A recent presentation at Botconf 2025 in Angers shed light on the ongoing threat posed by RapperBot, a sophisticated botnet that has been actively exploiting vulnerabilities in Digital Video Recorders (DVRs) to commandeer surveillance cameras for malicious activities, including video capture and distributed denial-of-service (DDoS) attacks.
As a Mirai variant, RapperBot demonstrates advanced capabilities and persistent evolution, posing a significant risk to global IoT infrastructure.
DVRs, devices commonly used to manage and record surveillance camera footage, have become an attractive target for threat actors due to their ubiquitous internet connectivity and often weak security posture.
Many older DVR models suffer from open Telnet/HTTP ports and default, easily guessable credentials. Even when security updates are issued, they are rarely adopted by end-users, leaving millions of devices exposed.
The complexity is further exacerbated by the OEM (Original Equipment Manufacturer) ecosystem, where a single vulnerability in the firmware can propagate across dozens of brands and models.
This fragmentation makes comprehensive patching and response efforts challenging on a global scale.
Tactical Exploitation: From Brute Force to Zero-Days
RapperBot employs a multi-pronged attack strategy, initially leveraging brute force login attempts using default credentials, a tactic already prominent in the Mirai codebase, where up to 40% of passwords are known DVR defaults.

The botnet is also capable of exploiting known vulnerabilities (CVEs) and deploying zero-day exploits, often verifying device specifics before launching an exploit to evade detection and honeypot analysis.
A recent investigation, triggered by a domestic retailer’s report, led to the discovery of four vulnerabilities, two of which were zero-days, in DVRs manufactured by Korea’s ITX Security.
Remediation required coordinated efforts due to the involvement of over 28 OEMs, further highlighting the challenge of securing the DVR ecosystem.
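The brute-force stage described above leaves a recognisable trace on the device side: bursts of failed Telnet logins from one source, cycling through common account names, often followed by a success. The following detection logic is an added example written for this article, not code from the Botconf presentation or from NICT; the log line format and the sample lines are constructed for illustration, and the 60-second window and five-failure threshold are assumed tuning values.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample Telnet daemon log lines (not real device logs).
# Assumed format: "<ISO-8601 timestamp> <host> telnetd: login <failed|succeeded> for user '<name>' from <ip>"
SAMPLE_AUTH_LOG = """\
2025-02-01T03:00:01Z dvr01 telnetd: login failed for user 'admin' from 198.51.100.7
2025-02-01T03:00:02Z dvr01 telnetd: login failed for user 'root' from 198.51.100.7
2025-02-01T03:00:03Z dvr01 telnetd: login failed for user 'admin' from 198.51.100.7
2025-02-01T03:00:04Z dvr01 telnetd: login failed for user 'user' from 198.51.100.7
2025-02-01T03:00:05Z dvr01 telnetd: login failed for user 'admin' from 198.51.100.7
2025-02-01T03:00:06Z dvr01 telnetd: login succeeded for user 'admin' from 198.51.100.7
2025-02-01T03:05:00Z dvr01 telnetd: login failed for user 'operator' from 203.0.113.9
2025-02-01T03:20:00Z dvr01 telnetd: login succeeded for user 'operator' from 203.0.113.9
"""

LINE_RE = re.compile(
    r"^(\S+) \S+ telnetd: login (failed|succeeded) for user '([^']*)' from (\S+)$"
)


def parse_auth_log(text):
    """Turn raw log text into a list of login events; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, result, user, source = m.groups()
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "result": result,
            "user": user,
            "source": source,
        })
    return events


def detect_bruteforce(events, window=timedelta(seconds=60), threshold=5):
    """Flag sources with >= threshold failed logins inside a sliding time window.

    Returns one alert per offending source, noting the usernames tried and
    whether a successful login followed the burst within the same window
    (the case a defender should treat as a likely compromise).
    """
    by_source = defaultdict(list)
    for ev in events:
        by_source[ev["source"]].append(ev)

    alerts = []
    for source, evs in by_source.items():
        evs.sort(key=lambda e: e["time"])
        failures = [e for e in evs if e["result"] == "failed"]
        start = 0
        for end in range(len(failures)):
            # Advance the window start until the burst fits inside `window`.
            while failures[end]["time"] - failures[start]["time"] > window:
                start += 1
            if end - start + 1 >= threshold:
                burst = failures[start:end + 1]
                burst_end = burst[-1]["time"]
                success_after = any(
                    e["result"] == "succeeded"
                    and burst_end <= e["time"] <= burst_end + window
                    for e in evs
                )
                alerts.append({
                    "source": source,
                    "first_seen": burst[0]["time"].isoformat(),
                    "failures": len(burst),
                    "usernames": sorted({e["user"] for e in burst}),
                    "success_after": success_after,
                })
                break  # one alert per source is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(parse_auth_log(SAMPLE_AUTH_LOG)):
        print(alert)
```

On the sample data only 198.51.100.7 is flagged: five failures in five seconds across three account names, then a success. The single failure from 203.0.113.9 stays below the threshold. On a real DVR the same logic applies to whatever the device's syslog or web-UI audit log exposes, provided it records source address and outcome per attempt.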
The NICT CSRI analysis team has meticulously tracked RapperBot’s progression since 2022, noting the use of four malware types, differentiated by their scanning and infection capabilities.
The most prevalent is the “Recon” variant, which, after gaining access, collects device metadata and relays it to a loader server. This enables targeted exploitation based on inferred device types and vulnerabilities.
Recent infection trend analysis (Oct–Dec 2024) shows the Recon type leading, followed by Telnet and, to a lesser extent, SSH variants.
Notably, RapperBot’s infection chain is explicitly designed to obscure details of its zero-day exploitation techniques, complicating forensic efforts and vulnerability mapping.
DDoS as a Service: A Global Disruption Vector
RapperBot’s malicious reach extends beyond mere device compromise. The botnet has been documented launching DDoS attacks against a wide variety of targets, including gaming servers, CDNs, and notably, social platforms such as X (formerly Twitter).

DDoS attack on X
A coordinated attack on March 10, 2025, caused measurable disruptions, with attack commands precisely aligned with observed service outages.
In addition to conventional attack methods, the newest RapperBot builds have incorporated HTTPS-based DDoS attacks.
This innovation makes traffic analysis and mitigation significantly harder, as the attack traffic can closely mimic legitimate user behavior.
The malware’s TLS implementation leverages randomized fingerprinting, further obfuscating its presence from automated detection systems.
The security landscape is further complicated by RapperBot’s ability to rapidly update its command and control (C2) infrastructure.
The latest versions have moved away from fixed domain lists, instead leveraging randomized fully qualified domain names (FQDNs) and encrypting C2 server information within DNS TXT records.
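Moving C2 discovery into DNS TXT lookups of randomized FQDNs shifts the detection opportunity to the resolver: an infected device will issue TXT queries for names that no normal DVR would ever ask for. The script below is an added example for this article, not code from the presenters or from NICT; it does not describe RapperBot's actual name-generation scheme, and the entropy heuristic, length threshold, log format and sample lines are all constructed assumptions for illustration.

```python
import math
import re
from collections import Counter

# Constructed sample resolver log lines (not real telemetry).
# Assumed format: "<timestamp> <client_ip> <query_type> <query_name>"
SAMPLE_DNS_LOG = """\
2025-03-10T12:00:01Z 192.0.2.15 A www.example.com
2025-03-10T12:00:02Z 192.0.2.15 TXT _dmarc.example.com
2025-03-10T12:00:03Z 192.0.2.44 TXT k3j9x7q2m8vz1p4r.example.net
2025-03-10T12:00:09Z 192.0.2.44 TXT q8w2e7r1t5y3u6i0.example.net
2025-03-10T12:00:15Z 192.0.2.44 TXT z4x8c2v6b1n9m3l7.example.net
2025-03-10T12:00:20Z 192.0.2.15 A cdn.example.org
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def shannon_entropy(s):
    """Bits of entropy per character; ~4.0 for 16 distinct characters, 0.0 for 'aaaa'."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def parse_dns_log(text):
    """Parse resolver log text into query records; non-matching lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, client, qtype, qname = m.groups()
        records.append({
            "time": ts,
            "client": client,
            "qtype": qtype.upper(),
            "qname": qname.lower().rstrip("."),
        })
    return records


def is_random_looking(label, min_len=12, min_entropy=3.0):
    """Heuristic: long, high-entropy leftmost labels look machine-generated."""
    return len(label) >= min_len and shannon_entropy(label) >= min_entropy


def find_suspicious_txt_queries(records, min_len=12, min_entropy=3.0):
    """Return TXT queries whose leftmost label looks random (possible C2 lookup)."""
    hits = []
    for r in records:
        if r["qtype"] != "TXT":
            continue
        leftmost = r["qname"].split(".")[0]
        if is_random_looking(leftmost, min_len, min_entropy):
            hits.append({**r, "entropy": round(shannon_entropy(leftmost), 2)})
    return hits


def clients_to_investigate(records, threshold=3):
    """Map client IP -> count of suspicious TXT queries, for clients at or above threshold."""
    per_client = Counter(h["client"] for h in find_suspicious_txt_queries(records))
    return {c: n for c, n in per_client.items() if n >= threshold}


if __name__ == "__main__":
    recs = parse_dns_log(SAMPLE_DNS_LOG)
    for hit in find_suspicious_txt_queries(recs):
        print(hit)
    print(clients_to_investigate(recs))
```

On the sample data the three TXT queries from 192.0.2.44 are flagged and the `_dmarc` lookup is not (its label is short). Legitimate TXT traffic does exist on a network, notably DKIM selectors and SPF or verification records, so in production the heuristic needs an allowlist of known zones and should be weighted by the fact that a DVR or camera has no business issuing TXT queries at all.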
The NICT CSRI analysis underscores the global, multi-brand exposure arising from vulnerabilities in core DVR firmware.
Ultimately, the study highlights the urgent need for cross-industry collaboration, continuous vulnerability research, and proactive end-user education to mitigate the evolving threats posed by botnets like RapperBot.
Indicators of Compromise (IoC)
| Version | Type | SHA256 Hash |
|---|---|---|
| Feb 2025 Version | No Scan | 7e536cc15ebac6dbbf8e597dc41a20fac460c892cb5488849ed221a6b352f6a6 |
| Feb 2025 Version | Telnet | ae3d740fc5a9fac12d1ef7c9204a0e25574d095a803baa988e093b8f577fb3bc |
| Feb 2025 Version | SSH | cc022c57fe74fbb9cc58ea57a4e1debe70fbc5f589b4f2f1987f36989eb4cc85 |
| Feb 2025 Version | Recon | d822048a8eb925046edc4e5e72c41d82c56093dd87bb22f49685326d85986769 |
| Apr 2025 Version | No Scan | 200e571bc0a6d2562563022dfcc60ac5ac8c2e40eb73a053be8555349a674a69 |