Researchers from Lumen’s Black Lotus Labs have uncovered a large-scale IoT botnet named Raptor Train, which has compromised over 200,000 devices globally and has been operational since at least May 2020. The botnet is assessed to be controlled by the China-linked Advanced Persistent Threat (APT) group Flax Typhoon, also tracked as Ethereal Panda or RedJuliett.
The Raptor Train botnet primarily targets small office/home office (SOHO) and IoT devices, such as routers, NAS servers, NVR/DVR devices, and IP cameras. It is one of the largest China-linked IoT botnets discovered to date, with more than 60,000 actively compromised devices at its peak in June 2023. The botnet’s command-and-control (C2) domains have even appeared on Cloudflare Radar’s and Cisco Umbrella’s “top 1 million” lists, a measure of how much traffic the bot population generates, and a reminder that presence on a popularity list is no indication that a domain is benign.
Researchers estimate that hundreds of thousands of devices may have been compromised since the botnet’s inception, making it a serious global threat. The compromised devices are spread across various sectors, including military, government, education, telecommunications, and defense industries, with notable targeting in the U.S. and Taiwan.
The Raptor Train botnet operates using a three-tiered architecture that separates the compromised devices from the infrastructure used to control them. The structure is designed to scale, allowing the operators to manage large numbers of infected IoT devices:
The Raptor Train botnet has compromised a wide range of devices from leading manufacturers, including:
These devices, often poorly secured or running outdated firmware, are attractive targets for building botnets capable of launching large-scale attacks, such as distributed denial-of-service (DDoS) attacks.
The attribution of Raptor Train to the Flax Typhoon APT group is based on multiple indicators, including:
The botnet has primarily targeted entities in the U.S. and Taiwan, likely to gather intelligence and to pre-position for future cyber operations.
The Raptor Train botnet is controlled through a centralized, enterprise-style management infrastructure. The Sparrow management tool allows the operators to:
According to Lumen’s Black Lotus Labs, the operators of Raptor Train manage this botnet through 60+ C2 servers, utilizing a sophisticated backend system to maintain control and execute attacks across compromised networks.
While the Raptor Train botnet has not yet been observed conducting large-scale DDoS attacks, experts warn that this capability could be leveraged in the future. Given the size and scope of the botnet, it has the potential to disrupt critical infrastructure or amplify cyberattacks targeting geopolitical interests.
With many of the compromised devices located in sensitive sectors, such as defense and telecommunications, the botnet could be used for espionage, data theft, or even cyber sabotage. As the botnet evolves, it could become a key tool for state-sponsored cyber warfare operations.
Organizations and individuals with IoT devices or SOHO equipment should take proactive measures to protect their systems from becoming part of botnets like Raptor Train:
The discovery of the Raptor Train botnet further highlights the growing threat posed by insecure IoT devices. With over 200,000 compromised devices globally and links to a China-based APT group, this botnet has the potential to carry out massive DDoS attacks and other cyber operations. Organizations must remain vigilant and implement strong security practices to keep their devices from becoming part of it.