Reaper (also called IoTroop) is a botnet first publicly reported in October 2017 by researchers at Check Point and the Chinese security firm Qihoo 360. It targeted internet-connected devices such as IP cameras, routers, and network video recorders made by vendors including D-Link, Netgear, Linksys, GoAhead, AVTECH, and others.
Reaper is frequently compared to Mirai, the 2016 botnet that powered the massive DDoS attack against DNS provider Dyn. The key technical distinction is recruitment method:
- Mirai spread by scanning the internet for IoT devices and attempting to log in with lists of default or weak credentials.
- Reaper instead exploited at least nine known unpatched software vulnerabilities in device firmware, allowing it to compromise devices even when owners had changed default passwords.
Reaper also incorporated a Lua-based execution environment, giving operators flexibility to push new attack scripts to infected nodes without rebuilding the malware. Researchers observed it integrating new exploits into its toolkit within days of public disclosure.
Estimates of Reaper's size varied widely. Check Point initially suggested over a million organizations had been affected, though later analyses, including from Arbor Networks, put the count of actively infected devices in the range of 10,000 to 20,000 at any given time, with a larger pool of vulnerable bots queued for recruitment. As of public reporting, Reaper was not observed launching a large-scale DDoS campaign comparable to the Dyn incident, though its capability to do so was a central concern.
For policy researchers, Reaper is often cited in debates over IoT security regulation, software liability, and coordinated vulnerability disclosure. It influenced legislative efforts such as the U.S. IoT Cybersecurity Improvement Act of 2020 and the UK's Product Security and Telecommunications Infrastructure (PSTI) Act 2022, both of which address baseline security requirements for connected devices. The botnet is also a recurring case study in discussions at forums like the UN Open-Ended Working Group on ICTs regarding state and non-state cyber threats.
Example
In October 2017, Check Point researchers disclosed the Reaper botnet, warning that it had compromised IoT devices from vendors including D-Link and Netgear by exploiting unpatched firmware vulnerabilities.
Frequently asked questions
Mirai infected IoT devices by guessing default or weak passwords, while Reaper exploited known software vulnerabilities in device firmware, letting it compromise devices with strong credentials.
Keep learning