Reaper

Threat Actor Profile, updated 2 months ago
Reaper, also known as APT37, Inky Squid, RedEyes, or ScarCruft, is a threat actor group attributed to North Korea. It deploys ROKRAT, a malicious tool that has been used in cyber exploitation since the 1970s. The group is also tied to the NOKKI malware family, which was identified through research into its code overlap and other connections with KONNI. Reaper has been observed using CloudMensis, a persistent malware that checks whether System Integrity Protection (SIP) is disabled before loading its own malicious database. The group has been particularly active against media organizations and think-tank personnel focusing on North Korean affairs, and researchers expect this activity to continue into 2024.

The Reaper threat actor group has notably affected millions of Internet of Things (IoT) devices worldwide, surpassing earlier malware such as Mirai. The group uses IoT botnets such as Mozi, which emerged from the source code of several known malware families, including Gafgyt, Mirai, and IoT Reaper. These botnets can launch distributed denial-of-service (DDoS) attacks, exfiltrate data, and execute payloads. They infect IoT devices, using network gateways as an inroad for more damaging compromises.

In addition to the cyber threats, there are physical security concerns related to Reaper. Information leaks have revealed details about security equipment at locations such as RAF Waddington in Lincolnshire, where the MQ-9 Reaper attack drone squadron is based. This highlights the potential for the Reaper threat actor group to exploit vulnerabilities not only in cyberspace but also in real-world military infrastructure.
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so here are some possibly overlapping names and profiles you may also want to look at.
ID (votes): Profile description
APT37 (6 votes): APT37, also known as ScarCruft, Reaper, or Group123, is a threat actor suspected to be linked to North Korea. It primarily targets South Korea but has also extended its activities to Japan, Vietnam, and the Middle East, focusing on various industry verticals such as chemicals, electronics, manufactu
ScarCruft (6 votes): ScarCruft, also known as APT37, Inky Squid, RedEyes, Reaper, or Group123, is a North Korean threat actor group associated with malicious cyber activities. Their actions have been linked to the execution of targeted attacks against individual Android devices, as outlined in a VB2023 paper titled "Int
Redeyes (3 votes): RedEyes, also known as APT37, StarCruft, Reaper, or BadRAT, is a threat actor group known for its malicious cyber activities. This group recently deployed a new malware named FadeStealer to extract information from targeted systems. They have also been observed using CloudMensis, a malware that seek
DOGCALL (1 vote): Dogcall, also known as ROKRAT, is a remote access Trojan (RAT) malware first reported by Talos in April 2017. It has consistently been attributed to the Advanced Persistent Threat (APT37) group, also known as Reaper. The malware uses third-party hosting services for data upload and command acceptanc
Cloudmensis (1 vote): CloudMensis, a form of malware specifically designed to exploit macOS systems, was first brought to light by ESET in July 2022. The software infiltrates devices primarily through email attachments, causing significant security breaches once inside. Once installed, CloudMensis works diligently to ide
Miscellaneous Associations
Other elements of context that could aid in identifying relevance:
Malware, Payload, Exploit, State Sponso..., APT, Espionage, UK, Infostealer, Antivirus, Nuclear, Phishing, Reconnaissance, Botnet, Russian, Signal, Russia, Korean, Cybercrime, Worm, FBI
Associated Malware
ID, type (votes): Profile description
Mirai, type unspecified (2 votes): Mirai is a type of malware that primarily targets Internet of Things (IoT) devices to form botnets, which are networks of private computers infected with malicious software and controlled as a group without the owners' knowledge. In early 2022, Mirai botnets accounted for over 7 million detections g
Final1stspy, type unspecified (1 vote): Final1stspy is a previously unreported malware family that has been discovered and named based on a pdb string found in the malware. This harmful software, designed to exploit and damage computer systems, is closely related to the NOKKI and DOGCALL malware families, used as a deployment mechanism fo
NOKKI, type unspecified (1 vote): NOKKI is a malicious software (malware) that was first identified in January 2018, with activities traced throughout the year. It originated from an investigation into a new malware family named NOKKI, which showed significant code overlap and other ties to KONNI, a previously identified malware. Th
Inksquid, type unspecified (1 vote): None
Badrat, type unspecified (1 vote): None
KONNI, type unspecified (1 vote): Konni is a malware, short for malicious software, that poses a significant threat to computer systems and data. It's designed to infiltrate systems surreptitiously through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside a system, Konni can wreak havoc by stealin
Mozi, type unspecified (1 vote): Mozi is a type of malware, a malicious software designed to exploit and damage computer systems or devices. It can infiltrate systems via suspicious downloads, emails, or websites, often unbeknownst to the user. Once it gains access, Mozi has the potential to steal personal information, disrupt oper
ROKRAT, type unspecified (1 vote): RokRAT is a sophisticated malware that has been used by the cyber-espionage group ScarCruft, primarily to target South Korean media and research organizations. The malware is typically delivered via phishing emails with ZIP file attachments containing LNK files disguised as Word documents. However,
Associated Threat Actors
ID, type (votes): Profile description
Rgb, type unspecified (1 vote): RGB, a threat actor with ties to North Korea, has been involved in a range of malicious cyber activities. The group was designated by the Office of Foreign Assets Control (OFAC) on January 2, 2015, under Executive Order 13687 for being a controlled entity of the North Korean government. In addition
Lazarus Group, type unspecified (1 vote): The Lazarus Group, a threat actor attributed to North Korea, is renowned for its notorious cyber-exploitation activities. The group has been linked to various high-profile cyber-attacks, including the largest decentralized finance exploit in history, the Ronin exploit of March 2022. This attack led
Group123, type unspecified (1 vote): Group123, also known as Inky Squid or APT37, is a threat actor group suspected of executing malicious cyber activities. They are known for their technical capabilities and innovative intrusion techniques. Over the past 18 months, they have been associated with a series of attacks that utilize shellc
Associated Vulnerabilities
No associations to display
Source Document References
Information about the Reaper threat actor was read from the document corpus below. This display is limited to 20 results.
Source (created at): Title
DARKReading (2 months ago): Whose Data Is It Anyway? Equitable Access in Cybersecurity
DARKReading (3 months ago): DPRK Exploits 2 MITRE Sub-Techniques: Phantom DLL Hijacking, TCC Abuse
CERT-EU (5 months ago): New Linux Malware "Migo" Exploits Redis for Cryptojacking, Disables Security
CERT-EU (5 months ago): Law enforcement leaves taunting post for cyber criminals after locking notorious ransomware gang out of their own website | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware | National Cyber Security Consulting
DARKReading (6 months ago): North Korea's ScarCruft Attackers Gear Up to Target Cybersecurity Pros
CERT-EU (8 months ago): The history of malware: A primer on the evolution of cyber threats - MC Press Online
CERT-EU (8 months ago): Prolific Mozi Botnet Deliberately Shut Down with Kill Switch
DARKReading (8 months ago): Somebody Just Killed the Mozi Botnet
CERT-EU (8 months ago): Mysterious Kill Switch Disrupts Mozi IoT Botnet Operations
CERT-EU (9 months ago): History of Cybersecurity: Passwords to Quantification | Kovrr blog
DARKReading (9 months ago): North Korea's State-Sponsored APTs Organize & Align
CERT-EU (10 months ago): Cheap drones and expensive missiles mean there's no more 'safe rear areas' in wartime, top NATO general says
CERT-EU (10 months ago): The US Air Force is using satellites and dirt runways to prepare its drones for a different kind of war
CERT-EU (10 months ago): Ministry of Defence documents leaked by LockBit | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware | National Cyber Security Consulting
BankInfoSecurity (a year ago): North Korean Hackers Phishing With US Army Job Lures
BankInfoSecurity (a year ago): N Korean Hackers Phishing With US Army Job Lures
CERT-EU (a year ago): Defense Watch: DoD Data Generation, Angry Kitten, No Labels, DeSantis on DoD EVs - Defense Daily
CERT-EU (a year ago): Defense Watch: Tester Challenger, Army CIO, MQ-9A Disaster Response - Defense Daily
MITRE (a year ago): The CostaRicto Campaign: Cyber-Espionage Outsourced