Raptor Train

Raptor Train is a large China-linked botnet active since at least May 2020 and disrupted by the FBI and Black Lotus Labs in 2024. It infected more than 200,000 devices worldwide over its lifetime, with reporting citing more than 260,000 compromised networking and IoT devices and a peak of over 60,000 active devices in June 2023. The botnet targeted critical infrastructure and strategic sectors including military, government, telecommunications, higher education, defense industrial base, and IT organizations, with primary targeting observed against entities in the United States and Taiwan and at least one government target in Kazakhstan.

The botnet infected SOHO routers, modems, IP cameras, NVRs, DVRs, firewalls, and NAS devices from numerous vendors including ActionTec, ASUS, TP-LINK, DrayTek, Tenda, Ruijie, Zyxel, Ruckus, Hikvision, D-LINK, AXIS, Panasonic, Shenzhen TVT, QNAP, Fujitsu, and Synology. Researchers reported exploitation of more than 20 device types using both zero-day and known vulnerabilities. The primary payload was a Mirai variant called Nosedive. Although Nosedive is associated with DDoS capability, researchers did not observe Raptor Train conducting DDoS attacks in the wild.

Black Lotus Labs described Raptor Train as a sophisticated multi-tiered botnet with enterprise-grade control infrastructure. Its architecture included Tier 1 bots on infected edge and IoT devices, Tier 2 nodes for second-stage delivery and command-and-control, and Tier 3 management systems referred to by the operators as Sparrow nodes. The Sparrow nodes were manually operated over SSH or TLS and included a web interface, backend services, and tooling to generate payloads and exploits. Tier 1 infections were typically short-lived, averaging about 17 days because the Nosedive payload lacked persistence, while Tier 2 and Tier 3 nodes persisted longer. The botnet’s command-and-control footprint expanded significantly over time, growing from a handful of nodes to more than 60 in 2024.

Observed activity included scanning of U.S. military and government networks, targeting of IT providers and defense industrial base organizations, and exploitation attempts against Atlassian Confluence servers and Ivanti Connect Secure appliances, likely including CVE-2024-21887. In the Canary campaign beginning in May 2023, operators focused on ActionTec PK5000 modems, Hikvision IP cameras, Shenzhen TVT NVRs, and ASUS RT and GT routers; one Tier 2 server infected at least 16,000 devices over nearly two months. Another campaign, Oriole, ran from June 2023 until September 2024 and used infrastructure including the domain w8510[.]com.

The FBI linked Raptor Train with high confidence to the Chinese state-sponsored Flax Typhoon threat group and stated that the botnet was controlled through infrastructure operated by Integrity Technology Group using China Unicom Beijing Province Network IP addresses. Reporting also noted Chinese-language code comments and interface text, and that Tier 3 to Tier 2 SSH connections occurred almost exclusively during China’s normal workweek hours. During disruption efforts, the FBI conducted court-authorized operations to seize infrastructure and remove malware from infected devices, while Black Lotus Labs null-routed traffic to known management, command-and-control, payload, and exploitation infrastructure. The FBI also reported that operators attempted to migrate infected devices to new servers during the takedown.