Derailing the Raptor Train

Sept. 20, 2024, 12:18 p.m.

Description

A large, multi-tiered botnet called Raptor Train, likely operated by the Chinese threat actor Flax Typhoon, has been discovered. Consisting of over 60,000 compromised SOHO and IoT devices at its peak, it is one of the largest Chinese state-sponsored IoT botnets to date. The botnet uses a sophisticated control system called Sparrow to manage its infrastructure and execute various tasks. While no DDoS attacks have been observed, the botnet has targeted U.S. and Taiwanese entities in sectors such as military, government, education, and telecommunications. The network architecture consists of three tiers: compromised devices, exploitation and C2 servers, and management nodes. Campaigns have evolved over four years, showing increasing sophistication in both tactics and scale.

Date

  • Created: Sept. 20, 2024, 11:41 a.m.
  • Published: Sept. 20, 2024, 11:41 a.m.
  • Modified: Sept. 20, 2024, 12:18 p.m.

Indicators


Attack Patterns

Additional Information

  • Technology
  • Defense
  • Education
  • Telecommunications
  • Government
  • Taiwan
  • Kazakhstan
  • United States of America

Linked vulnerabilities