Inside the RapperBot DDoS Botnet: Anatomy, Attack Tactics, and Defense Strategies

An in‑depth investigation reveals the rise and takedown of the RapperBot DDoS botnet, detailing its malware lineage, sample analysis, sophisticated attack techniques, criminal profit models, and practical security recommendations, while showcasing Tencent’s Zeus Shield intelligence platform and AI‑enhanced threat analysis.

Tencent Technical Engineering

According to the U.S. Department of Justice, the high‑risk DDoS botnet RapperBot, responsible for numerous attacks on Tencent games, DeepSeek and the X platform, has been dismantled. Its mastermind, 22‑year‑old Ethan Faulds from Oregon, was arrested on August 6, 2025 and now faces a charge of aiding and abetting computer intrusion, which carries a potential ten‑year sentence.

1. RapperBot Botnet Family Overview

1.1 Family Introduction

RapperBot first appeared in May 2021, targeting IoT devices such as DVRs and Wi‑Fi routers via brute‑force attacks to build a botnet for large‑scale DDoS assaults. Its code inherits techniques from the fBot and Mirai families, offering high destructiveness and stealth.

The botnet once controlled between 65,000 and 95,000 devices, launched over 370,000 DDoS attacks affecting 18,000 victims across China, Japan, the United States, Ireland and Hong Kong, with peak traffic exceeding 6 Tbps. It also facilitated Monero mining and ransom‑style DDoS (RDoS).

1.2 Sample Analysis

New variants spread mainly through SSH brute‑force and vulnerability exploitation, implanting a zombie trojan on compromised devices. Using the x86 sample “garm5” as an example, the malware prints the string “Firmware update in progress” on the terminal and then self‑deletes.

It obtains the public IP and port of the infected host via the STUN protocol, resolves the C2 domain “iranistrash.libre”, and establishes an encrypted connection. Data exchanged is XOR‑encrypted; the server returns two packets, the second containing attack commands.

Key bytes in the decrypted command packet indicate the attack parameters:

• byte 12 (0x05) – command type: DDoS
• bytes 13‑14 (0x0001) – attack type: “upd_flood”
• bytes 8‑9 (0x004B) – duration: 75 seconds
• bytes 10‑13 – target IP
• byte 14 (0x20) – subnet mask: 32
• byte 15 (0x00) – payload length option
• byte 16 (0x04) – payload length, encoded in ASCII (0x31343030 = “1400”)
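As an added example (not from the Tencent write‑up or from the botnet’s own code), the following defender‑side decoder reconstructs the attack parameters listed above from an XOR‑encoded command record and sizes the “map‑cannon” reach of a command batch; the XOR key, the non‑overlapping field offsets and the sample target address are constructed assumptions, since the write‑up gives neither the key nor a consistent layout.

```python
"""Decoder for a RapperBot-style C2 command record (constructed layout)."""
import ipaddress
import struct

XOR_KEY = 0x5A                         # constructed key; the real one is not in the write-up
CMD_DDOS = 0x05                        # page: command type 0x05 = DDoS
ATTACK_TYPES = {0x0001: "upd_flood"}   # page: attack type 0x0001 (label as printed)

# Assumed record layout carrying the fields the page lists, with non-overlapping offsets:
#   u16 duration | u8 cmd | u16 attack | 4B target IPv4 | u8 mask | u8 opt | u8 n | n ASCII digits
HEADER = ">HBH"


def xor_crypt(data: bytes, key: int = XOR_KEY) -> bytes:
    """Single-byte XOR is symmetric, so this both encodes and decodes."""
    return bytes(b ^ key for b in data)


def parse_command(plain: bytes) -> dict:
    """Extract attack parameters from a decrypted command record."""
    duration, cmd, attack = struct.unpack(HEADER, plain[:5])
    if cmd != CMD_DDOS:
        raise ValueError(f"not a DDoS command: 0x{cmd:02x}")
    target = ipaddress.IPv4Address(plain[5:9])
    mask, opt, ndigits = plain[9], plain[10], plain[11]
    # Payload length travels as ASCII digits, e.g. 0x31343030 -> "1400".
    payload_len = int(plain[12:12 + ndigits].decode("ascii"))
    return {"attack": ATTACK_TYPES.get(attack, f"unknown_0x{attack:04x}"),
            "duration_s": duration, "target": str(target), "mask": mask,
            "payload_len_opt": opt, "payload_len": payload_len}


def affected_hosts(mask: int) -> int:
    """Hosts hit by one map-cannon command; /24 -> 254, matching the write-up's arithmetic."""
    return 1 if mask == 32 else 2 ** (32 - mask) - 2


def campaign_reach(commands: int, mask: int) -> int:
    """Total IPs a batch of same-mask commands can reach (297 x /24 -> 75,438)."""
    return commands * affected_hosts(mask)


def build_sample_packet() -> bytes:
    """Constructed packet: 75 s upd_flood against 203.0.113.10/32 with a 1400-byte payload."""
    plain = struct.pack(HEADER, 75, CMD_DDOS, 0x0001)
    plain += ipaddress.IPv4Address("203.0.113.10").packed + bytes([32, 0x00, 4]) + b"1400"
    return xor_crypt(plain)


def decode_packet(enc: bytes) -> dict:
    return parse_command(xor_crypt(enc))


if __name__ == "__main__":
    print(decode_packet(build_sample_packet()), campaign_reach(297, 24))
```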

1.3 Attack Methods

RapperBot’s tactics have evolved to include “combo‑punch” attacks that combine multiple techniques, most notably a growing share of TCP‑connection‑based floods that establish large numbers of real TCP connections to the target, which makes them harder to distinguish from legitimate traffic and thus harder to mitigate.

It also employs “map‑cannon” attacks by setting subnet masks (24, 23, 22, 21, 17, 16, 12) to target entire IP ranges. For example, 297 UDP‑connect‑flood commands with a /24 mask can affect 297 × 254 = 75,438 IPs.

1.4 Notable Attack Cases

• Large‑scale DDoS against DeepSeek during the 2025 Chinese New Year.
• Three waves of attacks on Elon Musk’s X platform (Twitter) from February 28 to March 11, 2025.
• Multiple attacks on Blizzard servers on March 23‑24, 2025.
• Batch DDoS assaults on Tencent gaming services during the summer of 2025.

2. Profit Model Behind DDoS Botnets

2.1 Criminal Supply Chain

Attackers coerce victims—especially in finance, gaming, and e‑commerce—to pay ransom for service restoration. A rising “pre‑warning ransom” model issues threats before actual attacks.

2.2 Revenue Channels

• Botnet leasing – renting compromised devices to other criminals.
• Extortion – demanding “protection fees” to stop ongoing attacks, exemplified by the ACCN group’s ransomware against game servers.
• Selling attack resources and services via web portals or APIs, billed per request or per unit of time.
• Diversified abuse – ad‑click fraud, game‑specific DDoS “room‑bombing”, etc.

3. Tencent Zeus Shield Intelligence System

3.1 System Architecture

The DDoS intelligence platform combines a self‑developed high‑interaction, full‑port honeypot with external open‑source feeds. Captured samples are placed in a “chicken farm” where their traffic with C2 servers is continuously analyzed to extract attacker commands.

3.2 AI‑Assisted Sample Analysis

Large language models are used to decompile and reason about sample code, drive debuggers via MCP, and automate family classification. This boosts reverse‑engineering efficiency by 80 % and achieves 90 % automation in family tagging, enhancing threat detection, situational awareness, and coordinated defense.

4. DDoS Defense Recommendations

4.1 Prevent Becoming a Zombie

Strengthen device‑level security: replace default credentials, disable unnecessary services (e.g., public Telnet/SSH), patch vulnerabilities, enforce IoT device admission control and micro‑segmentation to limit lateral movement.

4.2 Build Automated Disaster‑Recovery Orchestration

Distribute workloads across multiple environments so that, during extreme attacks, automated failover reduces impact and raises the attacker’s cost.

4.3 Conduct Regular Red‑Team/Blue‑Team DDoS Exercises

Develop drill plans and joint response procedures for various attack scales, and run periodic simulations to improve real‑world response capabilities.

5. Conclusion

The botnet never dies, and DDoS defense is an ongoing battle. Every attack reminds us that “no product is inherently secure; only security practices make it resilient.” Tencent’s Zeus Shield remains committed to protecting seamless gaming experiences for all users.
