Raptor Train, a Chinese state-sponsored botnet, has emerged as a significant threat in the cybersecurity landscape. Since its inception in May 2020, it has compromised over 200,000 devices worldwide, including Small Office/Home Office (SOHO) routers, Network Video Recorder/Digital Video Recorder (NVR/DVR) devices, Network Attached Storage (NAS) servers, and IP cameras. By June 2023, at the height of its activity, Raptor Train had infiltrated more than 60,000 additional devices, bringing the total number of compromised devices to over 260,000. This vast network of infected IoT and office network devices has been used to target critical infrastructure on a global scale, making Raptor Train one of the largest China-linked IoT botnets ever discovered.
Lumen's Black Lotus Labs discovered Raptor Train in mid-2023 while monitoring malicious activity. Their in-depth investigation of the botnet's infrastructure revealed that Raptor Train operates using a multi-tiered architecture: Tier 1 consists of compromised consumer-grade devices, while Tier 2 and Tier 3 nodes are dedicated servers that handle payload distribution, exploit management, and botnet command execution. Observations indicate that the operators, likely based in China, manage Tier 2 nodes over Secure Shell (SSH) connections during Chinese working hours.
Despite the absence of any confirmed distributed denial-of-service (DDoS) attacks from Raptor Train to date, Black Lotus Labs warns that the botnet is potentially capable of scaling such attacks and exploiting vulnerabilities across a large number of devices. This capability suggests that Raptor Train could be a formidable tool for disruptive operations in the future. Therefore, ongoing vigilance and robust cybersecurity measures are crucial to mitigate this threat.
Description last updated: 2024-10-17T12:24:58.569Z