
The DOT Report: Raptor Train Botnet Compromises 200K+ Devices, Europol Shuts Down Phishing Scheme

September 24, 2024


The DOT Report highlights major cybersecurity headlines monthly, exploring the tools, processes, and philosophies behind real-world incidents. These stories provide an opportunity to assess and analyze various cybersecurity measures and observe how they're applied.

This month, we cover the Raptor Train botnet responsible for compromising over 200,000 devices, how Europol shut down a major phishing scheme targeting mobile devices, the recent movements of a hacktivist group known as Twelve, and the newly discovered PondRAT malware.

By investigating the largest headlines in the cybersecurity space each month, we're able to better understand how modern cybersecurity measures are put into practice, and the tactics that threat actors use to bypass network security defenses.

Subscribe to the DOT Security blog to get regular updates on everything in the cybersecurity space from monthly headlines, to the latest technologies, and operational best practices!

Raptor Train Botnet Compromises 200K+ Devices

The Raptor Train IoT botnet is a major cybersecurity threat: over roughly four years of operation it has compromised more than 200,000 devices worldwide, predominantly small-office/home-office routers, IP cameras, network video recorders, and NAS appliances. The botnet is characterized by its extensive, tiered infrastructure. Its Mirai-derived implant carries DDoS (Distributed Denial of Service) capability, although the researchers who documented it reported that they had not observed DDoS attacks launched from the botnet at the time of publication.

Its operators also use the infected devices as proxy infrastructure and as launch points for scanning and brute-force attacks against other weakly secured devices, which makes the botnet dangerous well beyond raw traffic volume.

The botnet spreads by exploiting known, unpatched vulnerabilities in IoT devices and by abusing default login credentials and weak network configurations. Because it focuses on low-security devices, Raptor Train expands rapidly, enrolling new systems with minimal effort. The implant runs in memory without a persistence mechanism, so a reboot removes it, but a device that remains unpatched and exposed is simply re-infected.

The attack surface includes not only consumer devices but also critical infrastructure, with the potential to cause widespread disruption if left unchecked. With the rapid expansion of IoT systems, these devices are a prime target for attackers because of their limited built-in security features and the infrequency with which they are patched.

Researchers from Lumen's Black Lotus Labs discovered the botnet and noted that its operators use a tiered, frequently rotated command-and-control (C2) infrastructure, which makes detection and mitigation challenging. Because the IP addresses and domains Raptor Train uses keep changing, indicator-based blocking alone is not enough; security teams also need to recognise the behaviour of infected devices on their own networks.

Additionally, the botnet’s ability to remain stealthy and its operators’ resilience in maintaining the infrastructure indicate a high level of sophistication and technical capability behind the scenes.
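One practical way to act on that point, as an added example that is not part of the original article or of the Black Lotus Labs research: instead of chasing rotating C2 addresses, look at the behaviour of the IoT devices themselves. The Python script below reads a constructed flow log (the IoT VLAN address, the thresholds, and every traffic record are assumptions made for this example) and flags hosts that contact many distinct external addresses on a near-constant cadence, which is how beaconing to rotating C2 tends to look in egress telemetry.

```python
"""Spot IoT hosts that beacon to rotating external addresses.

Blocking rotating C2 by IP or domain fails because the indicator changes.
A behavioural check on egress flows from the IoT VLAN does not need the
indicator: a camera or router that talks to many distinct external hosts at
a near-constant interval looks nothing like legitimate device traffic
(NTP, a firmware update check, a single cloud relay).
"""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

IOT_VLAN = ip_network("192.168.50.0/24")          # assumed IoT segment
# RFC 1918 space; anything else counts as external for this example.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]

# Constructed sample flow log (not real telemetry). External destinations
# use the RFC 5737 documentation ranges. Columns: timestamp src dst dport
SAMPLE_FLOWS = """\
2024-09-20T10:00:00 192.168.50.21 203.0.113.10   443
2024-09-20T10:05:01 192.168.50.21 203.0.113.44   443
2024-09-20T10:10:00 192.168.50.21 198.51.100.7   443
2024-09-20T10:15:02 192.168.50.21 198.51.100.90  443
2024-09-20T10:20:01 192.168.50.21 203.0.113.130  443
2024-09-20T10:25:00 192.168.50.21 198.51.100.250 443
2024-09-20T10:00:12 192.168.50.30 192.168.50.1   53
2024-09-20T10:03:40 192.168.50.30 203.0.113.10   443
2024-09-20T11:47:09 192.168.50.30 203.0.113.10   443
2024-09-20T10:02:00 192.168.50.40 198.51.100.5   123
2024-09-20T10:37:00 192.168.50.40 198.51.100.5   123
2024-09-20T11:12:00 192.168.50.40 198.51.100.5   123
2024-09-20T11:47:00 192.168.50.40 198.51.100.5   123
2024-09-20T12:22:00 192.168.50.40 198.51.100.5   123
"""


def parse_flows(text):
    """Parse 'timestamp src dst dport' lines; blank lines and comments are skipped."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport = line.split()
        flows.append((datetime.fromisoformat(ts), ip_address(src),
                      ip_address(dst), int(dport)))
    return flows


def is_external(addr):
    return not any(addr in net for net in INTERNAL_NETS)


def find_beaconing_hosts(flows, vlan=IOT_VLAN, min_flows=5,
                         min_distinct_dst=4, max_jitter=0.2):
    """Return {src: stats} for hosts in `vlan` whose external connections
    reach at least `min_distinct_dst` addresses at a regular interval
    (coefficient of variation of the gaps between connections <= max_jitter)."""
    by_src = defaultdict(list)
    for ts, src, dst, _ in flows:
        if src in vlan and is_external(dst):
            by_src[src].append((ts, dst))

    suspects = {}
    for src, events in by_src.items():
        if len(events) < min_flows:
            continue                      # too few samples to judge cadence
        events.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        avg = mean(gaps)
        jitter = pstdev(gaps) / avg if avg > 0 else float("inf")
        distinct = {dst for _, dst in events}
        if len(distinct) >= min_distinct_dst and jitter <= max_jitter:
            suspects[str(src)] = {
                "flows": len(events),
                "distinct_destinations": len(distinct),
                "mean_interval_s": round(avg, 1),
                "jitter": round(jitter, 3),
            }
    return suspects


if __name__ == "__main__":
    for host, stats in find_beaconing_hosts(parse_flows(SAMPLE_FLOWS)).items():
        print(host, stats)
```

In the sample, 192.168.50.40 polls one address every 35 minutes (an NTP-like pattern: regular, but a single destination) and is not flagged; 192.168.50.21 hits six different external hosts every five minutes and is. Tune `min_distinct_dst` and `max_jitter` to the environment, and treat a hit as a candidate for isolation plus a firmware and credential check, not as a conviction.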

The continued evolution of IoT botnets like Raptor Train underscores the importance of maintaining cybersecurity hygiene, especially for IoT systems that often lack robust security features. Without proper safeguards, these devices become easy targets, and the consequences range from system downtime and data theft to significant financial losses.

Regular monitoring, vulnerability management, and a [proactive defense](https://dotsecurity.com/insights/blog-reactive-proactive-cybersecurity-measures) posture are key to mitigating this growing threat.

Europol Shuts Down Mobile Phishing Campaign

Europol, along with various European law enforcement agencies, dismantled a massive phishing operation targeting mobile users through Operation KAERB. The phishing ring used smishing (SMS phishing) and fake websites to steal victims' banking credentials, often impersonating legitimate banks.

The criminals stole funds from unsuspecting users after gaining access to their accounts through fraudulent messages and fake banking portals.

The phishing group operated across multiple countries, affecting thousands of victims and accumulating over €1 million in stolen assets. The group constantly adapted its tactics, which made its activity hard to trace. The investigation led to the arrest of 12 individuals and significant asset seizures during coordinated raids, demonstrating the scale of the criminal operation.

Europol's European Cybercrime Centre (EC3) coordinated the months-long investigation, which highlights the need for cross-border collaboration against cybercrime. By sharing intelligence and coordinating law enforcement efforts across Europe, the agencies involved took down the infrastructure behind the scheme.

Europol continues to warn the public about phishing and urges caution with unsolicited messages. It emphasizes that phishing, and SMS-based phishing in particular, remains a widespread threat built on social engineering. Users should verify any message that claims to come from their bank through a channel they already trust, such as the bank's app or the number printed on their card, rather than through the message itself, and should avoid opening links in unexpected texts.
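The smishing lure described above can be triaged automatically before a user ever sees it. What follows is an added example, not code from the article or from Europol: a Python script that extracts every URL from an SMS, decodes punycode hostnames, and compares the registrable domain against a bank's known domains. The bank name, its legitimate domains, and the sample messages are all constructed for the example; the "eTLD+1" logic is deliberately crude and a production version would use the public suffix list.

```python
"""Triage an SMS for bank-impersonation indicators.

A smishing message needs two things: text that sounds like the bank and a
link that looks like the bank's site. This check scores the link: an exact
match against the bank's real domains passes, while a URL shortener, the
brand name inside some other domain, or a domain within two edits of the
real one (including homograph/punycode forms) is flagged. Urgency wording
is reported alongside a suspicious link.
"""
import re
from urllib.parse import urlsplit

# Hypothetical bank (constructed for the example).
BRAND = "examplebank"
LEGIT_DOMAINS = {"examplebank.com", "examplebank.co.uk"}
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd"}
URGENCY = ("suspended", "verify", "locked", "immediately", "unusual activity")
CC_SECOND_LEVEL = {"co", "com", "org", "net", "gov", "ac"}
URL_RE = re.compile(r"(?:https?://|www\.)[^\s<>\"']+", re.IGNORECASE)

# Punycode form of a homograph domain, as it would appear in the SMS.
PUNY_HOST = "exämplebank.com".encode("idna").decode("ascii")

# Constructed sample messages (not real smishing texts).
SAMPLE_MESSAGES = [
    "ExampleBank: your account is locked. Verify immediately at "
    "https://examplebank-secure.com/verify",
    f"Unusual activity detected. Confirm your card at https://{PUNY_HOST}/auth",
    "Your parcel is waiting: https://bit.ly/3abcXYZ",
    "ExampleBank: your new statement is available at "
    "https://www.examplebank.com/statements",
]


def levenshtein(a, b):
    """Edit distance between two strings (standard dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host):
    """Crude eTLD+1: last two labels, or three for ccTLD second-level suffixes
    such as .co.uk. Use the public suffix list for real deployments."""
    labels = host.lower().rstrip(".").split(".")
    if (len(labels) >= 3 and labels[-2] in CC_SECOND_LEVEL
            and len(labels[-1]) == 2):
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def triage_sms(text):
    """Return a list of findings for the message; an empty list means clean."""
    findings = []
    for raw in URL_RE.findall(text):
        url = raw if raw.lower().startswith("http") else "http://" + raw
        host = urlsplit(url).hostname or ""
        try:
            host = host.encode("ascii").decode("idna")   # xn-- labels -> unicode
        except UnicodeError:
            pass
        domain = registrable_domain(host)
        if domain in LEGIT_DOMAINS:
            continue
        if domain in SHORTENERS:
            findings.append(f"shortened link hides destination: {raw}")
        elif BRAND in host:
            findings.append(f"brand name in non-bank domain: {host}")
        elif min(levenshtein(domain, d) for d in LEGIT_DOMAINS) <= 2:
            findings.append(f"lookalike of bank domain: {host}")
        else:
            findings.append(f"link to unrelated domain: {host}")
    urgency = [w for w in URGENCY if w in text.lower()]
    if urgency and findings:
        findings.append("urgency language: " + ", ".join(urgency))
    return findings


if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(msg[:60], "->", triage_sms(msg) or "clean")
```

Only the message that links to the bank's real domain comes back clean; the brand-in-subdomain, homograph and shortener variants are each flagged for a different reason. The same logic can sit in a mail or SMS gateway, or back a "is this link really my bank" check in a banking app.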

Hacktivist Group Twelve Targets Russia

The hacktivist group known as Twelve has launched a cyberattack against Russian government websites in retaliation for Russia's ongoing war in Ukraine. Targeting a wide range of government portals, including those linked to critical infrastructure, the group sought to disrupt communications and send a political message.

They claim their attacks are part of a larger movement of digital resistance against Russian aggression, aiming to expose vulnerabilities within Russia’s cyber defenses.

Twelve reportedly used Distributed Denial of Service (DDoS) attacks, among other methods, to overload Russian websites, rendering them inaccessible. The group made public statements about their actions, highlighting their commitment to destabilizing the Russian government's online presence as a form of protest.

Their attacks follow a series of cyber efforts by hacktivist collectives supporting Ukraine since the war began, underscoring the growing intersection of global politics and cyber activism.

The attacks also reveal how hacktivist groups like Twelve are becoming increasingly organized and technologically savvy. These groups often operate with a specific political agenda, leveraging cyber tools to exert pressure on state actors. Twelve’s actions not only disrupt governmental operations but also aim to inspire other activists to engage in similar forms of digital resistance.

As these types of cyberattacks intensify, cybersecurity experts warn of potential escalation in cyber warfare, with Russia likely to retaliate. The incident highlights the ongoing cyber battle between pro-Ukraine and pro-Russian forces, and the increasingly blurred lines between state-sponsored cyber warfare and independent hacktivist activity.

Threat Actors Hide PondRAT Malware in Python Packages

The recently discovered PondRAT malware is being distributed through malicious Python packages on PyPI, a popular repository for open-source software. Tied to the North Korean-affiliated Lazarus Group, this malware specifically targets developers' systems as part of a larger campaign, potentially compromising entire supply chains.

The malware, disguised in seemingly legitimate packages, downloads and runs a Remote Access Trojan (RAT) on infected systems, capable of file manipulation and command execution. It shares similarities with the POOLRAT malware, and its reach spans Linux and macOS environments.

The attack is linked to the broader "Operation Dream Job" campaign, which lures victims with fake job offers to trick them into downloading malware. The malicious packages—such as "real-ids" and "coloredtxt"—have since been removed from PyPI, but they had amassed hundreds of downloads before being detected.

Once installed, the packages download additional malware from a remote server, allowing attackers to gain persistent access to compromised systems.

PondRAT shares key characteristics with previous malware used by the Lazarus Group, including POOLRAT and AppleJeus, which have been used in high-profile supply chain attacks. The malware allows attackers to upload and download files, pause operations, and execute arbitrary commands, making it a versatile tool for cyber espionage and theft.

The similarities between Linux and macOS variants of the malware suggest a highly coordinated effort to target multiple platforms successfully.

The disclosure of this attack raises concerns about the security of open-source software repositories, where developers routinely download packages to build applications. This case highlights the potential risks to organizations when malicious actors weaponize trusted ecosystems, with consequences that could spread far beyond the initial infection point.

Security experts accordingly stress verifying the integrity and provenance of third-party packages before installing them, for example by pinning versions and hashes and reviewing what a package does at install time, and monitoring developer systems for unusual activity.

Signing Off

The stories this month highlight the dangers of adopting too many IoT devices with too little security, the amount of time it takes for international law enforcement to shut down large-scale operations like global phishing schemes, the intricate relationship between advanced technology and global politics, and lastly the vital importance of vetting third-party dependencies and practicing secure development when building apps.

Keeping up with the biggest cybersecurity news stories not only keeps you informed but also deepens your understanding of the key elements in a robust cybersecurity strategy and how they work together to protect your data, yourself, and, most importantly, your people.

If you’re looking for a place to get regular updates on everything cybersecurity from the biggest news stories to the latest developments in technologies and best practices, subscribe to the DOT Security blog where we cover it all!