In early April 2025, cybersecurity researchers detected a significant surge in UDP flood traffic originating from compromised network video recorders (NVRs) and other edge devices. These devices, once infected, were swiftly weaponized to launch massive distributed denial-of-service (DDoS) attacks, causing widespread service disruptions and substantial bandwidth consumption. This alarming activity was attributed to a novel botnet named RapperBot, distinguished by its rapid infection process and innovative exploitation of legacy hardware to evade detection.
Emergence and Evolution of RapperBot
RapperBot first came to light in mid-2022, with its activities traced back to 2021. Initially, the botnet targeted Linux SSH servers through brute-force attacks, aiming to establish a foothold by exploiting weak or default credentials. Unlike typical Mirai variants, RapperBot exhibited unique features, including a distinct command-and-control (C2) protocol and specific post-compromise activities. Over time, the botnet evolved, incorporating advanced evasion techniques and expanding its target range to include various Internet of Things (IoT) devices.
Infection Mechanism and Rapid Deployment
RapperBot’s infection vector primarily exploits vulnerabilities in the administrative ports of NVRs and similar devices. Attackers scan the internet for exposed web interfaces, utilizing brute-force methods or exploiting default credentials to gain access. Once a device is compromised, the malware is delivered under the guise of a firmware update. Upon execution, RapperBot immediately initiates two concurrent actions: querying encrypted DNS TXT records to obtain C2 IP addresses and launching continuous UDP floods on port 80. This rapid deployment allows the botnet to commence DDoS attacks within milliseconds of infection.
Command-and-Control Communication
RapperBot employs a sophisticated C2 discovery mechanism that relies on encrypted TXT records hosted on OpenNIC domains. The malware constructs hostnames by selecting randomly from hardcoded subdomain, domain, and top-level domain lists, resolving these names against custom DNS servers. The TXT response contains a list of encrypted IP addresses, which the bot decrypts using a custom algorithm. This method enhances the botnet’s resilience and complicates efforts to disrupt its operations.
Targeted Devices and Exploited Vulnerabilities
The botnet primarily targets IoT devices with public network access, including network cameras, home routers, and enterprise networking equipment. These devices often possess weak default credentials or unpatched firmware vulnerabilities, making them susceptible to compromise. Notably, RapperBot has exploited specific vulnerabilities such as CVE-2021-46229 in D-Link routers and CVE-2023-4473 in Zyxel NAS systems. By leveraging these weaknesses, the botnet has expanded its reach, compromising devices from various manufacturers using identical exploitation techniques.
Scale and Impact of Attacks
RapperBot has achieved an unprecedented scale, with security researchers observing over 50,000 active bot infections targeting network edge devices globally. The botnet’s capacity has peaked at over 7 terabits per second during coordinated campaigns against major targets, including cloud-based search providers and social media platforms. This immense throughput underscores the botnet’s potential to cause significant disruptions and highlights the critical need for robust cybersecurity measures.
Advanced Evasion Tactics
To evade detection, RapperBot employs advanced techniques, particularly in its C2 communications. Recent versions utilize encrypted TXT records for C2 server resolution and implement randomized TLS signature algorithms to blend with legitimate HTTPS traffic. The malware generates varying JA4 fingerprints for each connection attempt, making network-based detection significantly more challenging for security systems monitoring encrypted communications patterns.
Notable Incidents and Targets
RapperBot has been implicated in several high-profile cyberattacks. In February 2025, the botnet targeted the artificial intelligence service DeepSeek, disrupting operations and delaying new user registrations. The attack involved sophisticated variants of the Mirai botnet, including RapperBot, highlighting the growing sophistication of cyber threats. Additionally, in mid-March 2025, RapperBot was linked to a coordinated attack against a major social media platform, where the timing of the botnet’s DDoS command distribution directly correlated with the platform’s service disruption.
Recommendations for Mitigation
To mitigate the threat posed by RapperBot, organizations and individuals should implement the following measures:
– Regular Firmware Updates: Ensure that all devices have the latest firmware updates to patch known vulnerabilities.
– Strong, Unique Passwords: Replace default credentials with strong, unique passwords to prevent unauthorized access.
– Disable Unnecessary Services: Turn off services that are not in use to reduce potential attack vectors.
– Network Segmentation: Isolate IoT devices from critical network segments to limit the impact of a potential compromise.
– Monitor Network Traffic: Regularly monitor network traffic for unusual patterns that may indicate a compromise.
By adopting these practices, organizations can enhance their resilience against botnet infections and protect their digital infrastructure from emerging threats like RapperBot.
