Skip to main content
Meet us at Black Hat USA 2026— Las Vegas, August 1–6Book a Meeting
Mallory
Back to malware
MalwareUsed by 1 actorExploits 1 CVE

Nosedive

Share:
For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial
EXPLOITED CVES

Vulnerabilities exploited

1 CVE Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.

1 CVES
CVE-2024-21887Command Injection in Ivanti Connect Secure and Policy Secure Web ComponentsExploited in the wild

Black Lotus Labs notes that the botnet was also involved in exploitation attempts against Atlassian Confluence servers and Ivanti Connect Secure appliances (likely via CVE-2024-21887) at organizations in the same activity sectors.

via bleeping computerbleepingcomputer.com
THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

View more details
Flax Typhoon

The primary implant seen on most of the Tier 1 nodes, which Black Lotus Labs calls “Nosedive”, is a custom variation of the Mirai implant that is supported on all major SOHO and IoT architectures (e.g. MIPS, ARM, SuperH, PowerPC, etc.).

via lumen black lotus labslumen.com
MITRE ATT&CK

Techniques & procedures

14 distinct techniques documented for this family, organized by ATT&CK tactic.

Resource Development

1 technique
T1584.005BotnetEvidence2

Black Lotus Labs began an investigation into compromised routers that led to the discovery of a large, multi-tiered botnet consisting of small office/home office (SOHO) and IoT devices... We call this botnet “Raptor Train.”

Initial Access

1 technique
T1190Exploit Public-Facing ApplicationEvidence2

The operators are likely exploiting more than 20 different device types with both 0-day and n-day (known) vulnerabilities for inclusion as Tier 1 nodes.

Execution

2 techniques
T1059Command and Scripting InterpreterEvidence2

Once deployed, Nosedive runs in-memory only and allows the operators to execute commands, upload and download files, and run DDoS attacks on compromised devices.

T1203Exploitation for Client ExecutionEvidence1

The researchers say that Raptor Train operators add devices in Tier 1 likely by exploiting “exploiting more than 20 different device types with both 0-day and n-day (known) vulnerabilities.”

Stealth

5 techniques
T1027Obfuscated Files or InformationEvidence1

Nosedive implants are delivered via multi-stage droppers using encoded URL schemes, making detection challenging.

T1027.011Fileless StorageEvidence1

Once deployed, the malware operates entirely in-memory... This memory-resident nature, combined with anti-forensics techniques such as obfuscated processes and multi-stage infections, complicates detection and analysis.

T1036MasqueradingEvidence1

This, in addition to anti-forensics techniques employed on these devices including the obfuscation of running process names... makes detection and forensics much more difficult.

T1070Indicator RemovalEvidence2

All samples Black Lotus Labs found of Nosedive and its associated droppers were memory-resident only and deleted from disk.

T1620Reflective Code LoadingEvidence1

All samples Black Lotus Labs found of Nosedive and its associated droppers were memory-resident only and deleted from disk.

Command and Control

4 techniques
T1071Application Layer ProtocolEvidence3

The C2 servers in Tier 2 receive the callbacks from compromised devices in Tier 1 over port 443.

T1104Multi-Stage ChannelsEvidence1

The ‘second stage’ servers often host their payloads on high, random ephemeral ports... and are used in multi-stage droppers.

T1105Ingress Tool TransferEvidence2

This service enables an entire suite of activities, including scalable exploitation of bots, vulnerability and exploit management, remote management of C2 infrastructure, file uploads and downloads...

T1568.002Domain Generation AlgorithmsEvidence1

Initially, the root domain k3121.com was used as the sole C2 domain, but by mid-2021, the operators began using encoded random alphanumeric C2 subdomains...

Impact

1 technique
T1498Network Denial of ServiceEvidence3

Once deployed, Nosedive runs in-memory only and allows the operators to execute commands, upload and download files, and run DDoS attacks on compromised devices.

INDICATORS OF COMPROMISE

IOCs tracked for this family

20 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

View more in app
Network
11 tracked

IPs, domains, and DNS infrastructure linked to this family.

Hashes
9 tracked

File hashes (MD5, SHA-1, SHA-256) from samples and reports.

TypeValueLatest sighting
domain●●●●●●●●●●●●View more in app2 years ago
domain●●●●●●●●●●●●View more in app2 years ago
domain●●●●●●●●●●●●View more in app2 years ago
domain●●●●●●●●●●●●View more in app2 years ago
domain●●●●●●●●●●●●View more in app2 years ago
domain●●●●●●●●●●●●View more in app2 years ago
ACTIVITY FEED

Recent activity

3 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

3 SOURCESView more in app
bleeping computerNews
Sep 18, 2024
Chinese botnet infects 260,000 SOHO routers, IP cameras with malware

A Mirai variant used as the primary payload in the Raptor Train botnet. It lacks a persistence mechanism, so infected devices typically remain in the botnet for about 17 days.

Read more
lumen black lotus labsNews
Sep 18, 2024
Derailing the Raptor Train

A custom Mirai-based implant used in the Raptor Train botnet to infect SOHO and IoT devices. It runs in memory, supports multiple architectures, enables remote command execution, file upload/download, and DDoS functionality, and is deployed via droppers using a unique URL encoding and domain injection method.

Read more
contagiodump blogNews
Aug 18, 2024
contagio: 2024-08-18 RAPTOR TRAIN NOSEDIVE - Mirai-type IoT Botnet Samples

Primary implant used by the Raptor Train botnet. It is a customized Mirai variant targeting IoT devices and operating entirely in-memory. It supports file uploads, downloads, command execution, and DDoS attacks, while using anti-forensics techniques such as obfuscated processes and multi-stage infections.

Read more
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.
Start free trial
IOC matching20

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution1

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities1

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping14

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.