RapperBot Botnet Attack Peaks 50,000+ Attacks Targeting Network Edge Devices
The RapperBot botnet has reached unprecedented scale, with security researchers observing over 50,000 active bot infections targeting network edge devices across the globe.
This sophisticated malware campaign represents one of the most persistent and evolving cyber threats currently plaguing internet-connected infrastructure, demonstrating remarkable adaptability and technical sophistication since its initial emergence.
First disclosed by CNCERT in July 2022, RapperBot’s activities can be traced back to 2021 according to previous security research.
The botnet has maintained consistent evolution through multiple variants, with seven distinct iterations captured by researchers over the past year alone.
What sets RapperBot apart from typical botnets is its provocative nature, with malware authors embedding taunting messages and references to rap music, including links to songs and challenges directed at security researchers.
Qi’anxin X Lab analysts identified that RapperBot has recently escalated beyond traditional distributed denial-of-service attacks to include extortion tactics, demanding $5,000 in Monero cryptocurrency from victims to avoid continued attacks.
The botnet has demonstrated its capability by targeting high-profile platforms including the artificial intelligence service DeepSeek during February 2025 and social media platform Twitter in mid-March.
Geographic analysis reveals that China faces the highest concentration of attacks, though the botnet’s reach extends globally across various industry sectors including public administration, manufacturing, and financial services.
The infection scale became apparent when researchers proactively registered unused command-and-control domain names, revealing peak bot populations exceeding 50,000 unique IP addresses.
Primary targets include IoT devices with public network access, particularly network cameras, home routers, and enterprise networking equipment that typically possess weak default credentials or unpatched firmware vulnerabilities.
Infection Mechanisms and Vulnerability Exploitation
RapperBot employs a multi-vector approach for initial device compromise, primarily leveraging weak Telnet credentials combined with exploitation of known security vulnerabilities.
The botnet systematically targets devices through automated scanning for default or easily guessable authentication credentials, a technique that proves remarkably effective against poorly secured IoT infrastructure.
The malware’s vulnerability exploitation arsenal encompasses a diverse range of device types and manufacturers. Critical vulnerabilities include CNVD-2021-79445 affecting Ruijie NBR700 devices, CVE-2021-46229 targeting D-Link Di-7200G routers, and CVE-2023-4473 exploiting Zyxel NAS326 systems.
Additional attack vectors target KGUARD DVR systems through TCP_MSGHEAD_CMD vulnerabilities, Reolink devices via BaiChuan remote code execution flaws, and various CCTV-DVR systems from multiple vendors.
The botnet’s command-and-control infrastructure utilizes an innovative DNS-TXT record system for C2 communication, employing custom encryption algorithms that have evolved across multiple campaign iterations. The decoder fragment below illustrates the first step of the scheme: the first two characters of a TXT payload are looked up in a 56-character alphabet and combined into a seed value.

def decodeTXT(data: str):
    # 56-character alphabet used to interpret the TXT record payload
    key = "ipWPeY43MhfFBt8ZCSN2KTdD6nEkmGjwx7vJR5rogzbcqHsXUQuyVA9L"
    a = key.find(data[0])
    b = key.find(data[1])
    seed = 56 * a + b
    return seed  # the remainder of the decoder is not reproduced here
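As an added example (not code from the article or from the X Lab researchers), the seed-header step above made strict about its input, plus a triage filter a defender could run over resolver logs to surface TXT answers that consist only of that alphabet; the log format, domain names and client addresses are constructed assumptions.

```python
import re

# Alphabet copied from the decodeTXT snippet on the page (56 symbols). Counting
# it shows it omits 0, 1, I, O, a and l, the visually confusable characters.
KEY = "ipWPeY43MhfFBt8ZCSN2KTdD6nEkmGjwx7vJR5rogzbcqHsXUQuyVA9L"
BASE = len(KEY)  # 56

def txt_seed(data: str) -> int:
    """First step of the page's decoder: the first two payload characters are
    base-56 digits forming a seed. Raises ValueError on bad input."""
    if len(data) < 2:
        raise ValueError("payload shorter than the two-character seed header")
    a, b = KEY.find(data[0]), KEY.find(data[1])
    if a < 0 or b < 0:
        raise ValueError("seed header uses a character outside the alphabet")
    return BASE * a + b

def looks_like_rapperbot_txt(payload: str, min_len: int = 8) -> bool:
    """Triage heuristic, not proof: a TXT answer made only of alphabet symbols
    (so no spaces and no SPF/DKIM/DMARC syntax) and reasonably long."""
    return len(payload) >= min_len and all(ch in KEY for ch in payload)

# Hypothetical resolver log format: <timestamp> <client> TXT <qname> "<answer>"
LOG_RE = re.compile(r'^(\S+) (\S+) TXT (\S+) "([^"]*)"$')

def scan_dns_log(lines):
    """Return (client, qname, seed) for every TXT answer that passes the filter."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        _ts, client, qname, answer = m.groups()
        if looks_like_rapperbot_txt(answer):
            hits.append((client, qname, txt_seed(answer)))
    return hits

# Constructed sample log lines; the domains are placeholders, not real C2 names.
SAMPLE_LOG = [
    '2025-03-15T10:00:01Z 10.0.0.5 TXT example.com "v=spf1 include:_spf.example.net -all"',
    '2025-03-15T10:00:02Z 10.0.0.7 TXT c2-placeholder.invalid "L9WPeY43MhfFBt8ZCSN2"',
    '2025-03-15T10:00:03Z 10.0.0.9 TXT c2-placeholder.invalid "ipOl"',
]

if __name__ == "__main__":
    for client, qname, seed in scan_dns_log(SAMPLE_LOG):
        print(f"{client} queried {qname}: candidate payload, seed={seed}")
```

The SPF answer and the short payload containing characters outside the alphabet are dropped; only the long alphabet-only answer is reported, with the seed computed exactly as the page's routine does.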