
Derailing the Raptor Train

Sept. 20, 2024, 12:18 p.m.

Description

Raptor Train is a large, multi-tiered botnet, likely operated by the Chinese state-sponsored threat actor Flax Typhoon. With more than 60,000 actively compromised SOHO and IoT devices at its peak, it is one of the largest Chinese state-sponsored IoT botnets discovered to date. The operators manage the infrastructure and task the bots through a control application called Sparrow. No DDoS attacks have been observed; instead, the botnet has been used against U.S. and Taiwanese organizations in the military, government, education and telecommunications sectors. The architecture has three tiers: Tier 1, the compromised SOHO and IoT devices themselves; Tier 2, the exploitation and command-and-control (C2) servers that manage them; and Tier 3, the management nodes from which operators control the lower tiers. The campaigns span roughly four years and show steadily increasing scale and sophistication in tactics.

Date

Published: Sept. 20, 2024, 11:41 a.m.

Created: Sept. 20, 2024, 11:41 a.m.

Modified: Sept. 20, 2024, 12:18 p.m.

Indicators

SHA-256 file hashes

c6fe1748e68923f278926ee8679aaee22800b9c93c38641d12ea0e945e116bb0

546390a3a296154e36051dda745b573658311f9831789bb1faca411a3803a9bb

2aa12e5989065951be84ce932b65bd197dd6be3fa987838bad48536c0c74d145

IPv4 addresses

92.38.185.47

92.38.185.46

92.38.185.44

92.38.185.43

92.38.176.156

92.38.176.131

92.38.135.146

92.223.30.241

92.223.30.233

92.223.30.232

91.216.190.80

91.216.190.74

91.216.190.247

91.216.190.2

91.216.190.154

89.44.198.254

89.44.198.195

89.44.198.200

85.90.216.69

85.90.216.115

85.90.216.116

85.90.216.112

78.141.238.97

5.45.184.68

85.90.216.111

5.181.27.6

5.181.27.219

5.188.33.135

5.181.27.19

45.80.215.47

5.181.27.21

45.80.215.156

45.80.215.155

45.80.215.186

45.80.215.154

45.80.215.152

45.80.215.151

45.80.215.150

45.77.231.209

45.135.117.136

45.135.117.131

45.13.199.96

45.13.199.84

45.13.199.140

45.13.199.207

45.10.58.132

45.10.58.130

45.10.58.128

45.10.58.129

37.9.35.89

37.61.229.17

37.61.229.15

23.236.68.229

23.236.68.193

23.236.68.213

223.98.159.112

210.61.186.117

207.148.68.131

207.148.122.69

202.182.109.151

195.234.62.198

195.234.62.192

195.234.62.197

195.234.62.19

195.234.62.188

195.234.62.184

195.234.62.18

185.14.45.160

155.138.151.225

155.138.133.56

149.248.51.22

14.1.98.223

139.180.137.219

114.255.70.30

114.255.70.20

104.244.89.157

92.38.185.45

92.38.178.232

85.90.216.110

65.20.97.251

5.188.33.228

45.80.215.149

45.13.199.45

45.13.199.152

45.13.199.104

45.10.58.133

23.236.69.82

23.236.69.110

23.236.68.161

185.207.154.253

45.92.70.71

45.92.70.68

45.92.70.115

45.92.70.113

45.92.70.112

45.92.70.111

Domains

zdacxzd.w8510.com

zdacasdc.w8510.com

zasdfgasd.w8510.com

xxqw.b2047.com

xbqw.k3121.com

xaqw.k3121.com

wmllxwkg.w8510.com

voias.b2047.com

tuisasdcxzd.w8510.com

qwsd.k3121.com

oklm.k3121.com

ocmnusdjdik.w8510.com

nulp.k3121.com

mjiudwajhkf.w8510.com

mail.k3121.com

lyblqwesfawe.w8510.com

lfdx.k3121.com

kuyw.b2047.com

kliscjaisdjhi.w8510.com

hyjk.k3121.com

hume.b2047.com

hnai.k3121.com

firc.b2047.com

bzbatflwb.w8510.com

ayln.b2047.com

axqw.k3121.com

awqx.k3121.com

awerdasvbjgrt.b2047.com

awbpxtpi.w8510.com

api.k3121.com

apdfhhjcxcb.w8510.com

aewreiuicajo.w8510.com

zuszr.com

ysubryfv.com

ykcmewapc.com

wvsezu.com

woaba.com

wndaoyk.com

vgbgwzmr.com

vbbrfvhrg.com

ujrtkw.com

tvcvhzyk.com

ttcyci.com

sreudcnb.com

sbuybjv.com

saoadlg.com

rnjca.com

qsxgzu.com

qjknpv.com

osiso.com

oploz.com

omviak.com

oicdsgjxz.com

obqlibg.com

nmfagp.com

nhcmdikkd.com

mvxnspcqr.com

mudvw.com

lznmihdej.com

lomuzs.com

lofeuq.com

lfzupr.com

kmgzbowwg.com

jkwxcc.com

jgnsqihc.com

iycwqot.com

hyddh.com

hy830.com

hy92.com

hy811.com

hy529.com

hy619.com

hy424.com

hy42.com

hy324.com

hy30.com

hy229.com

hy1025.com

hfsdln.com

hersrr.com

grntjr.com

gmhrxhc.com

glxxet.com

ftcexq.com

fajxtg.com

eufcj.com

ecvkiehs.com

dvujvkfu.com

dkuwbcen.com

cvmnomvxm.com

cvgeuwo.com

clqqknzb.com

bxgtbv.com

blepmhnay.com

bkhqwfhtu.com

bcdkwwuah.com

aqakffj.com

amdord.com

adjsn.com
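
To put the indicator list above to use, here is an added example (not code from this page) that classifies a flat list of indicators into hashes, IPv4 addresses and domains, then sweeps them over log lines. The embedded indicator subset is copied from the list above; the log lines are constructed for illustration and do not come from real traffic. In practice, feed the full list to parse_iocs() and your own DNS, connection and file-creation logs to scan_log().

```python
"""Match Raptor Train indicators against DNS, connection and file logs.

Added example, not part of the original page. The indicator subset is copied
from the list above; the log lines are constructed for illustration.
"""
import ipaddress
import re

# Subset copied from the indicator list on this page (one indicator per line).
IOC_TEXT = """
c6fe1748e68923f278926ee8679aaee22800b9c93c38641d12ea0e945e116bb0
92.38.185.47
45.80.215.150
zdacxzd.w8510.com
mail.k3121.com
hy830.com
zuszr.com
"""

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$"
)


def parse_iocs(text):
    """Split a flat indicator list into typed sets keyed 'sha256', 'ipv4', 'domain'."""
    iocs = {"sha256": set(), "ipv4": set(), "domain": set()}
    for raw in text.splitlines():
        tok = raw.strip().lower().rstrip(".")
        if not tok or tok.startswith("#"):
            continue
        if SHA256_RE.match(tok):
            iocs["sha256"].add(tok)
        elif DOMAIN_RE.match(tok):
            iocs["domain"].add(tok)
        else:
            try:
                # ipaddress normalises the address and rejects malformed entries.
                iocs["ipv4"].add(str(ipaddress.IPv4Address(tok)))
            except ValueError:
                pass  # unrecognised entry; log it in production rather than drop it
    return iocs


def domain_matches(name, domain_set):
    """Return the listed domain that `name` equals or is a subdomain of, else None.

    A listed subdomain (zdacxzd.w8510.com) does NOT cover its apex or siblings;
    add the apex explicitly if you decide to block the whole zone.
    """
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):  # never match on a bare TLD
        candidate = ".".join(labels[i:])
        if candidate in domain_set:
            return candidate
    return None


# Loose token extractors: the IOC sets do the real filtering, so a few
# over-matched tokens (e.g. 999.999.999.999 or file.tar.gz) cost nothing.
SHA256_TOKEN_RE = re.compile(r"\b[0-9a-f]{64}\b", re.IGNORECASE)
IPV4_TOKEN_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_TOKEN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,63}\b", re.IGNORECASE)


def scan_log(lines, iocs):
    """Return (line_no, ioc_type, indicator) for every indicator seen in `lines`."""
    hits = []
    for n, line in enumerate(lines, 1):
        for h in SHA256_TOKEN_RE.findall(line):
            if h.lower() in iocs["sha256"]:
                hits.append((n, "sha256", h.lower()))
        for ip in IPV4_TOKEN_RE.findall(line):
            if ip in iocs["ipv4"]:
                hits.append((n, "ipv4", ip))
        for host in HOST_TOKEN_RE.findall(line):
            matched = domain_matches(host, iocs["domain"])
            if matched:
                hits.append((n, "domain", matched))
    return hits


# Constructed sample in a syslog-like shape; hostnames and internal IPs are made up.
SAMPLE_LOG = [
    "2024-09-18T03:11:02Z dns query src=10.0.0.12 qname=mail.k3121.com qtype=A",
    "2024-09-18T03:11:03Z conn src=10.0.0.12:51234 dst=92.38.185.47:443 proto=tcp",
    "2024-09-18T03:12:40Z dns query src=10.0.0.31 qname=cdn.example.net qtype=A",
    "2024-09-18T03:13:05Z dns query src=10.0.0.9 qname=update.zuszr.com qtype=A",
    "2024-09-18T03:15:00Z fs new_file path=/tmp/.x "
    "sha256=c6fe1748e68923f278926ee8679aaee22800b9c93c38641d12ea0e945e116bb0",
    "2024-09-18T03:16:11Z conn src=10.0.0.9:40001 dst=198.51.100.7:80 proto=tcp",
]

if __name__ == "__main__":
    for line_no, kind, ioc in scan_log(SAMPLE_LOG, parse_iocs(IOC_TEXT)):
        print(f"line {line_no}: {kind} match on {ioc}")
```

Domain matching is suffix-based, so a query for any host under a listed apex (zuszr.com and the other bare second-level domains above) fires, while the listed subdomains of w8510.com, k3121.com and b2047.com match only themselves. Treat the IP hits as time-bounded: addresses on shared hosting are reassigned, so a match on a connection log long after the publication date above needs corroboration before it is called an incident.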

Attack Patterns

Nosedive (Tier 1 implant; a custom Mirai variant)

Flax Typhoon (threat actor)

T1588 Obtain Capabilities

T1587 Develop Capabilities

T1572 Protocol Tunneling

T1571 Non-Standard Port

T1095 Non-Application Layer Protocol

T1573 Encrypted Channel

T1105 Ingress Tool Transfer

T1104 Multi-Stage Channels

T1071 Application Layer Protocol

T1498 Network Denial of Service

T1499 Endpoint Denial of Service

T1132 Data Encoding

T1584 Compromise Infrastructure

T1190 Exploit Public-Facing Application

T1133 External Remote Services

T1090 Proxy

CVE-2024-21887 (Ivanti Connect Secure and Policy Secure command injection)

Additional Information

Technology

Defense

Education

Telecommunications

Government

Taiwan

Kazakhstan

United States of America