RapperBot Hijacking Devices to Launch DDoS Attack In a Split Second

In early April 2025, cybersecurity researchers identified a significant increase in UDP flood traffic originating from compromised network video recorders (NVRs) and other edge devices. Within milliseconds of infection, these devices were used to generate large volumes of packets directed at various targets, resulting in service interruptions and substantial bandwidth usage.
Bitsight analysts attributed this activity to a new botnet named RapperBot. The botnet was noted for its rapid attack process and innovative use of legacy hardware constraints to avoid detection.
The malware propagates by scanning for exposed web interfaces, exploiting default credentials, and delivering a malicious payload disguised as a firmware update. Once activated, RapperBot performs two main actions: it makes encrypted DNS TXT record queries to obtain command-and-control (C2) IP addresses and initiates continuous UDP floods on port 80.
Risk assessments indicate that individual devices can exceed 1 Gbps throughput, with the botnet’s total capacity peaking at over 7 Tbps during attacks on major targets, including cloud-based search providers and social media platforms.
The malware operates by mounting a remote NFS share to execute architecture-specific binaries, then deleting itself so that it runs entirely in memory. This approach suits the minimal BusyBox environment on many IoT devices, which typically lacks standard download tools such as curl or the /dev/tcp pseudo-device.
RapperBot exploits the NVR’s firmware update mechanism through a path traversal zero-day in the web server, followed by a binary fetch over NFS. This approach bypasses typical filesystem artifacts that trigger antivirus alerts.
Infection Mechanism
RapperBot exploits the administrative port (TCP 34567) of vulnerable NVRs. The attacker uses a path traversal flaw to obtain account configuration files, revealing credentials. These credentials are then used to initiate a fake firmware update, sending a ZIP-formatted payload over the proprietary update protocol.
The ZIP archive contains a JSON script instructing the device to mount an NFS share and execute the payload script. This method bypasses the limitations of the NVR’s BusyBox environment by using NFS, which is universally supported on minimal embedded Linux systems.
The script tries multiple ARM architecture binaries until one runs successfully, writes a marker file, and cleans up, leaving no on-disk executable. Executing directly from the NFS mount in this way significantly reduces forensic evidence and allows the device to become an active DDoS participant almost immediately.
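The infection chain described above leaves a recognisable network footprint: an external hit on the NVR's administrative port, an outbound NFS mount to an external host, a DNS TXT lookup from the NVR, and then a high-rate UDP stream to port 80. The following detection sketch is an added example, not code from Bitsight or the article; the flow-record layout, the internal address range, the NVR inventory and the packet-rate threshold are all assumptions, and the sample flows are constructed.

```python
"""Flag the RapperBot-style infection sequence in Zeek-conn-like flow records."""
import ipaddress
from collections import defaultdict

LAN = ipaddress.ip_network("192.0.2.0/24")   # assumed internal range
NVR_HOSTS = {"192.0.2.10"}                    # assumed inventory of NVRs
UDP80_PPS_THRESHOLD = 200                     # assumed packets/sec per source

# Constructed sample flows: (ts, src, dst, proto, dport, pkts, dns_qtype)
FLOWS = [
    (1.00, "203.0.113.9", "192.0.2.10", "tcp", 34567, 12, None),    # admin port from Internet
    (1.20, "192.0.2.10", "203.0.113.9", "tcp", 2049, 40, None),     # NVR mounts external NFS
    (1.30, "192.0.2.10", "198.51.100.53", "udp", 53, 1, "TXT"),     # TXT lookup for C2
    *[(1.4 + i / 1000, "192.0.2.10", "192.0.2.200", "udp", 80, 1, None)
      for i in range(500)],                                         # UDP flood on port 80
    (2.00, "192.0.2.11", "192.0.2.20", "tcp", 443, 9, None),        # benign traffic
]


def is_internal(ip):
    return ipaddress.ip_address(ip) in LAN


def detect(flows):
    """Return sorted (rule, host) alerts for the indicators in the article."""
    alerts = set()
    udp80 = defaultdict(list)
    for ts, src, dst, proto, dport, pkts, qtype in flows:
        # Proprietary NVR admin port reachable from outside the LAN
        if proto == "tcp" and dport == 34567 and not is_internal(src):
            alerts.add(("admin_port_from_internet", dst))
        # Internal host mounting an NFS share on an external server
        if dport == 2049 and is_internal(src) and not is_internal(dst):
            alerts.add(("external_nfs_mount", src))
        # TXT record lookups from an NVR (C2 address retrieval)
        if dport == 53 and qtype == "TXT" and src in NVR_HOSTS:
            alerts.add(("dns_txt_from_nvr", src))
        if proto == "udp" and dport == 80:
            udp80[src].append((ts, pkts))
    # UDP to port 80 at a sustained rate above the threshold
    for src, samples in udp80.items():
        span = max(t for t, _ in samples) - min(t for t, _ in samples)
        if sum(p for _, p in samples) / max(span, 1.0) > UDP80_PPS_THRESHOLD:
            alerts.add(("udp80_flood", src))
    return sorted(alerts)
```

In practice the four rules fire in sequence against the same device, so correlating them by host within a short window gives a much stronger signal than any single rule.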