01 OverviewRecently, the domestic AI large model DeepSeek has been subjected to large-scale cyber attacks, resulting in multiple service interruptions. This has attracted attention from the domestic security industry. According to a monitoring report from Qihoo 360’s XLab, it was found that the zombie networks RapperBot and HailBot launched DDoS attacks against DeepSeek. To more effectively assess the risks and support the prevention of related attacks, Antiy CERT extracted the zombie trojan samples used by these two zombie networks from the “Cyber Brain” platform sample library for further analysis.02 Sample Analysis
2.1 The Origins of RapperBot and HailBot — Mirai
Both RapperBot and HailBot are products of the source code leak of the Mirai botnet. The Mirai botnet was first discovered in 2016 and quickly attracted widespread attention. Its name comes from the Japanese word for “future.” Unlike traditional botnets that primarily target Windows systems, Mirai infects and controls network cameras, home routers, and other IoT devices to build a botnet system. In 2016, it came to light due to the “DYN incident,” and the three authors of Mirai, Paras Jha, Josiah White, and Dalton Norman, are all Americans. The three operated a company called Protraf Solutions LLC, which claimed to provide DDoS attack protection but actually used the botnet to launch DDoS attacks for extortion and profit. In 2018, they were sentenced to five years of probation, 2,500 hours of community service, and ordered to pay $127,000 in restitution, and to voluntarily forfeit any cryptocurrency obtained during the criminal period.
Mirai specifically targets IoT devices for automated penetration, such as routers, network cameras, and digital video recorders (DVRs), which often fall outside the security operation perspective or are home devices, commonly having issues like unchanged default passwords or simple passwords, and outdated firmware versions. Through password cracking and vulnerability exploitation, Mirai gains access to these devices and uploads malicious code to run on them, turning them into controlled zombie nodes. A notable feature of this botnet is its modular design and self-updating capability, allowing it to quickly adapt to changing security environments and add new attack methods. Once infected, devices will automatically execute scanning tasks and attempt to spread the malware to other devices, thereby building large botnet clusters.
On September 30, 2016, the source code of the Mirai botnet was publicly leaked on GitHub. Attackers have customized and modified the source code, resulting in multiple variant families, including RapperBot and HailBot. The modification methods include but are not limited to replacing the control domain name (to evade security vendor bans), disguising login authentication mechanisms (to mimic legitimate device traffic), and obfuscating communication protocol fields (such as modifying the structure of the heartbeat packet to bypass detection rules). Due to the high reusability of the source code, global black market groups can build “same-source heterogeneous” botnet clusters at low cost—these variants may present differences in surface functionality, but their core infection logic, C2 command structure, and attack modules are inherited from the original Mirai architecture, making it difficult to trace the associations of the controlling organizations behind them.
2.2 RapperBot Botnet
RapperBot is a botnet developed based on the Mirai source code, with multiple versions capable of running on different architecture processors such as ARM, MIPS, SPARC, and x86. It was named “RapperBot” because an early sample contained a link to a rap video.

Figure 2-1 RapperBot early sample containing a link to a rap video
The string in the code “follow me on instant gram @2tallforfood, pause it. Fuck Bosco.” translates to “Find me on Instagram @2tallforfood, pause it. Fuck Bosco,” where @2tallforfood is an account of a singer on the YouTube channel ALL URBAN CENTRAL, which has only two videos before 2021: @2TallForFood – Diamonds Is Lit (Official Video) and @2tallforfood – I Am Da Bag (Official Video). The song “Fuckbosco” is another title by this singer, who is relatively obscure, with video views not exceeding 500 at the time of this report.
The YouTube channel ALL URBAN CENTRAL was established in 2014 as an American music entertainment channel, primarily featuring music rap and hip hop, as well as celebrity news. It has about 3 million subscribers, and most of its videos are under 6 minutes, with a total view count exceeding 2 billion. It generates revenue through subscriptions and ranks around 4000 in the music category in the US.

Figure 2-2 Video linked in the early sample of RapperBot
2.2.1 Sample Tags
Table 2-1 RapperBot early version sample tags
|
Virus Name |
Trojan/Linux.Mirai[Backdoor] |
|
MD5 |
9E331675D780AF4585857B1F95B40CBB |
|
Processor Architecture |
i386 |
|
File Size |
66.47 KB (68068 bytes) |
|
File Format |
ELF |
|
Digital Signature |
None |
|
Packing Type |
None |
|
VT First Upload Time |
2022-06-17 08:10:19 |
|
VT Detection Result |
38/64 |
Table 2-2 RapperBot new variant sample tags
|
Virus Name |
Trojan/Linux.Mirai[Backdoor] |
|
MD5 |
BEC7596CFB1225900673398ABB24FFA8 |
|
Processor Architecture |
i386 |
|
File Size |
80.47 KB (82400 bytes) |
|
File Format |
ELF |
|
Digital Signature |
None |
|
Packing Type |
None |
|
VT First Upload Time |
2024-07-02 02:21:30 |
|
VT Detection Result |
37/63 |
Note:Due to the strong preprocessing capabilities of Antiy’s AVL SDK antivirus engine, it can detect transformed derivative samples with fewer high-quality rules. As of the writing of this article, the detection results for RapperBot samples are all Mirai, hence this note.
2.2.2 Propagation Methods
2.2.2.1 SSH Brute Force
Some variants of the RapperBot botnet family propagate through SSH brute force. In early samples, the credential list was hardcoded in the file, while later variants changed to obtaining the credential list from the C2 server. After successfully brute-forcing the SSH server, RapperBot executes shell commands to replace the ~/.ssh/authorized_keys file on that server, thus maintaining remote access to the victim server.

Figure 2-3 Part of the SSH brute force credential list hardcoded in the file
2.2.2.2 Telnet Default Password Probing
Some RapperBot botnet variants probe devices using default Telnet passwords, with target device keywords, default usernames, and passwords hardcoded in the file.

Figure 2-4 Telnet username/password table hardcoded in the sample file
From the hardcoded information attempted for brute force in related samples, it can be seen that the targets of these RapperBot variants are mostly common network devices and IoT devices.
Table 2-3 RapperBot built-in user probing login services, usernames, passwords, and possible associated devices(The table content is based on DeepSeek’s organized output and has been manually revised, hence this note)
|
Service/Module |
Username |
Password |
Possible Associated Services/Brands/Device Types |
|
tc login |
dnsekakf2$$ |
“” (empty) |
DASAN customized network devices |
|
tc login |
dnsekakf2$$ |
dnsekakf2$$ |
DASAN customized network devices |
|
tc login |
user |
1234 |
DASAN customized network devices |
|
tc login |
admin |
TeleCom_1234 |
China Telecom customized devices |
|
tc login |
admin |
TJ2100Npassword |
Tejas Networks TJ2100N optical modem or gateway |
|
tc login |
admin |
admin |
Various mainstream network devices |
|
tc login |
&unk_19130 |
1234 |
Possible IoT devices such as cameras |
|
soc1 |
default |
Default |
Various industrial products and software |
|
soc1 |
default |
password |
Various industrial products and software |
|
TAG |
default |
password |
Suspected IoT devices |
|
PXICPU |
default |
password |
Some industrial embedded controllers devices |
|
TX25 |
default |
password |
Suspected wireless devices |
|
PK |
admin_404A03Tel |
zyad5001 |
ZyXEL (合勤) routers |
|
PK |
admin_404A03Tel |
Centurylink |
ZyXEL (合勤) routers |
|
PK |
admin_404A03Tel |
QwestM0dem |
ZyXEL (合勤) routers |
|
PK |
admin |
Centurylink |
ZyXEL (合勤) routers |
|
PK |
admin |
QwestM0dem |
ZyXEL (合勤) routers |
|
PK |
admin |
zyad5001 |
ZyXEL (合勤) routers |
|
abloom |
nobody |
“” (empty) |
Abloom brand IoT devices |
|
abloom |
admin |
Abloom |
Abloom brand IoT devices |
|
abloom |
root |
Abloom |
Abloom brand IoT devices |
|
SAP |
nobody |
“” (empty) |
SAP testing environment or IoT devices |
|
SAP |
admin |
Admin |
SAP NetWeaver application server |
|
RG- |
ftp |
Video |
Network video recorders (NVR) or IP cameras |
|
buildroot login |
default |
Default |
Various embedded Linux systems |
|
mico |
root |
“” (empty) |
Embedded systems |
2.2.3 Behavior Analysis
The early versions of RapperBot support fewer types of DoS attack methods, including TCP STOMP attacks and UDP flood attacks. The new variants of RapperBot support similar commands to the early samples but can execute a wider variety of DoS attacks.Table 2-4 Comparison of command functions between early versions and new variants
|
Command Code |
RapperBot Early Version Functions |
RapperBot New Variant Functions |
|
1 |
Maintain connection status |
Online packet |
|
2 |
Stop DoS attack and terminate |
Response packet |
|
3 |
Execute DoS attack |
Heartbeat packet |
|
4 |
Stop DoS attack |
Execute DoS attack |
|
5 |
None |
Stop DoS attack and terminate |
|
6 |
None |
Close C2 connection |
When attackers conduct DoS attacks, they execute the corresponding functional functions by selecting pre-set sequence numbers to carry out specific DoS attacks. This indicates that the commands supported by RapperBot samples primarily focus on initiating DoS attacks, and throughout its development from early to present, the developers have gradually improved RapperBot’s DoS attack capabilities to support large-scale DDoS attack activities.Table 2-5 RapperBot new variants support various DoS attacks
|
Attack Command |
DoS Attack Type |
Attack Description |
|
0 |
UDP flood attack |
Consumes the victim’s network bandwidth by sending a large number of UDP packets. |
|
1 |
UDP packet forgery |
Attackers send a large number of forged UDP packets to the target server, tricking the server into responding and consuming the victim’s network bandwidth. |
|
2 |
GRE-IP flood attack |
Consumes the victim’s network bandwidth by sending a large number of GRE protocol data encapsulated with IP network packets. |
|
3 |
GRE-Eth flood attack |
Consumes the victim’s network bandwidth by sending a large number of GRE protocol data encapsulated with Eth network packets. |
|
4 |
SYN flood attack |
By sending a large number of SYN packets, the server creates a large number of half-connection requests, consuming system memory and CPU resources. |
|
5 |
ACK flood attack |
Consumes the victim’s network bandwidth by sending ACK packets with random source ports, destination ports, and data. |
|
6 |
ACK-PSH flood attack |
Establishes a connection with the server by sending ACK responses with PSH flags, sending a large number of requests to consume the victim’s network bandwidth. |
|
7 |
TCP flood attack |
Consumes the victim’s network bandwidth by sending a large number of TCP packets. |
|
8 |
HTTP flood attack |
Attackers send a large number of HTTP messages to the target server, consuming the victim’s network bandwidth and server resources. |
2.3 HailBot Botnet
HailBot is a botnet developed based on the Mirai source code, capable of running on different architecture processors such as ARM, x86, x64, and MIPS. It is named HailBot because it outputs “hail china mainland” to the console during runtime.
2.3.1 Sample Tags
Table 2-6 HailBot early version sample tags
|
Virus Name |
Trojan/Linux.Mirai[Backdoor] |
|
MD5 |
C4526600A90D4E1EC581D1D905AA6593 |
|
Processor Architecture |
x64 |
|
File Size |
68.6 KB (70,295 bytes) |
|
File Format |
BinExecute/Linux.ELF[:X64] |
|
Digital Signature |
None |
|
Packing Type |
None |
|
VT First Upload Time |
2024-02-23 06:43:16 |
|
VT Detection Result |
41/66 |
Table 2-7 HailBot new variant sample tags
|
Virus Name |
Trojan/Linux.Mirai[Backdoor] |
|
MD5 |
2DFE4015D6269311DB6073085FD73D1B |
|
Processor Architecture |
ARM |
|
File Size |
74.7 KB (76,572 bytes) |
|
File Format |
BinExecute/Linux.ELF[:ARM] |
|
Digital Signature |
None |
|
Packing Type |
None |
|
VT First Upload Time |
2024-09-23 18:35:26 |
|
VT Detection Result |
42/63 |
Note:Due to the strong preprocessing capabilities of Antiy’s AVL SDK antivirus engine, it can detect transformed derivative samples with fewer high-quality rules. As of the writing of this article, the detection results for HailBot samples are all Mirai, hence this note.
2.3.2 Behavior Analysis
HailBot outputs “hail china mainland” to the console during runtime, which clearly has the intent to frame China, and its expression is obviously inconsistent with Chinese language logic.
Figure 2-5 HailBot outputs specific strings to the console
When Mirai series zombie programs go online, they send online data packets to the C2 server. The original online data packet of Mirai is four bytes long, with the content |00 00 00 01|, while HailBot modifies it to eight bytes |31 73 13 93 04 83 32 01|, allowing the C2 server to recognize that its traffic comes from HailBot, while also evading detection by security scanning mechanisms that use the original online packet.

Figure 2-6 HailBot sends eight specific bytes when connecting to C2
HailBot spreads by exploiting vulnerabilities, including the long-used CVE-2017-17215 vulnerability, which exists in the UPnP (Universal Plug and Play) service of specific versions of routers. Attackers can exploit this vulnerability by sending specially crafted HTTP requests to execute arbitrary code on the device.
Figure 2-7 HailBot vulnerability exploitation payload
The early versions of HailBot have three TCP attack methods and one UDP attack method, while the latest version has upgraded to five TCP attack methods and three UDP attack methods, providing attackers with more options and combinations for attacks, thus posing a greater threat.
Table 2-8 Old version HailBot commands
|
Command Number |
Function |
Impact |
|
0 |
TCP flood attack |
Consumes the victim’s network bandwidth by sending a large number of TCP requests of 500 to 900 bytes. |
|
1 |
UDP flood attack |
Consumes the victim’s network bandwidth by sending a large number of UDP requests. |
|
2 |
GRE IP flood attack |
Consumes the victim’s network bandwidth by sending a large number of GRE protocol data encapsulated with IP network packets. |
|
3 |
SYN flood attack |
By sending a large number of SYN packets, the server creates a large number of half-connection requests, consuming system memory and CPU resources. |
Table 2-9 New version HailBot commands
|
Command Number |
Function |
Impact |
|
0 |
TCP flood attack |
Creates connections and sends a large number of TCP requests of 500 to 900 bytes, consuming the victim’s network bandwidth. |
|
1 |
SSDP flood attack |
Utilizes the Simple Service Discovery Protocol (SSDP) to send a large number of “discovery message” requests, causing the victim to respond and consuming the victim’s memory and CPU resources. |
|
2 |
GRE IP flood attack |
Consumes the victim’s network bandwidth by sending a large number of GRE protocol data encapsulated with IP network packets. |
|
3 |
SYN flood attack |
By sending a large number of SYN packets, the server creates a large number of half-connection requests, consuming system memory and CPU resources. |
|
4 |
UDP flood attack (512 bytes) |
Sends a large number of 512-byte UDP requests, consuming the victim’s network bandwidth. |
|
5 |
UDP flood attack (1024 bytes) |
Sends a large number of 1024-byte UDP requests, consuming the victim’s network bandwidth. |
|
6 |
TCP STOMP flood attack |
Creates connections and sends a large number of 768-byte data packets, consuming the victim’s network bandwidth. |
|
7 |
TCP ACK flood attack |
Consumes the victim’s network bandwidth by sending ACK packets with random source ports, destination ports, and data. |
In addition, HailBot has also changed its encryption methods. In early versions, HailBot used a simple XOR algorithm to encrypt strings such as C2 addresses and attack payloads, with the XOR bytes being constants hardcoded in the program.

Figure 2-8 Early version HailBot encryption algorithm
In subsequent versions, HailBot switched to the chacha20 stream cipher encryption algorithm for string encryption, increasing the strength of string encryption and reducing static characteristics of strings, making them harder to detect and analyze.
Figure 2-9 HailBot chacha20 round operation code
03 Summary
In summary, the attack modes of HailBot and RapperBot primarily rely on the massive zombie nodes (botnet clusters) they control, continuously consuming the target host’s bandwidth resources, TCP connection pool capacity, and CPU power required for connection processing by sending forged request data packets at high frequency. This attack method, while belonging to the traditional DDoS (Distributed Denial of Service) category, remains one of the core threats to internet infrastructure today. The fundamental contradiction lies in the fact that the defender’s resources naturally have limits (such as computing performance and network throughput), while the attacker can continuously expand the scale of the botnet at almost zero marginal cost through automated scanning and malicious code injection, creating an asymmetry of resources between the attacker and defender.
After the global explosion of DeepSeek, it experienced exponential growth in user numbers, API call volumes, and concurrent requests in a short period, causing the underlying infrastructure to remain in a high-load critical state. Against this backdrop, the addition of large-scale DDoS attacks (such as massive text generation requests launched through botnets) directly triggered a surge in service response delays, API rate limiting, and even cluster overload crashes, severely impacting user experience and business continuity.
For internet resource service providers, methods to prevent DDoS attacks are relatively mature and require a deep integration of resource investment and routine security operations, necessitating cooperation among service providers, infrastructure providers, and regulatory agencies. This includes deploying more resilient distributed, multi-region, multi-link service architectures, using load balancer devices and strategies, enhancing bandwidth and hardware facilities, and improving system throughput capacity; as well as improving security monitoring, traffic cleaning, and dynamically adjusting relevant security policies.
For the security operations of government and enterprise institutions, strengthening protection to prevent devices from becoming zombie nodes is also a contribution to curbing the spread of botnets. Timely detection and handling of infected nodes is a very important task. From the analysis in this article, the basic security governance of terminals and IoT devices is key, including changing default passwords, controlling access policies for network devices and IoT device management ports, and timely firmware patch upgrades. On the endpoint and cloud side, it is necessary to deploy security products with effective protection capabilities, such as antivirus, EDR, CWPP, etc., to build a solid security foundation.
For regulatory agencies, DDoS governance involves a large amount of resource coordination, especially international governance collaboration, which further increases the difficulty of governance. There is a need to improve stronger technical resources and system capabilities at the national security and public safety levels.
While improving basic protection and security governance, we also need to further focus on researching the risk evolution of new technologies. The development of new technologies is always bound to the dynamic evolution of security threats in three ways: bringing new threats, promoting the escalation of traditional threats, and becoming targets of attacks themselves. Generative artificial intelligence and large model technologies are no exception, as they have driven the automation level of traditional attack techniques, rapidly matured deep forgery attack techniques, and themselves have become high-value targets.
Compared to traditional web services (such as CGI dynamic pages or search engines), the computational power consumption of generative AI in a single interaction is significantly higher, and the open API interfaces are easily abused by attackers as computational resource black holes. The business characteristics and risk scenarios of large model platforms present significant particularities, which require us to be more vigilant about computational resource attack risks. To support high-concurrency inference requests and long-context interactions, platforms need to deploy large-scale GPU clusters and real-time scheduling systems. Attackers can design low-traffic, high-impact precision attack chains targeting these computationally intensive, low-latency-sensitive characteristics, such as maliciously constructing model parameter queries (e.g., triggering high-dimensional tensor calculations), where a single request can consume several times the GPU resources of a conventional task; context injection attacks, by embedding specific prompt words to force the model to execute recursive parsing, leading to CPU/memory resource exhaustion. The cost-effectiveness ratio of such attacks far exceeds that of traditional DDoS (which can paralyze services without massive botnets) and is easier to bypass traffic threshold-based protection strategies.
At the same time, we also need to further pay attention to the data security risks of big data platforms: due to the intertwining storage of multi-tenant data involved in large model training and inference processes, residual tuning parameters, etc., sensitive information leakage (such as user privacy data leaking through model output side channels) may occur. During the data labeling process, files containing malicious code that are not cleaned may lead to virus infection spread in the labeling engineer’s work environment and data platform, system performance degradation, and even data being ransomed or stolen. It is necessary to consider strengthening the virus cleaning of data files to be labeled, enhancing fine-grained isolation control capabilities and security detection and protection capabilities, thereby enhancing the threat resistance capabilities of large model platforms.
Therefore, the security construction of large model platforms needs to achieve dual-track progress: on one hand, improve the security of the underlying infrastructure: strengthen defense, monitoring, resource isolation, and other mechanisms at the levels of cloud hosts, container clusters, APIs, etc., effectively defending against penetration and invasion risks, supplemented by elastic scaling and real-time circuit-breaking mechanisms to resist resource exhaustion attacks; on the other hand, improve security capabilities from architecture, design, business logic, and coding optimization levels, including but not limited to: building a deep defense system at the model interaction layer through prompt injection detection, sandboxing of inference processes, data lineage tracking, etc. Embed security capabilities deeply into the technical architecture and business flow.
History has proven that the security gains in responding to new technology risks often come from the new technology itself. Historically, the internet has greatly enhanced the accessibility of attacks, becoming a breeding ground for large-scale attack events; but it has also improved the agility of security operations. Cloud computing platforms have introduced overall disruptive risks but have also brought greater resource elasticity and unified efficient security governance. Artificial intelligence technology is also rapidly changing the capabilities and landscape of cybersecurity. Antiy itself is an active practitioner in the cybersecurity industry embracing large model technology. Our LanDi threat analysis vertical large model focuses on binary sample analysis feature engineering scenarios, breaking through token context limitations, and has already been able to run in CPU scenarios. Antiy’s computer virus classification encyclopedia is also the result of our automated operations leveraging our feature engineering and knowledge system. In areas where we are not proficient, we have also actively embraced excellent domestic large models; for the writing of this report, we used DeepSeek as an assistant.
From the launch of “Black Myth: Wukong” to the explosive popularity of DeepSeek, China’s information technology is continuously creating new legends. At the same time, it is accompanied by a succession of cyber attacks. Overcoming these risks validates the invincibility and great prospects of new things. As a long-term provider of common security capabilities for the internet industry system, Antiy, as a national team of private enterprises, is willing to provide more common security genes for strategic emerging industries, safeguarding great new things.
04 IOC
|
MD5 |
|
71B4C3FE502E6C6D5EF5E420D52D2729 |
|
C4526600A90D4E1EC581D1D905AA6593 |
|
6C6D1CCCE5946F0AA68F9E0C438C1E21 |
|
B1E0B2C046D4CB7F0A0DD87054A17AC4 |
|
6B8A9D6335D056E20DCD794B265074E3 |
|
AB2C4A13D1FE946003FFCB7DDEC064D0 |
|
9E331675D780AF4585857B1F95B40CBB |
|
EFA786F2B6F0F267F717145FAF48A95B |
|
EF9EBF4D5A1A44D0DB92DE06D3DCE7A1 |
|
BEC7596CFB1225900673398ABB24FFA8 |
References[1] Qihoo 360. Zombie networks enter the scene, targeting DeepSeek network attacks upgrade [R/OL]. (2025-01-30)
https://mp.weixin.qq.com/s/NM-zCyA4m5WJeAjPwUmYYg
[2] Antonakakis M, April T, Bailey M, et al. Understanding the Mirai Botnet [R/OL]. (2017-08-16)https://www.usenix.org/conference/usenixsecurity17/technical-sessions/presentation/antonakakis[3] Wikipedia. DDoS attacks on Dyn [R/OL]. (2016) https://en.wikipedia.org/wiki/DDoS_attacks_on_Dyn[4] Antiy. Computer Virus Encyclopedia Mirai corresponding entry [R/OL]. (2016)https://www.virusview.net/malware/Trojan/Linux/Mirai[5] Antiy. Antiy Chasing Shadow Team analyzes new propagation methods of Mirai variants [R/OL]. (2016-12-19)https://www.antiy.cn/research/notice&report/research_report/608.html
[6] Diamonds Is Lit (Official Video)
https://www.youtube.com/watch?v=fPu9hTClNWQ
[7] Fuckbosco
https://soundcloud.com/xxdannyflandersxx/fuckbosco2-a-danny-flanders-special-release
[8] Antiy. 2024 AI technology empowers cybersecurity application testing: Antiy vertical large model shows initial results in malware detection scenarios [R/OL]. (2024-09-23)
https://www.antiy.cn/About/news/20240923.htmlOriginal link: https://mp.weixin.qq.com/s/NvlVuA5urPG_r6attAiXsA
Follow the public account for more information
For membership application, please reply “individual member” or “unit member” in the public account
Welcome to follow the media matrix of the China Command and Control Society

Official website of the China Command and Control Society

Official WeChat account of the China Command and Control Society

Official website of the Journal of Command and Control

Official website of the International Unmanned Systems Conference

Official website of the China Command and Control Conference

National Military Simulation Competition

National Aerial Intelligent Game Competition

Sohu Account

Yidian Account