RapperBot Hijacking Tools for Instant DDoS Attack Deployment
In early April 2025, security researchers observed a sharp rise in UDP flood traffic originating from compromised Network Video Recorders (NVRs) and other edge devices. The devices were weaponised within minutes of compromise to push overwhelming packet volumes at their targets, causing service outages and heavy bandwidth consumption. Analysts at Bitsight attributed the activity to the RapperBot botnet, noting an unusually fast kill chain and an infection routine tailored to the constraints of the legacy hardware it targets rather than fighting them. The intrusion itself followed a familiar pattern: the operators scanned the Internet for exposed device web interfaces, logged in with default credentials, and delivered a malicious payload packaged as a firmware update. Once running, the bot performed two primary actions: it issued DNS TXT queries to obtain an encrypted list of command-and-control (C2) IP addresses, and it launched a continuous UDP flood against port 80 of the designated target.
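To make the kill chain above concrete from the defender's side, here is an added hunting script (written for this page; it is not Bitsight's tooling and does not come from the RapperBot samples) that scans flow records for the three artifacts the intrusion leaves on the network: DNS lookups sent to a resolver other than the site's own, an outbound NFS mount to an unsanctioned server, and sustained UDP traffic to port 80. The flow records, the resolver and NFS server addresses, and the 1,000 packets-per-second threshold are all constructed for the example.

```python
"""Flow-record hunt for the RapperBot kill chain (added example; constructed data)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: float    # start time, seconds
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int
    pkts: int


# Assumed site facts: one sanctioned resolver and one sanctioned NFS server.
SITE_RESOLVERS = {"10.0.0.53"}
SANCTIONED_NFS = {"10.0.0.20"}
NFS_PORTS = {111, 2049}  # portmapper and NFS

# Constructed records: 192.168.10.50 is a workstation behaving normally,
# 192.168.10.40 is an NVR going through the infection and flood stages.
SAMPLE_FLOWS = [
    Flow(100.0, "192.168.10.50", "10.0.0.53", "udp", 53, 2),
    Flow(100.5, "192.168.10.50", "203.0.113.10", "tcp", 443, 40),
    Flow(101.0, "192.168.10.50", "10.0.0.20", "tcp", 2049, 500),
    Flow(101.2, "192.168.10.50", "203.0.113.10", "udp", 80, 3),       # stray, low volume
    Flow(110.0, "192.168.10.40", "198.51.100.53", "udp", 53, 1),      # TXT lookup at a custom resolver
    Flow(110.4, "192.168.10.40", "198.51.100.7", "tcp", 2049, 800),   # NFS mount to fetch the payload
    Flow(120.0, "192.168.10.40", "203.0.113.80", "udp", 80, 50000),
    Flow(123.0, "192.168.10.40", "203.0.113.80", "udp", 80, 48000),
    Flow(126.0, "192.168.10.40", "203.0.113.80", "udp", 80, 52000),
]


def find_udp80_floods(flows, pps_threshold=1000):
    """Sources sending UDP to port 80 at a sustained packet rate.

    HTTP runs over TCP and QUIC uses UDP/443, so UDP/80 at volume has no
    legitimate explanation and is the flood signature described in the article.
    """
    first, last, pkts = {}, {}, defaultdict(int)
    for f in flows:
        if f.proto == "udp" and f.dport == 80:
            first[f.src] = min(first.get(f.src, f.ts), f.ts)
            last[f.src] = max(last.get(f.src, f.ts), f.ts)
            pkts[f.src] += f.pkts
    hits = {}
    for src, total in pkts.items():
        pps = total / max(last[src] - first[src], 1.0)  # clamp so a single record is not infinite
        if pps >= pps_threshold:
            hits[src] = round(pps)
    return hits


def find_rogue_nfs(flows):
    """(src, dst) pairs mounting NFS from a server that is not sanctioned."""
    return {(f.src, f.dst) for f in flows
            if f.dport in NFS_PORTS and f.dst not in SANCTIONED_NFS}


def find_offsite_dns(flows):
    """(src, dst) pairs talking DNS to a resolver other than the site's own."""
    return {(f.src, f.dst) for f in flows
            if f.dport == 53 and f.dst not in SITE_RESOLVERS}


def hunt(flows, min_indicators=2):
    """Hosts showing at least min_indicators of the three artifacts, with the artifacts named."""
    seen = defaultdict(set)
    for src in find_udp80_floods(flows):
        seen[src].add("udp80-flood")
    for src, _dst in find_rogue_nfs(flows):
        seen[src].add("rogue-nfs")
    for src, _dst in find_offsite_dns(flows):
        seen[src].add("offsite-dns")
    return {src: sorted(tags) for src, tags in seen.items() if len(tags) >= min_indicators}


if __name__ == "__main__":
    for host, tags in hunt(SAMPLE_FLOWS).items():
        print(host, ", ".join(tags))
```

Requiring two of the three indicators keeps a single stray UDP/80 probe or a one-off NFS mount from paging anyone, while a device that does all three in sequence is exactly the pattern the article describes and should be isolated first and examined later, since the payload will no longer be on its filesystem.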
Impact assessments indicated that a single device could sustain more than 1 Gbps of flood traffic, and that the botnet's aggregate capacity peaked above 7 Tbps during coordinated attacks on large targets, including cloud-based search providers and social media platforms. For all that capacity, the malware's operation was simple. Instead of downloading the payload over HTTP, the infection routine mounted a remote NFS share, ran the architecture-specific binary it found there, and then deleted its on-disk copy so that the bot continued entirely in memory. Bitsight's researchers noted that this approach suits the minimal BusyBox environments found on many IoT devices, where the usual download utilities are absent but mount is available. Initial delivery relied on a path traversal zero-day in the NVR's firmware update mechanism, which allowed the contents of the forged update package to be written outside the intended directory. The later self-deletion and memory-only execution, not the traversal bug, are what kept the usual on-disk artifacts from being left behind, and those artifacts are the first thing a file-based scanner or a forensic examiner would look for.

The botnet's C2 discovery mechanism relied on DNS TXT records hosted under OpenNIC domains. The bot constructed predetermined hostnames and resolved them against custom DNS servers of the operators' choosing rather than the device's configured resolver. Each TXT response carried a list of encrypted IP addresses, which the bot recovered by applying a custom RC4-like cipher followed by base-56 decoding. Two points follow for defenders: because the hostnames are predetermined, they can be enumerated and sinkholed once the generation scheme is recovered from a sample, and because the lookups bypass the local resolver, DNS traffic from an NVR to an unfamiliar external resolver is itself a strong indicator.
Categories: Botnet Activity, IoT Vulnerabilities, Malware Techniques
Tags: UDP Flood, Compromised Devices, Botnet, RapperBot, Command-and-Control, Firmware Update, Zero-Day, Encrypted DNS, Bandwidth Consumption, IoT Security