Nosedive
Vulnerabilities exploited
1 CVE Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
Black Lotus Labs notes that the botnet was also involved in exploitation attempts against Atlassian Confluence servers and Ivanti Connect Secure appliances (likely via CVE-2024-21887) at organizations in the same activity sectors.
Groups observed using it
1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
The primary implant seen on most of the Tier 1 nodes, which Black Lotus Labs calls “Nosedive”, is a custom variation of the Mirai implant that is supported on all major SOHO and IoT architectures (e.g. MIPS, ARM, SuperH, PowerPC, etc.).
Techniques & procedures
14 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development
1 technique
Black Lotus Labs began an investigation into compromised routers that led to the discovery of a large, multi-tiered botnet consisting of small office/home office (SOHO) and IoT devices... We call this botnet “Raptor Train.”
Initial Access
1 technique
The operators are likely exploiting more than 20 different device types with both 0-day and n-day (known) vulnerabilities for inclusion as Tier 1 nodes.
Execution
2 techniques
Once deployed, Nosedive runs in-memory only and allows the operators to execute commands, upload and download files, and run DDoS attacks on compromised devices.
The researchers say that Raptor Train operators add devices to Tier 1 likely by “exploiting more than 20 different device types with both 0-day and n-day (known) vulnerabilities.”
Defense Evasion
5 techniques
Nosedive implants are delivered via multi-stage droppers using encoded URL schemes, making detection challenging.
Once deployed, the malware operates entirely in-memory... This memory-resident nature, combined with anti-forensics techniques such as obfuscated processes and multi-stage infections, complicates detection and analysis.
This, in addition to anti-forensics techniques employed on these devices including the obfuscation of running process names... makes detection and forensics much more difficult.
All samples Black Lotus Labs found of Nosedive and its associated droppers were memory-resident only and deleted from disk.
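The memory-resident behaviour described above leaves two artefacts on a Linux or embedded-Linux host that a responder can check without a disk image: a running process whose backing binary has been unlinked (the kernel exposes this as a " (deleted)" suffix on the /proc/<pid>/exe link target) and a process whose kernel-visible name (comm) no longer matches the executable it was started from. The following scanner is an added example written for this page, not Black Lotus Labs' or Mallory's code; the sample process table, the path /tmp/.x and the sshd disguise in it are constructed for illustration and are not indicators from the report. The proc_root parameter exists only so the scan can be exercised against a constructed /proc tree; on a live device it is left at /proc.

```python
"""Host-side hunt for memory-resident implants on Linux / embedded Linux.

Added example for this page, not Black Lotus Labs' or Mallory's code.
Each /proc/<pid> is checked for:
  1. a backing executable deleted from disk (" (deleted)" on the exe link);
  2. comm differing from the basename of the exe link (process renamed itself).
Signal 2 is weak on its own: shebang scripts legitimately show comm=script
and exe=/bin/sh, so findings carry their reasons and the deleted-exe case is
the one to escalate.
"""
import os
import tempfile
from dataclasses import dataclass, field

STRONG = "executable deleted from disk"
WEAK = "comm differs from exe basename"
DELETED = " (deleted)"


@dataclass
class Finding:
    pid: int
    exe: str
    comm: str
    cmdline: str
    reasons: list = field(default_factory=list)


def _read_text(path):
    try:
        with open(path, "rb") as fh:
            return fh.read().decode("utf-8", "replace")
    except OSError:
        return ""


def inspect_pid(pid_dir):
    """Return a Finding for one /proc/<pid> directory, or None if it looks clean."""
    pid = int(os.path.basename(pid_dir))
    try:
        exe = os.readlink(os.path.join(pid_dir, "exe"))
    except OSError:
        return None  # kernel thread, or a process we are not permitted to inspect
    comm = _read_text(os.path.join(pid_dir, "comm")).strip()
    cmdline = " ".join(a for a in _read_text(os.path.join(pid_dir, "cmdline")).split("\0") if a)
    reasons = []
    if exe.endswith(DELETED):
        reasons.append(STRONG)
        exe_base = os.path.basename(exe[: -len(DELETED)])
    else:
        exe_base = os.path.basename(exe)
    # comm is truncated to 15 bytes by the kernel, so compare on that prefix
    if comm and exe_base and comm != exe_base[:15]:
        reasons.append(WEAK)
    return Finding(pid, exe, comm, cmdline, reasons) if reasons else None


def scan_proc(proc_root="/proc"):
    """Scan every numeric entry under proc_root; return findings ordered by pid."""
    findings = []
    for pid in sorted(int(n) for n in os.listdir(proc_root) if n.isdigit()):
        f = inspect_pid(os.path.join(proc_root, str(pid)))
        if f is not None:
            findings.append(f)
    return findings


def build_fake_proc(root, processes):
    """Write a minimal /proc look-alike from {pid: (exe_target, comm, argv)}."""
    for pid, (exe_target, comm, argv) in processes.items():
        d = os.path.join(root, str(pid))
        os.makedirs(d)
        os.symlink(exe_target, os.path.join(d, "exe"))
        with open(os.path.join(d, "comm"), "w") as fh:
            fh.write(comm + "\n")
        with open(os.path.join(d, "cmdline"), "wb") as fh:
            fh.write(b"\0".join(a.encode() for a in argv) + b"\0")
    os.makedirs(os.path.join(root, "sys"))  # non-pid entries must be skipped


# Constructed sample (hypothetical path and name, not indicators from the
# report): pid 1 is a normal init; pid 4242 mimics a dropper that unlinked
# its own binary and renamed itself to look like sshd.
SAMPLE_PROCESSES = {
    1: ("/sbin/init", "init", ["/sbin/init"]),
    4242: ("/tmp/.x" + DELETED, "sshd", ["sshd"]),
}


def demo():
    root = tempfile.mkdtemp(prefix="fakeproc-")
    build_fake_proc(root, SAMPLE_PROCESSES)
    return scan_proc(root)


if __name__ == "__main__":
    for f in demo():
        print(f"pid {f.pid}: {'; '.join(f.reasons)} exe={f.exe!r} comm={f.comm!r} cmdline={f.cmdline!r}")
```

Running `scan_proc()` as root on a suspect device lists every process that matches; because the implant lives only in memory, the next step is to dump it from there (for example by reading /proc/<pid>/mem or /proc/<pid>/maps while it is still running) rather than hunting for a file that has already been deleted.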
Command and Control
4 techniques
The C2 servers in Tier 2 receive the callbacks from compromised devices in Tier 1 over port 443.
The ‘second stage’ servers often host their payloads on high, random ephemeral ports... and are used in multi-stage droppers.
This service enables an entire suite of activities, including scalable exploitation of bots, vulnerability and exploit management, remote management of C2 infrastructure, file uploads and downloads...
Initially, the root domain k3121.com was used as the sole C2 domain, but by mid-2021, the operators began using encoded random alphanumeric C2 subdomains...
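The shift from a single root domain to random alphanumeric subdomains is what a resolver-log hunt should be built around: match on the root on a label boundary (so a look-alike such as notk3121.com is not swept in) and rank hits by how random the leftmost label looks. The script below is an added example written for this page, not Black Lotus Labs' or Mallory's code. k3121.com is the root named above; the log format (timestamp, client, qname, qtype), the client addresses, every other hostname, and the entropy threshold are constructed assumptions for the example, not values from the report.

```python
"""Resolver-log hunt for queries under a watched C2 root domain.

Added example, not Black Lotus Labs' or Mallory's code. Flags any query
for a watched root or a subdomain of it and scores the leftmost label with
Shannon entropy so random-looking subdomains sort ahead of a bare root
lookup. Log format and threshold are assumptions for the example.
"""
import math
import re
from collections import Counter
from dataclasses import dataclass

WATCHED_ROOTS = {"k3121.com"}   # C2 root domain named in the write-up
RANDOM_MIN_LEN = 6              # assumed thresholds, tune to your data
RANDOM_MIN_ENTROPY = 2.5

# constructed format: <timestamp> <client-ip> <qname> <qtype>
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


@dataclass
class Hit:
    ts: str
    client: str
    qname: str
    root: str
    label: str
    entropy: float
    random_looking: bool


def shannon_entropy(s):
    """Bits per character: 0 for empty input, log2(len(s)) when all characters differ."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def matched_root(qname, roots):
    """Return the watched root that qname equals or sits under, else None.

    The suffix test includes the leading dot, so notk3121.com is not a match.
    """
    q = qname.lower().rstrip(".")
    for r in roots:
        if q == r or q.endswith("." + r):
            return r
    return None


def hunt(lines, roots=WATCHED_ROOTS):
    """Parse log lines, keep queries under a watched root, rank random-looking labels first."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, client, qname, _qtype = m.groups()
        root = matched_root(qname, roots)
        if root is None:
            continue
        q = qname.lower().rstrip(".")
        prefix = q[: -len(root)].rstrip(".")
        label = prefix.split(".")[0] if prefix else ""   # leftmost label
        ent = shannon_entropy(label)
        random_looking = label.isalnum() and len(label) >= RANDOM_MIN_LEN and ent >= RANDOM_MIN_ENTROPY
        hits.append(Hit(ts, client, q, root, label, ent, random_looking))
    hits.sort(key=lambda h: (not h.random_looking, -h.entropy))
    return hits


# Constructed sample log; only k3121.com is taken from the write-up.
SAMPLE_LOG = """\
2024-09-18T12:00:01Z 192.168.1.20 www.example.com A
2024-09-18T12:00:05Z 192.168.1.20 k3121.com A
2024-09-18T12:00:09Z 192.168.1.33 x7q2mz9k.k3121.com A
2024-09-18T12:00:12Z 192.168.1.33 notk3121.com A
2024-09-18T12:00:15Z 192.168.1.40 cdn.example.net AAAA
"""

if __name__ == "__main__":
    for h in hunt(SAMPLE_LOG.splitlines()):
        flag = "RANDOM-LABEL" if h.random_looking else "root-only"
        print(f"{h.ts} {h.client} {h.qname} label={h.label!r} H={h.entropy:.2f} {flag}")
```

The same suffix-on-a-label-boundary rule applies when loading the full domain list from the IOC section into a resolver block list or a SIEM lookup; a bare substring match produces both false positives and misses on hostnames with a different label structure.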
Impact
1 technique
Once deployed, Nosedive runs in-memory only and allows the operators to execute commands, upload and download files, and run DDoS attacks on compromised devices.
IOCs tracked for this family
20 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
3 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A Mirai variant used as the primary payload in the Raptor Train botnet. It lacks a persistence mechanism, so infected devices typically remain in the botnet for about 17 days.
A custom Mirai-based implant used in the Raptor Train botnet to infect SOHO and IoT devices. It runs in memory, supports multiple architectures, enables remote command execution, file upload/download, and DDoS functionality, and is deployed via droppers using a unique URL encoding and domain injection method.
Primary implant used by the Raptor Train botnet. It is a customized Mirai variant targeting IoT devices and operating entirely in-memory. It supports file uploads, downloads, command execution, and DDoS attacks, while using anti-forensics techniques such as obfuscated processes and multi-stage infections.