Dissecting RapperBot Botnet: From Infection to DDoS & More

Sept. 3, 2025, 7:01 a.m.

Description

This report details the analysis of RapperBot, a sophisticated botnet targeting IoT devices, particularly Network Video Recorders (NVRs). The malware exploits vulnerabilities in these devices to create a large-scale DDoS infrastructure. The analysis covers the botnet's infection process, command and control mechanisms, and its evolution over time. Key features include the use of NFS for malware distribution, encrypted DNS TXT records for C2 communication, and a wide range of supported device architectures. The report also discusses recent law enforcement actions against the botnet and provides recommendations for protection against such threats.

Date

  • Created: Sept. 3, 2025, 5:57 a.m.
  • Published: Sept. 3, 2025, 5:57 a.m.
  • Modified: Sept. 3, 2025, 7:01 a.m.

Indicators


Attack Patterns