{
	"id": "85e5aadf-1166-464e-9d14-a1a188c9c209",
	"created_at": "2026-04-06T00:12:02.966744Z",
	"updated_at": "2026-04-10T13:12:48.657093Z",
	"deleted_at": null,
	"sha1_hash": "0ff30f2cb88439b4ef92edf750a44a4176c744a9",
	"title": "IoT_reaper: A Rappid Spreading New IoT Botnet",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 213899,
	"plain_text": "IoT_reaper: A Rappid Spreading New IoT Botnet\r\nBy Genshen Ye\r\nPublished: 2017-10-20 · Archived: 2026-04-05 18:12:53 UTC\r\nOn 2017-09-13 at 01:02:13, we caught a new malicious sample targeting IoT devices. Since then, this new IoT botnet family has continued to update and has begun harvesting vulnerable IoT devices at a rapid pace.\r\nThe bot borrows some code from the well-known Mirai botnet, but it does not do any password cracking at all. Instead, it focuses purely on exploiting IoT device vulnerabilities, so we named it IoT_reaper.\r\nIoT_reaper is already fairly large and is actively expanding. We are tracking multiple C2s; the most recent data (October 19) from just one of them shows more than 10k unique active bot IP addresses per day. At the same time, millions of potentially vulnerable device IPs are queued in the C2 system, waiting to be processed by an automatic loader that injects malicious code into the devices to grow the botnet.\r\nCurrently, this botnet is still in its early stages of expansion. 
But the author is actively modifying the code, which deserves our vigilance.\r\nHere we are sharing a quick summary so that the security community may stop it before it causes bigger damage.\r\nFrom Mirai, Beyond Mirai\r\nThe botnet partially borrows Mirai source code, but it differs significantly from Mirai in several key behaviors, including:\r\nIt no longer cracks any weak passwords and only exploits IoT device vulnerabilities;\r\nA Lua execution environment is integrated, so more complex attacks can be supported and carried out;\r\nIts scanning behavior is not very aggressive, so it can stay under the radar.\r\nSample Delivery, C2 Distribution and Traffic Pattern\r\nTaking hxxp://162.211.183.192/sa as an example, IoT_reaper's sample delivery and C2 distribution are as follows.\r\nThere is a downloader, which is quite different from Mirai:\r\ndownloader: 162.211.183.192, from which samples can be downloaded; it usually uses \"d\" as the subdomain label, like d.hl852.com\r\ncontroller: 27.102.101.121, which controls the bots and sends commands; it usually uses \"e\" as the subdomain label, like e.hl852.com\r\nreporter: 222.112.82.231, which receives the information on potentially vulnerable devices collected by the bots; it usually uses \"f\" as the subdomain label, like f.hl852.com\r\nloader: 119.82.26.157, which implants the bot program, via the vulnerabilities, into the devices collected by the reporter\r\nhttp://blog.netlab.360.com/iot_reaper-a-rappid-spreading-new-iot-botnet-en/\r\nPage 1 of 5\r\nThe following figures show the traffic pattern of the above four IPs.\r\n9 IoT Vulnerability Exploits Integrated in the Malware\r\nUnlike Mirai, which uses weak-password cracking, IoT_reaper infects IoT devices by exploiting multiple IoT device vulnerabilities.\r\nWe noticed that 9 IoT vulnerability exploits have been integrated into the current samples, as follows:\r\nD-Link: https://blogs.securiteam.com/index.php/archives/3364\r\nGoAhead: https://pierrekim.github.io/blog/2017-03-08-camera-goahead-0day.html\r\nJAWS: 
https://www.pentestpartners.com/blog/pwning-cctv-cameras/\r\nNetgear: https://blogs.securiteam.com/index.php/archives/3409\r\nVacron NVR: https://blogs.securiteam.com/index.php/archives/3445\r\nNetgear: http://seclists.org/bugtraq/2013/Jun/8\r\nLinksys: http://www.s3cur1ty.de/m1adv2013-004\r\nD-Link: http://www.s3cur1ty.de/m1adv2013-003\r\nAVTECH: https://github.com/Trietptm-on-Security/AVTECH\r\nNote that in just the last 10 days the attacker has continuously added new exploits to the samples, one of which was adopted only 2 days after the vulnerability was disclosed:\r\nThe Vacron NVR remote exploit was disclosed on 2017-10-08 and had been added to the bot sample before 2017-10-10;\r\n3 exploits were added in an update on 2017-10-12 and 1 more in an update on 2017-10-16.\r\nThe Lua Execution Environment Integrated in the Malware\r\nMD5: CA92A3B74A65CE06035FCC280740DAF6\r\nWith the integrated Lua execution environment, the author is now able to write very complex and efficient attack scripts.\r\nApproximately 100 DNS Open Resolvers Were Integrated in This Malware\r\nThe botnet has embedded more than 100 open DNS resolvers in its Lua sample, so DNS amplification attacks can easily be carried out. Cross-checking against our DRDoS data feed indicates that about one-third of these open DNS servers have been used as reflectors in real DNS amplification attacks. We have yet to see this type of configuration in any other Mirai variant.\r\nNo DDoS Attack Command Observed So Far\r\nAs for attack commands, although we saw support for DDoS attacks in the source file of the Lua execution environment, we have not seen an actual DDoS attack so far.\r\n
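As an added example (this is not code from the Netlab 360 post and not the botnet's own code), the script below turns the infrastructure roles described above and the IoC URLs and hashes listed at the end of the post into a small matcher for DNS, proxy and file-hash logs. It re-fangs the hxxp:// URLs, maps the d/e/f subdomain labels under hl852.com to the downloader, controller and reporter roles the post assigns them, and flags any other host under the campaign domains as related but of unknown role. The log format and the sample log lines are assumptions made for the example.

```python
# Added example, not code from the Netlab 360 post: match the post's IoC
# URLs, infrastructure IPs and sample hashes against constructed log lines.
# The log format and the log lines below are assumptions for illustration.
from urllib.parse import urlsplit

# Defanged URLs exactly as the post lists them (hxxp is re-fanged when parsed).
IOC_URLS = [
    'hxxp://cbk99.com:8080/run.lua',
    'hxxp://bbk80.com/api/api.php',
    'hxxp://103.1.221.40/63ae01/39xjsda.php',
    'hxxp://162.211.183.192/down/server.armel',
    'hxxp://162.211.183.192/sa',
    'hxxp://162.211.183.192/sa5',
    'hxxp://162.211.183.192/server.armel',
    'hxxp://162.211.183.192/sm',
    'hxxp://162.211.183.192/xget',
    'hxxp://198.44.241.220:8080/run.lua',
    'hxxp://23.234.51.91/control-ARM-LSB',
    'hxxp://23.234.51.91/control-MIPS32-MSB',
    'hxxp://23.234.51.91/ht_am5le',
    'hxxp://23.234.51.91/ht_mpbe',
    'hxxp://27.102.101.121/down/1506753086',
    'hxxp://27.102.101.121/down/1506851514',
]

# Infrastructure roles the post describes: IP per role, and the subdomain
# label each role usually uses under the campaign domain (d./e./f.hl852.com).
ROLE_BY_IP = {
    '162.211.183.192': 'downloader',
    '27.102.101.121': 'controller',
    '222.112.82.231': 'reporter',
    '119.82.26.157': 'loader',
}
ROLE_BY_LABEL = {'d': 'downloader', 'e': 'controller', 'f': 'reporter'}
CAMPAIGN_DOMAINS = {'hl852.com', 'cbk99.com', 'bbk80.com'}

# A subset of the MD5s from the post's IoC hash list (lowercased).
IOC_MD5 = {
    'ca92a3b74a65ce06035fcc280740daf6',  # the Lua-environment sample
    '3182a132ee9ed2280ce02144e974220a',
    'fb7c00afe00eeefb5d8a24d524f99370',
}

def refang(url):
    '''Turn the defanged hxxp:// form back into a URL urlsplit can parse.'''
    return url.replace('hxxp://', 'http://', 1)

def build_host_set(urls):
    '''Hostnames (without port) of every IoC URL.'''
    return {urlsplit(refang(u)).hostname for u in urls}

IOC_HOSTS = build_host_set(IOC_URLS) | set(ROLE_BY_IP)

def classify_host(host):
    '''Role of a host: a named role, unknown-role for other IoC hosts and
    any subdomain of a campaign domain, or None if unrelated.'''
    host = host.lower().rstrip('.')  # DNS logs may carry a trailing dot
    if host in ROLE_BY_IP:
        return ROLE_BY_IP[host]
    label, _, parent = host.partition('.')
    if parent in CAMPAIGN_DOMAINS and label in ROLE_BY_LABEL:
        return ROLE_BY_LABEL[label]
    if host in IOC_HOSTS or parent in CAMPAIGN_DOMAINS:
        return 'unknown-role'
    return None

def scan_log(lines):
    '''Flag lines that touch IoC hosts or carry a known sample hash.
    Assumed line format: <timestamp> <source-ip> <dns|http|md5> <value>.
    Returns (timestamp, source-ip, kind, value, reason) tuples.'''
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue  # skip lines that do not match the assumed format
        ts, src, kind, value = parts
        if kind == 'md5' and value.lower() in IOC_MD5:
            hits.append((ts, src, kind, value, 'known sample hash'))
        elif kind == 'dns':
            role = classify_host(value)
            if role:
                hits.append((ts, src, kind, value, 'dns lookup of ' + role))
        elif kind == 'http':
            role = classify_host(urlsplit(value).hostname or '')
            if role:
                hits.append((ts, src, kind, value, 'http request to ' + role))
    return hits

# Constructed sample log lines, not real traffic.
SAMPLE_LOG = [
    '2017-10-19T10:00:01 10.0.0.7 dns d.hl852.com',
    '2017-10-19T10:00:02 10.0.0.7 http http://162.211.183.192/sa',
    '2017-10-19T10:00:03 10.0.0.9 dns www.example.com',
    '2017-10-19T10:00:04 10.0.0.9 http http://198.44.241.220:8080/run.lua',
    '2017-10-19T10:00:05 10.0.0.7 md5 CA92A3B74A65CE06035FCC280740DAF6',
    '2017-10-19T10:00:06 10.0.0.12 dns f.hl852.com.',
]

if __name__ == '__main__':
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Run it with python3; each hit names the role of the contacted host, so an analyst can tell a sample download (downloader) from a command channel (controller) or a scan report (reporter) at a glance. Hashes are compared case-insensitively because the post lists the Lua-environment MD5 in both upper and lower case.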
The only instructions we saw are to download samples. This means the attacker is still focusing on spreading the botnet.\r\nInfection Measurement\r\nUsing some tricks, we are able to produce a fairly accurate measurement of the scale of the infection. Here is a sample of the numbers:\r\nNumber of vulnerable devices in one C2 queue waiting to be infected: over 2m;\r\nInfected bots controlled by one C2 in the last 7 days: over 20k;\r\nNumber of daily active bots controlled by one C2: around 10k yesterday (October 19);\r\nNumber of simultaneously online bots controlled by one C2: around 4k.\r\nIoC URLs\r\nhxxp://cbk99.com:8080/run.lua\r\nhxxp://bbk80.com/api/api.php\r\nhxxp://103.1.221.40/63ae01/39xjsda.php\r\nhxxp://162.211.183.192/down/server.armel\r\nhxxp://162.211.183.192/sa\r\nhxxp://162.211.183.192/sa5\r\nhxxp://162.211.183.192/server.armel\r\nhxxp://162.211.183.192/sm\r\nhxxp://162.211.183.192/xget\r\nhxxp://198.44.241.220:8080/run.lua\r\nhxxp://23.234.51.91/control-ARM-LSB\r\nhxxp://23.234.51.91/control-MIPS32-MSB\r\nhxxp://23.234.51.91/ht_am5le\r\nhxxp://23.234.51.91/ht_mpbe\r\nhxxp://27.102.101.121/down/1506753086\r\nhxxp://27.102.101.121/down/1506851514\r\nIoC Hashes\r\n3182a132ee9ed2280ce02144e974220a\r\n3d680273377b67e6491051abe17759db\r\n41ef6a5c5b2fde1b367685c7b8b3c154\r\n4406bace3030446371df53ebbdc17785\r\n4e2f58ba9a8a2bf47bdc24ee74956c73\r\n596b3167fe0d13e3a0cfea6a53209be4\r\n6587173d571d2a587c144525195daec9\r\n6f91694106bb6d5aaa7a7eac841141d9\r\n704098c8a8a6641a04d25af7406088e1\r\n726d0626f66d5cacfeff36ed954dad70\r\n76be3db77c7eb56825fe60009de2a8f2\r\n95b448bdf6b6c97a33e1d1dbe41678eb\r\n9ad8473148e994981454b3b04370d1ec\r\n9f8e8b62b5adaf9c4b5bdbce6b2b95d1\r\na3401685d8d9c7977180a5c6df2f646a\r\nabe79b8e66c623c771acf9e21c162f44\r\nb2d4a77244cd4f704b65037baf82d897\r\nca92a3b74a65ce06035fcc280740daf6\r\ne9a03dbde09c6b0a83eefc9c295711d7\r\nf9ec2427377cbc6afb4a7ff011e0de77\r\nfb7c00afe00eeefb5d8a24d524f99370\r\nSource: http://blog.netlab.360.com/iot_reaper-a-rappid-spreading-new-iot-botnet-en/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"http://blog.netlab.360.com/iot_reaper-a-rappid-spreading-new-iot-botnet-en/"
	],
	"report_names": [
		"iot_reaper-a-rappid-spreading-new-iot-botnet-en"
	],
	"threat_actors": [
		{
			"id": "6f30fd35-b1c9-43c4-9137-2f61cd5f031e",
			"created_at": "2025-08-07T02:03:25.082908Z",
			"updated_at": "2026-04-10T02:00:03.744649Z",
			"deleted_at": null,
			"main_name": "NICKEL FOXCROFT",
			"aliases": [
				"APT37 ",
				"ATK4 ",
				"Group 123 ",
				"InkySquid ",
				"Moldy Pisces ",
				"Operation Daybreak ",
				"Operaton Erebus ",
				"RICOCHET CHOLLIMA ",
				"Reaper ",
				"ScarCruft ",
				"TA-RedAnt ",
				"Venus 121 "
			],
			"source_name": "Secureworks:NICKEL FOXCROFT",
			"tools": [
				"Bluelight",
				"Chinotto",
				"GOLDBACKDOOR",
				"KevDroid",
				"KoSpy",
				"PoorWeb",
				"ROKRAT",
				"final1stpy"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "9b02c527-5077-489e-9a80-5d88947fddab",
			"created_at": "2022-10-25T16:07:24.103499Z",
			"updated_at": "2026-04-10T02:00:04.867181Z",
			"deleted_at": null,
			"main_name": "Reaper",
			"aliases": [
				"APT 37",
				"ATK 4",
				"Cerium",
				"Crooked Pisces",
				"G0067",
				"Geumseong121",
				"Group 123",
				"ITG10",
				"InkySquid",
				"Moldy Pisces",
				"Opal Sleet",
				"Operation Are You Happy?",
				"Operation Battle Cruiser",
				"Operation Black Banner",
				"Operation Daybreak",
				"Operation Dragon messenger",
				"Operation Erebus",
				"Operation Evil New Year",
				"Operation Evil New Year 2018",
				"Operation Fractured Block",
				"Operation Fractured Statue",
				"Operation FreeMilk",
				"Operation Golden Bird",
				"Operation Golden Time",
				"Operation High Expert",
				"Operation Holiday Wiper",
				"Operation Korean Sword",
				"Operation North Korean Human Right",
				"Operation Onezero",
				"Operation Rocket Man",
				"Operation SHROUDED#SLEEP",
				"Operation STARK#MULE",
				"Operation STIFF#BIZON",
				"Operation Spy Cloud",
				"Operation Star Cruiser",
				"Operation ToyBox Story",
				"Osmium",
				"Red Eyes",
				"Ricochet Chollima",
				"Ruby Sleet",
				"ScarCruft",
				"TA-RedAnt",
				"TEMP.Reaper",
				"Venus 121"
			],
			"source_name": "ETDA:Reaper",
			"tools": [
				"Agentemis",
				"BLUELIGHT",
				"Backdoor.APT.POORAIM",
				"CARROTBALL",
				"CARROTBAT",
				"CORALDECK",
				"Cobalt Strike",
				"CobaltStrike",
				"DOGCALL",
				"Erebus",
				"Exploit.APT.RICECURRY",
				"Final1stSpy",
				"Freenki Loader",
				"GELCAPSULE",
				"GOLDBACKDOOR",
				"GreezeBackdoor",
				"HAPPYWORK",
				"JinhoSpy",
				"KARAE",
				"KevDroid",
				"Konni",
				"MILKDROP",
				"N1stAgent",
				"NavRAT",
				"Nokki",
				"Oceansalt",
				"POORAIM",
				"PoohMilk",
				"PoohMilk Loader",
				"RICECURRY",
				"RUHAPPY",
				"RokRAT",
				"SHUTTERSPEED",
				"SLOWDRIFT",
				"SOUNDWAVE",
				"SYSCON",
				"Sanny",
				"ScarCruft",
				"StarCruft",
				"Syscon",
				"VeilShell",
				"WINERACK",
				"ZUMKONG",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434322,
	"ts_updated_at": 1775826768,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0ff30f2cb88439b4ef92edf750a44a4176c744a9.pdf",
		"text": "https://archive.orkl.eu/0ff30f2cb88439b4ef92edf750a44a4176c744a9.txt",
		"img": "https://archive.orkl.eu/0ff30f2cb88439b4ef92edf750a44a4176c744a9.jpg"
	}
}