
Raptor Train
200,000-device botnet of compromised SOHO routers and cameras; operated by Flax Typhoon via Integrity Technology Group.
Last refreshed: 30 April 2026 · Appears in 1 active topic
If end-of-life devices cannot be patched, how do defenders cut off Raptor Train's rotating relay nodes?
Timeline for Raptor Train
Sixteen agencies put IOC extinction in print
- What is the Raptor Train botnet and who controls it?
- Raptor Train is a botnet of over 200,000 compromised routers, cameras, and NAS devices used as a covert relay network for China-nexus espionage. It was managed by Integrity Technology Group, a Beijing company sanctioned by OFAC in December 2025, on behalf of Flax Typhoon. It was first publicly named in a 16-agency joint advisory on 23 April 2026. (Source: NCSC 16-agency advisory)
- Why is Raptor Train so hard to block?
- Raptor Train is built from end-of-life routers, cameras, and NAS devices that cannot receive security patches. The botnet continuously cycles through new compromised nodes, meaning any IP blocklist defenders publish becomes obsolete within hours. The 16-agency advisory called this 'IOC extinction' and said it defeats traditional blocklist-based defences entirely. (Source: NCSC 16-agency advisory)
- How can I tell if my router is part of the Raptor Train botnet?
- The advisory recommends baselining all edge-device traffic to detect anomalous outbound connections. Signs include unexpected outbound connections to unfamiliar IP ranges, firmware modifications not triggered by official updates, and elevated CPU or bandwidth usage on devices that should be idle. End-of-life devices with no available patches should be replaced as the primary mitigation. (Source: NCSC 16-agency advisory)
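The baselining approach the advisory recommends, and the reason a static blocklist fails against a rotating relay network, worked through in an added Python example that is not code from the advisory or from any of the agencies behind it. It learns each edge device's normal outbound destination networks, byte volumes and active hours from a window believed to be clean, then flags flows that deviate, and shows beside it that a blocklist listing a relay address that has since rotated out matches nothing. Every device name, address and flow record below is constructed; the /24 aggregation and the mean-plus-three-standard-deviations cutoff are illustrative choices, not thresholds the advisory specifies.

```python
"""Behavioural baseline for edge-device egress (constructed example).

Rather than matching outbound traffic against a static IP blocklist, which a
fast-rotating relay botnet outruns, learn each edge device's normal egress
(destination /24 networks, bytes per flow, active hours) from a clean window
and flag deviations from it.  All flow records below are constructed.
"""
from collections import defaultdict
from ipaddress import ip_network
from statistics import mean, pstdev

# Constructed flow records: (device, dst_ip, bytes_out, hour_of_day)
BASELINE_FLOWS = [
    ("cam-01", "203.0.113.10", 1200, 9),
    ("cam-01", "203.0.113.12", 1100, 10),
    ("cam-01", "203.0.113.11", 1300, 11),
    ("cam-01", "203.0.113.10", 1250, 12),
    ("rtr-01", "198.51.100.5", 4000, 9),
    ("rtr-01", "198.51.100.6", 4200, 10),
    ("rtr-01", "198.51.100.5", 3900, 11),
    ("rtr-01", "198.51.100.7", 4100, 12),
]

# Constructed flows from the monitoring window.  Both devices now push a
# large volume, off-hours, to networks never seen in their baselines.
OBSERVED_FLOWS = [
    ("cam-01", "203.0.113.12", 1150, 9),       # normal
    ("cam-01", "192.0.2.77", 950000, 3),       # new network, huge, off-hours
    ("rtr-01", "198.51.100.6", 4050, 10),      # normal
    ("rtr-01", "192.0.2.200", 880000, 2),      # rotated relay peer, new network
]

# A constructed blocklist published earlier: it lists one relay address that
# has since rotated out, so it matches nothing in the observed window.
STALE_BLOCKLIST = {"192.0.2.9"}


def dst_net(ip, prefix=24):
    """Collapse a destination address to its /24 so a single changed host
    inside a known hosting range does not trigger a false positive."""
    return str(ip_network(f"{ip}/{prefix}", strict=False))


def build_baseline(flows):
    """Learn, per device, the destination networks, byte distribution and
    active hours seen during a window believed to be clean."""
    nets, sizes, hours = defaultdict(set), defaultdict(list), defaultdict(set)
    for device, dst, nbytes, hour in flows:
        nets[device].add(dst_net(dst))
        sizes[device].append(nbytes)
        hours[device].add(hour)
    baseline = {}
    for device in nets:
        mu, sigma = mean(sizes[device]), pstdev(sizes[device])
        baseline[device] = {
            "nets": nets[device],
            # Floor sigma so a very flat baseline still yields a usable cutoff.
            "byte_cutoff": mu + 3 * max(sigma, 0.1 * mu),
            "hours": hours[device],
        }
    return baseline


def detect(baseline, flows, blocklist=frozenset()):
    """Return one alert per flow that deviates from its device's baseline.
    Each alert is (device, dst_ip, reasons); reasons are sorted so results
    compare stably."""
    alerts = []
    for device, dst, nbytes, hour in flows:
        prof = baseline.get(device)
        reasons = set()
        if dst in blocklist:
            reasons.add("blocklisted")
        if prof is None:
            reasons.add("unknown-device")
        else:
            if dst_net(dst) not in prof["nets"]:
                reasons.add("new-destination-network")
            if nbytes > prof["byte_cutoff"]:
                reasons.add("volume-spike")
            if hour not in prof["hours"]:
                reasons.add("off-hours")
        if reasons:
            alerts.append((device, dst, tuple(sorted(reasons))))
    return alerts


def blocklist_hits(flows, blocklist):
    """How many observed flows a static blocklist alone would have caught."""
    return sum(1 for _, dst, _, _ in flows if dst in blocklist)


if __name__ == "__main__":
    base = build_baseline(BASELINE_FLOWS)
    print("static blocklist hits:", blocklist_hits(OBSERVED_FLOWS, STALE_BLOCKLIST))
    for alert in detect(base, OBSERVED_FLOWS, STALE_BLOCKLIST):
        print(alert)
```

Run against the constructed window, the stale blocklist scores zero hits while the baseline raises an alert for each relay flow with three independent reasons (new network, volume spike, off-hours). In practice the baseline window must itself be vetted before it is trusted, since a device that was already relaying during learning would have its relay traffic baked in as "normal"; aggregating to /24 and flooring the deviation cutoff are the two knobs that trade false positives against sensitivity.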
Background
Raptor Train is a large-scale botnet of compromised small office/home office (SOHO) routers, NAS devices, web cameras, video recorders, and firewalls that was first publicly mapped in 2024 by threat researchers. At its peak that year, it had infected more than 200,000 devices globally, the majority being end-of-life equipment that had not received manufacturer security patches and could not be updated. The botnet functions as a covert relay network: traffic from China-nexus intrusion operations passes through the infected devices, making the true source invisible to network defenders and untraceable by standard IP blocklists.
Raptor Train was controlled and managed by Integrity Technology Group, a Beijing-based company sanctioned by OFAC in December 2025. The company operated the botnet on behalf of Flax Typhoon, using it as the primary covert infrastructure layer for Flax Typhoon's espionage campaigns targeting government, defence, telecoms, energy, healthcare, and transport sectors.
The 16-agency advisory of 23 April 2026 formally named Raptor Train and attributed its operation to Integrity Technology Group, marking the first time an allied 16-nation coalition publicly identified the botnet by name and connected it to a specific corporate operator. The advisory highlighted the IOC extinction challenge posed by Raptor Train's architecture: because devices cycle through the botnet continuously and cannot be patched, defenders who block a set of IP addresses find those indicators obsolete within hours as the botnet routes through different nodes.