CyberHappenings


RapperBot Botnet Administrator Charged in the U.S.

2 unique sources, 2 articles

Summary


The RapperBot botnet, administered by Ethan Foltz, 22, of Eugene, Oregon, has been used to launch more than 370,000 DDoS attacks against victims in over 80 countries since 2021. The botnet, also tracked as Eleven Eleven Botnet and CowBot, primarily infects DVRs and Wi-Fi routers, which it uses for DDoS attacks and, since a cryptomining module was added in 2023 to diversify its revenue, for mining Monero. Foltz was charged with one count of aiding and abetting computer intrusions. The botnet's command-and-control infrastructure was seized during a search of Foltz's residence on August 6, 2025. Targets included U.S. government systems, major media platforms, gaming companies, and large technology firms. Attacks regularly measured several terabits per second or more than 1 billion packets per second (pps), with the largest possibly exceeding 6 Tbps. The takedown is part of Operation PowerOFF, an international effort to dismantle DDoS-for-hire infrastructure. The botnet has shown no sign of resuming malicious activity since its infrastructure was seized.

Timeline

  1. 20.08.2025 07:19 · 2 articles

    RapperBot botnet administrator charged in the U.S.

    The botnet targeted U.S. government systems, major media platforms, gaming companies, and large technology firms, and added a cryptomining module in 2023 to diversify its revenue. Attacks regularly measured several terabits per second or more than 1 billion packets per second (pps), with the largest possibly exceeding 6 Tbps. The botnet has shown no sign of resuming malicious activity since its infrastructure was seized on August 6, 2025.



Similar Happenings

Cloudflare mitigates multiple record-breaking DDoS attacks, including 22.2 Tbps

Cloudflare has mitigated a new record-breaking DDoS attack peaking at 22.2 Tbps and 10.6 billion packets per second (Bpps), which lasted 40 seconds. It is the latest in a series of hyper-volumetric attacks that have been growing in frequency and intensity; Cloudflare's defenses have autonomously blocked hundreds of them in recent weeks, with earlier peaks of 5.1 Bpps and 11.5 Tbps before the 22.2 Tbps attack. Cloudflare initially attributed one of these earlier attacks largely to Google Cloud, but later clarified that it was sourced from a combination of several IoT and cloud providers.

The 22.2 Tbps attack targeted a single IP address of an unnamed European network infrastructure company and was traced to more than 404,000 unique source IPs across more than 14 ASNs worldwide. It was a UDP carpet bomb: rather than flooding a single service port, it spread traffic across an average of 31,000 destination ports per second, peaking at 47,000. The traffic came from malware-infected devices and has been attributed to the AISURU botnet, which has been active for more than a year and is built from hacked IoT devices such as routers and DVRs compromised through known and zero-day vulnerabilities. Cloudflare stresses that an attack's complexity and its impact on users matter as much as its magnitude, and that volumetric floods are sometimes used as a 'smoke screen' to cover more targeted intrusions.

A separate attack in mid-May, shortly after Cloudflare published its quarterly DDoS threat report, reached 6.5 Tbps and 4.8 billion pps. Cloudflare has seen a sharp rise in DDoS activity overall: a 198% quarter-over-quarter increase and a 358% year-over-year jump in 2024, during which it mitigated 21.3 million attacks against customers and 6.6 million against its own infrastructure, including SYN floods, Mirai-generated attacks, and SSDP amplification attacks. Network-layer attacks rose 509% year-over-year in 2025.
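The carpet-bomb pattern matters for detection: a per-port rate counter never trips when the flood is spread across tens of thousands of destination ports, so the aggregation has to be by destination address. The Python below is an added example, not Cloudflare's code or anything from the page's sources. The flow records, the documentation-range addresses and the thresholds are all constructed for illustration.

```python
"""Classify volumetric UDP floods per destination: carpet bomb vs single-port flood.

Added example, not Cloudflare's code. Flow records, addresses and thresholds
are constructed here for illustration.
"""
import random
from collections import defaultdict


def make_flows():
    """Constructed sample flows: (second, src_ip, dst_ip, dst_port, packets).

    One second each of: a carpet bomb spraying random ports at one target,
    a single-port flood against port 53 of a second target, and ordinary
    web traffic to a third. Fixed seed so the sample is reproducible.
    """
    rng = random.Random(7)
    flows = []
    for i in range(5000):  # carpet bomb: thousands of sources, random dst ports
        src = f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}"
        flows.append((100, src, "203.0.113.10", rng.randint(1, 65535), 200))
    for i in range(3000):  # single-port flood: same dst port on every flow
        src = f"172.16.{(i >> 8) & 255}.{i & 255}"
        flows.append((100, src, "203.0.113.20", 53, 300))
    for i in range(50):  # benign: a handful of clients talking to 443/80
        flows.append((100, f"192.0.2.{i % 10}", "203.0.113.30", (443, 80)[i % 2], 5))
    return flows


def summarize(flows, sample_rate=1):
    """Aggregate by (dst_ip, second) rather than (dst_ip, dst_port, second).

    A carpet bomb keeps every individual port below a per-port threshold, so
    per-port counters never fire; only the per-destination view exposes it.
    sample_rate scales packet counts from sampled flow exports (assumed 1:1).
    """
    stats = defaultdict(lambda: {"packets": 0, "ports": set(), "sources": set()})
    for sec, src, dst, port, pkts in flows:
        s = stats[(dst, sec)]
        s["packets"] += pkts * sample_rate
        s["ports"].add(port)
        s["sources"].add(src)
    return stats


def classify(flows, pps_threshold=500_000, port_threshold=1_000, sample_rate=1):
    """Return {(dst_ip, second): verdict}. Thresholds are illustrative assumptions."""
    verdicts = {}
    for key, s in summarize(flows, sample_rate).items():
        if s["packets"] < pps_threshold:
            verdicts[key] = "normal"
        elif len(s["ports"]) >= port_threshold:
            verdicts[key] = "carpet-bomb"
        else:
            verdicts[key] = "single-port-flood"
    return verdicts


if __name__ == "__main__":
    flows = make_flows()
    verdicts = classify(flows)
    for (dst, sec), s in summarize(flows).items():
        print(dst, sec, s["packets"], "pps,", len(s["ports"]), "ports,",
              len(s["sources"]), "sources ->", verdicts[(dst, sec)])
```

Run it directly to print per-destination packet rates, distinct port counts and verdicts. Against real NetFlow or sFlow exports the same aggregation applies, but packet counts must be multiplied by the sampling rate (the sample_rate argument) before they are compared with a threshold, and the destination key is usually a prefix rather than a single address.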

Chinese State-Sponsored Actors Target Global Critical Infrastructure

Chinese state-sponsored Advanced Persistent Threat (APT) actors, specifically the Salt Typhoon group and a newly identified group named RedNovember, have been conducting sustained campaigns to compromise critical infrastructure networks worldwide. The campaigns aim to gain long-term access to telecommunications, government, transportation, lodging, and military networks. The activity is detailed in a joint advisory from CISA, the NSA, the FBI, and international partners including Canada, Australia, New Zealand, the UK, the Czech Republic, Finland, Germany, Italy, Japan, the Netherlands, Poland, and Spain, which describes the actors' tactics and recommends mitigations to strengthen defenses. The campaign has targeted at least 600 organizations across 80 countries, including 200 in the U.S. The threat actors exploited vulnerabilities in Cisco, Ivanti, and Palo Alto Networks devices for initial access and modified routers to maintain persistent access and pivot into other networks. The advisory notes that they may also target other edge devices, including Fortinet firewalls, Juniper firewalls, Microsoft Exchange, Nokia routers and switches, Sierra Wireless devices, and SonicWall firewalls.

Separately, the Czech Republic's National Cyber and Information Security Agency (NUKIB) has issued a warning instructing critical infrastructure organizations to avoid using Chinese technology or transferring user data to servers located in China, citing the risk that system and user data could be misused by state, military, or political interests. NUKIB has raised its risk estimate of significant disruption caused by China to 'High' and has confirmed malicious activity by Chinese cyber actors against the Czech Republic, including a recent APT31 campaign against the Czech Ministry of Foreign Affairs. The Czech government had previously attributed a campaign against its critical infrastructure to APT31, an allegation denied by the PRC but condemned by the US, EU, and NATO. The warning suggests that individuals and organizations consider restricting or prohibiting the use of products and services that transfer data to China.

RedNovember has targeted perimeter appliances of high-profile organizations globally, including defense and aerospace organizations, space organizations, and law firms, and has breached at least two U.S. defense contractors, a European engine manufacturer, and a trade-focused intergovernmental cooperation body in Southeast Asia. The group has used the Go-based backdoor Pantegana and Cobalt Strike in its intrusions, along with Spark RAT and LESLIELOADER, and has administered and connected to its exploitation and communication servers through VPN services such as ExpressVPN and Warp VPN.

UNC6384 Targets Diplomats with PlugX via Captive Portal Hijacks

UNC6384, a China-nexus threat actor, has been targeting diplomats in Southeast Asia and other entities globally in support of Beijing's strategic interests. The group uses a multi-stage attack chain that combines social engineering, valid code-signing certificates, adversary-in-the-middle (AitM) positioning, and indirect execution techniques to evade detection. The campaign, detected in March 2025 and running through July 2025, hit around two dozen victims, primarily Southeast Asian diplomats. Compromised edge devices intercept the browser's captive portal connectivity checks and redirect the user to an attacker-controlled website, which presents a valid TLS certificate issued by Let's Encrypt so that no browser warning appears. From there the victim downloads STATICPLUGIN, a digitally signed first-stage downloader, which drops a launcher called CANONSTAGER; the launcher uses unconventional techniques to hide its activity and loads the final payload, a PlugX variant tracked by Google as SOGU.SEC, in memory. The backdoor supports commands to exfiltrate files, log keystrokes, and launch remote command shells. The campaign illustrates the evolving operational capabilities of PRC-nexus threat actors. In September 2025, further reporting found that the PlugX variant overlaps with the RainyDay and Turian backdoors and has been used against telecommunications and manufacturing organizations in Central and South Asia. The campaign is linked to Mustang Panda, which also uses the Bookworm malware; Bookworm has been in use since 2015 and can execute commands, upload and download files, exfiltrate data, and establish persistent access.

Russian Hackers Exploit Old Cisco Vulnerability to Target U.S. Critical Infrastructure

Russian hackers tracked as Static Tundra, associated with the FSB's Center 16 (also known as Military Unit 71330), have been exploiting a seven-year-old vulnerability (CVE-2018-0171, in Cisco's Smart Install feature) on unpatched, end-of-life Cisco networking devices to target enterprise and critical infrastructure networks in the U.S. and abroad. The attacks, ongoing since at least August 2024, have compromised thousands of devices, allowing the attackers to collect configuration files, change settings, and gain unauthorized access. The attackers use stolen SNMP credentials to control compromised devices, which lets them run commands, change settings, and steal configurations while evading detection; they also create new local user accounts and enable remote access services such as Telnet to maintain access. Targets include organizations in the manufacturing, telecommunications, higher education, and energy sectors. The activity underscores the persistent threat posed by unpatched and end-of-life devices and the need for robust defenses around critical infrastructure.

The U.S. Department of State is offering a reward of up to $10 million for information on three FSB officers, Marat Valeryevich Tyukov, Mikhail Mikhailovich Gavrilov, and Pavel Aleksandrovich Akulov, who were indicted in the U.S. in August 2021 (the indictment was unsealed in March 2022) on charges of computer fraud and abuse, wire fraud, and aggravated identity theft. The three allegedly targeted more than 380 foreign energy-sector companies in 135 countries, including American and foreign oil and gas firms, nuclear power plants, renewable energy firms, utility and electrical grid entities, consulting and engineering groups, and advanced technology companies. The Dragonfly campaign gained persistent access to victim networks and infected them with the Havex malware through supply chain compromise. In the second phase, known as Dragonfly 2.0, the three allegedly targeted over 3,300 users at more than 500 U.S. and international companies and entities, including U.S. government agencies, in spear-phishing attacks.

Large-scale Africa-wide cybercrime crackdown arrests over 1,200 suspects

Operation Serengeti 2.0, an INTERPOL-led international operation, resulted in the arrest of 1,209 cybercriminals across Africa. The operation targeted cross-border cybercrime gangs involved in ransomware, online scams, and business email compromise (BEC). Conducted from June to August 2025, it involved law enforcement from 18 African countries and the UK. Authorities seized $97.4 million and dismantled 11,432 pieces of malicious infrastructure linked to attacks on 88,000 victims worldwide. The operation was supported by data from private sector partners, including Cybercrime Atlas, Fortinet, Group-IB, Kaspersky, The Shadowserver Foundation, Team Cymru, Trend Micro, TRM Labs, and Uppsala Security. Group-IB provided intelligence on a cryptocurrency investment scam and on BEC campaigns, while TRM Labs pursued leads tied to the Bl00dy ransomware group in Ghana and to RansomHub. Notable actions included dismantling 25 cryptocurrency mining centres in Angola, confiscating 45 illicit power stations, and disrupting an online investment fraud operation in Zambia with 65,000 victims and $300 million in losses. A transnational inheritance scam originating in Germany was also disrupted, with losses estimated at $1.6 million, and Nigeria deported 102 foreign nationals convicted of cyber terrorism and internet fraud. Earlier, Operation Red Card in March 2025 resulted in the arrest of 306 suspects and the confiscation of 1,842 devices. Both operations are part of the 'African Joint Operation against Cybercrime'; participating countries included Seychelles, Tanzania, Ghana, Kenya, and others. Operation Serengeti 2.0 continues a series of multi-month investigations highlighted by INTERPOL: the original Operation Serengeti involved two months of investigations with the African Union's Afripol and raids against 1,006 suspects in September and October 2024.
In 2022, INTERPOL and 27 African nations conducted joint investigations as part of Operation Cyber Surge, followed in April 2023 by Operation Cyber Surge II. These joint investigations aim to train local law enforcement and prosecutors, who INTERPOL has noted are often hard-pressed to meet the technical demands of cybercrime prosecutions. They also aim to deter cybercrime, redirect young people toward legitimate activity, and build law-enforcement capacity before criminal groups outpace it.