A new cyber threat has emerged, drawing attention from experts. Lumen’s Black Lotus Labs has identified a botnet named Raptor Train, which is composed of IoT and small office/home office (SOHO) devices. Analysts suspect that Raptor Train is linked to the China-based APT group Flax Typhoon (also known as RedJuliett or Ethereal Panda).
Overview of the Raptor Train Botnet
The Raptor Train Botnet is designed to execute coordinated cyber-attacks, including data theft, espionage, and DDoS assaults. Experts believe the botnet has been active since May 2020 and peaked in June 2023 with around 60,000 compromised devices.
Since May 2020, over 200,000 devices—including NVR/DVR systems, NAS servers, IP cameras, and SOHO routers—have been compromised and integrated into Raptor Train, making it one of the largest IoT botnets linked to China.
A command-and-control (C2) domain from a recent campaign appeared in the Cisco Umbrella and Cloudflare Radar “top 1 million” domain rankings, meaning enough infected devices were resolving it to rank it among the most-queried domains on the internet and indicating significant device exploitation. Analysts estimate that Raptor Train has compromised more than 100,000 devices.
Flax Typhoon: The APT Behind the Botnet
Flax Typhoon is notorious for its cyber-espionage activities, targeting various sectors such as telecommunications, government agencies, and defense contractors. The group is recognized for its stealthy approach and sophisticated malware, which it employs to gain access and extract sensitive data.
Raptor Train exploits vulnerabilities in IoT devices; once a device is compromised, it joins the botnet and receives instructions from C2 servers, enabling a range of malicious activities:
- Espionage: Tracking and stealing data from organizations.
- DDoS Attacks: Overloading the target network with traffic to render it inaccessible.
- Data Theft: Extracting sensitive information from victims’ devices.