RapperBot

Also known asRapperBot

RapperBot is an IoT-focused DDoS botnet (first named and tracked by NSFOCUS’s Fuying Lab) that primarily targets DVRs and network cameras. Reporting describes RapperBot as propagating via multiple scanners and being operated through a command-and-control (C2) infrastructure used to conduct large-scale DDoS attacks. Investigation activity referenced in the content began in 2022 and leveraged darknet monitoring and honeypot data, identifying infections in Taiwan, the United States, and Japan. Operational reporting notes concentrated DDoS activity against online game-related servers in China and a reported timing correlation between RapperBot DDoS events and intermittent service disruptions affecting X (formerly Twitter) in March 2025. A described blacklist function was used to prevent repeat attacks; it was also associated (in the reporting) with cessation of communications and the operator’s arrest. In August 2025, the U.S. Department of Justice charged a 22-year-old Oregon man for operating RapperBot, alleging the botnet conducted more than 370,000 DDoS attacks against 18,000 victims across more than 80 countries, controlled approximately 65,000–95,000 infected devices, and had an estimated attack capacity of 2–6 Tbps. The content does not attribute RapperBot to a nation-state actor.

Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial

OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Who they target

Sectors the actor has been observed targeting.

Software & Services
Media & Entertainment

Where they target

Geographies tied to known operations.

🇹🇼 Taiwan
🇺🇸 United States
🇯🇵 Japan
🇨🇳 China

ACTIVITY FEED

Recent activity

3 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

3 SOURCESView more in app

jpcert blogNews

Feb 27, 2026

JSAC2026 -Day 2- - JPCERT/CC Eyes | JPCERT Coordination Center official Blog

IoT DDoS botnet with active C2 infrastructure; propagates via multiple scanners; observed infections in multiple regions and linked (timing correlation) to service disruptions and attacks on online game-related servers; operator reportedly arrested after C2 communications ceased.

netscout asertNews

Dec 19, 2025

DDoS-for-Hire and the Evolving Use of AI

RapperBot is a botnet used to conduct large-scale DDoS attacks globally, leveraging tens of thousands of infected devices to overwhelm targets with high-volume traffic.

security boulevardNews

Nov 3, 2025

NSFOCUS in SAS 2025: Unveiling Secrets Behind Large-Scale DDoS Attacks on AI Platform and Social Media

RapperBot is a botnet involved in large-scale DDoS attacks, particularly against AI infrastructure and social media platforms. It is notable for its stealth, command-and-control sophistication, and effectiveness in overwhelming targets.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.

Start free trial

Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables

Domains, IPs, and hashes tied to this actor, refreshed continuously.