Reaper

Threat Actor updated 6 months ago (2024-05-17T18:17:28.557Z)
Reaper (FireEye's name for APT37, also tracked as Inky Squid, RedEyes, ScarCruft and Group123) is a threat actor attributed to North Korea. Its signature tool is ROKRAT, a remote access trojan first publicly documented in 2017 and still in use. The group is also tied to the NOKKI malware family, which researchers linked to KONNI through code overlap and shared infrastructure. Its most consistent targeting is South Korean media organizations and think-tank staff who work on North Korean affairs, and researchers expect that activity to continue through 2024.

The source corpus also associates the group with CloudMensis, a macOS backdoor that uses cloud storage services for command and control and, when System Integrity Protection (SIP) is disabled, grants itself privacy permissions by writing its own entries into the TCC database. That association is a co-occurrence in the source documents rather than a published attribution; the public analysis of CloudMensis did not tie it to a known group.

Two other uses of the name "Reaper" appear in the corpus and should not be confused with this actor. The first is the IoT Reaper botnet (2017), an IoT malware family derived from Mirai that was reported to have infected a very large number of devices; its source code later fed into Mozi, a botnet assembled from code from Gafgyt, Mirai and IoT Reaper. Those botnets infect routers and other network gateways, then use them to launch distributed denial-of-service (DDoS) attacks, exfiltrate data and execute further payloads. The second is the MQ-9 Reaper, the military drone; news of information leaks about security equipment at RAF Waddington in Lincolnshire, where the MQ-9 Reaper squadron is based, concerns the aircraft, not this threat actor. Neither the IoT botnet nor the drone story is evidence of APT37 activity, and they are listed here only because the shared name pulls them into keyword matches.
Description last updated: 2024-05-17T18:15:58.761Z
Possible Aliases / Cluster overlaps
Vendors use different cluster names for the same activity, so the following profiles may overlap with Reaper.
Alias: APT37 (votes: 6)
APT37 is a possible alias for Reaper. APT37, also known as RedAnt, RedEyes, ScarCruft, and Group123, is a threat actor suspected to be backed by North Korea. It has been active since at least 2012, primarily targeting South Korea across various industry verticals such as chemicals, electronics, manufacturing, aerospace, automotive, and

Alias: ScarCruft (votes: 6)
ScarCruft is a possible alias for Reaper. ScarCruft, also known as APT37, Inky Squid, RedEyes, Reaper, or Group123, is a North Korean state-sponsored threat actor known for targeting high-value individuals and organizations to further North Korea's geopolitical objectives. This group has shown its agility in adopting new malware delivery me

Alias: RedEyes (votes: 3)
RedEyes is a possible alias for Reaper. RedEyes, also known as APT37, TA-RedAnt, Reaper, ScarCruft, Group123, InkSquid, BadRAT, and Ricochet Chollima, is a North Korea-linked threat actor known for its malicious cyber activities. It recently exploited an Internet Explorer zero-day vulnerability (CVE-2024-38178 with a CVSS score of 7.5) in
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Espionage
Exploit
Apt
Payload
State Sponso...
Associated Malware
Malware: Mirai (association type: unspecified; votes: 2)
The Mirai malware is associated with Reaper in the source corpus. Mirai, a malware that targets Internet of Things (IoT) devices, was responsible for over 7 million botnet detections in early 2022. It infects devices, usually without the owner's knowledge, and the resulting botnets are used for DDoS attacks, data theft and payload delivery. The link to Reaper here comes from the IoT Reaper botnet, a Mirai derivative that shares the name, not from APT37 tooling.
Source Document References
Information about the Reaper threat actor was read from the documents below (display limited to 20 results).

Source, age at time of listing:
DARKReading, 6 months ago
DARKReading, 7 months ago
DARKReading, 7 months ago
CERT-EU, 9 months ago
CERT-EU, 9 months ago
DARKReading, 10 months ago
CERT-EU, a year ago
CERT-EU, a year ago
DARKReading, a year ago
CERT-EU, a year ago
CERT-EU, a year ago
DARKReading, a year ago
CERT-EU, a year ago
CERT-EU, a year ago
CERT-EU, a year ago
BankInfoSecurity, a year ago
BankInfoSecurity, a year ago
CERT-EU, a year ago
CERT-EU, a year ago
MITRE, 2 years ago