Researchers Uncover Raptor Train Botnet with 60,000+ Devices


Researchers at Lumen's Black Lotus Labs have uncovered a large Chinese state-sponsored IoT botnet, "Raptor Train," which has compromised more than 200,000 SOHO and IoT devices since 2020, with over 60,000 of them active at once at its peak. The botnet is operated by the threat actor tracked as Flax Typhoon and is managed through a control system the researchers call "Sparrow."

Raptor Train Botnet

The botnet poses a serious threat to sectors such as the military, government and IT: its size gives the operators both DDoS capacity and a ready platform for targeted exploitation of vulnerabilities in victim networks.

The Raptor Train botnet is a three-tier network. Tier 1 is the bot layer: compromised SOHO and IoT devices such as routers and cameras, infected with "Nosedive," a custom Mirai variant. Tier 2 holds the operators' servers: exploitation servers that compromise new devices, payload servers that deliver Nosedive, and C2 servers that coordinate the bots. Tier 3 holds the management nodes, running the Sparrow control system, from which operators drive the entire operation.

Nosedive runs only in memory, never writing itself to persistent storage, and uses anti-forensics techniques to evade detection. That makes infected devices hard to identify, and it also means an infection does not survive a reboot.

Tier 1 devices act as nodes that check in with the Tier 2 C2 servers at regular intervals. Because vulnerable devices are so plentiful, the operators can simply re-infect or replace any node that drops out, so the botnet keeps a steady supply of nodes even though individual infections are short-lived.
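An in-memory implant that has unlinked its own file (the behaviour Mirai itself exhibits, and Nosedive is a Mirai variant) still leaves one trace on a Linux device: the kernel keeps the process's executable mapping alive, and `/proc/<pid>/exe` then reads as the original path with a " (deleted)" suffix. The following scanner, an added example rather than the researchers' tooling, walks a procfs tree and reports such processes. It assumes a Linux `/proc` layout; `build_fake_proc` and `demo` are hypothetical helpers that construct a stand-in tree so the check can run offline.

```python
"""Find processes whose code exists only in memory: the executable was deleted
after launch or lives in an anonymous memfd. Added example, not the original
page's or the researchers' code. Assumes a Linux /proc where /proc/<pid>/exe is
a symlink to the binary, suffixed " (deleted)" once the file is unlinked."""
import os
import tempfile
from pathlib import Path


def memory_only_processes(proc_root="/proc"):
    """Return {pid: exe_target} for every process whose executable has been
    deleted from disk or is backed by a memfd. In both cases the code cannot be
    recovered from the filesystem, only from the live process (e.g. via
    /proc/<pid>/maps and /proc/<pid>/mem before it exits or the device reboots)."""
    suspects = {}
    for entry in Path(proc_root).iterdir():
        if not entry.name.isdigit():
            continue  # /proc/self, /proc/sys and other non-pid entries
        try:
            target = os.readlink(entry / "exe")
        except OSError:
            continue  # kernel thread (no exe) or a pid we lack permission to read
        if target.endswith(" (deleted)") or target.startswith("/memfd:"):
            suspects[int(entry.name)] = target
    return suspects


def build_fake_proc(root, exes):
    """Hypothetical test scaffolding: construct a minimal /proc look-alike with
    one directory per pid and an exe symlink to the given (possibly dangling)
    target, plus a non-pid entry that the scanner must skip."""
    for pid, target in exes.items():
        pid_dir = Path(root) / str(pid)
        pid_dir.mkdir()
        os.symlink(target, pid_dir / "exe")
    (Path(root) / "self").mkdir()
    return root


def demo():
    """Scan a constructed tree: one ordinary shell, one unlinked bot binary,
    one memfd-backed process. The paths are made up for the example."""
    with tempfile.TemporaryDirectory() as tmp:
        build_fake_proc(tmp, {
            456: "/bin/sh",
            123: "/tmp/.x/bot (deleted)",
            789: "/memfd:payload (deleted)",
        })
        return memory_only_processes(tmp)


if __name__ == "__main__":
    # On a real device run as root so every /proc/<pid>/exe is readable.
    for pid, target in sorted(memory_only_processes().items()):
        print(pid, target)
```

A "(deleted)" exe is not proof of compromise on its own: a package upgrade that replaces a running daemon's binary produces the same link. Triage hits by pairing them with the process start time, its parent, and any open sockets to the internet on port 443, and capture `/proc/<pid>/mem` before power-cycling the device, since the reboot that clears the infection also destroys the only copy of the implant.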

Tier 2 consists of virtual servers that control the Tier 1 devices and deliver payloads to them. It is split into first-stage servers, used for broad, opportunistic exploitation, and second-stage servers, used for targeted attacks with obfuscated exploits. Both communicate with Tier 1 over port 443 using randomly generated TLS certificates.

Tier 3 manages the Tier 2 servers over port 34125, with a distinct certificate per server. Sparrow nodes in Tier 3 support both manual management of Tier 2 over SSH and automated control over TLS. The number of Tier 2 servers has grown steadily over the botnet's four years of operation, reflecting its expanding activity.
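From a defender's vantage point the visible part of this architecture is the Tier 1 check-in: an IoT device on the local network repeatedly opening TLS sessions on port 443 to one external host whose randomly generated certificate does not chain to any public CA. The following hunt, an added example that is not the researchers' tooling, scores such pairs over TLS logs. It assumes a simplified, tab-separated record format modelled on Zeek's ssl.log (`ts`, source IP, destination IP, destination port, `validation_status`); the sample records are constructed, using documentation address ranges.

```python
"""Hunt for periodic TLS check-ins to servers with non-validating certificates.
Added example, not the original page's or the researchers' code. Assumes a
tab-separated record of ts, src, dst, dst_port, validation_status, a cut-down
form of Zeek's ssl.log; any status other than "ok" is treated as untrusted."""
import statistics
from collections import defaultdict

# Constructed sample records, not real telemetry.
SAMPLE_SSL_LOG = "\n".join([
    # 192.0.2.10 checks in every 600 s to an untrusted cert: beacon-like.
    "1726800000.0\t192.0.2.10\t198.51.100.7\t443\tself signed certificate",
    "1726800600.0\t192.0.2.10\t198.51.100.7\t443\tself signed certificate",
    "1726801200.0\t192.0.2.10\t198.51.100.7\t443\tself signed certificate",
    "1726801800.0\t192.0.2.10\t198.51.100.7\t443\tself signed certificate",
    # 192.0.2.20 talks to a vendor cloud with a valid cert: ignored.
    "1726800050.0\t192.0.2.20\t203.0.113.9\t443\tok",
    "1726800900.0\t192.0.2.20\t203.0.113.9\t443\tok",
    "1726802700.0\t192.0.2.20\t203.0.113.9\t443\tok",
    # 192.0.2.30 hits an untrusted cert once: too few sessions to judge.
    "1726800100.0\t192.0.2.30\t198.51.100.8\t443\tself signed certificate",
    # 192.0.2.40 hits an untrusted cert at irregular gaps: not periodic.
    "1726800000.0\t192.0.2.40\t198.51.100.9\t443\tself signed certificate",
    "1726800100.0\t192.0.2.40\t198.51.100.9\t443\tself signed certificate",
    "1726803100.0\t192.0.2.40\t198.51.100.9\t443\tself signed certificate",
    "1726803150.0\t192.0.2.40\t198.51.100.9\t443\tself signed certificate",
])


def parse_ssl_log(text):
    """Parse the simplified log into (ts, src, dst, port, status) tuples,
    skipping blank and comment lines."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, port, status = line.split("\t")
        records.append((float(ts), src, dst, int(port), status))
    return records


def find_checkins(records, min_sessions=3, max_cv=0.2):
    """Return {(src, dst): stats} for pairs whose sessions to port 443 with a
    non-validating certificate recur at near-constant intervals.

    max_cv bounds the coefficient of variation (stdev / mean) of the gaps
    between sessions: 0 is perfectly periodic, values well above 0.2 look like
    human or bursty use rather than a timer-driven beacon."""
    sessions = defaultdict(list)
    for ts, src, dst, port, status in records:
        if port == 443 and status != "ok":
            sessions[(src, dst)].append(ts)

    hits = {}
    for pair, times in sessions.items():
        if len(times) < min_sessions:
            continue
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        mean_gap = statistics.mean(gaps)
        if mean_gap <= 0:
            continue  # duplicate timestamps; nothing periodic to measure
        cv = statistics.pstdev(gaps) / mean_gap
        if cv <= max_cv:
            hits[pair] = {"sessions": len(times),
                          "interval_s": mean_gap,
                          "cv": round(cv, 3)}
    return hits


if __name__ == "__main__":
    for (src, dst), stats in find_checkins(parse_ssl_log(SAMPLE_SSL_LOG)).items():
        print(f"{src} -> {dst}:443 every {stats['interval_s']:.0f}s "
              f"({stats['sessions']} sessions, cv={stats['cv']})")
```

Only the first pair is reported: the device with a valid vendor certificate, the single session, and the irregular bursts all drop out. In production the certificate filter is what keeps the noise down, since most legitimate IoT cloud traffic validates; expect false positives from internal services with self-signed certificates, and widen the window beyond a few sessions before treating a hit as a bot. The Tier 3 side of the design (port 34125 into Tier 2) is only observable from the hosting providers that run those virtual servers, not from a victim network.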

Sparrow nodes, among them NCCT and Condor, expose a web interface through which operators manage the botnet, execute commands on bots, transfer files, collect data and launch DDoS attacks. The botnet has been active since May 2020 and has run four successive campaigns, Crossbill, Finch, Canary and Oriole, each targeting SOHO and IoT devices with the Mirai-based Nosedive malware.

Commands flow down the tiers: Tier 3 issues them to Tier 2, which relays them to the infected Tier 1 devices. Black Lotus Labs assesses that the botnet is run by Chinese state-sponsored actors targeting critical infrastructure in the US, Taiwan and other countries.


By FirstHackersNews | September 20th, 2024 | Categories: BOTNET, Compromised, Exploitation, Internet Security, Security Advisory, Security Update
