Rapper Bot
Rapper Bot is a DDoS botnet, also referred to as the Eleven Eleven Botnet and CowBot. Authorities described it as among the most powerful DDoS botnets on record. It primarily infected internet-connected IoT devices, especially digital video recorders (DVRs) and Wi‑Fi routers, with estimates ranging from roughly 65,000 to 95,000 compromised devices worldwide. Reporting states the botnet had been operating since at least 2021.
Its primary capability was large-scale distributed denial-of-service activity. Authorities said Rapper Bot regularly generated attacks in the 2–3 Tbps range, with its largest attack possibly exceeding 6 Tbps. From April to early August, officials alleged it conducted more than 370,000 attacks against about 18,000 unique victims across 1,000 autonomous system numbers in 80 countries, with attack concentration noted in China, Japan, the United States, Ireland, and Hong Kong. One report also states the botnet targeted the Pentagon.
Investigators alleged Ethan Foltz of Eugene, Oregon, was the developer and primary administrator, and that he admitted being the primary administrator during a recorded interview. He identified a partner known as "SlayKings." Authorities said the botnet code was derived from Mirai, Tsunami, and fBot. The U.S. Department of Justice said authorities gained control of the botnet and stopped attacks after a warrant was served on Aug. 6, at which point Foltz allegedly disabled outbound attack capability and transferred administrative control to personnel of the Defense Criminal Investigative Service (DCIS).
Reporting also notes that the seizure of Rapper Bot and the arrest of its alleged leader in August paved the way for Aisuru and Kimwolf to gain strength. Private-sector assistance to the investigation included Akamai, Amazon Web Services, Cloudflare, Digital Ocean, Flashpoint, Google, PayPal, and Unit 221B.
High-confidence indicators and identifiers mentioned in reporting include the aliases Eleven Eleven Botnet and CowBot, the malware name Rapper Bot / RapperBot, and its association with compromised DVRs and Wi‑Fi routers.
Techniques & procedures
1 distinct technique documented for this family, organized by ATT&CK tactic.
Impact (1 technique)
Authorities claim they’ve gained control of Rapper Bot and stopped attacks emanating from what they described as “among the most powerful DDoS botnets to have ever existed.” ... Rapper Bot allegedly conducted more than 370,000 attacks... Officials said Rapper Bot regularly conducted DDoS attacks measured between two to three terabits per second, adding that Rapper Bot’s largest attack may have exceeded six terabits per second.
Recent activity
4 sources tracked across advisories, community write-ups, and news.
Named as one of the botnets disrupted as part of broader law enforcement action against cybercrime infrastructure.
A botnet referenced as having been seized; its takedown and the arrest of its alleged leader reportedly created conditions that enabled Aisuru and Kimwolf to grow stronger.
A large DDoS botnet/booter service composed of compromised internet-connected devices, used to launch high-volume traffic-flooding attacks (reported up to ~2 Tbps) against targets including U.S. government infrastructure.
Large-scale IoT DDoS botnet primarily infecting digital video recorders and Wi‑Fi routers to conduct high-tempo volumetric DDoS attacks (reported commonly 2–3 Tbps, with a peak possibly exceeding 6 Tbps).