Full Report
The U.S. Department of Justice (DoJ) announced charges against the alleged developer and administrator of the "Rapper Bot" DDoS-for-hire botnet. [...]
Analysis Summary
# Threat Actor: Rapper Bot Operators (Attributed to Ethan Foltz)
## Attribution & Identity
* **Primary Identity:** Ethan Foltz, 22, of Eugene, Oregon, alleged developer and administrator of the Rapper Bot DDoS-for-hire botnet.
* **Known Aliases/Associated Groups:** The malware botnet is also known as "Eleven Eleven" and "CowBot." The operation was targeted during "Operation PowerOff."
## Activity Summary
The Rapper Bot botnet has been active since at least 2021, operating as a lucrative DDoS-for-hire service. The operation was believed to infect tens of thousands of Digital Video Recorders (DVRs) and router devices. The infrastructure was seized by U.S. authorities on August 6 (as part of Operation PowerOff).
* **Recent Activity (Cited timeframe through August 2025):** Launched 370,000 attacks, with volumes reaching several terabits per second in bandwidth and over 1 billion packets per second (pps) in packet rate, utilizing more than 45,000 compromised devices across 39 countries.
* **Diversification:** In 2023, the malware added a cryptomining module to diversify revenue streams.
* **Impact:** The botnet's firepower ranged from 2 to 6 Tbps. Following the seizure, the botnet showed no signs of resurgence, suggesting that control was centralized in the operator's hands rather than distributed across affiliates.
## Tactics, Techniques & Procedures
* **Infection Vector (Underlying):** The malware is described as Mirai-based.
* **Core Function:** Orchestrating large-scale Distributed Denial of Service (DDoS) attacks (up to 2 Tbps lasting 30 seconds).
* **Monetization TTPs:** Using the demonstrated DDoS attack volume as leverage for large-scale extortion demands against victims.
* **Secondary Function:** Deploying a cryptomining module on compromised devices.
* **MITRE ATT&CK IDs:** (Not explicitly mentioned in the article, but core activity implies T1498.004 - Resource Hijacking for Compute Power, and T1498 - Attack Against Availability).
## Targeting
* **Sectors:** U.S. government systems, major media platforms, large tech firms, and gaming companies.
* **Geography:** Targeted over 18,000 entities across 80 countries. The botnet infrastructure spanned devices in 39 countries.
* **Victims:** Over 18,000 entities globally. Specific organizations are not named beyond the categories listed above.
## Tools & Infrastructure
* **Malware Families Used:** Rapper Bot (a Mirai-based variant).
* **Infrastructure (C2, domains, IPs):** The command-and-control infrastructure was traced with assistance from Amazon Web Services (AWS) and subsequently seized by law enforcement. (The source article provides no specific IPs or domains, defanged or otherwise.)
## Implications
The successful identification and charging of a major botnet administrator demonstrate a significant law enforcement victory against financially motivated DDoS-for-hire services. The scale (up to 6 Tbps) highlights the high-end capabilities available on the cybercrime market. The addition of cryptomining indicates actor adaptation to maximize profit from compromised IoT/edge devices.
## Mitigations
* **Device Security:** The compromise of DVRs and routers underlines the need for timely patching, strong and unique credentials, and minimal exposure of remote-management services on IoT and network edge devices; Mirai-type malware spreads by brute-forcing default or weak credentials on exposed Telnet and SSH services, so closing those services to the internet and changing factory passwords removes its primary foothold.
* **DDoS Preparedness:** Organizations should maintain robust upstream DDoS mitigation services capable of absorbing multi-terabit-per-second volumetric attacks.
* **Extortion Response:** Establish clear protocols for handling DDoS-related extortion demands.