{
	"id": "98231bdc-f2ef-4a34-b2a4-0b1e0f5ef4bd",
	"created_at": "2026-04-06T00:19:22.684907Z",
	"updated_at": "2026-04-10T03:38:06.411387Z",
	"deleted_at": null,
	"sha1_hash": "1d3052b92e851fe69b7688ab0cd3183c7f5a6cb9",
	"title": "Reaper: Calm Before the IoT Security Storm?",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1129714,
	"plain_text": "Reaper: Calm Before the IoT Security Storm?\r\nPublished: 2017-10-23 · Archived: 2026-04-05 17:25:51 UTC\r\nIt’s been just over a year since the world witnessed some of the world’s top online Web sites being taken down for\r\nmuch of the day by “Mirai,” a zombie malware strain that enslaved “Internet of Things” (IoT) devices such as\r\nwireless routers, security cameras and digital video recorders for use in large-scale online attacks.\r\nNow, experts are sounding the alarm about the emergence of what appears to be a far more powerful strain of IoT\r\nattack malware — variously named “Reaper” and “IoTroop” — that spreads via security holes in IoT software\r\nand hardware. And there are indications that over a million organizations may be affected already.\r\nReaper isn’t attacking anyone yet. For the moment it is apparently content to gather gloom to itself from the\r\ndarkest reaches of the Internet. But if history is any teacher, we are likely enjoying a period of false calm before\r\nanother humbling IoT attack wave breaks.\r\nOn Oct. 19, 2017, researchers from Israeli security firm CheckPoint announced they’ve been tracking the\r\ndevelopment of a massive new IoT botnet “forming to create a cyber-storm that could take down the Internet.”\r\nCheckPoint said the malware, which it called “IoTroop,” had already infected an estimated one million\r\norganizations.\r\nThe discovery came almost a year to the day after the Internet witnessed one of the most impactful cyberattacks\r\never — against online infrastructure firm Dyn at the hands of “Mirai,” an IoT malware strain that first surfaced in\r\nhttps://krebsonsecurity.com/2017/10/reaper-calm-before-the-iot-security-storm\r\nPage 1 of 7\n\nthe summer of 2016. 
According to CheckPoint, however, this new IoT malware strain is “evolving and recruiting\r\nIoT devices at a far greater pace and with more potential damage than the Mirai botnet of 2016.”\r\nUnlike Mirai — which wriggles into vulnerable IoT devices using factory-default or hard-coded usernames and\r\npasswords — this newest IoT threat leverages at least nine known security vulnerabilities across nearly a dozen\r\ndifferent device makers, including AVTECH, D-Link, GoAhead, Netgear, and Linksys, among others (click each\r\nvendor’s link to view security advisories for the flaws).\r\nThis graphic from CheckPoint charts a steep, recent rise in the number of Internet addresses trying to spread the\r\nnew IoT malware variant, which CheckPoint calls “IoTroop.”\r\nBoth Mirai and IoTroop are computer worms; they are built to spread automatically from one infected device to\r\nanother. Researchers can’t say for certain what IoTroop will be used for but it is based at least in part on Mirai,\r\nwhich was made to launch distributed denial of service (DDoS) attacks.\r\nWhile DDoS attacks target a single Web site or Internet host, they often result in widespread collateral Internet\r\ndisruption. IoT malware spreads by scanning the Internet for other vulnerable devices, and sometimes this\r\nscanning activity is so aggressive that it constitutes an unintended DDoS on the very home routers, Web cameras\r\nand DVRs that the bot code is trying to subvert and recruit into the botnet.\r\nHowever, according to research released Oct. 20 by Chinese security firm Netlab 360, the scanning performed by\r\nthe new IoT malware strain (Netlab calls it the more memorable “Reaper”) is not very aggressive, and is intended\r\nto spread much more deliberately than Mirai. 
Netlab’s researchers say Reaper partially borrows some Mirai source\r\ncode, but is significantly different from Mirai in several key behaviors, including an evolution that allows Reaper\r\nto more stealthily enlist new recruits and more easily fly under the radar of security tools looking for suspicious\r\nactivity on the local network.\r\nWARNING SIGNS, AND AN EVOLUTION\r\nFew knew or realized it at the time, but even before the Mirai attacks commenced in August 2016 there were\r\nample warning signs that something big was brewing. Much like the seawater sometimes recedes hundreds of feet\r\nfrom its normal coastline just before a deadly tsunami rushes ashore, cybercriminals spent the summer of 2016\r\nusing their state-of-the-art and new Mirai malware to siphon control over poorly-secured IoT devices from other\r\nhackers who were using inferior IoT malware strains.\r\nMirai was designed to wrest control over systems infected with variants of an early IoT malware contagion known\r\nas “Qbot” — and it did so with gusto immediately following its injection into the Internet in late July 2016. As\r\ndocumented in great detail in “Who Is Anna Senpai, the Mirai Worm Author?“, the apparent authors of Mirai\r\ntaunted the many Qbot botmasters in hacker forum postings, promising they had just unleashed a new digital\r\ndisease that would replace all Qbot infected devices with Mirai.\r\nMirai’s architects were true to their word: their creation mercilessly seized control over hundreds of thousands of\r\nIoT devices, spreading the disease globally and causing total extinction of Qbot variants. Mirai had evolved, and\r\nQbot went the way of the dinosaurs.\r\nOn Sept. 20, 2016, KrebsOnSecurity.com was hit with a monster denial-of-service attack from the botnet powered\r\nby the first known copy of Mirai. 
That attack, which clocked in at 620 Gbps, was almost twice the size that my\r\nDDoS mitigation firm at the time Akamai had ever mitigated before. They’d been providing my site free\r\nprotection for years, but when the Mirai attackers didn’t go away and turned up the heat, Akamai said the attack\r\non this site was causing troubles for its paying customers, and it was time to go.\r\nThankfully, several days later Google brought KrebsOnSecurity into the stable of journalist and activist Web sites\r\nthat qualify for its Project Shield program, which offers DDoS protection to newsrooms and Web sites facing\r\nvarious forms of online censorship.\r\nThe same original Mirai botnet would be used to launch a huge attack — over one terabit of data per second —\r\nagainst French hosting firm OVH. After the media attention paid to this site’s attack and the OVH assault, the\r\nMirai authors released the source code for their creation, spawning dozens of copycat Mirai clones that all\r\ncompeted for the right to infest a finite pool of vulnerable IoT devices.\r\nProbably the largest Mirai clone to rise out of the source code spill was used in a highly disruptive attack on Oct.\r\n20, 2016 against Internet infrastructure giant Dyn (now part of Oracle). Some of the Internet’s biggest\r\ndestinations — including Twitter, SoundCloud, Spotify and Reddit — were unreachable for large chunks of\r\ntime that day because Mirai targeted a critical service that Dyn provides these companies.\r\nA depiction of the outages caused by the Mirai attacks on Dyn, an Internet infrastructure company. Source:\r\nDowndetector.com.\r\n[AUTHOR’S NOTE: Some people believe that the Dyn attack was in retribution for information presented\r\npublicly hours before the attack by Dyn researcher Doug Madory. 
The talk was about research we had worked on\r\ntogether for a story exploring the rather sketchy history of a DDoS mitigation firm that had a talent for annexing\r\nInternet address space from its neighbors in a personal grudge match between that mitigation firm and the original\r\nMirai authors and botmasters.]\r\nIt’s a safe bet that whoever is responsible for building this new Reaper IoT botnet will have more than enough\r\nfirepower capable of executing Dyn-like attacks at Internet pressure points. Attacks like these can cause\r\nwidespread Internet disruption because they target virtual gateways where third-party infrastructure providers\r\ncommunicate with hordes of customer Web sites, which in turn feed the online habits of countless Internet users.\r\nIt’s critical to observe that Reaper may not have been built for launching DDoS attacks: A global network of\r\nmillions of hacked IoT devices can be used for a variety of purposes — such as serving as a sort of distributed\r\nproxy or anonymity network — or building a pool of infected devices that can serve as jumping-off points for\r\nexploring and exploiting other devices within compromised corporate networks.\r\n“While some technical aspects lead us to suspect a possible connection to the Mirai botnet, this is an entirely new\r\ncampaign rapidly spreading throughout the globe,” CheckPoint warns. 
“It is too early to assess the intentions of\r\nthe threat actors behind it, but it is vital to have the proper preparations and defense mechanisms in place before\r\nan attack strikes.”\r\nAND THE GOOD NEWS IS?\r\nThere have been positive developments on the IoT security front: Two possible authors of Mirai have been\r\nidentified (if not yet charged), and some of Mirai’s biggest botmasters have been arrested and sentenced.\r\nSome of the most deadly DDoS attack-for-hire services on the Internet were either run out of business by Mirai or\r\nhave been forcibly shuttered in the past year, including vDOS — one of the Internet’s longest-running attack\r\nservices. The alleged providers of vDOS — two Israeli men first outed by KrebsOnSecurity after their service was\r\nmassively hacked last year — were later arrested and are currently awaiting trial in Israel for related cybercrime\r\ncharges.\r\nUsing a combination of arrests and interviews, the FBI and its counterparts in Europe have made it clear that\r\npatronizing or selling DDoS-for-hire services — often known as “booters” or “stressers” — is illegal activity that\r\ncan land violators in jail.\r\nThe front page of vDOS, when it was still online last year. 
vDOS was powered by an IoT botnet similar to Mirai\r\nand Reaper.\r\nPublic awareness of IoT security is on the rise, with lawmakers in Washington promising legislative action if the\r\ntech industry continues to churn out junky IoT hardware that is the Internet-equivalent of toxic waste.\r\nNevertheless, IoT device makers continue to ship products with either little to no security turned on by default or\r\nwith ill-advised features which can be used to subvert any built-in security.\r\nWHAT YOU CAN DO\r\nAccording to Netlab, about half of the security vulnerabilities exploited by Reaper were first detailed in just the\r\npast few months, suggesting there may be a great number of unpatched and vulnerable systems in real danger\r\nfrom this new IoT malware strain.\r\nCheck to make sure your network isn’t part of the problem: Netlab’s advisory links to specific patches available\r\nby vendor, as well as indicators of compromise and the location of various Reaper control networks. CheckPoint’s\r\npost breaks down affected devices by version number but doesn’t appear to include links to security advisories or\r\npatches.\r\nPlease note that many of the affected devices are cameras or DVRs, but there also are quite a few consumer\r\nwired/wireless routers listed here (particularly for D-Link and Linksys devices).\r\nA listing of known IoT device vulnerabilities targeted by Reaper. Source: Netlab 360 blog.\r\nOne incessant problem with popular IoT devices is the inclusion of peer-to-peer (P2P) networking capability\r\ninside countless security cameras, DVRs and other gear. 
Jake Reynolds, a partner and consultant at Kansas City,\r\nMo.-based Depth Security, published earlier this month research on a serious P2P weakness built into many\r\nFLIR/Lorex DVRs and security cameras that could let attackers remotely locate and gain access to vulnerable\r\nsystems that otherwise are not directly connected to the Internet (FLIR’s updated advisory and patches are here).\r\nIn Feb. 2016, KrebsOnSecurity warned about a similar weakness powering the P2P component embedded in\r\ncountless security cameras made by Foscam. That story noted that while the P2P component was turned on by\r\ndefault, disabling it in the security settings of the device did nothing to actually turn off P2P communications.\r\nBeing able to do that was only possible after applying a firmware patch Foscam made available after users started\r\ncomplaining. My advice is to stay away from products that advertise P2P functionality.\r\nAnother reason IoT devices are ripe for exploitation by worms like Reaper and Mirai is that vendors infrequently\r\nrelease security updates for their firmware, and when they do there’s often no easy method available to notify\r\nusers. Also, these updates are notoriously hard to do and easy to screw up, often leaving the unwary and unlearned\r\nwith an oversized paperweight after a botched firmware update. So if it’s time to update your device, do it slowly\r\nand carefully.\r\nWhat’s interesting about Reaper is that it is currently built to live harmoniously with Mirai. 
It’s not immediately\r\nclear whether the two IoT malware strains compete for any of the same devices, although some overlaps are\r\nbound to occur — particularly as the Reaper authors add new functionality and spreading mechanisms (both\r\nNetlab and CheckPoint say the Reaper code appears to be a work-in-progress).\r\nThat new Reaper functionality could well include the ability to seek out and supplant Mirai infections (much like\r\nMirai did with Qbot), which would help Reaper to grow to even more terrifying numbers.\r\nNo matter what innovation Reaper brings, I’m hopeful that the knowledge being shared within the security\r\ncommunity about how to defend against the Mirai attacks today will prove useful in ultimately helping to blunt\r\nany attacks from Reaper tomorrow. \u003cFingers crossed\u003e\r\nSpeaking of calms before storms, KrebsOnSecurity.com soon will get its first major facelift since its inception in\r\nDec. 2009. The changes are more structural than cosmetic; we’re striving to make the site more friendly to mobile\r\ndevices, while maintaining the simple, almost minimalist look and feel of this site. I’ll make another\r\nannouncement as we get closer to the switch (just so everyone doesn’t freak out and report the site’s been hacked).\r\nSource: https://krebsonsecurity.com/2017/10/reaper-calm-before-the-iot-security-storm",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://krebsonsecurity.com/2017/10/reaper-calm-before-the-iot-security-storm"
	],
	"report_names": [
		"reaper-calm-before-the-iot-security-storm"
	],
	"threat_actors": [
		{
			"id": "6f30fd35-b1c9-43c4-9137-2f61cd5f031e",
			"created_at": "2025-08-07T02:03:25.082908Z",
			"updated_at": "2026-04-10T02:00:03.744649Z",
			"deleted_at": null,
			"main_name": "NICKEL FOXCROFT",
			"aliases": [
				"APT37 ",
				"ATK4 ",
				"Group 123 ",
				"InkySquid ",
				"Moldy Pisces ",
				"Operation Daybreak ",
				"Operaton Erebus ",
				"RICOCHET CHOLLIMA ",
				"Reaper ",
				"ScarCruft ",
				"TA-RedAnt ",
				"Venus 121 "
			],
			"source_name": "Secureworks:NICKEL FOXCROFT",
			"tools": [
				"Bluelight",
				"Chinotto",
				"GOLDBACKDOOR",
				"KevDroid",
				"KoSpy",
				"PoorWeb",
				"ROKRAT",
				"final1stpy"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "77b28afd-8187-4917-a453-1d5a279cb5e4",
			"created_at": "2022-10-25T15:50:23.768278Z",
			"updated_at": "2026-04-10T02:00:05.266635Z",
			"deleted_at": null,
			"main_name": "Inception",
			"aliases": [
				"Inception Framework",
				"Cloud Atlas"
			],
			"source_name": "MITRE:Inception",
			"tools": [
				"PowerShower",
				"VBShower",
				"LaZagne"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "9b02c527-5077-489e-9a80-5d88947fddab",
			"created_at": "2022-10-25T16:07:24.103499Z",
			"updated_at": "2026-04-10T02:00:04.867181Z",
			"deleted_at": null,
			"main_name": "Reaper",
			"aliases": [
				"APT 37",
				"ATK 4",
				"Cerium",
				"Crooked Pisces",
				"G0067",
				"Geumseong121",
				"Group 123",
				"ITG10",
				"InkySquid",
				"Moldy Pisces",
				"Opal Sleet",
				"Operation Are You Happy?",
				"Operation Battle Cruiser",
				"Operation Black Banner",
				"Operation Daybreak",
				"Operation Dragon messenger",
				"Operation Erebus",
				"Operation Evil New Year",
				"Operation Evil New Year 2018",
				"Operation Fractured Block",
				"Operation Fractured Statue",
				"Operation FreeMilk",
				"Operation Golden Bird",
				"Operation Golden Time",
				"Operation High Expert",
				"Operation Holiday Wiper",
				"Operation Korean Sword",
				"Operation North Korean Human Right",
				"Operation Onezero",
				"Operation Rocket Man",
				"Operation SHROUDED#SLEEP",
				"Operation STARK#MULE",
				"Operation STIFF#BIZON",
				"Operation Spy Cloud",
				"Operation Star Cruiser",
				"Operation ToyBox Story",
				"Osmium",
				"Red Eyes",
				"Ricochet Chollima",
				"Ruby Sleet",
				"ScarCruft",
				"TA-RedAnt",
				"TEMP.Reaper",
				"Venus 121"
			],
			"source_name": "ETDA:Reaper",
			"tools": [
				"Agentemis",
				"BLUELIGHT",
				"Backdoor.APT.POORAIM",
				"CARROTBALL",
				"CARROTBAT",
				"CORALDECK",
				"Cobalt Strike",
				"CobaltStrike",
				"DOGCALL",
				"Erebus",
				"Exploit.APT.RICECURRY",
				"Final1stSpy",
				"Freenki Loader",
				"GELCAPSULE",
				"GOLDBACKDOOR",
				"GreezeBackdoor",
				"HAPPYWORK",
				"JinhoSpy",
				"KARAE",
				"KevDroid",
				"Konni",
				"MILKDROP",
				"N1stAgent",
				"NavRAT",
				"Nokki",
				"Oceansalt",
				"POORAIM",
				"PoohMilk",
				"PoohMilk Loader",
				"RICECURRY",
				"RUHAPPY",
				"RokRAT",
				"SHUTTERSPEED",
				"SLOWDRIFT",
				"SOUNDWAVE",
				"SYSCON",
				"Sanny",
				"ScarCruft",
				"StarCruft",
				"Syscon",
				"VeilShell",
				"WINERACK",
				"ZUMKONG",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434762,
	"ts_updated_at": 1775792286,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1d3052b92e851fe69b7688ab0cd3183c7f5a6cb9.pdf",
		"text": "https://archive.orkl.eu/1d3052b92e851fe69b7688ab0cd3183c7f5a6cb9.txt",
		"img": "https://archive.orkl.eu/1d3052b92e851fe69b7688ab0cd3183c7f5a6cb9.jpg"
	}
}