{
  "name": "Dissecting RapperBot Botnet: From Infection to DDoS & More",
  "slug": "dissecting-rapperbot-botnet-from-infection-to-ddos-more",
  "description": "This report details the analysis of RapperBot, a sophisticated botnet targeting IoT devices, particularly Network Video Recorders (NVRs). The malware exploits vulnerabilities in these devices to build a large-scale DDoS infrastructure. The analysis covers the botnet's infection process, its command-and-control (C2) mechanisms, and its evolution over time. Key features include the use of NFS (Network File System) for malware distribution, encrypted DNS TXT records for C2 communication, and support for a wide range of device architectures. The report also discusses recent law enforcement actions against the botnet and provides recommendations for protecting against such threats.",
  "published": "2025-09-03T03:57:23+00:00",
  "created_at": "2025-09-03T03:57:23+00:00",
  "modified_at": "2025-09-03T05:01:34+00:00",
  "created_at_opencti": "2025-09-03T03:57:23+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2025-09-03",
    "botnet",
    "ddos",
    "dns",
    "encryption",
    "exploit",
    "infrastructure",
    "iot",
    "nvr",
    "rapperbot"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "94.26.90.217"
      },
      {
        "id": "",
        "name": "82.24.200.59"
      },
      {
        "id": "",
        "name": "82.24.200.45"
      },
      {
        "id": "",
        "name": "82.24.200.141"
      },
      {
        "id": "",
        "name": "82.24.200.139"
      },
      {
        "id": "",
        "name": "82.24.200.137"
      },
      {
        "id": "",
        "name": "77.90.153.136"
      },
      {
        "id": "",
        "name": "65.21.1.106"
      },
      {
        "id": "",
        "name": "62.146.235.220"
      },
      {
        "id": "",
        "name": "45.89.63.25"
      },
      {
        "id": "",
        "name": "194.226.121.51"
      },
      {
        "id": "",
        "name": "192.145.28.71"
      },
      {
        "id": "",
        "name": "188.92.28.62"
      },
      {
        "id": "",
        "name": "185.36.81.60"
      },
      {
        "id": "",
        "name": "104.194.9.127"
      },
      {
        "id": "",
        "name": "185.218.87.29"
      },
      {
        "id": "",
        "name": "185.218.87.28"
      },
      {
        "id": "",
        "name": "185.224.3.231"
      },
      {
        "id": "",
        "name": "154.81.156.55"
      },
      {
        "id": "",
        "name": "http://77.90.153.136/ss/armv4l"
      },
      {
        "id": "",
        "name": "http://185.218.87.28"
      },
      {
        "id": "",
        "name": "yfrv.zkuafimfdwvetxjq.live"
      },
      {
        "id": "",
        "name": "yfrv.zkuafimfdwvetxjq.info"
      },
      {
        "id": "",
        "name": "yfrv.gwyhhcorybwjwuzh.live"
      },
      {
        "id": "",
        "name": "yfrv.gwyhhcorybwjwuzh.info"
      },
      {
        "id": "",
        "name": "yfrv.gaihwstpzuomtfnu.live"
      },
      {
        "id": "",
        "name": "yfrv.gaihwstpzuomtfnu.info"
      },
      {
        "id": "",
        "name": "yfrv.byxwgimpbwiskniw.live"
      },
      {
        "id": "",
        "name": "pool.rentcheapcars.sbs"
      },
      {
        "id": "",
        "name": "yfrv.byxwgimpbwiskniw.info"
      },
      {
        "id": "",
        "name": "khbw.zkuafimfdwvetxjq.live"
      },
      {
        "id": "",
        "name": "khbw.zkuafimfdwvetxjq.info"
      },
      {
        "id": "",
        "name": "khbw.gwyhhcorybwjwuzh.live"
      },
      {
        "id": "",
        "name": "khbw.gwyhhcorybwjwuzh.info"
      },
      {
        "id": "",
        "name": "khbw.gaihwstpzuomtfnu.info"
      },
      {
        "id": "",
        "name": "khbw.gaihwstpzuomtfnu.live"
      },
      {
        "id": "",
        "name": "khbw.byxwgimpbwiskniw.live"
      },
      {
        "id": "",
        "name": "khbw.byxwgimpbwiskniw.info"
      },
      {
        "id": "",
        "name": "kdxa.zkuafimfdwvetxjq.live"
      },
      {
        "id": "",
        "name": "kdxa.zkuafimfdwvetxjq.info"
      },
      {
        "id": "",
        "name": "kdxa.gwyhhcorybwjwuzh.live"
      },
      {
        "id": "",
        "name": "kdxa.gwyhhcorybwjwuzh.info"
      },
      {
        "id": "",
        "name": "kdxa.gaihwstpzuomtfnu.live"
      },
      {
        "id": "",
        "name": "kdxa.byxwgimpbwiskniw.live"
      },
      {
        "id": "",
        "name": "kdxa.gaihwstpzuomtfnu.info"
      },
      {
        "id": "",
        "name": "kdxa.byxwgimpbwiskniw.info"
      },
      {
        "id": "",
        "name": "eicp.zkuafimfdwvetxjq.live"
      },
      {
        "id": "",
        "name": "eicp.zkuafimfdwvetxjq.info"
      },
      {
        "id": "",
        "name": "eicp.gwyhhcorybwjwuzh.live"
      },
      {
        "id": "",
        "name": "eicp.gwyhhcorybwjwuzh.info"
      },
      {
        "id": "",
        "name": "eicp.gaihwstpzuomtfnu.live"
      },
      {
        "id": "",
        "name": "eicp.gaihwstpzuomtfnu.info"
      },
      {
        "id": "",
        "name": "eicp.byxwgimpbwiskniw.live"
      },
      {
        "id": "",
        "name": "eicp.byxwgimpbwiskniw.info"
      },
      {
        "id": "",
        "name": "bignum.bit"
      },
      {
        "id": "",
        "name": "f351f144a58f1fa8dcacca2dfca3697e1fb2a833d483539999f06ed12e25d40e"
      },
      {
        "id": "",
        "name": "e6651f3b71839a3017560d80b75d31d52b689ed46708a90cf6306f3997baa34f"
      },
      {
        "id": "",
        "name": "e2163251facba4440d24a5e8cebeb71055f0e96c2d1aca04ebcb99e4ecb4c226"
      },
      {
        "id": "",
        "name": "d64ce359bc97c9643e66057dbd0ea9ed69d5272487e873119dc7a01134f852bc"
      },
      {
        "id": "",
        "name": "c9e4443effd31a916b1a5f2b44c2ed541edccd396e74e91df965d11bdd1e4c90"
      },
      {
        "id": "",
        "name": "c76d487bbf7cb1a6743d397381529f945b229c7df6b2ec27111d095a448f5402"
      },
      {
        "id": "",
        "name": "c20a92cba56462f28867afa88d261d00da48127aa61af8e8ff38904493abfc91"
      },
      {
        "id": "",
        "name": "c3665cbba37d4d491c1035c76c5dc5b910d79761d75fd36854eddbcac3866f10"
      },
      {
        "id": "",
        "name": "b28b57b7fb7affa57befb35ef6287602d1e4602f555dd258ab28333379fa8143"
      },
      {
        "id": "",
        "name": "af9b191bf88db7ea0836f3186a0ffb2bf7932f5a760aad387725f61dc3ce2742"
      },
      {
        "id": "",
        "name": "af2a6f1260fdb05c2c22a0d1443a48a2c6b59a83af4db29b61ae53509246ed63"
      },
      {
        "id": "",
        "name": "ae5dbccdfcd0e48e2065b462be5879d1c103e3dc9c553ce8eb319c6385580d78"
      },
      {
        "id": "",
        "name": "ad2031698ecda33c6a70f4f63ae07bdc652f196afbf77c7e12d9c9196bbfb9c4"
      },
      {
        "id": "",
        "name": "a82594f321a14d22c63b44b8b3f4e5dcb725aeda14db201cfe59d6b37cb8093f"
      },
      {
        "id": "",
        "name": "a1a6926b93bf296992cb31de76246f26d75870245f095e6289b83d5d60c4ef48"
      },
      {
        "id": "",
        "name": "9992bb441c3d633b3b14ab98e012761d0cfab06138f405e62c1699ece80d2c18"
      },
      {
        "id": "",
        "name": "943667119371cf93171f54be0cfe586c747fd2e24745235b8b94e5dc112ba3b2"
      },
      {
        "id": "",
        "name": "7c2198f1d618c12cd7c30328f2c0821d1b0c948adba0b437c529a8272c8d612c"
      },
      {
        "id": "",
        "name": "55173c8faa1f6bc92874c55fd280be21f7e581c1076ac50f238ff1c97b9f3a9f"
      },
      {
        "id": "",
        "name": "520a8d6ba4d9f083361e3c4758e0edb59a865e772571b91500a511a13fb9295b"
      },
      {
        "id": "",
        "name": "4ddf8f2d45ab665eb03b99d0af977fd189575420b87fe3840ca6838efc66a7b6"
      },
      {
        "id": "",
        "name": "4c497190ff8e20112e557794ac48cd807872109ee43b1c17f8087f71a5806ea8"
      },
      {
        "id": "",
        "name": "48a92a17695f17e7585a3a52682dbb578379ff18964b5f651ba4d96ad3563359"
      },
      {
        "id": "",
        "name": "35c14500814ac5bc2c71312bb1323f3be34afa878c7f06cefb0bf26f983564db"
      },
      {
        "id": "",
        "name": "34bf22669c899430ece4cf3272594d75c29d8bdb1ebb26b2bf0f997f9980fdbf"
      },
      {
        "id": "",
        "name": "329b5885b7e275adac37eb18a80ecdb3caf7be655086997faa2dfbc167d32b2f"
      },
      {
        "id": "",
        "name": "176858d674f19ed1c385ebfd952caea9f6a76f4b44828d6b8f21985476a35df0"
      },
      {
        "id": "",
        "name": "115f01a1bef2044e475b1f440d33bd1c276232d8040c16e8448c8d3e1a824948"
      },
      {
        "id": "",
        "name": "067ea583e47d768d50b4cf0e55aaaa37ebdb6dcd2f7b84e890892bbdea6c9740"
      }
    ],
    "malware": [
      {
        "id": "legacy:malware:ea258614692c3fd3",
        "name": "RapperBot",
        "slug": "rapperbot"
      }
    ],
    "intrusion_sets": [
      {
        "id": "46473ce7-610c-4f94-96c6-10270edab418",
        "name": "RapperBot",
        "slug": "rapperbot"
      }
    ],
    "attack_patterns": [
      {
        "id": "e948db36-930d-4013-99ed-fdf14b65907e",
        "name": "T1589.002"
      },
      {
        "id": "5999052b-e9ae-49e8-9235-d9bf975c22af",
        "name": "T1547.001"
      },
      {
        "id": "2e0c6db7-16a7-4bf6-992e-263474014fce",
        "name": "T1059.004"
      },
      {
        "id": "dc17cbbd-40d8-43cf-b3cf-50d1276db2c7",
        "name": "T1016"
      },
      {
        "id": "70616b2f-4019-4963-b758-5d9f6f20e201",
        "name": "T1082"
      },
      {
        "id": "cbd87c8c-3bed-461a-acef-56ffc8b87571",
        "name": "T1105"
      },
      {
        "id": "45082a8e-9c79-470e-ad1b-decac7188e8f",
        "name": "T1083"
      },
      {
        "id": "53c193a7-f726-4bd2-ae88-4019e2604adf",
        "name": "T1046"
      },
      {
        "id": "c340d47a-2ea8-41ca-9a0b-a72559b89bbf",
        "name": "T1584"
      },
      {
        "id": "6c8f8a40-2746-4a37-86bd-81e82afa6e62",
        "name": "T1190"
      },
      {
        "id": "b9eab970-53dd-4977-9a26-c4fe566e422d",
        "name": "T1133"
      }
    ]
  },
  "external_refs": [
    "https://www.bitsight.com/blog/rapperbot-infection-ddos-split-second",
    "https://otx.alienvault.com/pulse/68b7d8c30d43bf797983c817"
  ]
}