{
	"id": "b9246be8-81f0-45f5-a76a-2d8e51a8007c",
	"created_at": "2026-04-06T00:06:15.598249Z",
	"updated_at": "2026-04-10T13:12:10.082872Z",
	"deleted_at": null,
	"sha1_hash": "01f8c15b8e2be0e7057d09638bdecb6e8d19bfc1",
	"title": "US disrupts Russian Cyclops Blink botnet before being used in attacks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3333535,
	"plain_text": "US disrupts Russian Cyclops Blink botnet before being used in attacks\r\nBy Sergiu Gatlan\r\nPublished: 2022-04-06 · Archived: 2026-04-05 18:06:07 UTC\r\nUS government officials announced today the disruption of the Cyclops Blink botnet, controlled by the Russian-backed Sandworm hacking group, before it could be used in attacks.\r\nThe malware, used by Sandworm to build this botnet since at least June 2019, targets WatchGuard Firebox firewall appliances and multiple ASUS router models.\r\nCyclops Blink enables the attackers to establish persistence on the device through firmware updates, providing remote access to compromised networks.\r\nhttps://www.bleepingcomputer.com/news/security/us-disrupts-russian-cyclops-blink-botnet-before-being-used-in-attacks/\r\nPage 1 of 4\r\nThis malware is modular, making it easy to upgrade to target new devices and tap into new pools of exploitable hardware.\r\n\"We are announcing today [..] the disruption of a global botnet controlled by the Russian military intelligence agency, commonly known as the GRU,\" US Attorney General Merrick Garland said.\r\n\"The Russian government has recently used similar infrastructure to attack Ukrainian targets. Fortunately, we were able to disrupt this botnet before it could be used.\r\n\"Thanks to our close work with international partners we were able to detect the infection of thousands of network hardware devices. We were then able to disable the GRU's control over those devices before the botnet could be weaponized.\"\r\nMalware removed from infected WatchGuard and ASUS devices\r\nFollowing the initial March 18 court authorization for this US Justice Department operation, the malware was removed from all remaining identified WatchGuard devices acting as command and control servers.\r\nThe FBI also notified owners of compromised devices in the United States and abroad, through foreign law enforcement partners, before removing the Cyclops Blink malware. US victims whose contact information could not be found were contacted by their providers following notices issued by the FBI.\r\nFBI Director Chris Wray said the botnet was disrupted following close cooperation with WatchGuard while analyzing the malware and developing detection tools and remediation techniques.\r\n\"I should caution that as we move forward, any Firebox devices that acted as bots may still remain vulnerable in the future until mitigated by their owners. So those owners should still go ahead and adopt WatchGuard's detection and remediation steps as soon as possible,\" FBI Director Chris Wray added.\r\n\"Sandworm strung them together to use their computing power in a way that would obfuscate who was really running the network and let them launch malware or to orchestrate distributed denial of service attacks, like the GRU has already used to attack Ukraine.\"\r\nWatchGuard has shared detailed instructions on how to restore compromised Firebox appliances to a clean state to remediate the infection and update them to the latest Fireware OS version to prevent future infections.\r\nWatchGuard played an important role in eliminating the threat posed by Cyclops Blink, with the rapid release of detection and remediation tools to protect its partners and customers following the government disclosure of the malware, and by cooperating with the U.S. Department of Justice in its effort to disrupt the botnet. The company’s close collaboration with its partner and customer communities was instrumental in mitigating this sophisticated state-sponsored threat, which affected less than 1% of WatchGuard appliances.\r\n— WatchGuard spokesperson\r\nThe Sandworm Russian-backed threat group\r\nSandworm (also tracked as Voodoo Bear, BlackEnergy, and TeleBots), the group behind the Cyclops Blink botnet, is a Russian-sponsored hacking group active since the mid-2000s.\r\nIts operators are believed to be Russian military hackers who are part of Unit 74455 of the Russian GRU's Main Center for Special Technologies (GTsST).\r\nSandworm has been linked to the BlackEnergy malware behind blackouts in Ukraine in 2015 and 2016 [1, 2, 3], the KillDisk wiper attacks against Ukrainian banks, and the highly destructive NotPetya ransomware used to inflict billions worth of damage on companies worldwide starting in June 2017.\r\n\"Sandworm is the premier Russian cyber attack capability and one of the actors we have been most concerned about in light of the invasion,\" John Hultquist, Mandiant VP of Intelligence Analysis, told BleepingComputer.\r\n\"We are concerned that they could be used to hit targets in Ukraine, but we are also concerned they may hit targets in the West in retribution for the pressure being placed on Russia.\"\r\nSource: https://www.bleepingcomputer.com/news/security/us-disrupts-russian-cyclops-blink-botnet-before-being-used-in-attacks/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/us-disrupts-russian-cyclops-blink-botnet-before-being-used-in-attacks/"
	],
	"report_names": [
		"us-disrupts-russian-cyclops-blink-botnet-before-being-used-in-attacks"
	],
	"threat_actors": [
		{
			"id": "39842197-944a-49fd-9bec-eafa1807e0ea",
			"created_at": "2022-10-25T16:07:24.310589Z",
			"updated_at": "2026-04-10T02:00:04.931264Z",
			"deleted_at": null,
			"main_name": "TeleBots",
			"aliases": [],
			"source_name": "ETDA:TeleBots",
			"tools": [
				"BadRabbit",
				"Black Energy",
				"BlackEnergy",
				"CredRaptor",
				"Diskcoder.C",
				"EternalPetya",
				"ExPetr",
				"Exaramel",
				"FakeTC",
				"Felixroot",
				"GreyEnergy",
				"GreyEnergy mini",
				"KillDisk",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"NonPetya",
				"NotPetya",
				"Nyetya",
				"Petna",
				"Petrwrap",
				"Pnyetya",
				"TeleBot",
				"TeleDoor",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"nPetya"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7bd810cb-d674-4763-86eb-2cc182d24ea0",
			"created_at": "2022-10-25T16:07:24.1537Z",
			"updated_at": "2026-04-10T02:00:04.883793Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"APT 44",
				"ATK 14",
				"BE2",
				"Blue Echidna",
				"CTG-7263",
				"FROZENBARENTS",
				"G0034",
				"Grey Tornado",
				"IRIDIUM",
				"Iron Viking",
				"Quedagh",
				"Razing Ursa",
				"Sandworm",
				"Sandworm Team",
				"Seashell Blizzard",
				"TEMP.Noble",
				"UAC-0082",
				"UAC-0113",
				"UAC-0125",
				"UAC-0133",
				"Voodoo Bear"
			],
			"source_name": "ETDA:Sandworm Team",
			"tools": [
				"AWFULSHRED",
				"ArguePatch",
				"BIASBOAT",
				"Black Energy",
				"BlackEnergy",
				"CaddyWiper",
				"Colibri Loader",
				"Cyclops Blink",
				"CyclopsBlink",
				"DCRat",
				"DarkCrystal RAT",
				"Fobushell",
				"GOSSIPFLOW",
				"Gcat",
				"IcyWell",
				"Industroyer2",
				"JaguarBlade",
				"JuicyPotato",
				"Kapeka",
				"KillDisk.NCX",
				"LOADGRIP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"ORCSHRED",
				"P.A.S.",
				"PassKillDisk",
				"Pitvotnacci",
				"PsList",
				"QUEUESEED",
				"RansomBoggs",
				"RottenPotato",
				"SOLOSHRED",
				"SwiftSlicer",
				"VPNFilter",
				"Warzone",
				"Warzone RAT",
				"Weevly"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775433975,
	"ts_updated_at": 1775826730,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/01f8c15b8e2be0e7057d09638bdecb6e8d19bfc1.pdf",
		"text": "https://archive.orkl.eu/01f8c15b8e2be0e7057d09638bdecb6e8d19bfc1.txt",
		"img": "https://archive.orkl.eu/01f8c15b8e2be0e7057d09638bdecb6e8d19bfc1.jpg"
	}
}