Reaper

Threat Actor updated 5 months ago (2024-05-17T18:17:28.557Z)
Reaper, also known as APT37, Inky Squid, RedEyes, or ScarCruft, is a threat actor group attributed to North Korea. It deploys ROKRAT, a malicious tool that has been used in cyber exploitation since the 1970s. This group is also tied to the NOKKI malware family, which originated from research surrounding code overlap and other connections to KONNI. Reaper has been observed to use CloudMensis, a dogged malware that identifies where System Integrity Protection (SIP) is disabled to load its own malicious database. This group has been particularly active, targeting media organizations and think-tank personnel focusing on North Korean affairs, with researchers expecting this activity to continue into 2024.

The Reaper threat actor group has notably affected millions of Internet of Things (IoT) devices worldwide, outshining previous malware like Mirai. The group uses IoT botnets like Mozi, which emerged from the source code of several known malware families such as Gafgyt, Mirai, and IoT Reaper. These botnets can launch distributed denial-of-service (DDoS) attacks, exfiltrate data, and execute payloads. They infect IoT devices, using network gateways as an inroad for more powerful compromises.

In addition to the cyber threats, there are physical security concerns related to Reaper. Information leaks have revealed details about security equipment at locations such as RAF Waddington in Lincolnshire, where the MQ-9 Reaper attack drones squadron is based. This highlights the potential for the Reaper threat actor group to exploit vulnerabilities not only in cyberspace but also in real-world military infrastructure.
Description last updated: 2024-05-17T18:15:58.761Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Alias Description | Votes
APT37 is a possible alias for Reaper. APT37, also known as InkSquid, RedEyes, BadRAT, Reaper, ScarCruft, and Ricochet Chollima, is a threat actor suspected to be backed by North Korea. It primarily targets South Korea, but its activities have extended to Japan, Vietnam, the Middle East, and recently Cambodia, across various industry ver | 6
ScarCruft is a possible alias for Reaper. ScarCruft, also known as APT37, Inky Squid, RedEyes, Reaper, or Group123, is a North Korean threat actor group associated with malicious cyber activities. Their actions have been linked to the execution of targeted attacks against individual Android devices, as outlined in a VB2023 paper titled "Int | 6
Redeyes is a possible alias for Reaper. RedEyes, also known as APT37, StarCruft, Reaper, InkSquid, BadRAT, ScarCruft, and Ricochet Chollima, is a threat actor group known for its malicious activities. The group has recently deployed a new malware called FadeStealer to pilfer data from compromised systems, which it then sends to a command- | 3
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Espionage
Exploit
Apt
Payload
State Sponso...
Associated Malware
Alias Description | Association Type | Votes
The Mirai Malware is associated with Reaper. Mirai is a type of malware that specifically targets Internet of Things (IoT) devices to create a botnet, which can then be used for various malicious activities. The Mirai botnet had a significant impact in early 2022, accounting for over 7 million botnet detections globally. However, there was a 9 | Unspecified | 2
Source Document References
Information about the Reaper Threat Actor was read from the documents corpus below. This display is limited to 20 results.
Source | Created
DARKReading | 5 months ago
DARKReading | 6 months ago
DARKReading | 6 months ago
CERT-EU | 8 months ago
CERT-EU | 8 months ago
DARKReading | 9 months ago
CERT-EU | a year ago
CERT-EU | a year ago
DARKReading | a year ago
CERT-EU | a year ago
CERT-EU | a year ago
DARKReading | a year ago
CERT-EU | a year ago
CERT-EU | a year ago
CERT-EU | a year ago
BankInfoSecurity | a year ago
BankInfoSecurity | a year ago
CERT-EU | a year ago
CERT-EU | a year ago
MITRE | 2 years ago