RapperBot Mirai Variant Behind Surge in Layer-7 DDoS Against Gaming Industry

Akamai's Security Intelligence Response Team published research today attributing a surge of Layer-7 application-layer DDoS attacks against major game publishers and tournament platforms to RapperBot, a botnet derived from the leaked Mirai source code.

RapperBot, first observed in 2022, has grown to an estimated 65,000 active nodes by harvesting credentials from internet-exposed SSH endpoints on Linux servers and older IoT gear. Unlike its volumetric-flood predecessors, RapperBot has increasingly been used for sustained, low-and-slow HTTP request floods designed to exhaust application backends rather than saturate bandwidth.

"What we're seeing in 2026 is a shift in the DDoS economy," said Tomer Shloush, principal threat researcher at Akamai. "Volumetric attacks still make headlines, but the daily disruption is being driven by surgical Layer-7 floods that bypass CDN caches and hammer authentication, search, and matchmaking endpoints."

The attacks have hit Epic Games, Riot Games, Activision Blizzard, and the Esports Integrity Commission's tournament infrastructure over the past three months. In several cases the attacks coincided with high-profile tournament finals, suggesting both extortion and competitive-disruption motives.

Akamai recommends defenders implement bot-management with TLS-fingerprinting (JA4) and behavioral analytics, and prioritize rate-limiting on authenticated endpoints. The company also urged ISPs to enforce BCP38 ingress filtering, noting that source-address spoofing continues to amplify reflective vectors even as application-layer attacks dominate disruption time.