RapperBot

RapperBot is an IoT-focused DDoS botnet and DDoS-for-hire malware family active since at least 2021. Public reporting describes it as responsible for large-scale disruptive attacks against more than 18,000 victims in over 80 countries, with more than 370,000 DDoS attacks attributed to the operation. U.S. authorities said the botnet typically controlled roughly 65,000 to 95,000 infected devices and had an estimated attack capacity of 2 to 6 Tbps; it was disrupted by U.S. law enforcement in August 2025. Reporting also states that RapperBot was used to target Pentagon networks on at least three occasions.

RapperBot primarily infected internet-exposed IoT and embedded Linux devices, especially home routers, DVRs, and network cameras; one source also notes infections observed in Taiwan, the United States, and Japan. Technical reporting says RapperBot malware was used in brute-force attacks exclusively against SSH servers and could replace a victim's ~/.ssh/authorized_keys, while later related samples reused RapperBot's distinctive C2 protocol but shifted to Telnet-based self-propagation using embedded default IoT credentials and device-prompt fingerprinting. After compromise, the malware reported the credentials used, the victim IP, and the device architecture to its C2 on port 5123, determined the architecture by parsing the ELF header of /bin/busybox, and downloaded an architecture-matched ELF payload. Reported target architectures included ARM, MIPS, PowerPC, SH4, and SPARC, with checks to avoid Intel systems.
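Because the reporting above says the malware could replace a victim's ~/.ssh/authorized_keys, the quickest defensive check is to diff the live file against an approved baseline. The following is an added example written for this page, not code from the original page or from any vendor; the key blobs, comments and the `from=` option are constructed placeholders, and `audit_files` assumes you keep a baseline copy of the approved file somewhere on disk.

```python
"""Audit an SSH authorized_keys file against an approved-key allowlist.

Added example, not code from the original page or from any vendor: the page
notes that RapperBot could replace a victim's ~/.ssh/authorized_keys, so a
defender wants a fast way to spot keys that were never approved and
approved keys that have disappeared. Key blobs below are constructed
placeholders, not real public keys.
"""
import hashlib
from dataclasses import dataclass
from pathlib import Path

# Key types OpenSSH accepts in authorized_keys
KEY_TYPES = {
    "ssh-rsa", "ssh-dss", "ssh-ed25519",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
    "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com",
}


@dataclass(frozen=True)
class AuthorizedKey:
    options: str      # e.g. from="10.0.0.0/8",no-pty (may be empty)
    key_type: str
    blob: str         # base64 key material exactly as written in the file
    comment: str

    @property
    def fingerprint(self) -> str:
        # Hash type and blob only, so editing a comment cannot disguise a swapped key
        return hashlib.sha256(f"{self.key_type} {self.blob}".encode()).hexdigest()[:16]


def parse_authorized_keys(text: str) -> list[AuthorizedKey]:
    """Parse authorized_keys content; blank lines and # comments are skipped."""
    keys = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        # Options, if any, precede the key type: locate the first key-type token
        for i, tok in enumerate(tokens):
            if tok in KEY_TYPES and i + 1 < len(tokens):
                keys.append(AuthorizedKey(
                    options=" ".join(tokens[:i]),
                    key_type=tok,
                    blob=tokens[i + 1],
                    comment=" ".join(tokens[i + 2:]),
                ))
                break
    return keys


def audit(live_text: str, approved_text: str) -> tuple[list[AuthorizedKey], list[AuthorizedKey]]:
    """Return (unexpected keys present in the live file, approved keys missing from it)."""
    live = parse_authorized_keys(live_text)
    approved = parse_authorized_keys(approved_text)
    approved_fps = {k.fingerprint for k in approved}
    live_fps = {k.fingerprint for k in live}
    unexpected = [k for k in live if k.fingerprint not in approved_fps]
    missing = [k for k in approved if k.fingerprint not in live_fps]
    return unexpected, missing


def audit_files(live_path: str, approved_path: str):
    """Wrapper for real files, e.g. ~/.ssh/authorized_keys and a baseline copy (hypothetical paths)."""
    return audit(Path(live_path).expanduser().read_text(),
                 Path(approved_path).expanduser().read_text())


# Constructed allowlist: two keys the administrator approved
APPROVED = """\
# approved keys (constructed sample)
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedAdminKeyOne000000000000 admin@bastion
from="10.0.0.0/8" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQConstructedBackupKey00000000 backup@nas
"""

# Constructed live file after a full replacement: approved keys gone, one unknown key present
LIVE = """\
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQConstructedUnknownKey0000000000 unknown@constructed
"""

if __name__ == "__main__":
    unexpected, missing = audit(LIVE, APPROVED)
    for k in unexpected:
        print(f"UNEXPECTED {k.key_type} {k.fingerprint} {k.comment!r}")
    for k in missing:
        print(f"MISSING    {k.key_type} {k.fingerprint} {k.comment!r}")
```

Fingerprinting over the key type and blob rather than the whole line means a renamed comment or added option does not hide a substituted key, while a wholesale replacement of the file shows up as every approved key missing at once.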

The malware's core purpose was DDoS. Reported attack methods included UDP flood, TCP SYN flood, TCP ACK flood, TCP STOMP flood, generic TCP flood, GRE Ethernet flood, GRE IP flood, and a UDP flood tailored to Grand Theft Auto: San Andreas Multi Player (SA:MP), indicating at least one campaign focused on game-server disruption. Additional reporting mentions concentrated DDoS attacks against online game-related servers in China, and one presenter discussed a correlation between RapperBot DDoS timing and intermittent service disruptions affecting X in March 2025. Reporting also notes a blacklist function associated with preventing repeat attacks.

FortiGuard Labs assessed that October 2022 samples using the same distinctive RapperBot C2 protocol were operated either by the same threat actor as RapperBot or by actors sharing privately distributed source code. Security detections referenced in reporting include FortiGuard antivirus classifications such as ELF/Mirai, Linux/Mirai, and ELF/Gafgyt, and an IPS signature named Rapper.Botnet for RapperBot C2 activity.

MITRE ATT&CK

Techniques & procedures

9 distinct techniques documented for this family, organized by ATT&CK tactic.

Resource Development

1 technique
T1584.005 Botnet (1 evidence item)

In August 2025, the U.S. also took down the RapperBot botnet, used for large-scale attacks across more than 80 countries since 2021.

Execution

1 technique
T1059 Command and Scripting Interpreter (1 evidence item)

"The binary downloaders are written by echoing the bytes and piping the content to a file in the victim system"
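The evidence quoted above describes a downloader being written by echoing bytes into a file, which is a pattern command-line telemetry can be screened for. Below is an added example written for this page, not code from the original page or from any vendor rule set: it scores constructed command lines (auditd EXECVE records, EDR process telemetry or shell history would be the real input) on escape-sequence density, the ELF magic, output redirection and a chmod on the same line. The file names and the byte strings in the sample lines are constructed.

```python
"""Screen command-line telemetry for binaries written by echoing bytes.

Added example, not code from the original page or from any vendor rule
set: the evidence quoted above says RapperBot's binary downloaders are
"written by echoing the bytes and piping the content to a file". A
command log (auditd EXECVE records, EDR process telemetry, shell history)
can be scored for that pattern. The log lines below are constructed.
"""
import re

HEX_ESCAPE = re.compile(r"\\x[0-9a-fA-F]{2}")
OCTAL_ESCAPE = re.compile(r"\\[0-7]{3}")
REDIRECT = re.compile(r">\s*\S+")
CHMOD_EXEC = re.compile(r"\bchmod\b\s+(?:\+x|[0-7]{3,4})")
ELF_MAGIC_HEX = "\\x7f\\x45\\x4c\\x46"   # \x7fELF as it appears in an echo -e / printf argument


def score_command(cmd: str) -> tuple[int, list[str]]:
    """Return (score, reasons); higher is more consistent with a byte-echoed binary drop."""
    score, reasons = 0, []
    if not re.search(r"\b(?:echo|printf)\b", cmd):
        return score, reasons
    escapes = len(HEX_ESCAPE.findall(cmd)) + len(OCTAL_ESCAPE.findall(cmd))
    if escapes >= 8:
        score += 2
        reasons.append(f"{escapes} byte escapes")
    # Only the first chunk of a write split over several commands carries the ELF magic
    if ELF_MAGIC_HEX in cmd.lower() or "\\177elf" in cmd.lower():
        score += 3
        reasons.append("ELF magic in echoed bytes")
    if REDIRECT.search(cmd):
        score += 1
        reasons.append("output redirected to a file")
    if CHMOD_EXEC.search(cmd):
        score += 1
        reasons.append("chmod on the same command line")
    return score, reasons


def scan(lines: list[str], threshold: int = 3) -> list[tuple[int, int, list[str]]]:
    """Return (index, score, reasons) for every line at or above the threshold.

    The threshold is deliberately low: continuation chunks of a split write
    have no ELF magic and show only the escape count plus the redirect.
    """
    hits = []
    for i, line in enumerate(lines):
        score, reasons = score_command(line)
        if score >= threshold:
            hits.append((i, score, reasons))
    return hits


# Constructed command lines: two benign, the first chunk of an echoed binary, then a continuation chunk
SAMPLE_COMMANDS = [
    r'echo "backup done" > /tmp/note.txt',
    r"printf '\x1b[32mOK\x1b[0m\n'",
    r"echo -ne '\x7f\x45\x4c\x46\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x28\x00' > /tmp/.dl; chmod +x /tmp/.dl",
    r"echo -ne '\x34\x00\x00\x00\x00\x00\x00\x00\x34\x00\x20\x00\x01\x00\x28\x00' >> /tmp/.dl",
]

if __name__ == "__main__":
    for idx, score, reasons in scan(SAMPLE_COMMANDS):
        print(f"line {idx}: score {score}: {'; '.join(reasons)}")
```

Plain `echo` with a redirect scores 1 and a colour-escape `printf` scores 0, so ordinary administration stays below the threshold; the first chunk of the drop scores 7 and the magic-less continuation chunk still clears the bar on escape density and redirect alone.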

Credential Access

1 technique
T1110 Brute Force (1 evidence item)

"complete replacement of the SSH brute forcing code with the more usual Telnet equivalent"; "The Telnet brute forcing code is designed primarily for self-propagation"

Discovery

1 technique
T1082 System Information Discovery (1 evidence item)

"It first parses the Executable and Linkable Format (ELF) header of the /bin/busybox file for the e_machine field... This allows it to download and deploy a RapperBot payload of the correct architecture"
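The e_machine read described above is the same 20-byte header inspection an analyst performs when triaging a captured payload before choosing an emulator or sandbox image. The following is an added example written for this page, not code from the original page or from FortiGuard; the header bytes are constructed, the e_machine constants are the standard ELF gABI values for the architectures the report names, and the default `/bin/busybox` path in `identify_file` simply mirrors the file the report says the malware inspects.

```python
"""Read an ELF header to identify the target architecture of a sample.

Added example, not code from the original page or from FortiGuard: the
evidence quoted above says the malware reads the e_machine field of the
/bin/busybox ELF header to choose a payload for the right CPU. The same
header read lets an analyst triage a captured payload. The header bytes
below are constructed, not taken from a real sample.
"""
import struct
from pathlib import Path

ELF_MAGIC = b"\x7fELF"

# e_machine values from the ELF gABI for the architectures the page names, plus Intel for the exclusion check
E_MACHINE_NAMES = {
    0x02: "SPARC",
    0x03: "x86",
    0x08: "MIPS",
    0x14: "PowerPC",
    0x15: "PowerPC64",
    0x28: "ARM",
    0x2A: "SuperH (SH4)",
    0x3E: "x86-64",
    0xB7: "AArch64",
}
INTEL_MACHINES = {0x03, 0x3E}


def is_elf(data: bytes) -> bool:
    """True when the buffer starts with the ELF magic and is long enough to hold e_machine."""
    return len(data) >= 20 and data[:4] == ELF_MAGIC


def parse_elf_header(data: bytes) -> dict:
    """Return class, endianness, e_type and e_machine from the first 20 bytes of an ELF file."""
    if not is_elf(data):
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]   # EI_CLASS: 1=32-bit, 2=64-bit; EI_DATA: 1=LE, 2=BE
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        raise ValueError("invalid EI_CLASS or EI_DATA")
    endian = "<" if ei_data == 1 else ">"
    # e_type and e_machine are the two 16-bit fields immediately after the 16-byte e_ident
    e_type, e_machine = struct.unpack(endian + "HH", data[16:20])
    return {
        "bits": 32 if ei_class == 1 else 64,
        "endian": "little" if ei_data == 1 else "big",
        "e_type": e_type,
        "e_machine": e_machine,
        "arch": E_MACHINE_NAMES.get(e_machine, f"unknown (0x{e_machine:02x})"),
        "intel": e_machine in INTEL_MACHINES,
    }


def identify_file(path: str = "/bin/busybox") -> dict:
    """Triage a file on disk; only the header is read, the file is never executed."""
    with open(Path(path), "rb") as fh:
        return parse_elf_header(fh.read(64))


def make_header(ei_class: int, ei_data: int, e_machine: int, e_type: int = 2) -> bytes:
    """Build a minimal 20-byte ELF header (constructed test input, not a runnable binary)."""
    e_ident = ELF_MAGIC + bytes([ei_class, ei_data, 1]) + b"\x00" * 9
    endian = "<" if ei_data == 1 else ">"
    return e_ident + struct.pack(endian + "HH", e_type, e_machine)


# Constructed headers for architectures named in the report, plus an Intel one
SAMPLES = {
    "arm_le": make_header(1, 1, 0x28),
    "mips_be": make_header(1, 2, 0x08),
    "sparc_be": make_header(1, 2, 0x02),
    "x86_64_le": make_header(2, 1, 0x3E),
}

if __name__ == "__main__":
    for name, hdr in SAMPLES.items():
        info = parse_elf_header(hdr)
        print(f"{name:10s} {info['bits']}-bit {info['endian']}-endian {info['arch']} intel={info['intel']}")
```

The endianness byte must be honoured before unpacking: a big-endian MIPS header stores e_machine as `00 08`, and reading it as little-endian would yield 0x0800 and a wrong architecture.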

Lateral Movement

1 technique
T1021.004 SSH (1 evidence item)

"Telnet Self-propagation"; "once it has successfully gained access..."

Command and Control

2 techniques
T1071 Application Layer Protocol (2 evidence items)

"new samples with the same distinctive C2 protocol used by RapperBot..."; "The C2 commands and corresponding IDs are identical in both campaigns"

T1105 Ingress Tool Transfer (1 evidence item)

"downloads its payload via... ftpget, wget, curl, or tftp"; "If none... it will extract and send an embedded binary downloader"

Impact

2 techniques
T1498 Network Denial of Service (6 evidence items)

DDoS-for-hire services, or “booters,” are illegal platforms that let users pay to launch DDoS attacks that flood websites or servers with traffic, causing outages.

T1499 Endpoint Denial of Service (1 evidence item)

DDoS attacks often tend to target various web-based services, with the motivations behind them as varied as they are broad.

INDICATORS OF COMPROMISE

IOCs tracked for this family

24 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

Network (1 tracked): IPs, domains, and DNS infrastructure linked to this family.

Hashes (7 tracked): file hashes (MD5, SHA-1, SHA-256) from samples and reports.

Other (16 tracked): other indicator types observed in public reporting.
