
RapperBot botnet activity targeting NVRs and IoT devices

Malware Activity
Happening score: 39
1 unique source, 1 article

Summary


The RapperBot malware activity remains significant because it infects NVRs and IoT devices, pulls DDoS commands from its C2 infrastructure, and can scan for new exposed systems to propagate. Operators used path traversal, leaked administrator credentials, and a fake firmware update to land the malware on vulnerable devices. The botnet then established encrypted C2 communications and retrieved instructions to launch distributed denial-of-service attacks. Its infrastructure was taken down last month, but the infection pattern remains a live risk for exposed edge devices.

Related Happenings

RondoDox botnet expands mining and DDoS capabilities

Malware Activity
First: 16.04.2026 20:52 Last: 16.04.2026 20:52 Sources 1

About this happening: **RondoDox botnet** now combines **cryptocurrency mining with XMRig** and **DDoS attacks**, expanding both monetization and disruption risk across exposed systems. It reaches targ...

Aisuru, KimWolf, JackSkid, and Mossad botnet C2 takedown

Law Enforcement
First: 20.03.2026 10:05 Last: 20.03.2026 10:05 Sources 1

About this happening: The **U.S. Department of Justice** announced the arrest of **Jacob Butler (aka Dort)**, a **23-year-old** in **Ottawa, Canada**, for allegedly developing and operating the **Kimwo...

AVRecon malware for Linux powering SocksEscort proxy network

Malware Activity
First: 12.03.2026 18:19 Last: 12.03.2026 18:19 Sources 1

About this happening: The **AVRecon** malware for Linux powered the **SocksEscort** proxy network, turning compromised **Linux-based SOHO routers** into traffic-routing nodes at scale. It was believed...

Kimwolf IoT botnet activity disrupting I2P

Malware Activity
First: 11.02.2026 18:08 Last: 11.02.2026 18:08 Sources 1

About this happening: The **Kimwolf** botnet disrupted **I2P** over the past week after operators tried to join **700,000 infected bots** as nodes, briefly overwhelming the anonymity network and disrup...

AISURU/Kimwolf hyper-volumetric DDoS botnet activity

Malware Activity
First: 05.02.2026 19:25 Last: 05.02.2026 19:25 Sources 1

About this happening: The **AISURU/Kimwolf** botnet is a **malware activity** cluster tied to **hyper-volumetric DDoS attacks** and large-scale device conscription. On **2025-12-04**, Cloudflare said i...

Latest development: 20.03.2026 08:25

The U.S. Department of Justice disrupted command-and-control infrastructure used by AISURU, Kimwolf, JackSkid, and Mossad in a court-authorized law-enforcement operation, with support from Akamai, Amazon Web Services, Cloudflare, DigitalOcean, Google, Lumen, Nokia, Okta, Oracle, PayPal, SpyCloud, Synthient, Team Cymru, Unit 221B, and QiAnXin XLab.

Timeline

  1. 03.09.2025 10:49 2 articles · 8mo ago

    RapperBot abuses NVR flaws to deploy a DDoS botnet

    Technical Analysis Update

    Bitsight detailed the RapperBot kill chain against network video recorders (NVRs) and other IoT devices. Attackers exploit security flaws in NVRs to gain initial access, use a path traversal flaw in the device's web server to leak valid administrator credentials, and push a fake firmware update. The update mounts a remote NFS file system at 104.194.9[.]127 and runs the next-stage RapperBot payload from it. The payload obtains C2 server IP addresses through DNS TXT records on hard-coded domains such as iranistrash[.]libre and pool.rentcheapcars[.]sbs, then scans the internet for open ports to propagate the infection.
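    Two of the stages above leave traces on the network that a defender can look for: the DNS TXT lookups against the hard-coded C2 domains, and an NFS mount of a remote, non-local export. The following is an added detection example, not Bitsight's tooling or anything from the original report. It scans syslog-style resolver and mount messages for the indicators the report names; the log line formats, the device names, the internal addresses and the local-network allowlist are all constructed for the example, and only the domains and the NFS host come from the page.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, List


def refang(indicator: str) -> str:
    """Turn a defanged indicator (1.2.3[.]4) back into a matchable form."""
    return indicator.replace("[.]", ".")


# Indicators as published in the Bitsight analysis summarised on this page.
KNOWN_C2_DOMAINS = {refang(d) for d in ("iranistrash[.]libre", "pool.rentcheapcars[.]sbs")}
KNOWN_NFS_HOST = refang("104.194.9[.]127")

# Assumption for the example: the only networks an NVR should ever mount NFS from.
ALLOWED_NFS_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed log formats: a dnsmasq-like query line and a mount.nfs kernel message.
SYSLOG_HOST_RE = re.compile(r"^\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\s+(?P<host>\S+)")
DNS_RE = re.compile(r"query\[(?P<qtype>[A-Z]+)\]\s+(?P<qname>\S+)\s+from\s+(?P<src>\S+)")
MOUNT_RE = re.compile(r"mount\.nfs:\s+mounting\s+(?P<host>\d{1,3}(?:\.\d{1,3}){3}):(?P<export>\S+)")


@dataclass
class Alert:
    rule: str       # which detection fired
    source: str     # querying client IP (DNS) or syslog hostname (mount)
    indicator: str  # the domain or NFS host that matched


def matches_c2_domain(qname: str) -> bool:
    """Exact match or any subdomain of a known C2 domain."""
    qname = qname.rstrip(".").lower()
    return any(qname == d or qname.endswith("." + d) for d in KNOWN_C2_DOMAINS)


def is_allowed_nfs_host(host: str) -> bool:
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False
    return any(addr in net for net in ALLOWED_NFS_NETS)


def scan_logs(lines: Iterable[str]) -> List[Alert]:
    """Return one Alert per log line that shows a RapperBot-style C2 lookup or staging mount."""
    alerts: List[Alert] = []
    for line in lines:
        dns = DNS_RE.search(line)
        if dns:
            # Only TXT lookups matter here: that is how the payload learns its C2 addresses.
            if dns["qtype"] == "TXT" and matches_c2_domain(dns["qname"]):
                alerts.append(Alert("rapperbot-c2-txt-lookup", dns["src"], dns["qname"]))
            continue
        mnt = MOUNT_RE.search(line)
        if mnt:
            host_m = SYSLOG_HOST_RE.match(line)
            device = host_m["host"] if host_m else "unknown"
            if mnt["host"] == KNOWN_NFS_HOST:
                alerts.append(Alert("rapperbot-nfs-stage", device, mnt["host"]))
            elif not is_allowed_nfs_host(mnt["host"]):
                # Generic rule: an edge device mounting NFS from outside its own network.
                alerts.append(Alert("nfs-mount-nonlocal-host", device, mnt["host"]))
    return alerts


# Constructed sample log lines for the example (hostnames and internal IPs are made up).
SAMPLE_LOGS = [
    "Sep  3 10:49:01 nvr-lobby dnsmasq[812]: query[TXT] iranistrash.libre from 10.0.20.15",
    "Sep  3 10:49:02 nvr-lobby dnsmasq[812]: query[A] time.nist.gov from 10.0.20.15",
    "Sep  3 10:49:05 nvr-lobby kernel: mount.nfs: mounting 104.194.9.127:/srv/rb on /mnt/rb",
    "Sep  3 10:50:11 nvr-garage dnsmasq[812]: query[TXT] pool.rentcheapcars.sbs from 10.0.20.16",
    "Sep  3 10:51:00 fileserver kernel: mount.nfs: mounting 10.0.5.9:/export/home on /home",
]


if __name__ == "__main__":
    for alert in scan_logs(SAMPLE_LOGS):
        print(f"{alert.rule:28} {alert.source:12} {alert.indicator}")
```

    The generic NFS rule is the part worth tuning: the known host will rotate, but an NVR mounting a file system from any address outside its own network is the durable signal in this kill chain, so the allowlist should reflect the real local ranges rather than the example's 10.0.0.0/8.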
