Black Lotus Labs uncovered Raptor Train, a large, multi-tier IoT botnet likely operated by Flax Typhoon, compromising over 200,000 SOHO and IoT devices. It uses a sophisticated control architecture and a Mirai-based implant named Nosedive, with DDoS capabilities suspected for future use. #RaptorTrain #FlaxTyphoon

Key Points

  • Botnet discovery occurred in mid-2023 and is believed to be operated by the Chinese threat actor group Flax Typhoon.
  • At its peak, Raptor Train encompassed over 60,000 Tier 1 nodes with more than 200,000 compromised devices overall since May 2020.
  • The network is built as a multi-tier system (Tier 1 devices, Tier 2 C2/payload servers, Tier 3 Sparrow management nodes) with a Node.js backend and an Electron-based Sparrow front-end.
  • The primary implant, “Nosedive,” is a custom Mirai variant that runs in memory, is non-persistent, and supports remote commands, file transfers, and DDoS actions.
  • Campaigns named Crossbill, Finch, Canary, and Oriole show evolving tactics and expanding device targets across SOHO/IoT ecosystems.
  • Targets span U.S. and Taiwanese military, government, higher education, telecom, DIB, and IT sectors, with observed exploitation attempts against Atlassian Confluence and Ivanti Connect Secure products.

MITRE Techniques

  • [T1078] Initial Access – Use of known vulnerabilities to exploit devices.
  • [T1203] Execution – Execution of malicious payloads on compromised devices.
  • [T1547] Persistence – Use of non-persistent malware to maintain access to compromised devices.
  • [T1071] Command and Control – Communication with C2 servers over encrypted channels.
  • [T1041] Exfiltration – Data exfiltration through compromised devices.
  • [T1499] Impact – Potential for DDoS attacks using compromised devices.

Indicators of Compromise

  • [Domain] C2 and control domains – k3121.com, b2047.com, and encoded subdomains (e.g., wsxe.k3121.com, abpi.b2047.com)
  • [Domain] Campaign-specific domains – w8510.com, cxmxbo.com
  • [Port] Network ports observed for control and management – 443 (TLS/C2), 22 (SSH management)
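As an added example (not from Black Lotus Labs or the Lumen report), the script below runs the domain indicators listed above against a few constructed DNS query log lines. It matches on the registered domain so that encoded subdomains such as wsxe.k3121.com are caught while look-alike names such as notk3121.com are not. The log line format is an assumption; adapt the regex to your resolver's output.

```python
"""Match DNS query logs against the Raptor Train domain indicators above.
Added example; the log format and sample lines are constructed, not real telemetry."""
import re
from typing import Iterable

# Indicator domains from the report summary. Subdomains (e.g. wsxe.k3121.com,
# abpi.b2047.com) are covered by matching on the registered domain.
RAPTOR_TRAIN_DOMAINS = frozenset({
    "k3121.com", "b2047.com", "w8510.com", "cxmxbo.com",
})

# Assumed log format: "<timestamp> <client-ip> query <qname>"
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+query\s+(?P<qname>\S+)$")


def registered_domain(qname: str) -> str:
    """Return the last two labels of a hostname, lower-cased, trailing dot removed.
    Sufficient for the .com indicators here; not a general public-suffix parser."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname.lower()


def is_indicator(qname: str) -> bool:
    """True if the queried name is an indicator domain or any subdomain of one."""
    return registered_domain(qname) in RAPTOR_TRAIN_DOMAINS


def find_hits(lines: Iterable[str]) -> list[dict]:
    """Return one record per log line whose query name matches an indicator."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the scan
        if is_indicator(m["qname"]):
            hits.append({
                "ts": m["ts"],
                "client": m["client"],
                "qname": m["qname"].rstrip(".").lower(),
                "indicator": registered_domain(m["qname"]),
            })
    return hits


# Constructed sample log lines (not real telemetry).
SAMPLE_LOG = [
    "2024-09-18T10:01:02Z 192.0.2.10 query wsxe.k3121.com.",
    "2024-09-18T10:01:05Z 192.0.2.11 query example.com",
    "2024-09-18T10:02:17Z 192.0.2.12 query ABPI.B2047.COM",
    "2024-09-18T10:03:44Z 192.0.2.13 query notk3121.com",
    "garbage line",
    "2024-09-18T10:04:00Z 192.0.2.14 query cxmxbo.com",
]

if __name__ == "__main__":
    for hit in find_hits(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['client']} -> {hit['qname']} (indicator {hit['indicator']})")
```

The port indicators (443, 22) are deliberately not used as match criteria: both are far too common to alert on by themselves and are only meaningful when paired with a domain or address hit.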

Read more: https://blog.lumen.com/derailing-the-raptor-train/