A sprawling IoT botnet known as “Raptor Train” has come to light, compromising over 200,000 internet-connected devices globally. Uncovered by Black Lotus Labs, the cybersecurity division of Lumen Technologies, this network is suspected to be the work of the Chinese-affiliated group known as Flax Typhoon.
The investigation, which began in mid-2023, detailed an extensive operation targeting vulnerable devices such as routers, NVRs, DVRs, NAS systems, and IP cameras—especially those in home offices and small businesses. At the height of its activity in June 2023, more than 60,000 devices were actively under the botnet’s control.
Researchers believe the operation has been running since May 2020. The scale and consistency of infections suggest a long-term effort to silently amass resources across critical network infrastructure.
At the core of Raptor Train is a sophisticated control system built using a centralized Node.js backend and an Electron-based interface dubbed “Sparrow.” This platform allows attackers to manage dozens of command-and-control (C2) servers and their associated devices concurrently. The system is capable of performing a wide range of actions—from uploading and downloading files, issuing remote commands, and exploiting vulnerabilities to coordinating potential distributed denial-of-service (DDoS) attacks.
Although no DDoS activity has been recorded so far, the functionality for such attacks is already embedded. The network has reportedly been used to target sectors such as national defense, government institutions, education, telecommunications, and IT infrastructure in both the United States and Taiwan.
The primary malware implant used on key infected devices—dubbed “Nosedive”—is a heavily customized version of the Mirai botnet code. It’s compatible with a wide range of IoT hardware and includes anti-forensic features to evade detection and complicate analysis.
Four separate waves of activity have been linked to the botnet’s lifecycle. These campaigns—named Crossbill, Finch, Canary, and Oriole—demonstrated evolving tactics and broadened the types of devices affected. Their progression aligns with behaviors previously associated with Flax Typhoon, including language indicators and geopolitical targeting patterns.
In response to these revelations, Lumen Technologies has taken proactive measures by blocking traffic to known C2 nodes and sharing intelligence with U.S. authorities. A joint cybersecurity advisory was later released by the FBI, the Cyber National Mission Force, and the NSA. Their assessment supports the conclusion that state-sponsored actors from China have compromised thousands of devices to form a covert, globally distributed attack infrastructure.
To mitigate the risk of falling victim to such botnets, experts recommend monitoring for unusual outbound data flows, particularly to internal or seemingly benign IP addresses. Organizations are encouraged to deploy secure access solutions like SASE, while individual users should prioritize frequent device reboots and timely firmware updates.
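The monitoring advice above can be turned into a concrete check over flow logs. The script below is an added example written for this article, not code from Lumen, Black Lotus Labs or the advisory; the device inventory, flow records, and thresholds are all constructed. It flags inventoried IoT devices that either push an unusually large volume to a single destination or contact one destination on a near-regular schedule, and deliberately applies no allowlist for private or same-region destination addresses, since the point of the recommendation is that benign-looking destinations deserve the same scrutiny.

```python
"""
Flag IoT devices with unusual outbound traffic in flow logs.

Added example for illustration only. The asset inventory, the flow records
and the thresholds below are constructed, not taken from any real network.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed asset inventory: which internal hosts are IoT-class devices.
IOT_DEVICES = {
    "192.168.1.20": "ip-camera",
    "192.168.1.21": "nvr",
    "192.168.1.1": "router",
}

# Constructed flow log: (timestamp, src, dst, dst_port, bytes_out).
FLOW_LOG = [
    ("2024-09-18T10:00:00", "192.168.1.20", "203.0.113.10", 443, 1200),
    ("2024-09-18T10:10:00", "192.168.1.20", "203.0.113.10", 443, 1180),
    ("2024-09-18T10:20:00", "192.168.1.20", "203.0.113.10", 443, 1210),
    ("2024-09-18T10:30:00", "192.168.1.20", "203.0.113.10", 443, 1190),
    ("2024-09-18T10:40:00", "192.168.1.20", "203.0.113.10", 443, 1205),
    ("2024-09-18T10:05:00", "192.168.1.21", "198.51.100.7", 8080, 50_000_000),
    ("2024-09-18T10:07:00", "192.168.1.1", "192.168.1.50", 53, 300),
    ("2024-09-18T10:15:00", "192.168.1.1", "203.0.113.99", 443, 4000),
    ("2024-09-18T11:00:00", "192.168.1.30", "198.51.100.2", 443, 900),
]


def parse_flows(records):
    """Turn raw tuples into dicts with a parsed timestamp, sorted by time."""
    flows = []
    for ts, src, dst, port, nbytes in records:
        flows.append({
            "ts": datetime.fromisoformat(ts),
            "src": src, "dst": dst, "port": port, "bytes": nbytes,
        })
    return sorted(flows, key=lambda f: f["ts"])


def iot_outbound_by_pair(flows):
    """Group flows from inventoried IoT devices by (src, dst) pair.
    Hosts not in the inventory are left to other detection rules."""
    pairs = defaultdict(list)
    for f in flows:
        if f["src"] in IOT_DEVICES:
            pairs[(f["src"], f["dst"])].append(f)
    return pairs


def find_bulk_transfers(flows, byte_threshold=10_000_000):
    """Flag IoT devices that send more than byte_threshold to one destination.
    No exemption for private or same-region destinations on purpose."""
    hits = []
    for (src, dst), fl in iot_outbound_by_pair(flows).items():
        total = sum(f["bytes"] for f in fl)
        if total > byte_threshold:
            hits.append((src, dst, total))
    return sorted(hits)


def find_beaconing(flows, min_count=4, max_jitter=0.2):
    """Flag IoT devices contacting one destination at a near-regular interval.
    Regularity is measured as stdev/mean of the gaps between connections."""
    hits = []
    for (src, dst), fl in iot_outbound_by_pair(flows).items():
        if len(fl) < min_count:
            continue
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(fl, fl[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            hits.append((src, dst))
    return sorted(hits)


def analyze(records):
    """Run both checks over a raw flow log and return the findings."""
    flows = parse_flows(records)
    return {"bulk": find_bulk_transfers(flows), "beacon": find_beaconing(flows)}


if __name__ == "__main__":
    for kind, hits in analyze(FLOW_LOG).items():
        for hit in hits:
            print(kind, IOT_DEVICES[hit[0]], *hit)
```

On the constructed log, the NVR is reported for a 50 MB upload to a single host and the camera for five connections exactly ten minutes apart; the router's small DNS and HTTPS flows and the uninventoried host at 192.168.1.30 are not reported. Thresholds like `byte_threshold` and `max_jitter` are starting points to be tuned against a baseline of normal device behaviour.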
The discovery of Raptor Train underscores the growing threat posed by IoT-targeting cyber operations. As connected devices proliferate, the need for proactive defense and industry-wide vigilance has never been more urgent.