RapperBot botnet activity targeting NVRs and IoT devices
Malware Activity
Summary
The RapperBot malware activity remains significant because it infects NVRs and IoT devices, pulls DDoS commands from its C2 infrastructure, and can scan for new exposed systems to propagate. Operators used path traversal, leaked administrator credentials, and a fake firmware update to land the malware on vulnerable devices. The botnet then established encrypted C2 communications and retrieved instructions to launch distributed denial-of-service attacks. Its infrastructure was taken down last month, but the infection pattern remains a live risk for exposed edge devices.
Related Happenings
China-nexus hijacked-device proxy network campaign
Campaign
H score 39
First: 23.04.2026 15:28
Last: 23.04.2026 15:28
Sources 1
About this happening:
**China-nexus** hackers are using **JDY**, a covert **SOHO/IoT** reconnaissance network, to expand **targeted scanning** and **service fingerprinting** across exposed infrastructu...
RondoDox botnet expands mining and DDoS capabilities
Malware Activity
H score 39
First: 16.04.2026 20:52
Last: 16.04.2026 20:52
Sources 1
About this happening:
**RondoDox botnet** now combines **cryptocurrency mining with XMRig** and **DDoS attacks**, expanding both monetization and disruption risk across exposed systems. It reaches targ...
Aisuru, KimWolf, JackSkid, and Mossad botnet C2 takedown
Law Enforcement
H score 20
First: 20.03.2026 10:05
Last: 20.03.2026 10:05
Sources 1
About this happening:
The **U.S. Department of Justice** announced the arrest of **Jacob Butler (aka Dort)**, a **23-year-old** in **Ottawa, Canada**, for allegedly developing and operating the **Kimwo...
AVRecon malware for Linux powering SocksEscort proxy network
Malware Activity
H score 28
First: 12.03.2026 18:19
Last: 12.03.2026 18:19
Sources 1
About this happening:
The **AVRecon** malware for Linux powered the **SocksEscort** proxy network, turning compromised **Linux-based SOHO routers** into traffic-routing nodes at scale. It was believed...
Kimwolf IoT botnet activity disrupting I2P
Malware Activity
H score 16
First: 11.02.2026 18:08
Last: 11.02.2026 18:08
Sources 1
About this happening:
The **Kimwolf** botnet disrupted **I2P** over the past week after operators tried to join **700,000 infected bots** as nodes, briefly overwhelming the anonymity network and disrup...
Timeline
03.09.2025 10:49 2 articles · 9mo ago
RapperBot abuses NVR flaws to deploy a DDoS botnet
Technical Analysis Update
Bitsight detailed the RapperBot kill chain against network video recorders (NVRs) and other IoT devices. According to the analysis, the attackers:
- exploit security flaws in NVRs to gain initial access;
- use a path traversal flaw in the web server to leak valid administrator credentials;
- push a fake firmware update;
- mount a remote NFS file system at 104.194.9[.]127;
- run the next-stage RapperBot payload;
- obtain C2 server IP addresses through DNS TXT records tied to hard-coded domains such as iranistrash[.]libre and pool.rentcheapcars[.]sbs;
- scan the internet for open ports to propagate the infection.
Sources
- Cloudflare Blocks Record-Breaking 11.5 Tbps DDoS Attack — thehackernews.com — 03.09.2025 10:49