Raptor Train
Raptor Train is a China-linked botnet associated with Flax Typhoon and attributed by U.S. authorities and researchers to Integrity Technology Group, a Chengdu-based company assessed to have developed, controlled, and managed the network. It was disrupted by the FBI and other partners in 2024. The botnet had been active since at least May 2020, infected more than 200,000 devices over its lifetime, and was reported by the FBI to have compromised more than 260,000 networking and IoT devices. It peaked in June 2023 with more than 60,000 actively compromised devices.
Raptor Train primarily infected edge and IoT devices including SOHO routers, modems, IP cameras, NVRs, DVRs, firewalls, and NAS devices. Reported affected vendors included ActionTec, ASUS, TP-LINK, DrayTek, Tenda, Ruijie, Zyxel, Ruckus, Hikvision, D-LINK, AXIS, Panasonic, Shenzhen TVT, QNAP, Fujitsu, and Synology. Researchers stated the operators exploited more than 20 device types using both zero-day and known vulnerabilities. The botnet was also cited as an example of how compromised consumer-grade and remote-site devices can be used as covert proxy infrastructure or as entry points into IT and OT networks.
Black Lotus Labs described Raptor Train as a sophisticated multi-tiered botnet with an enterprise-grade control system. Its primary payload was a Mirai variant called Nosedive. Although Nosedive is associated with DDoS capability, researchers said they did not observe Raptor Train conducting DDoS attacks in the wild. The architecture included Tier 1 infected devices, Tier 2 infrastructure for exploitation or payload delivery, and Tier 3 management systems referred to by the operators as Sparrow nodes. Sparrow nodes were manually operated over SSH or TLS and included a web interface, backend services, and tooling to generate payloads and exploits. Infected Tier 1 devices typically remained in the botnet for about 17 days because the Nosedive payload lacked persistence.
The botnet was used to support intrusions and scanning activity against strategic sectors including military, government, telecommunications, higher education, the defense industrial base, and IT organizations. Reporting states it primarily targeted organizations in the United States and Taiwan, with victims also observed across North America, Europe, Asia, Africa, Oceania, and South America, and at least one government target in Kazakhstan. Researchers linked it to scanning of U.S. military and government networks and to exploitation attempts against Atlassian Confluence and Ivanti Connect Secure systems, likely including CVE-2024-21887.
Known infrastructure details include the Oriole campaign domain w8510[.]com. The FBI stated that Raptor Train was controlled through Integrity Technology Group infrastructure using IP addresses from the China Unicom Beijing Province Network. Black Lotus Labs also observed that Tier 3 to Tier 2 SSH connections occurred almost exclusively during normal workweek hours in China, and that code comments and interface text were written in Chinese.
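The workweek-hours observation above is the kind of weak attribution signal a defender can reproduce from their own session logs. The following is an added example, not code from Black Lotus Labs, the FBI, or any Raptor Train tooling: it takes SSH session records in a constructed log format (timestamps, source and destination IPs are all made up), converts each UTC timestamp to UTC+8 (China Standard Time, which has no daylight saving), and reports per source IP what fraction of sessions land in a Monday-to-Friday 09:00-18:00 local window. The window bounds, the threshold and the minimum session count are assumptions chosen for the example.

```python
"""Workweek-hour clustering check for SSH sessions (added example).

Converts UTC session timestamps to UTC+8 and measures, per source IP,
how many sessions fall into a Mon-Fri 09:00-18:00 local window. A high
fraction is a weak signal to correlate with other evidence, not proof
of attribution on its own.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumption: China Standard Time is a fixed UTC+8 offset with no DST,
# so a fixed-offset tzinfo is enough and no tz database is needed.
CST = timezone(timedelta(hours=8), name="CST")
WORK_START, WORK_END = 9, 18  # local hours, half-open [09:00, 18:00)
WORKDAYS = range(0, 5)        # Monday=0 .. Friday=4

# Constructed sample log (not real telemetry):
# "<ISO-8601 UTC timestamp> ssh <src_ip> -> <dst_ip>"
SAMPLE_LOG = """\
2023-06-05T02:14:07Z ssh 203.0.113.10 -> 198.51.100.5
2023-06-05T06:40:22Z ssh 203.0.113.10 -> 198.51.100.5
2023-06-06T01:05:51Z ssh 203.0.113.10 -> 198.51.100.7
2023-06-07T08:59:00Z ssh 203.0.113.10 -> 198.51.100.5
2023-06-09T17:30:00Z ssh 203.0.113.10 -> 198.51.100.5
2023-06-05T14:00:00Z ssh 192.0.2.44 -> 198.51.100.5
2023-06-05T21:30:00Z ssh 192.0.2.44 -> 198.51.100.5
2023-06-08T12:15:00Z ssh 192.0.2.44 -> 198.51.100.9
"""

LINE_RE = re.compile(r"^(\S+)\s+ssh\s+(\S+)\s+->\s+(\S+)$")


def parse_line(line):
    """Return (utc_datetime, src_ip, dst_ip) or None for unparseable lines."""
    match = LINE_RE.match(line.strip())
    if not match:
        return None
    ts = datetime.strptime(match.group(1), "%Y-%m-%dT%H:%M:%SZ")
    return ts.replace(tzinfo=timezone.utc), match.group(2), match.group(3)


def in_workweek(ts_utc, tz=CST):
    """True if the UTC timestamp falls on Mon-Fri 09:00-18:00 in tz.

    The date is taken after conversion, so a Friday 17:30 UTC session
    becomes Saturday 01:30 local and is counted as outside the window.
    """
    local = ts_utc.astimezone(tz)
    return local.weekday() in WORKDAYS and WORK_START <= local.hour < WORK_END


def workweek_fraction(log_text, tz=CST):
    """Map src_ip -> (fraction of sessions in the work window, total sessions)."""
    counts = defaultdict(lambda: [0, 0])  # src_ip -> [in_window, total]
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines rather than abort the run
        ts, src, _dst = parsed
        counts[src][1] += 1
        if in_workweek(ts, tz):
            counts[src][0] += 1
    return {src: (hit / total, total) for src, (hit, total) in counts.items()}


def flag_sources(log_text, threshold=0.8, min_sessions=5, tz=CST):
    """Source IPs whose sessions cluster in the work window strongly enough.

    min_sessions guards against flagging a host on two or three samples.
    """
    return sorted(
        src
        for src, (frac, total) in workweek_fraction(log_text, tz).items()
        if total >= min_sessions and frac >= threshold
    )


if __name__ == "__main__":
    for src, (frac, total) in sorted(workweek_fraction(SAMPLE_LOG).items()):
        print(f"{src:15} {frac:5.0%} of {total} sessions in CST work hours")
    print("flagged:", flag_sources(SAMPLE_LOG))
```

Run against real data, the interesting part is the comparison between source hosts rather than any single fraction: a benign administrator in a UTC+8 region produces the same clustering, which is why the report treats this as corroborating rather than decisive evidence.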
The botnet is widely described as covert infrastructure used by China-nexus operators to route malicious traffic, support intrusion operations, and hide attacker activity. Government advisories specifically cite Raptor Train alongside other Typhoon-linked infrastructure such as Volt Typhoon's KV Botnet.
Vulnerabilities exploited
1 CVE Mallory has correlated with this family across public research and vendor advisories.
The FBI and cybersecurity researchers have disrupted a massive Chinese botnet called “Raptor Train” that infected over 260,000 networking devices to target critical infrastructure in the US and in other countries.
Groups observed using it
1 distinct threat actor attributed by public researchers.
The Raptor Train botnet, disrupted by the United States, offers a clear illustration of this contractor model. It was attributed to Chengdu-based Integrity Technology Group, found responsible for developing the botnet and therefore held partly accountable for intrusion activities attributed to Flax Typhoon.
Techniques & procedures
9 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development (4 techniques)
Since May 2020, over 200,000 devices, including SOHO routers, NVR/DVR devices, NAS servers, and IP cameras, have been compromised and added to the Raptor Train botnet.
For example, China's Integrity Technology Group controlled and managed the so-called Raptor Train network, which in 2024 infected more than 200,000 devices worldwide, including small office home office (SOHO) routers, internet-connected web cameras and video recorders, plus firewalls and network-attached storage (NAS) devices.
Execution (1 technique)
Lateral Movement (1 technique)
Command and Control (3 techniques)
The malware connected these thousands of infected devices into a botnet, controlled by Integrity Technology Group, which was used to conduct malicious cyber activity disguised as routine internet traffic from the infected consumer devices.
A majority of China-linked threat actors are using compromised routers and IoT devices worldwide, turning this gear into proxy networks to carry out further intrusions, steal sensitive data, and disrupt victim organizations’ operations.
...used to conduct malicious cyber activity disguised as routine internet traffic from the infected consumer devices... For the second time this year, we have disrupted a botnet used by PRC proxies to conceal their efforts to hack into networks in the U.S. and around the world...
IOCs tracked for this family
20 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
9 sources tracked across advisories, community write-ups, and news.
A botnet developed by Integrity Technology Group and linked to intrusion activity attributed to Flax Typhoon, illustrating the role of private contractors in Chinese cyber operations.
A large covert network/botnet of compromised routers, cameras, recorders, firewalls, and NAS devices used to provide proxy infrastructure for China-linked intrusion activity.
Long-running botnet campaign built over several years, with large numbers of compromised devices and an expanding multi-tier C2 infrastructure.
A botnet referenced as one of several past residential proxy or router-focused botnets taken down by law enforcement or governments.