Reaper

Threat Actor updated a month ago (2024-11-29T14:37:58.563Z)

Download STIX

Preview STIX

Reaper, also known as APT37, Inky Squid, RedEyes, or ScarCruft, is a threat actor group attributed to North Korea. It deploys ROKRAT, a malicious tool that has been used in cyber exploitation since the 1970s. This group is also tied to the NOKKI malware family, which originated from research surrounding code overlap and other connections to KONNI. Reaper has been observed to use CloudMensis, a dogged malware that identifies where System Integrity Protection (SIP) is disabled to load its own malicious database. This group has been particularly active, targeting media organizations and think-tank personnel focusing on North Korean affairs, with researchers expecting this activity to continue into 2024. The Reaper threat actor group has notably affected millions of Internet of Things (IoT) devices worldwide, outshining previous malware like Mirai. The group uses IoT botnets like Mozi, which emerged from the source code of several known malware families such as Gafgyt, Mirai, and IoT Reaper. These botnets can launch distributed denial-of-service (DDoS) attacks, exfiltrate data, and execute payloads. They infect IoT devices, using network gateways as an inroad for more powerful compromises. In addition to the cyber threats, there are physical security concerns related to Reaper. Information leaks have revealed details about security equipment at locations such as RAF Waddington in Lincolnshire, where the MQ-9 Reaper attack drones squadron is based. This highlights the potential for the Reaper threat actor group to exploit vulnerabilities not only in cyberspace but also in real-world military infrastructure.

Description last updated: 2024-05-17T18:15:58.761Z

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.

Alias Description	Votes
APT37 is a possible alias for Reaper. APT37, also known as RedAnt, RedEyes, ScarCruft, and Group123, is a threat actor suspected to be backed by North Korea. It has been active since at least 2012, primarily targeting South Korea across various industry verticals such as chemicals, electronics, manufacturing, aerospace, automotive, and	6
ScarCruft is a possible alias for Reaper. ScarCruft, also known as APT37, Inky Squid, RedEyes, Reaper, or Group123, is a North Korean state-sponsored threat actor known for targeting high-value individuals and organizations to further North Korea's geopolitical objectives. This group has shown its agility in adopting new malware delivery me	6
RedEyes is a possible alias for Reaper. RedEyes, also known as APT37, TA-RedAnt, Reaper, ScarCruft, Group123, InkSquid, BadRAT, and Ricochet Chollima, is a North Korea-linked threat actor known for its malicious cyber activities. It recently exploited an Internet Explorer zero-day vulnerability (CVE-2024-38178 with a CVSS score of 7.5) in	3

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Malware

Espionage

Exploit

Apt

Payload

State Sponso...

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Malware

To see the evidence that has resulted in these malware associations, create a free account

Alias Description	Association Type	Votes
The Mirai Malware is associated with Reaper. Mirai is a type of malware that primarily targets Internet of Things (IoT) devices, converting them into a botnet, which is then used to launch Distributed Denial of Service (DDoS) attacks. In early 2022, Mirai botnets accounted for over seven million detections worldwide, though there was a 9% quar	Unspecified	2

Source Document References

Information about the Reaper Threat Actor was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
DARKReading	7 months ago	Whose Data Is It Anyway? Equitable Access in Cybersecurity
DARKReading	8 months ago	DPRK Exploits 2 MITRE Sub-Techniques: Phantom DLL Hijacking, TCC Abuse
DARKReading	8 months ago	DPRK Exploits 2 MITRE Sub-Techniques: Phantom DLL Hijacking, TCC Abuse
CERT-EU	10 months ago	New Linux Malware "Migo" Exploits Redis for Cryptojacking, Disables Security
CERT-EU	10 months ago	Law enforcement leaves taunting post for cyber criminals after locking notorious ransomware gang out of their own website \| #hacking \| #cybersecurity \| #infosec \| #comptia \| #pentest \| #ransomware \| National Cyber Security Consulting
DARKReading	a year ago	North Korea's ScarCruft Attackers Gear Up to Target Cybersecurity Pros
CERT-EU	a year ago	The history of malware: A primer on the evolution of cyber threats - MC Press Online
CERT-EU	a year ago	Prolific Mozi Botnet Deliberately Shut Down with Kill Switch
DARKReading	a year ago	Somebody Just Killed the Mozi Botnet
CERT-EU	a year ago	Mysterious Kill Switch Disrupts Mozi IoT Botnet Operations
CERT-EU	a year ago	History of Cybersecurity: Passwords to Quantification \| Kovrr blog
DARKReading	a year ago	North Korea's State-Sponsored APTs Organize & Align
CERT-EU	a year ago	Cheap drones and expensive missiles mean there's no more 'safe rear areas' in wartime, top NATO general says
CERT-EU	a year ago	The US Air Force is using satellites and dirt runways to prepare its drones for a different kind of war
CERT-EU	a year ago	Ministry of Defence documents leaked by LockBit \| #hacking \| #cybersecurity \| #infosec \| #comptia \| #pentest \| #ransomware \| National Cyber Security Consulting
BankInfoSecurity	a year ago	North Korean Hackers Phishing With US Army Job Lures
BankInfoSecurity	a year ago	N Korean Hackers Phishing With US Army Job Lures
CERT-EU	a year ago	Defense Watch: DoD Data Generation, Angry Kitten, No Labels, DeSantis on DoD EVs - Defense Daily
CERT-EU	a year ago	Defense Watch: Tester Challenger, Army CIO, MQ-9A Disaster Response - Defense Daily
MITRE	2 years ago	The CostaRicto Campaign: Cyber-Espionage Outsourced