
A botnet called RapperBot blends technical evolution with internet-era bravado, marshalling more than 50,000 compromised devices worldwide into DDoS attacks.
In a world where most malware stays quiet, RapperBot demands attention, and not only from threat analysts. First disclosed by CNCERT in 2022 and linked to attacks as far back as 2021, RapperBot is back with more bots, more targets, and… rap lyrics?
According to a new report from XLAB, RapperBot has resurged in 2025 with over 50,000 active bots and is now demanding extortion fees in Monero (XMR) to stop DDoS attacks on victims.
In a rare display of cybercriminal showmanship, RapperBot samples contain taunts aimed at reverse engineers, including a YouTube link to the track “I Am Da Bag”.
“Question, Did you guys listen to my music whilst reverse engineering my binary?” one string reads, followed by a jab:
“I can only imagine the Chinese (NETLAB360) researchers not understanding it at all and trying to decode the meaning behind it.”
In another sample, the malware even promises to “leave a new message” in future updates — like a malware mixtape teaser.
RapperBot is no longer content just launching DDoS attacks — it now asks for protection money.
“Donate $5,000 in XMR… to be blacklisted from this and future botnets from us. Contact: horse@riseup.net with TxID and IP Range/ASN.”
With this shift toward extortion-based DDoS, RapperBot now enters the same league as established ransomware and blackmailing botnets — using fear as a business model.
By proactively registering RapperBot’s unclaimed C2 domains (in effect sinkholing them), XLAB was able to observe the bots that phoned home. Key findings include:
- 50,000+ IPs observed in the most recent peaks
- Bots primarily infecting IoT devices, especially DVRs, network cameras, and routers
- Common web interfaces among infected devices include “DVR Components Download,” “ASUS Login,” and “RouterOS router configuration page”
These infected devices are hijacked to attack industries including public administration, finance, social networks, and AI platforms. Notably, RapperBot launched attacks on DeepSeek during the Chinese Spring Festival and Twitter in March 2025.
RapperBot’s evolution shows deep technical adaptability:
- C2 acquisition via DNS-TXT records using four different formats over time
- Adoption of custom string decryption algorithms and enhanced Mirai decryption methods
- Use of multiple encryption keys per sample
- Addition of proxy support, firmware update messages, and multi-part payload obfuscation
“Samples of different variants… are largely similar, with modifications mainly focused on message data structures, DNS-TXT record parsing methods, and string decoding,” XLAB explains.
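The two mechanisms above, C2 discovery through DNS TXT records and Mirai-derived string obfuscation, can be illustrated together. The following is an added example, not code from the XLAB report or from the malware itself: the `mirai_toggle_obf` routine reproduces Mirai's public `toggle_obf` design (XOR with the four bytes of the key 0xDEADBEEF), while the versioned TXT record formats, the `rolling_xor` "enhanced" variant, the per-sample key and the sample records are hypothetical stand-ins for the formats the article mentions but does not spell out.

```python
"""Illustrative C2 lookup via DNS TXT records with Mirai-style string obfuscation.

Only mirai_toggle_obf reflects a real, public design (Mirai's toggle_obf).
The v1/v2/v3 record formats, rolling_xor and the keys are hypothetical.
"""
import base64

MIRAI_KEY = 0xDEADBEEF  # Mirai's default table key (from its public source)


def mirai_toggle_obf(data: bytes, key: int = MIRAI_KEY) -> bytes:
    """Mirai's toggle_obf: XOR every byte with each of the four key bytes in turn.

    Because XOR is associative this collapses to XOR with k1^k2^k3^k4 (0x22 for
    the default key), which is why Mirai string tables are trivial to recover.
    The routine is its own inverse.
    """
    folded = 0
    for shift in (0, 8, 16, 24):
        folded ^= (key >> shift) & 0xFF
    return bytes(b ^ folded for b in data)


def rolling_xor(data: bytes, key: bytes) -> bytes:
    """Hypothetical 'enhanced' variant: a multi-byte key applied as a rolling pad,
    so a single XOR constant no longer recovers the string."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


SAMPLE_KEY = b"\x5a\x13\xc7\x9e"  # hypothetical per-sample key


# Hypothetical TXT record formats, tagged with a version prefix so a bot can
# dispatch on whichever format the current sample understands.
def parse_v1(payload: str) -> tuple[str, int]:
    """v1:host:port in clear text."""
    host, port = payload.split(":")
    return host, int(port)


def parse_v2(payload: str) -> tuple[str, int]:
    """v2:<base64(mirai_toggle_obf(host:port))>"""
    raw = mirai_toggle_obf(base64.b64decode(payload))
    host, port = raw.decode().split(":")
    return host, int(port)


def parse_v3(payload: str, key: bytes = SAMPLE_KEY) -> tuple[str, int]:
    """v3:<base64(rolling_xor(host:port, key))> with a per-sample key."""
    raw = rolling_xor(base64.b64decode(payload), key)
    host, port = raw.decode().split(":")
    return host, int(port)


PARSERS = {"v1": parse_v1, "v2": parse_v2, "v3": parse_v3}


def resolve_c2(txt_records: list[str]) -> list[tuple[str, int]]:
    """Walk the TXT answers and return every C2 endpoint that decodes cleanly.

    Unknown or malformed records are skipped rather than fatal, which is how
    both a bot and a sinkhole operator would tolerate stale records.
    """
    found = []
    for record in txt_records:
        version, _, payload = record.partition(":")
        parser = PARSERS.get(version)
        if parser is None:
            continue
        try:
            found.append(parser(payload))
        except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
            continue
    return found


def encode_v2(host: str, port: int) -> str:
    return "v2:" + base64.b64encode(mirai_toggle_obf(f"{host}:{port}".encode())).decode()


def encode_v3(host: str, port: int, key: bytes = SAMPLE_KEY) -> str:
    return "v3:" + base64.b64encode(rolling_xor(f"{host}:{port}".encode(), key)).decode()


# Constructed sample answers, as they might come back from a TXT query
# (documentation-range addresses, not real infrastructure).
SAMPLE_TXT = [
    "v1:198.51.100.10:4443",
    encode_v2("203.0.113.7", 5555),
    encode_v3("192.0.2.200", 8080),
    "v9:not-a-format-we-know",
    "v2:!!!notbase64",
]

if __name__ == "__main__":
    for host, port in resolve_c2(SAMPLE_TXT):
        print(f"{host}:{port}")
```

The practical point for analysts is the one XLAB's quote makes: once the version dispatch and the string routine are understood, each new record format is a small parser change, so a sinkhole or tracker should be written with the parser table pluggable rather than hard-coding one layout.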
RapperBot spreads primarily via:
- Telnet weak password brute force
- Exploiting known CVEs in:
  - Zyxel NAS devices (CVE-2020-9054, CVE-2023-4473)
  - D-Link routers (CVE-2021-46229, CVE-2020-24581)
  - KGUARD and LILIN DVRs
  - Ruijie and Reolink systems
With target lists drawn straight from Shodan, internet-exposed devices of these types are easy prey for the botnet’s rapid and relentless expansion.
The botnet’s custom packet format includes login credentials, local network data, randomized filler, and attack commands like:
- Start Attack
- Proxy Create
- HeartBeat
- Confirm
These packets are XOR-obfuscated, and the randomized filler fields exist to break byte-pattern signatures; detections that key on the decoded structure (command codes, length fields) rather than on fixed wire bytes hold up better against this design.
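To make the signature-evasion point concrete, here is an added example (not RapperBot's real wire format, and not code from the XLAB report) of a bot-to-C2 packet with a command byte, random-length random filler and a length-prefixed payload, XOR-obfuscated with a per-sample key. The layout, command codes, filler bounds and key are all hypothetical. It pairs a naive signature on the obfuscated bytes with a decode-then-validate check, and shows why only the second one survives the filler.

```python
"""Illustrative bot-to-C2 packet builder/decoder with randomized filler.

Layout, command codes, filler bounds and XOR key are hypothetical stand-ins
for the kind of format the article describes; nothing here is RapperBot's.
"""
import os
import struct
from enum import IntEnum


class Command(IntEnum):
    """Hypothetical command codes for the four commands the article names."""
    HEARTBEAT = 0x01
    CONFIRM = 0x02
    START_ATTACK = 0x10
    PROXY_CREATE = 0x20


XOR_KEY = bytes.fromhex("7a3c91e5")  # hypothetical per-sample key
MIN_FILLER, MAX_FILLER = 4, 15        # hypothetical bounds on the random filler


def xor_bytes(data: bytes, key: bytes) -> bytes:
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def build_packet(cmd: Command, payload: bytes, key: bytes = XOR_KEY, rng=os.urandom) -> bytes:
    """Hypothetical layout before obfuscation:
        cmd(1) | filler_len(1) | filler(filler_len) | payload_len(2, BE) | payload
    The filler is random and its length varies, so two encodings of the same
    command agree on no wire byte beyond the first one."""
    filler_len = MIN_FILLER + rng(1)[0] % (MAX_FILLER - MIN_FILLER + 1)
    filler = rng(filler_len)
    plain = (struct.pack("!BB", cmd, filler_len) + filler
             + struct.pack("!H", len(payload)) + payload)
    return xor_bytes(plain, key)


def decode_packet(blob: bytes, key: bytes = XOR_KEY) -> tuple[Command, bytes]:
    """Strict decoder: every length field must be consistent with the blob."""
    plain = xor_bytes(blob, key)
    if len(plain) < 4:
        raise ValueError("truncated header")
    cmd, filler_len = plain[0], plain[1]
    if not MIN_FILLER <= filler_len <= MAX_FILLER:
        raise ValueError("filler length out of range")
    off = 2 + filler_len
    if len(plain) < off + 2:
        raise ValueError("truncated filler")
    (plen,) = struct.unpack_from("!H", plain, off)
    if len(plain) != off + 2 + plen:
        raise ValueError("payload length mismatch")
    return Command(cmd), plain[off + 2:]  # Command() raises ValueError on unknown codes


def naive_signature_hits(blob: bytes, signature: bytes) -> bool:
    """Byte-pattern match on the obfuscated wire bytes; the filler defeats it."""
    return blob.startswith(signature)


def structural_hits(blob: bytes, key: bytes = XOR_KEY) -> bool:
    """Decode-then-validate: matches any well-formed packet regardless of filler."""
    try:
        decode_packet(blob, key)
    except ValueError:
        return False
    return True


def detection_comparison(n: int = 200) -> tuple[int, int]:
    """Encode the same heartbeat n times and count hits for each approach.
    The naive signature is the first two wire bytes of the first packet seen."""
    packets = [build_packet(Command.HEARTBEAT, b"") for _ in range(n)]
    sig = packets[0][:2]
    naive = sum(naive_signature_hits(p, sig) for p in packets)
    structural = sum(structural_hits(p) for p in packets)
    return naive, structural


if __name__ == "__main__":
    naive, structural = detection_comparison()
    print(f"naive signature: {naive}/200, structural check: {structural}/200")
```

The second wire byte is the obfuscated filler length, so a signature taken from one capture matches only the fraction of packets that happen to draw the same length; the structural check needs the key (recovered from the sample) but is indifferent to the filler. In a real deployment the key would come from reverse engineering, exactly the work the malware's taunts are aimed at.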