2026-04-17 –, Amphitheater
The U.S. Department of Justice reported that RapperBot's Command and Control (C2) servers were seized by the Defense Criminal Investigative Service (DCIS) on August 6, 2025, in conjunction with Operation PowerOFF. Two months earlier, we had taken over one of RapperBot's eight C2 domains, and about 60,000 infected devices were observed through it as of June 2025. That sinkholed domain, however, no longer works against the latest RapperBot, which removed the sinkholed domains from its C2 list.
These victim devices are likely still vulnerable even after the C2 servers were powered off. Although our honeypots were tuned to emulate Digital Video Recorders in order to capture RapperBot, they also receive exploitation attempts from other botnets. Because RapperBot has no killer routine for competing malware, exploitation by another botnet means the bot is simply replaced. Our passive darknet monitoring system is already observing non-RapperBot scan packets from devices that were formerly part of RapperBot.
From March to October 2025, we observed exploitation attempts on our honeypots that installed a new Mirai-based malware family. Its most notable feature is that it hides its own process by mounting "/proc/1" over "/proc/self". Because we could not find any existing report on this malware, we began to call it MountBot. We found that some DDoS attacks by MountBot are directly linked to attacks by the AISURU botnet. Another botnet is MooBot: log data we found on an exposed download server indicates that some former RapperBot devices were replaced with MooBot. We will present the detailed analysis results and the activities of the candidate botnets that may take over the victim devices from RapperBot.
We will also present detailed analysis results for the Mirai-based proxy peers, including those of RapperBot and the AISURU botnet.
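As an added example (not code from the talk or from NICT's tooling), one defender-side check for the process-hiding trick described above: parse `/proc/self/mountinfo` and flag any mount placed over `/proc/self`, `/proc/thread-self` or `/proc/<pid>`, which a bind mount of `/proc/1` over `/proc/self` would produce. The sample mountinfo text below is constructed for illustration.

```python
"""Detect mounts placed over per-process entries in /proc.

Added example, not part of the original talk. Parses the mountinfo format
(fields: id parent maj:min root mount_point opts ... - fstype source superopts).
"""
import re
from typing import Dict, List

# Constructed sample: the last line imitates /proc/1 bind-mounted over /proc/self.
# binfmt_misc is included because it is a legitimate mount under /proc.
SAMPLE_MOUNTINFO = """\
21 1 0:19 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
22 1 0:20 / /sys rw,nosuid,nodev,noexec,relatime - sysfs sysfs rw
23 1 8:1 / / rw,relatime - ext4 /dev/sda1 rw
30 21 0:33 / /proc/sys/fs/binfmt_misc rw,relatime - binfmt_misc binfmt_misc rw
40 21 0:19 /1 /proc/self rw,nosuid,nodev,noexec,relatime - proc proc rw
"""

# Mount points that should never be mount targets on a clean system.
SUSPICIOUS_PROC_TARGET = re.compile(r"^/proc/(self|thread-self|\d+)(/|$)")


def parse_mountinfo(text: str) -> List[Dict[str, str]]:
    """Return the root, mount point, fstype and source of every mountinfo line."""
    entries = []
    for line in text.splitlines():
        pre, sep, post = line.partition(" - ")
        pre_fields, post_fields = pre.split(), post.split()
        if not sep or len(pre_fields) < 6 or len(post_fields) < 2:
            continue  # blank or malformed line
        entries.append({
            "root": pre_fields[3].replace("\\040", " "),
            "mount_point": pre_fields[4].replace("\\040", " "),
            "fstype": post_fields[0],
            "source": post_fields[1],
        })
    return entries


def find_proc_overmounts(text: str) -> List[Dict[str, str]]:
    """Return mounts whose mount point shadows /proc/self or /proc/<pid>."""
    return [e for e in parse_mountinfo(text)
            if SUSPICIOUS_PROC_TARGET.match(e["mount_point"])]


if __name__ == "__main__":
    for hit in find_proc_overmounts(SAMPLE_MOUNTINFO):
        print(f"overmount: {hit['root']} -> {hit['mount_point']} ({hit['fstype']})")
```

On a live host, read `/proc/self/mountinfo` (or each `/proc/<pid>/mountinfo`, since a bot may do this in its own mount namespace) and pass the text to `find_proc_overmounts`.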
FURUKAWA Hideyuki is a malware analyst in the Analysis Team at the Cybersecurity Research Laboratory of National Institute of Information and Communications Technology (NICT) with 18 years of experience in binary code analysis for microcontrollers at a leading semiconductor company. His expertise spans reverse engineering and embedded systems software.