Overview
Recently, US officials claimed to have successfully gained control of RapperBot, effectively curbing this powerful source of DDoS attacks. The operation pinpointed the key figure behind the botnet, Ethan Foltz, a resident of Eugene, Oregon, USA. According to the investigation, Foltz has been developing and operating RapperBot since 2021. Since it became active, the RapperBot botnet has launched attacks against more than 80 countries and regions around the world, including China, Japan, and the United States. Its targets span a range of industries, including government, public management, social security and social organizations, Internet platforms, manufacturing, and financial services.
RapperBot
1. Introduction
RapperBot, also known as Eleven Eleven Botnet and CowBot, was first disclosed by NSFOCUS Fuying Lab and CNCERT IoT threat research team in June 2022.
Its activities can be traced back to 2021. The botnet inherited Mirai’s code and mainly attacks IoT devices such as digital video recorders, webcams and routers. Since March 2025, its activity has increased significantly, with an average of more than 100 attack targets per day and more than 50,000 observed bots.
2. Technical characteristics
- Architecture adaptability: RapperBot draws on the source code of the Mirai botnet and is built for Linux devices of different architectures, covering ARM, MIPS, SPARC and x86. This gives it broad infection reach across many types of IoT devices and Linux servers on the market.
- SSH brute force attack mechanism: Unlike Mirai’s preference for brute force attacks on Telnet servers, RapperBot focuses on the password authentication step of SSH servers. Early samples hard-coded 57 simple passwords directly in the “.data” section of the binary for brute force cracking. Later samples are more cunning and fetch the password list from the C&C server instead. In this way, the attackers can refresh the password base at any time without updating the malware itself, increasing the success rate of attacks.
- Unique identification and authentication means: When communicating with the target server, RapperBot will send the string “SSH-2.0-HELLOWORLD” to indicate its identity. The attack instructions include a command that attempts to replace the contents of the victim’s ~/.ssh/authorized_keys file with its own SSH public key. Once successful, the attacker can easily log in to the controlled server without a password and gain remote control of the device.
- Instruction set parsing: RapperBot has 5 instruction codes, namely registration (0x00), keep connected (0x01), client termination (0x02), launch attack (0x03) and stop all attacks (0x04). These codes are embedded at fixed positions within the transmitted packets, giving the operator precise control over the botnet.
- Application of obfuscation technology: Early samples obfuscated function calls, while later samples strengthened the obfuscation further, storing strings one character at a time at separated locations and reassembling them at run time, which undoubtedly makes analysis and detection harder for security researchers.
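The three host- and network-observable behaviours described above (the “SSH-2.0-HELLOWORLD” client banner, password brute forcing against sshd, and replacement of ~/.ssh/authorized_keys) can be checked with a short defender-side script. The code below is an added example, not NSFOCUS’s or RapperBot’s code; the log lines, banner bytes, key lines and the rsyslog-style sshd log format it parses are all constructed assumptions.

```python
"""Defender-side checks for the RapperBot behaviours described above.
Added example; log lines, banner bytes and the key baseline are constructed."""
import re
from collections import Counter

# Client identification string the post says RapperBot sends to SSH servers.
RAPPERBOT_BANNER = b"SSH-2.0-HELLOWORLD"

# Assumed sshd log format (rsyslog-style auth.log); adapt the regex to your logger.
FAIL_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\d+\.\d+\.\d+\.\d+)")

def suspicious_banner(data: bytes) -> bool:
    """True if the first line of a captured client-to-server SSH stream is RapperBot's banner."""
    first_line = data.split(b"\r\n", 1)[0].split(b"\n", 1)[0]
    return first_line == RAPPERBOT_BANNER

def brute_force_sources(log_lines, threshold=10):
    """Return {ip: failed_attempts} for sources with at least `threshold` failed password logins."""
    counts = Counter()
    for line in log_lines:
        m = FAIL_RE.search(line)
        if m:
            counts[m.group(2)] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}

def authorized_keys_drift(current: str, baseline: set) -> dict:
    """Diff an authorized_keys file body against approved key lines.
    RapperBot replaces the whole file, so both removals and additions matter."""
    present = set()
    for line in current.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            present.add(line)
    return {"added": sorted(present - baseline), "removed": sorted(baseline - present)}

# Constructed samples: one source hammering root, one stray failure, one legitimate login.
SAMPLE_LOG = [
    f"Aug 10 12:00:{i:02d} host sshd[4242]: Failed password for root from 203.0.113.7 port 5{i:04d} ssh2"
    for i in range(12)
] + ["Aug 10 12:01:00 host sshd[4243]: Failed password for invalid user admin from 198.51.100.9 port 51000 ssh2",
     "Aug 10 12:01:05 host sshd[4244]: Accepted publickey for ops from 192.0.2.4 port 52000 ssh2"]
BASELINE_KEYS = {"ssh-ed25519 AAAAC3Nz_placeholder_ops_key ops@example"}   # placeholder key
REPLACED_FILE = "ssh-rsa AAAAB3Nz_placeholder_attacker_key\n"               # placeholder key

if __name__ == "__main__":
    print(suspicious_banner(b"SSH-2.0-HELLOWORLD\r\n"))
    print(brute_force_sources(SAMPLE_LOG))
    print(authorized_keys_drift(REPLACED_FILE, BASELINE_KEYS))
```

In production the banner check would run on the first client bytes of each inbound SSH connection (for example from a network sensor), and the authorized_keys baseline would come from configuration management rather than a literal.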
3. Recent key attack incidents
- Attacks on DeepSeek: Since January 2025, DeepSeek has been frequently attacked by DDoS. Among them, RapperBot, as one of the main participants, launched a DDoS attack on DeepSeek using 16 command and control (C2) servers and more than 100 C2 ports. The highest number of connection requests in a single day was 139,405, and the peak traffic exceeded TB level, forcing DeepSeek to add another service IP.
- Attacks on X: On March 10, Eastern Time, X (formerly Twitter) was hit by RapperBot’s DDoS attacks, leaving users across the globe unable to use it normally. X suffered three large-scale outages; the attack timing coincided exactly with the service outages, and Cloudflare detected the attack traffic. In the end, Tesla’s stock price plummeted by 15%.
- Attacks on US government networks: Public disclosures show that since April 2025, RapperBot has had a real impact on US government-related networks at least three times. This shows that its targets are not limited to civilian or commercial systems, but extend to national critical infrastructure.
US Officials Gain Control of RapperBot
On August 6, 2025, the U.S. Defense Criminal Investigative Service (DCIS) executed a search warrant at the residence of Ethan Foltz, a 22-year-old man in Eugene, Oregon. The investigation indicates that Foltz is suspected of developing and operating RapperBot since 2021; he was formally charged in the U.S. District Court for the District of Alaska on August 8 with aiding and abetting cyber intrusion, and faces up to 10 years in prison.
The US law enforcement action was coordinated among many parties. During the investigation, tech giants such as Google and PayPal and cybersecurity agencies provided key assistance to law enforcement. Investigators traced the connection between RapperBot’s hosting provider and Foltz’s PayPal account, obtaining records showing that Foltz controlled the account and the email address associated with it. Although Foltz used a VPN service to try to cover his tracks, the investigation found that the same IP address had been used to access his Gmail, PayPal and ISP accounts. In addition, Foltz’s Google account search history shows that he searched for “RapperBot” many times and browsed cybersecurity blogs afterwards, seemingly monitoring public perception of the botnet.
At the search site, Foltz admitted that he was the main administrator of RapperBot and revealed to investigators that his main partner was codenamed “SlayKings” and that RapperBot’s code originated from Mirai, Tsunami and fBot botnets. Ultimately, at the request of investigators, Foltz terminated RapperBot’s external attack capabilities and handed over management to DCIS personnel.
Summary
The RapperBot case once again highlights the security vulnerabilities and complexities faced by the IoT ecosystem around the world. As a new type of botnet derived from Mirai, it shows marked evolution in architecture adaptation, attack methods and obfuscation techniques, indicating that attackers are able to develop and iterate continuously. In terms of attack scope, its impact has spread to key industries such as public management, finance, manufacturing and platform services, and extended to national critical information infrastructure, highlighting the severity and long-term nature of cross-border cyber attack risks.
In addition, although the United States took control of RapperBot through law enforcement action in August 2025 and quickly terminated its attack capabilities, botnet variants may still be revived in the future through code reuse, residual infected hosts and grey market transactions. The potential regenerative capacity of such botnets reminds all parties that global monitoring and coordinated defense need to be continuously strengthened to deal with possible derivative threats in the future.
