{
	"id": "517d22aa-6ee7-4e77-81b6-b4284cb91d81",
	"created_at": "2026-04-06T00:20:15.350666Z",
	"updated_at": "2026-04-10T03:20:05.166645Z",
	"deleted_at": null,
	"sha1_hash": "0cf51f381f220889a27656d0cd6d7035532067da",
	"title": "New RapperBot Campaign – We Know What You Bruting for this Time | FortiGuard Labs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 426584,
	"plain_text": "New RapperBot Campaign – We Know What You Bruting for this\r\nTime | FortiGuard Labs\r\nPublished: 2022-11-16 · Archived: 2026-04-05 18:25:47 UTC\r\nAfter FortiGuard Labs reported on RapperBot in our previous article titled So RapperBot, What Ya Bruting For?\r\nin August 2022, there was a significant drop in the number of samples collected in the wild. But in early October\r\n2022, new samples with the same distinctive C2 protocol used by RapperBot were detected.\r\nUnlike the murky objectives of the previous campaign, it is quickly evident that these samples are part of a\r\nseparate campaign to launch Distributed Denial of Service (DDoS) attacks against game servers, which we believe\r\nto be a re-emergence of a similar campaign from earlier this year.\r\nAffected Platforms: Linux\r\nImpacted Users: Any organization\r\nImpact: Remote attackers gain control of the vulnerable systems\r\nSeverity Level: Critical\r\nThis article discusses the differences observed in this campaign and its relation to the previous RapperBot and\r\nsimilar campaigns in the past.\r\nRapperBot Rebooted\r\nFortiGuard Labs encountered this campaign by hunting for samples using the unique bot ID used by RapperBot to\r\ncommunicate with its Command-and-Control (C2) server, as reported in the previous article.\r\nBut once we analyzed these new samples, we observed a significant difference between them and the earlier\r\ncampaign. In fact, it turns out that this campaign is less like RapperBot than an older campaign that appeared in\r\nFebruary and then mysteriously disappeared in the middle of April. Other related campaigns uncovered during this\r\ninvestigation are detailed later in this article.\r\nNetwork Protocol and Denial-of-Service (DoS) Attacks\r\nThe C2 network protocol used in previous campaigns remains essentially unchanged, with additional commands\r\nadded to support the Telnet brute force. 
The list of commands and IDs is shown below:\r\n0x00: Register (used by the client)\r\n0x01: Keep-Alive/Do nothing\r\n0x02: Stop all DoS attacks and terminate the client\r\n0x03: Perform a DoS attack\r\n0x04: Stop all DoS attacks\r\n0x06: Restart Telnet brute forcing\r\n0x07: Stop Telnet brute forcing\r\nhttps://www.fortinet.com/blog/threat-research/new-rapperbot-campaign-ddos-attacks\r\nPage 1 of 7\n\nThe previously reported RapperBot campaign was limited to a few generic DoS methods against TCP and UDP\r\nservices. This campaign adds DoS attacks against the GRE protocol (likely reusing the Mirai source code) and the\r\nUDP protocol used by the Grand Theft Auto: San Andreas Multi Player (SA:MP) mod.\r\nHere are the DoS attack commands supported by this botnet:\r\n0x00: Generic UDP flood\r\n0x01: TCP SYN flood\r\n0x02: TCP ACK flood\r\n0x03: TCP STOMP flood\r\n0x04: UDP SA:MP flood targeting game servers running GTA San Andreas: Multi Player (SA:MP)\r\n0x05: GRE Ethernet flood\r\n0x06: GRE IP flood\r\n0x07: Generic TCP flood\r\nThese specific commands, coupled with the absence of HTTP-related DDoS attacks, suggest that this campaign\r\nis primarily geared toward game server DDoS.\r\nTelnet Self-propagation\r\nThe most significant difference in the new campaign was the complete replacement of the SSH brute forcing code\r\nwith the more usual Telnet equivalent. FortiGuard Labs has observed similar drastic modifications within\r\nRapperBot samples, as detailed in our previous report, even adding and removing DoS attack code on an apparent\r\nwhim.\r\nThe Telnet brute forcing code is designed primarily for self-propagation and resembles the old Mirai Satori botnet.\r\nUnlike the earlier SSH brute-forcing campaign, the plaintext credentials are embedded into the malware instead of\r\nbeing downloaded from the C2.\r\nFigure 1. 
Function initializing the credential list\r\nThe credentials used appear to be default credentials for IoT devices. To optimize brute forcing efforts, the\r\nmalware compares the server prompt upon connection to a hardcoded list of strings to identify the possible device\r\nand then only tries the known credentials for that device. Unlike less sophisticated IoT malware, it therefore does not\r\nneed to test the full list of credentials against every host. While not exactly a novel technique, it is still uncommon\r\ncompared to other IoT botnets.\r\nBased on the prompt messages hardcoded into the malware, most of the targeted devices are IoT devices such as\r\nrouters and DVRs. This campaign seems especially interested in older devices with the Qualcomm MDM9625\r\nchipset, such as LTE modems. It specifically attempts to gain root access to these devices via a default password,\r\ndespite having the same credentials in the list embedded in the binary.\r\nFigure 2. Gaining root access on devices with a default password\r\nLike the earlier SSH brute-forcing campaign, once it has successfully gained access, it sends the credentials used,\r\nthe compromised device’s IP address, and its architecture to the C2 server on a separate port, 5123. After\r\nreporting, the malware attempts to install its main payload binary on the compromised device.\r\nIt first parses the Executable and Linkable Format (ELF) header of the /bin/busybox file for the e_machine field,\r\nwhich provides the architecture of the compromised device. This allows it to download and deploy a RapperBot\r\npayload of the correct architecture to ensure proper execution. 
This selective behavior is more efficient than the\r\nshotgun approach in most IoT malware families, whereby all the binaries for the supported architectures are\r\ndownloaded and executed in the victim's system.\r\nBased on the payload binaries we collected, this botnet currently seems to only target devices running on ARM,\r\nMIPS, PowerPC, SH4, and SPARC architectures. Moreover, it specifically checks and stops its self-propagation if\r\nthe device is detected to be running on Intel processors.\r\nThe bot then downloads its payload via software installed on the compromised device, such as ftpget, wget, curl,\r\nor tftp, before executing the payload.\r\nFigure 3. Downloading the payload binary using the wget tool\r\nIf none of the software mentioned above is installed, it will extract and send an embedded binary downloader to\r\nthe compromised device that executes and downloads the primary payload.\r\nUnlike in Satori, these embedded downloaders are stored as escaped byte strings, probably to simplify parsing and\r\nprocessing within the code.\r\nFigure 4. List of embedded binary downloaders\r\nThe binary downloaders are written by echoing the bytes and piping the content to a file in the victim system. As\r\nlabeled in Figure 4, each binary has a hardcoded URL for downloading the payload binary of the proper\r\narchitecture.\r\nFigure 5. Writing downloader binary and executing it\r\nNo attempts to persist on infected or brute-forced devices were observed for this campaign.\r\nRelated Campaigns\r\nFortiGuard Labs compared samples for this and related campaigns from the past to find any links with the\r\npreviously reported RapperBot campaign.\r\nWe observed that the earliest samples for this campaign were from December 2021 and that the SA:MP attack was\r\nonly added in February 2022. 
This campaign mysteriously disappeared in mid-April 2022, resurfacing in Oct 2022\r\nwith the addition of the self-propagation feature.\r\nWe also found older samples from another campaign that was active in August-September 2021 with an almost\r\nidentical list of credentials. These samples contain slightly fewer credentials and a simpler self-propagation code\r\nthat only supports downloading the payload via wget or the binary downloader embedded directly into the sample.\r\nThis campaign did not support stopping or restarting the Telnet propagation, and while the samples support the\r\nsame commands, their associated IDs did not match.\r\nFigure 6. Timeline of related campaigns\r\nThe similar lists of credentials suggest that the threat actor behind this current campaign has access to the source\r\ncode for the earlier campaign, as this code was not found in other IoT malware samples.\r\nConnections to RapperBot\r\nThe fact that samples from both campaigns use the same C2 protocol, coupled with the absence of this campaign\r\nduring the RapperBot campaign active between June and Aug 2022 and its recent reappearance, seems to be more\r\nthan a coincidence.\r\nWith the several similarities between the two campaigns outlined below, we believe that either the same threat\r\nactor might be behind both campaigns or each campaign might have branched from the same privately-shared\r\nsource code.\r\n1. The C2 commands and corresponding IDs are identical in both campaigns (excluding the Telnet-related\r\ncommands, as those do not apply to RapperBot)\r\n2. Both campaigns show a certain degree of effort in optimizing the brute forcing implementation. Code for\r\nthe brute forcing implementation is significantly more structured than typical IoT malware that copies and\r\npastes code with minimal modifications.\r\n3. 
RapperBot also supported the TCP STOMP attack popularized by Mirai. This attack was not observed in\r\nthe earlier campaigns mentioned above. However, as both Mirai and Satori source code are publicly\r\navailable, this is considered a very weak link between the campaigns.\r\nIf both campaigns were related, the reason for restarting an older campaign remains a mystery.\r\nConclusion\r\nBased on the undeniable similarities between this new campaign and the previously reported RapperBot\r\ncampaign, it is highly likely that they are being operated by a single threat actor or by different threat actors with\r\naccess to a privately-shared base source code.\r\nUnlike the previous RapperBot campaign, this new campaign has a clear motivation to compromise as many IoT\r\ndevices as possible to build a DDoS botnet.\r\nAlthough this new campaign has evolved significantly from previous campaigns, mitigating it remains the same—\r\nsetting strong passwords for all devices connected to the internet.\r\nFortiGuard Labs will continue to monitor RapperBot’s development.\r\nFortinet Protections\r\nThe FortiGuard Antivirus service detects and blocks this threat as ELF/Mirai, Linux/Mirai, and ELF/Gafgyt.\r\nThe FortiGuard AntiVirus service is supported by FortiGate, FortiMail, FortiClient, and FortiEDR, and the\r\nFortinet AntiVirus engine is a part of each of those solutions. 
Customers running current AntiVirus updates are\r\nprotected.\r\nFortiGuard Labs provides the Rapper.Botnet IPS signature against RapperBot C2 activity.\r\nThe FortiGuard Web Filtering Service blocks the C2 servers and download URLs.\r\nFortiGuard IP Reputation and Anti-Botnet Security Service proactively block these attacks by aggregating\r\nmalicious source IP data from the Fortinet distributed network of threat sensors, CERTs, MITRE, cooperative\r\ncompetitors, and other global sources that collaborate to provide up-to-date threat intelligence about hostile\r\nsources.\r\nIOCs\r\nFiles\r\n3d5c5d9e792e0a5f3648438b7510b284f924ab433f08d558b6e082e1d5414a03\r\n7afcac5f71e9205879e0e476d3388898a62e7aa4a3e4a059884f40ea36cfd57f\r\n8ec79a35700f6691f0d88d53647e9f2b75648710ecd119e55815331fc3bdd0b5\r\na12ad4bc394d60bc037271e1c2df1bd2b87bdaaba85f6c1b7d046341f027cc2d\r\nf000bf482040b48595badee1fc56afb95449ac48b5dc35fe3a05542cbf18f658\r\n4aa9175c1846557107ec197ea73d4cc8dbe6d575a8fd86ae214ff9b3a00e438b\r\nf98261eb7dc122449c158118cc9c660683206983a9e90ff73eb88c4705e0c48e\r\nDownload URLs\r\nhxxp://185[.]216[.]71[.]149/armv4l\r\nhxxp://185[.]216[.]71[.]149/armv5l\r\nhxxp://185[.]216[.]71[.]149/armv6l\r\nhxxp://185[.]216[.]71[.]149/armv7l\r\nhxxp://185[.]216[.]71[.]149/mips\r\nhxxp://185[.]216[.]71[.]149/mipsel\r\nhxxp://185[.]216[.]71[.]149/powerpc\r\nhxxp://185[.]216[.]71[.]149/sparc\r\nhxxp://185[.]216[.]71[.]149/sh4\r\nhxxp://185[.]216[.]71[.]149/bot_arm4_el\r\nhxxp://185[.]216[.]71[.]149/bot_arm5_el\r\nhxxp://185[.]216[.]71[.]149/bot_arm6_el\r\nhxxp://185[.]216[.]71[.]149/bot_arm7_el\r\nhxxp://185[.]216[.]71[.]149/bot_mips_eb\r\nhxxp://185[.]216[.]71[.]149/bot_mips_el\r\nhxxp://185[.]216[.]71[.]149/bot_sh_el\r\nC2\r\n185[.]216[.]71[.]149\r\nLearn more about Fortinet’s FortiGuard Labs threat research and global intelligence organization and Fortinet’s\r\nFortiGuard AI-powered 
Security Services portfolio. Sign up to receive our threat research blogs.\r\nSource: https://www.fortinet.com/blog/threat-research/new-rapperbot-campaign-ddos-attacks",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.fortinet.com/blog/threat-research/new-rapperbot-campaign-ddos-attacks"
	],
	"report_names": [
		"new-rapperbot-campaign-ddos-attacks"
	],
	"threat_actors": [],
	"ts_created_at": 1775434815,
	"ts_updated_at": 1775791205,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0cf51f381f220889a27656d0cd6d7035532067da.pdf",
		"text": "https://archive.orkl.eu/0cf51f381f220889a27656d0cd6d7035532067da.txt",
		"img": "https://archive.orkl.eu/0cf51f381f220889a27656d0cd6d7035532067da.jpg"
	}
}