
Raptor Train
200,000-device botnet of compromised SOHO routers and cameras; operated by Flax Typhoon via Integrity Technology Group.
Last refreshed: 30 April 2026 · Appears in 1 active topic
If end-of-life devices cannot be patched, how do defenders cut off Raptor Train's rotating relay nodes?
Timeline for Raptor Train
Sixteen agencies put IOC extinction in print
Cybersecurity: Threats and DefencesWhat is the Raptor Train botnet and who controls it?
Why is Raptor Train so hard to block?
How can I tell if my router is part of the Raptor Train botnet?
Background
Raptor Train is a large-scale botnet of compromised small office and Home Office (SOHO) routers, NAS devices, web cameras, video recorders, and firewalls that was first publicly mapped in 2024 by threat researchers. At its peak that year, it had infected more than 200,000 devices globally, with the majority being end-of-life equipment that had not received manufacturer security patches and could not be updated. The botnet functions as a covert relay network: traffic from China-nexus intrusion operations passes through the infected devices, making the true source invisible to network defenders and rendered untraceable via standard IP blocklists.
Raptor Train was controlled and managed by Integrity Technology Group, a Beijing-based company sanctioned by OFAC in December 2025. The company operated the botnet on behalf of Flax Typhoon, using it as the primary covert infrastructure layer for Flax Typhoon's espionage campaigns targeting government, defence, telecoms, energy, healthcare, and transport sectors.
The 16-agency advisory of 23 April 2026 formally named Raptor Train and attributed its operation to Integrity Technology Group, marking the first time an allied 16-nation Coalition publicly identified the botnet by name and connected it to a specific corporate operator. The advisory highlighted the IOC extinction challenge posed by Raptor Train's architecture: because devices cycle through the botnet continuously and cannot be patched, defenders who block a set of IP addresses find those indicators obsolete within hours as the botnet routes through different nodes.