Researchers at Lumen Technologies have eyes on a massive, multi-tiered botnet of hijacked IoT devices being commandeered by a Chinese state-sponsored espionage hacking operation.

The botnet, tagged with the moniker Raptor Train, is packed with hundreds of thousands of small office/home office (SOHO) and Internet of Things (IoT) devices, and has targeted entities in the U.S. and Taiwan across critical sectors, including the military, government, higher education, telecommunications, and the defense industrial base (DIB).

“Based on the recent scale of device exploitation, we  suspect hundreds of thousands of devices have been entangled by this network since its formation in May 2020,” Black Lotus Labs said in a paper to be presented at the LABScon conference this week.

Black Lotus Labs, the research arm of Lumen Technologies, said the botnet is the handiwork of Flax Typhoon, a known Chinese cyberespionage team heavily focused on hacking into Taiwanese organizations. Flax Typhoon is notorious for its minimal use of malware and maintaining stealthy persistence by abusing legitimate software tools.

Since the middle of 2023, Black Lotus Labs tracked the APT building the new IoT botnet that, at its height in June 2023, contained more than 60,000 active compromised devices. 

Black Lotus Labs estimates that more than 200,000 routers, network-attached storage (NAS) servers, and IP cameras have been affected over the last four years. The botnet has continued to grow, with hundreds of thousands of devices believed to have been entangled since its formation.

In a paper documenting the threat, Black Lotus Labs said possible exploitation attempts against Atlassian Confluence servers and Ivanti Connect Secure appliances have sprung from nodes associated with this botnet. 

The company described the botnet’s command and control (C2) infrastructure as robust, featuring a centralized Node.js backend and a cross-platform front-end application called “Sparrow” that handles sophisticated exploitation and management of infected devices.

The Sparrow platform allows for remote command execution, file transfers, vulnerability management, and distributed denial-of-service (DDoS) attack capabilities, although Black Lotus Labs said it has yet to observe any DDoS activity from the botnet.

The researchers found the botnet’s infrastructure is divided into three tiers, with Tier 1 consisting of compromised devices like modems, routers, IP cameras, and NAS systems. The second tier manages exploitation servers and C2 nodes, while Tier 3 handles management through the “Sparrow” platform. 

Black Lotus Labs observed that devices in Tier 1 are regularly rotated, with compromised devices remaining active for an average of 17 days before being replaced. 

The attackers are exploiting over 20 device types using both zero-day and known vulnerabilities to include them as Tier 1 nodes. These include modems and routers from companies like ActionTec, ASUS,  DrayTek Vigor and Mikrotik; and IP cameras from D-Link, Hikvision, Panasonic, QNAP (TS Series) and Fujitsu.

In its technical documentation, Black Lotus Labs said the number of active Tier 1 nodes is constantly fluctuating, suggesting operators are not concerned with the regular rotation of compromised devices.

The company said the primary malware seen on most of the Tier 1 nodes, called Nosedive, is a custom variation of the infamous Mirai implant. Nosedive is designed to infect a wide range of devices, including those running on MIPS, ARM, SuperH, and PowerPC architectures and is deployed through a complex two-tier system, using specially encoded URLs and domain injection techniques.

Once installed, Nosedive operates entirely in memory, leaving no trace on the hard drive. Black Lotus Labs said the implant is particularly difficult to detect and analyze due to obfuscation of running process names, use of a multi-stage infection chain, and termination of remote management processes.

In late December 2023, the researchers observed the botnet operators conducting extensive scanning efforts targeting the US military, US government, IT providers, and DIB organizations.  

“There was also widespread, global targeting, such as a government agency in  Kazakhstan, along with more targeted scanning and likely exploitation attempts against  vulnerable software including Atlassian Confluence servers and Ivanti Connect Secure  appliances (likely via CVE-2024-21887) in the same sectors,” Black Lotus Labs warned.

Black Lotus Labs has null-routed traffic to the known points of botnet infrastructure, including the distributed botnet management, command-and-control, payload and  exploitation infrastructure. There are reports that law enforcement agencies in the US are working on neutralizing the botnet.

Related: ‘Flax Typhoon’ APT Hacks Taiwan With Minimal Malware Footprint

Related: Chinese APT Volt Typhoon Linked to Unkillable SOHO Router Botnet 

Related: Researchers Discover 40,000-Strong EOL Router, IoT Botnet 

Related: US Gov Disrupts SOHO Router Botnet Used by Chinese APT Volt Typhoon