CRITICAL: Raptor Train Historical Bot Infections Special Report

LAST UPDATED: 2025-07-07

DEFAULT SEVERITY LEVEL: CRITICAL

The Special Report run on 2025-07-07 contained information about IoT devices that are believed to have been infected with Raptor Train malware during the period 2024-06-05 to 2024-09-13 and 2025-06-24 to 2025-07-01. The data is provided as a result of the botnet disruption operation publicly announced by US Law Enforcement and international partners on 2024-09-18.

More information about Raptor Train can be found in the following advisories:

Technical information and Indicators of Compromise (IoCs) can be found in:

Note: The one-off Special Report also included additional events for the period 2025-06-24 to 2025-07-01, covering the window after Shadowserver began live sinkholing of the remaining C2 domain traffic but before those events were automatically included in our standard free daily Sinkhole Events Report. Those later events carry less detail in some fields than the main historical events, since they are based on the content of our standard Sinkhole Events Report.

Shadowserver Special Reports are unlike all of our other standard free daily network reports. They do not cover a specific daily 24-hour time period.

Instead, we send out Special Reports when we are able to share one-time, high-value datasets that we feel should be reported responsibly for maximum public benefit. Some incidents make it useful to notify potential victims about events or breaches that impacted them outside the previous 24-hour period, for example when incident responders need several days to complete forensic investigations before analyzed data becomes available for sharing with potential victims. Although the events included in these Special Reports fall outside our usual 24-hour daily reporting window, we believe our constituents still benefit significantly from receiving and, hopefully, acting on the retrospective data.

If you have missed a Special Report because you were NOT yet a subscriber at the time a report was pushed out, simply subscribe for your network now and specifically request all recent Shadowserver Special Reports – and we will regenerate them specifically for your network, at no cost.

Please note that the data shared in Special Reports differs case by case, so the report format for each individual Special Report may also differ.

The data in this Raptor Train Historical Bot Infections Special Report was provided to Shadowserver by US Law Enforcement partners to disseminate to National CERTs/CSIRTs and network owners globally, to maximize remediation efforts.

Exact timestamps were not available for individual events, so the timestamp field is set to "2025-07-07 00:00:00". Only the first and last seen times of an infection were recorded, so the first_seen_time and last_seen_time values for an infected system represent the date range during which an infection was likely active. There could, however, have been multiple shorter infections within that range, separated by periods without an active infection.

This special report has severity level CRITICAL set on all events. Severity levels are described here.

Filename prefix: 2025-07-07-special.

Note: this is accessible in the API using 2025-07-07 as the search date.

Fields

  • timestamp
    The timestamp has been set to "2025-07-07 00:00:00" to represent when this data set was reported, not when the infection was observed; use first_seen_time and last_seen_time for that.
  • ip
    IP address of the affected device
  • port
    TCP or UDP port identified (not used)
  • protocol
    Protocol associated with the malicious activity (not used)
  • asn
    Autonomous System Number of the affected device
  • geo
    Country of the affected device
  • region
    Region of the affected device
  • city
    City of the affected device
  • hostname
    Hostname of the affected device (may be from reverse DNS)
  • naics
    North American Industry Classification System Code
  • sector
    Sector of the IP in question
  • tag
    Additional tags for more insight
  • infection
    Description of the malware/infection
  • public_source
    Source of the data
  • status
    Status of the affected IP, for example, "compromised"
  • detail
    Unused
  • account
    Unused
  • method
    Unused
  • severity
    Severity level
  • hostname_source
    Hostname source
  • first_seen_time
    Timestamp the device was first recorded
  • last_seen_time
    Timestamp the device was last recorded
  • potential_exposure_time
    The number of seconds between first and last seen times
  • mac_address
    Device MAC address
  • os
    Operating system type
  • architecture
    Device architecture
  • version
    Bot version
  • c2
    Command and Control (C2) IP address

Sample

"timestamp","ip","port","protocol","asn","geo","region","city","hostname","naics","sector","tag","infection","public_source","status","detail","account","method","severity","hostname_source","first_seen_time","last_seen_time","potential_exposure_time","mac_address","os","architecture","version","c2"
"2010-02-10 00:00:00",192.168.0.1,,,64512,ZZ,Region,City,node01.example.com,0,,iot;flax-tyhpoon,raptor-train,,compromised,,root,,critical,ptr,"2024-06-05 00:00:00","2024-06-05 00:00:00",,00:1A:2B:3C:4D:1,"Linux version 3.10.0-1160.88.1.el7.x86_64 (mockbuild@kbuilder.bsys.centos.org) (gcc version 4.8.5 20150623 (Red Hat 4.8.5-44) (GCC) )",x86,17.4,78.141.238.97
"2010-02-10 00:00:01",192.168.0.2,,,64512,ZZ,Region,City,node02.example.com,0,,iot;flax-tyhpoon,raptor-train,,compromised,,root,,critical,ptr,"2024-06-05 00:00:00","2024-06-05 00:00:00",,00:1A:2B:3C:4D:2,"Linux version 3.10.0-1160.45.1.el7.x86_64 (mockbuild@kbuilder.bsys.centos.org) (gcc version 4.8.5 20150623 (Red Hat 4.8.5-44) (GCC) )",x86,17.4,45.80.215.149
"2010-02-10 00:00:02",192.168.0.3,,,64512,ZZ,Region,City,node03.example.com,0,,iot;flax-tyhpoon,raptor-train,,compromised,,root,,critical,ptr,"2024-06-05 00:00:00","2024-06-05 00:00:00",,00:1A:2B:3C:4D:3,"Linux version 3.10.0-1160.45.1.el7.x86_64 (mockbuild@kbuilder.bsys.centos.org) (gcc version 4.8.5 20150623 (Red Hat 4.8.5-44) (GCC) )",x86,17.4,45.80.215.149
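The following is an added example, not Shadowserver's own tooling, showing how a recipient might parse this report layout for triage: it recomputes potential_exposure_time from first_seen_time and last_seen_time when the field is blank (and cross-checks it when populated), classifies each row into the historical or live-sinkhole reporting period described above, flags the sparser live-sinkhole rows, extracts the unique C2 addresses, and counts infected devices per ASN. It assumes the column order given in the Fields list; the rows embedded below are constructed placeholders (IPs, ASNs, MACs, hostnames and tag values are illustrative, and row 4 imitates a sparser live-sinkhole event), not victim data.

```python
import csv
import io
from collections import Counter
from datetime import date, datetime

TS_FMT = "%Y-%m-%d %H:%M:%S"

# The two reporting periods named in the report description.
HISTORICAL = (date(2024, 6, 5), date(2024, 9, 13))
LIVE_SINKHOLE = (date(2025, 6, 24), date(2025, 7, 1))

# Constructed rows in the 2025-07-07-special column layout. IPs, ASNs, MACs,
# hostnames and tag values are placeholders, not victim data. Row 4 mimics a
# sparser live-sinkhole event (os, mac_address and version absent).
SAMPLE_CSV = '''"timestamp","ip","port","protocol","asn","geo","region","city","hostname","naics","sector","tag","infection","public_source","status","detail","account","method","severity","hostname_source","first_seen_time","last_seen_time","potential_exposure_time","mac_address","os","architecture","version","c2"
"2025-07-07 00:00:00",192.168.0.1,,,64512,ZZ,Region,City,node01.example.com,0,,iot;flax-typhoon,raptor-train,,compromised,,root,,critical,ptr,"2024-06-05 00:00:00","2024-06-05 00:00:00",,00:1A:2B:3C:4D:01,"Linux version 3.10.0-1160.88.1.el7.x86_64",x86,17.4,78.141.238.97
"2025-07-07 00:00:00",192.168.0.2,,,64512,ZZ,Region,City,node02.example.com,0,,iot;flax-typhoon,raptor-train,,compromised,,root,,critical,ptr,"2024-06-05 00:00:00","2024-09-13 00:00:00",8640000,00:1A:2B:3C:4D:02,"Linux version 3.10.0-1160.45.1.el7.x86_64",x86,17.4,45.80.215.149
"2025-07-07 00:00:00",192.168.0.3,,,64513,ZZ,Region,City,node03.example.com,0,,iot;flax-typhoon,raptor-train,,compromised,,root,,critical,ptr,"2024-07-01 00:00:00","2024-07-15 00:00:00",,00:1A:2B:3C:4D:03,"Linux version 3.10.0-1160.45.1.el7.x86_64",x86,17.4,45.80.215.149
"2025-07-07 00:00:00",192.168.0.4,,,64513,ZZ,Region,City,,0,,iot;flax-typhoon,raptor-train,,compromised,,,,critical,,"2025-06-24 00:00:00","2025-07-01 00:00:00",,,,,,45.80.215.149
'''


def infection_window(first, last):
    """Name the reporting period an event's first/last seen range falls into."""
    for name, (start, end) in (("historical", HISTORICAL),
                               ("live-sinkhole", LIVE_SINKHOLE)):
        if start <= first.date() and last.date() <= end:
            return name
    return "unknown"


def triage(text):
    """Parse report rows into records ordered by most recent last_seen_time."""
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        first = datetime.strptime(row["first_seen_time"], TS_FMT)
        last = datetime.strptime(row["last_seen_time"], TS_FMT)
        if last < first:
            raise ValueError(f"{row['ip']}: last_seen_time precedes first_seen_time")
        # potential_exposure_time is last_seen minus first_seen in seconds;
        # recompute it when the field is blank, cross-check it when populated.
        computed = int((last - first).total_seconds())
        stated = row["potential_exposure_time"].strip()
        if stated and int(stated) != computed:
            raise ValueError(f"{row['ip']}: potential_exposure_time {stated} != {computed}")
        records.append({
            "ip": row["ip"],
            "asn": int(row["asn"]),
            "hostname": row["hostname"] or None,
            "tags": row["tag"].split(";") if row["tag"] else [],
            "first_seen": first,
            "last_seen": last,
            "exposure_seconds": computed,
            "window": infection_window(first, last),
            "c2": row["c2"],
            "version": row["version"] or None,
            # Live-sinkhole rows come from the standard Sinkhole Events Report
            # and lack the device-level fields of the historical rows.
            "detail_level": "full" if (row["os"] or row["mac_address"]) else "sinkhole-only",
        })
    records.sort(key=lambda r: (r["last_seen"], r["exposure_seconds"]), reverse=True)
    return records


def c2_indicators(records):
    """Unique C2 addresses, e.g. for searching firewall logs or egress blocklists."""
    return sorted({r["c2"] for r in records if r["c2"]})


def hosts_per_asn(records):
    """Count of infected devices per ASN, for routing notifications to network owners."""
    return dict(Counter(r["asn"] for r in records))


if __name__ == "__main__":
    recs = triage(SAMPLE_CSV)
    for r in recs:
        print(r["ip"], r["window"], r["exposure_seconds"], r["c2"], r["detail_level"])
    print("C2s:", c2_indicators(recs))
    print("per ASN:", hosts_per_asn(recs))
```

Because the report's timestamp field is the dissemination date rather than an observation time, the sort key here is last_seen_time; when a real file is processed, rows whose first/last seen range straddles neither of the two documented periods come out as "unknown" and are worth a manual look rather than silent inclusion.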
