RapperBot Unleashed: Sophisticated Mirai Variant Targets DVRs, Launches HTTPS DDoS Attacks
At the international Botconf conference held in May 2025 in Angers, France, experts from NICT CSRI unveiled the findings of their three-year investigation into the RapperBot malware. Their conclusions were alarming: this evolved variant of the infamous Mirai botnet has emerged as a sophisticated and targeted threat to surveillance systems across the globe.
RapperBot specifically targets digital video recorders (DVRs) used for capturing and remotely managing surveillance camera footage. The NICT CSRI team conducted a meticulous analysis of the DVR ecosystem, exposing its profound vulnerabilities to cyber intrusions. Chief among the issues are default login credentials, exposed Telnet and HTTP ports on legacy models, and a widespread lack of firmware updates. These weaknesses render DVRs highly susceptible to exploitation, making them prime targets for threat actors seeking to compromise the infrastructure of the Internet of Things.
To infiltrate these DVRs, RapperBot employs a multi-layered attack strategy. In addition to brute-force password attacks—nearly half of which are tailored specifically to DVR systems—it exploits known vulnerabilities from the CVE database, as well as zero-day flaws that remain undisclosed to the public. These breaches occur through administrative interfaces, significantly increasing the likelihood of a successful compromise.
A defining characteristic of RapperBot is its elaborate infection chain. According to NICTER’s monitoring data from late 2024, once the malware gains access to a device, it activates Recon scanners to accurately identify the hardware type. This intelligence is relayed to a command-and-control server, which then deploys a loader programmed to exploit a vulnerability specifically tailored to that device model. This precise targeting makes detection and neutralization exceedingly difficult, as attackers proactively avoid honeypot traps and other common defense mechanisms.
Beyond hijacking DVRs, RapperBot is actively leveraged to launch global DDoS campaigns. The most significant incident occurred on March 10, 2025, when the malware targeted the social media platform X, resulting in widespread service disruptions. Analysts from Cisco ThousandEyes documented and published metrics illustrating the outage.
Since the spring of 2025, RapperBot has evolved further, gaining new capabilities. The malware now encrypts the DNS requests it uses to locate its command servers, resolving randomly generated 32-character domain names through public DNS resolvers. It has also added HTTPS-based DDoS functionality, which lets its attack traffic blend in with legitimate web traffic. To evade detection further, it randomly selects TLS signature algorithms, complicating identification by TLS fingerprinting schemes such as JA4.
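One defensive hook the randomly generated 32-character names leave behind is their shape in DNS query logs. The following added example (not code from NICT or the report) flags queries whose second-level label is exactly 32 characters and high-entropy; the log format and the sample lines are constructed assumptions.

```python
import math
from collections import Counter

# Constructed sample DNS query log (not from the NICT report). Assumed format:
# "<timestamp> <client-ip> <query-name> <qtype>", one query per line.
SAMPLE_DNS_LOG = """\
2025-05-01T10:00:01Z 192.0.2.10 www.example.com A
2025-05-01T10:00:02Z 192.0.2.11 q7w3e9r1t5y0u2i4oapsdfghjklzxcvb.net A
2025-05-01T10:00:03Z 192.0.2.12 firmware.vendor-dvr.example A
2025-05-01T10:00:04Z 192.0.2.11 m1n6b7v2c4x9z3l5kajsdhfgpoiuytre.com A
2025-05-01T10:00:05Z 192.0.2.13 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.org A
"""

def shannon_entropy(label: str) -> float:
    """Bits per character of the label; 0.0 for an empty or single-symbol string."""
    if not label:
        return 0.0
    counts = Counter(label)
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def registrable_label(qname: str) -> str:
    """Second-level label of a query name (naive: ignores public-suffix lists such as co.uk)."""
    parts = qname.rstrip(".").lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def is_dga_like(qname: str, length: int = 32, min_entropy: float = 4.0) -> bool:
    """Heuristic: a second-level label of exactly `length` characters that is also
    high-entropy. Length alone is not enough (see the 'aaaa...' sample line)."""
    label = registrable_label(qname)
    return len(label) == length and shannon_entropy(label) >= min_entropy

def find_dga_like_queries(log_text: str) -> list[tuple[str, str]]:
    """Return (client-ip, query-name) pairs whose names match the heuristic."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # skip malformed lines rather than crash on them
        _ts, client, qname, _qtype = fields[:4]
        if is_dga_like(qname):
            hits.append((client, qname))
    return hits

if __name__ == "__main__":
    for client, qname in find_dga_like_queries(SAMPLE_DNS_LOG):
        print(f"{client} queried DGA-like name {qname}")
```

Legitimate 32-character hexadecimal labels (content hashes used by some CDNs) sit close to the 4-bit threshold, so an allowlist of known domains should be applied before alerting, and repeated hits from one client (here 192.0.2.11) are a stronger signal than a single query.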
RapperBot poses a particularly severe threat due to its ability to compromise devices manufactured by ITX Security and CTRing. These DVRs are rebranded and sold under more than 28 different names globally, making coordinated vulnerability mitigation virtually impossible. As early as 2022, NICT—working with a Japanese retailer—identified four critical vulnerabilities in ITX Security products, including two zero-days, which were only partially addressed through a firmware update.
Yet the malware continues to evolve. Multiple variants are now in circulation, distinguished by their choice of scanners—whether Recon, Telnet, SSH, or none at all. The NICT CSRI team has pledged to continue researching this growing threat and to collaborate with hardware vendors and cybersecurity communities to strengthen end-user protections and bolster the resilience of IoT infrastructure against such botnets.