A massive Chinese botnet dubbed “Raptor Train” has been disrupted by the FBI and cybersecurity researchers. This sophisticated network infected over 260,000 networking devices, primarily targeting critical infrastructure in the United States and other countries. According to FBI reports almost half the infected nodes were in the US and Canada with 126,000 in the US and 9,600 in Canada.
The botnet, active since May 2020, targeted entities in military, government, higher education, telecommunications, defense, and IT sectors. The FBI has linked the botnet to the Chinese state-sponsored hacker group Flax Typhoon
Raptor Train infected a wide range of devices, including SOHO routers, IP cameras, and network-attached storage servers. At its peak in June 2023, the botnet controlled over 60,000 devices simultaneously.
The primary payload is a variant of the Mirai malware, which researchers call Nosedive, designed for DDoS attacks. The botnet’s sophisticated architecture includes three tiers of activity for specific operations, making it highly adaptable and resilient.
FBI Director Christopher Wray confirmed that the bureau executed court-authorized operations to take control of the botnet infrastructure and remove malware from infected devices.
This discovery highlights the ongoing cybersecurity threats posed by state-sponsored actors and the vulnerability of consumer and small business networking devices.
Users are advised to regularly reboot their routers, ensure that they have installed the latest updates, and replace any end-of-life devices to protect against such threats. This advice should apply to corporate equipment and any work from home or home offices.
