com"
      },
      {
        "id": "",
        "name": "zasdfgasd.w8510.com"
      },
      {
        "id": "",
        "name": "xxqw.b2047.com"
      },
      {
        "id": "",
        "name": "xbqw.k3121.com"
      },
      {
        "id": "",
        "name": "xaqw.k3121.com"
      },
      {
        "id": "",
        "name": "wmllxwkg.w8510.com"
      },
      {
        "id": "",
        "name": "voias.b2047.com"
      },
      {
        "id": "",
        "name": "tuisasdcxzd.w8510.com"
      },
      {
        "id": "",
        "name": "qwsd.k3121.com"
      },
      {
        "id": "",
        "name": "oklm.k3121.com"
      },
      {
        "id": "",
        "name": "ocmnusdjdik.w8510.com"
      },
      {
        "id": "",
        "name": "nulp.k3121.com"
      },
      {
        "id": "",
        "name": "mjiudwajhkf.w8510.com"
      },
      {
        "id": "",
        "name": "mail.k3121.com"
      },
      {
        "id": "",
        "name": "lyblqwesfawe.w8510.com"
      },
      {
        "id": "",
        "name": "lfdx.k3121.com"
      },
      {
        "id": "",
        "name": "kuyw.b2047.com"
      },
      {
        "id": "",
        "name": "kliscjaisdjhi.w8510.com"
      },
      {
        "id": "",
        "name": "hyjk.k3121.com"
      },
      {
        "id": "",
        "name": "hume.b2047.com"
      },
      {
        "id": "",
        "name": "hnai.k3121.com"
      },
      {
        "id": "",
        "name": "firc.b2047.com"
      },
      {
        "id": "",
        "name": "bzbatflwb.w8510.com"
      },
      {
        "id": "",
        "name": "ayln.b2047.com"
      },
      {
        "id": "",
        "name": "axqw.k3121.com"
      },
      {
        "id": "",
        "name": "awqx.k3121.com"
      },
      {
        "id": "",
        "name": "awerdasvbjgrt.b2047.com"
      },
      {
        "id": "",
        "name": "awbpxtpi.w8510.com"
      },
      {
        "id": "",
        "name": "api.k3121.com"
      },
      {
        "id": "",
        "name": "apdfhhjcxcb.w8510.com"
      },
      {
        "id": "",
        "name": "aewreiuicajo.w8510.com"
      },
      {
        "id": "",
        "name": "zuszr.com"
      },
      {
        "id": "",
        "name": "ysubryfv.com"
      },
      {
        "id": "",
        "name": "ykcmewapc.com"
      },
      {
        "id": "",
        "name": "wvsezu.com"
      },
      {
        "id": "",
        "name": "woaba.com"
      },
      {
        "id": "",
        "name": "wndaoyk.com"
      },
      {
        "id": "",
        "name": "vgbgwzmr.com"
      },
      {
        "id": "",
        "name": "vbbrfvhrg.com"
      },
      {
        "id": "",
        "name": "ujrtkw.com"
      },
      {
        "id": "",
        "name": "tvcvhzyk.com"
      },
      {
        "id": "",
        "name": "ttcyci.com"
      },
      {
        "id": "",
        "name": "sreudcnb.com"
      },
      {
        "id": "",
        "name": "sbuybjv.com"
      },
      {
        "id": "",
        "name": "saoadlg.com"
      },
      {
        "id": "",
        "name": "rnjca.com"
      },
      {
        "id": "",
        "name": "qsxgzu.com"
      },
      {
        "id": "",
        "name": "qjknpv.com"
      },
      {
        "id": "",
        "name": "osiso.com"
      },
      {
        "id": "",
        "name": "oploz.com"
      },
      {
        "id": "",
        "name": "omviak.com"
      },
      {
        "id": "",
        "name": "oicdsgjxz.com"
      },
      {
        "id": "",
        "name": "obqlibg.com"
      },
      {
        "id": "",
        "name": "nmfagp.com"
      },
      {
        "id": "",
        "name": "nhcmdikkd.com"
      },
      {
        "id": "",
        "name": "mvxnspcqr.com"
      },
      {
        "id": "",
        "name": "mudvw.com"
      },
      {
        "id": "",
        "name": "lznmihdej.com"
      },
      {
        "id": "",
        "name": "lomuzs.com"
      },
      {
        "id": "",
        "name": "lofeuq.com"
      },
      {
        "id": "",
        "name": "lfzupr.com"
      },
      {
        "id": "",
        "name": "kmgzbowwg.com"
      },
      {
        "id": "",
        "name": "jkwxcc.com"
      },
      {
        "id": "",
        "name": "jgnsqihc.com"
      },
      {
        "id": "",
        "name": "iycwqot.com"
      },
      {
        "id": "",
        "name": "hyddh.com"
      },
      {
        "id": "",
        "name": "hy830.com"
      },
      {
        "id": "",
        "name": "hy92.com"
      },
      {
        "id": "",
        "name": "hy811.com"
      },
      {
        "id": "",
        "name": "hy529.com"
      },
      {
        "id": "",
        "name": "hy619.com"
      },
      {
        "id": "",
        "name": "hy424.com"
      },
      {
        "id": "",
        "name": "hy42.com"
      },
      {
        "id": "",
        "name": "hy324.com"
      },
      {
        "id": "",
        "name": "hy30.com"
      },
      {
        "id": "",
        "name": "hy229.com"
      },
      {
        "id": "",
        "name": "hy1025.com"
      },
      {
        "id": "",
        "name": "hfsdln.com"
      },
      {
        "id": "",
        "name": "hersrr.com"
      },
      {
        "id": "",
        "name": "grntjr.com"
      },
      {
        "id": "",
        "name": "gmhrxhc.com"
      },
      {
        "id": "",
        "name": "glxxet.com"
      },
      {
        "id": "",
        "name": "ftcexq.com"
      },
      {
        "id": "",
        "name": "fajxtg.com"
      },
      {
        "id": "",
        "name": "eufcj.com"
      },
      {
        "id": "",
        "name": "ecvkiehs.com"
      },
      {
        "id": "",
        "name": "dvujvkfu.com"
      },
      {
        "id": "",
        "name": "dkuwbcen.com"
      },
      {
        "id": "",
        "name": "cvmnomvxm.com"
      },
      {
        "id": "",
        "name": "cvgeuwo.com"
      },
      {
        "id": "",
        "name": "clqqknzb.com"
      },
      {
        "id": "",
        "name": "bxgtbv.com"
      },
      {
        "id": "",
        "name": "blepmhnay.com"
      },
      {
        "id": "",
        "name": "bkhqwfhtu.com"
      },
      {
        "id": "",
        "name": "bcdkwwuah.com"
      },
      {
        "id": "",
        "name": "aqakffj.com"
      },
      {
        "id": "",
        "name": "amdord.com"
      },
      {
        "id": "",
        "name": "adjsn.com"
      },
      {
        "id": "",
        "name": "c6fe1748e68923f278926ee8679aaee22800b9c93c38641d12ea0e945e116bb0"
      },
      {
        "id": "",
        "name": "546390a3a296154e36051dda745b573658311f9831789bb1faca411a3803a9bb"
      },
      {
        "id": "",
        "name": "2aa12e5989065951be84ce932b65bd197dd6be3fa987838bad48536c0c74d145"
      }
    ],
    "malware": [
      {
        "id": "legacy:malware:a26d1b547576ee3b",
        "name": "Nosedive",
        "slug": "nosedive"
      }
    ],
    "intrusion_sets": [
      {
        "id": "4d332817-c82c-4998-ac0a-43045a3d9be3",
        "name": "Flax Typhoon",
        "slug": "flax-typhoon"
      }
    ],
    "attack_patterns": [
      {
        "id": "7616ff60-a18f-4663-9824-b889aa01c8ce",
        "name": "T1588"
      },
      {
        "id": "5e3b3612-8bf8-46e1-943e-b4c1524bef11",
        "name": "T1587"
      },
      {
        "id": "a2ba5594-6293-4868-928c-ab4b31927a02",
        "name": "T1572"
      },
      {
        "id": "16e26db7-7376-40c1-b8a9-23d56c44f7ee",
        "name": "T1571"
      },
      {
        "id": "88fa397b-4cc9-42c0-b52d-4108f9630529",
        "name": "T1095"
      },
      {
        "id": "a72ebeae-8e62-4039-8135-e9c611011fdc",
        "name": "T1573"
      },
      {
        "id": "cbd87c8c-3bed-461a-acef-56ffc8b87571",
        "name": "T1105"
      },
      {
        "id": "8ed2b0cb-034c-4425-920d-ee06e5cf98ed",
        "name": "T1104"
      },
      {
        "id": "dc342445-1b78-48b4-aa06-89ed2ad7c28e",
        "name": "T1071"
      },
      {
        "id": "747c7b95-79ff-4132-8ea5-397cb6665ebd",
        "name": "T1498"
      },
      {
        "id": "306ee8dc-1d64-4916-96be-18060d690ad7",
        "name": "T1499"
      },
      {
        "id": "81ee4813-4f68-4984-bec1-980d7c5b56eb",
        "name": "T1132"
      },
      {
        "id": "c340d47a-2ea8-41ca-9a0b-a72559b89bbf",
        "name": "T1584"
      },
      {
        "id": "6c8f8a40-2746-4a37-86bd-81e82afa6e62",
        "name": "T1190"
      },
      {
        "id": "b9eab970-53dd-4977-9a26-c4fe566e422d",
        "name": "T1133"
      },
      {
        "id": "ca53b2fa-42a8-45ec-9682-0cf54bf280f3",
        "name": "T1090"
      }
    ],
    "vulnerabilities": [
      {
        "id": "",
        "name": "CVE-2024-21887"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "Taiwan"
      },
      {
        "id": "",
        "name": "Kazakhstan"
      },
      {
        "id": "",
        "name": "United States of America"
      },
      {
        "id": "",
        "name": "Technology"
      },
      {
        "id": "",
        "name": "Defense"
      },
      {
        "id": "",
        "name": "Education"
      },
      {
        "id": "",
        "name": "Telecommunications"
      },
      {
        "id": "",
        "name": "Government"
      }
    ]
  },
  "external_refs": [
    "https://blog.lumen.com/derailing-the-raptor-train",
    "https://otx.alienvault.com/pulse/66ed5f759cb7f49646e791b2"
  ]
}