
RapperBot Botnet Hits 50,000+ Attacks Targeting Network Edge Devices


The RapperBot botnet has orchestrated an aggressive campaign, executing more than 50,000 attacks against network edge devices globally, as first detailed by researchers at QiAnXin XLab.

The botnet, which first came to prominence in 2022, continues its evolution in both scale and sophistication, posing a significant risk to enterprise and residential network security.

Evolving Tactics

RapperBot is believed to be a variant stemming from the infamous Mirai botnet lineage, known for leveraging weak credentials and exploiting vulnerabilities in IoT devices.

Since its emergence, the botnet has adapted with new infection techniques and payloads. Initially, RapperBot focused primarily on brute-forcing Telnet credentials on internet-connected devices.

However, recent campaigns have seen it diversify its attack surface to include SSH brute-force attacks and the exploitation of various vulnerabilities in routers, DVRs, and other edge devices.

QiAnXin XLab reports a marked spike in attack traffic beginning in late 2024, with more than 50,000 unique attack attempts logged.

Figure: message in the sample

The botnet targets a variety of architectures, including MIPS, ARM, x86, and PowerPC, enhancing its reach across a wide range of hardware.

Infected devices become part of a coordinated botnet army, primarily used for further propagation, launching distributed denial-of-service (DDoS) attacks, and maintaining persistent access on compromised networks.

Command Infrastructure

Investigations have revealed that RapperBot’s infrastructure relies on both hardcoded command-and-control (C2) addresses and dynamically updated lists.

Compromised devices communicate with these servers, receiving instructions to download new malware variants or participate in coordinated attacks.

Payloads are frequently updated, with authors introducing obfuscation such as encrypting configuration files and employing custom communication protocols to evade detection by traditional security tools.

Security teams have noted that the operators behind RapperBot also implement time-based and region-specific targeting to maximize the effectiveness of their campaigns.

This strategic approach increases the likelihood of breaching vulnerable targets during off-hours and in regions with typically less network oversight.

Given the rapid adaptation and expansion of RapperBot, security professionals are urged to prioritize the defense of network edge devices, particularly those exposed to the public internet.

Key recommendations include using strong, unique passwords for all IoT devices, disabling unnecessary remote access protocols, and keeping firmware up to date with the latest security patches.

Enhanced network monitoring and the use of intrusion detection/prevention systems can also help identify and mitigate malicious activity associated with RapperBot infections.

Organizations are further advised to review Indicators of Compromise (IOCs) tied to RapperBot, to actively scan for suspicious activity, and to promptly isolate affected systems to prevent lateral movement within the network.

Security teams should remain vigilant and update blocklists and detection signatures accordingly to mitigate the risk posed by the RapperBot botnet.

Indicators of Compromise (IOCs)

| Type | IOC Value | Description |
| --- | --- | --- |
| IP Address | 193.38.52.227, 103.150.225.234 | Command-and-control servers |
| File Hash (SHA1) | 7e1f21ef5f0a01d25d0ec7d0df66f6141c12f99c | RapperBot malware sample |
| Domain | botae.kqv8[.]com, botnet.control[.]org | C2 domains |
| File Path | /tmp/bins/rapper, /home/bot/rapper | Malware installation path |
| Port | 48101, 48102 | C2 communication ports |
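As an added example (not code from the XLab report or from this article), the following defender-side sweep applies the IOC values in the table above to a handful of constructed log lines. The log format, its field names, and every address other than the listed IOCs are assumptions made for the example.

```python
import hashlib
import re
from typing import Iterator

# IOC values taken from the table above; nothing here is invented.
C2_IPS = {"193.38.52.227", "103.150.225.234"}
C2_PORTS = {48101, 48102}
C2_DOMAINS = {"botae.kqv8.com", "botnet.control.org"}  # defanged "[.]" restored
MALWARE_PATHS = {"/tmp/bins/rapper", "/home/bot/rapper"}
SAMPLE_SHA1 = "7e1f21ef5f0a01d25d0ec7d0df66f6141c12f99c"

# Constructed sample log lines in a hypothetical "src -> dst:port" connection
# format, plus exec and dns events; this is not real telemetry.
SAMPLE_LOG = """\
2025-03-01T02:14:07Z conn 10.0.0.5:51234 -> 193.38.52.227:48101 proto=tcp
2025-03-01T02:14:09Z conn 10.0.0.5:51235 -> 93.184.216.34:443 proto=tcp
2025-03-01T02:15:00Z exec pid=4321 path=/tmp/bins/rapper argv="rapper"
2025-03-01T02:16:12Z dns 10.0.0.7 query=botae.kqv8.com
2025-03-01T02:17:40Z conn 10.0.0.9:40001 -> 103.150.225.234:22 proto=tcp
"""

CONN_RE = re.compile(r"conn \S+ -> (?P<ip>[\d.]+):(?P<port>\d+)")
EXEC_RE = re.compile(r"exec .*?path=(?P<path>\S+)")
DNS_RE = re.compile(r"dns \S+ query=(?P<name>\S+)")


def match_iocs(log_text: str) -> Iterator[tuple[str, str]]:
    """Yield (indicator_type, line) for every line that hits a RapperBot IOC."""
    for line in log_text.splitlines():
        m = CONN_RE.search(line)
        if m:
            ip, port = m["ip"], int(m["port"])
            if ip in C2_IPS and port in C2_PORTS:
                yield ("c2-ip+port", line)
            elif ip in C2_IPS:
                yield ("c2-ip", line)  # known C2 host on another port: still review
            continue
        m = EXEC_RE.search(line)
        if m and m["path"] in MALWARE_PATHS:
            yield ("malware-path", line)
        m = DNS_RE.search(line)
        if m and m["name"].lower() in C2_DOMAINS:
            yield ("c2-domain", line)


def is_known_sample(data: bytes) -> bool:
    """Compare a file's SHA-1 against the published sample hash."""
    return hashlib.sha1(data).hexdigest() == SAMPLE_SHA1


if __name__ == "__main__":
    for kind, hit in match_iocs(SAMPLE_LOG):
        print(f"[{kind}] {hit}")
```

Hits on the bare C2 address or on the install path alone are worth triage even without a port match, since the report notes the operators rotate payloads and C2 lists.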
