{
	"id": "493a1833-44ae-419a-8f2e-fbf5d57bcbc5",
	"created_at": "2026-04-06T00:21:16.014498Z",
	"updated_at": "2026-04-10T03:37:09.017136Z",
	"deleted_at": null,
	"sha1_hash": "1a4eaee10e03b083d1e565e57ba6c8f4099ef3d3",
	"title": "CyclopsBlink (Malware Family)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 60869,
	"plain_text": "CyclopsBlink (Malware Family)\r\nBy Fraunhofer FKIE\r\nArchived: 2026-04-05 14:32:14 UTC\r\nCyclopsBlink\r\nAccording to CISA, Cyclops Blink appears to be a replacement framework for the VPNFilter malware exposed in\r\n2018, and which exploited network devices, primarily small office/home office (SOHO) routers and network\r\nattached storage (NAS) devices. Cyclops Blink has been deployed since at least June 2019, fourteen months after\r\nVPNFilter was disrupted. In common with VPNFilter, Cyclops Blink deployment also appears indiscriminate and\r\nwidespread. The actor has so far primarily deployed Cyclops Blink to WatchGuard and ASUS devices, but it is\r\nlikely that Sandworm would be capable of compiling the malware for other architectures and firmware.\r\nReferences\r\n2022-04-15 ⋅ splunk ⋅\r\nSTRT-TA03 CPE - Destructive Software\r\nAcidRain CyclopsBlink\r\n2022-04-11 ⋅ Bleeping Computer ⋅ Sergiu Gatlan\r\nCISA warns orgs of WatchGuard bug exploited by Russian state hackers\r\nCyclopsBlink\r\n2022-04-07 ⋅ InQuest ⋅ Nick Chalard, Will MacArthur\r\nUkraine CyberWar Overview\r\nCyclopsBlink Cobalt Strike GraphSteel GrimPlant HermeticWiper HermeticWizard MicroBackdoor\r\nPartyTicket Saint Bot Scieron WhisperGate\r\n2022-04-06 ⋅ Bleeping Computer ⋅ Sergiu Gatlan\r\nUS disrupts Russian Cyclops Blink botnet before being used in attacks\r\nCyclopsBlink\r\n2022-04-06 ⋅ US Department of Justice ⋅ Department of Justice\r\nAttorney General Merrick B. 
Garland Announces Enforcement Actions to Disrupt and Prosecute Russian\r\nCriminal Activity (video)\r\nCyclopsBlink\r\n2022-04-06 ⋅ US Department of Justice ⋅ Department of Justice\r\nEDCA Search Warrant Package (CyclopsBlink)\r\nCyclopsBlink\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/elf.cyclops_blink\r\nPage 1 of 3\n\n2022-04-06 ⋅ US Department of Justice ⋅ Department of Justice\r\nJustice Department Announces Court-Authorized Disruption of Botnet Controlled by the Russian Federation’s\r\nMain Intelligence Directorate (GRU)\r\nCyclopsBlink\r\n2022-03-21 ⋅ Github (trendmicro) ⋅ Trend Micro Research\r\nPython script to check a Cyclops Blink C\u0026C\r\nCyclopsBlink\r\n2022-03-18 ⋅ The Register ⋅ Jessica Lyons Hardcastle\r\nCyclops Blink malware sets up shop in ASUS routers\r\nCyclopsBlink\r\n2022-03-17 ⋅ Trendmicro ⋅ Feike Hacquebord, Fernando Mercês, Stephen Hilt\r\nCyclops Blink Sets Sights on Asus Routers\r\nCyclopsBlink\r\n2022-03-17 ⋅ Trendmicro ⋅ Feike Hacquebord, Fernando Mercês, Stephen Hilt\r\nCyclops Blink Sets Sights on Asus Routers (Appendix)\r\nCyclopsBlink\r\n2022-03-17 ⋅ Bleeping Computer ⋅ Bill Toulas\r\nASUS warns of Cyclops Blink malware attacks targeting routers\r\nCyclopsBlink\r\n2022-02-23 ⋅ CISA ⋅ CISA\r\nAlert (AA22-054A) New Sandworm Malware Cyclops Blink Replaces VPNFilter\r\nCyclopsBlink VPNFilter\r\n2022-02-23 ⋅ The Shadowserver Foundation ⋅ Shadowserver Foundation\r\nShadowserver Special Reports – Cyclops Blink\r\nCyclopsBlink\r\n2017-05-31 ⋅ MITRE ⋅ MITRE ATT\u0026CK\r\nSandworm Team\r\nCyclopsBlink Exaramel BlackEnergy EternalPetya Exaramel GreyEnergy KillDisk MimiKatz Olympic\r\nDestroyer Sandworm\r\nYara Rules\r\n[TLP:WHITE] elf_cyclops_blink_w0 (20220316 | Detects notable strings identified within the Cyclops\r\nBlink executable)\r\nSource: 
https://malpedia.caad.fkie.fraunhofer.de/details/elf.cyclops_blink",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://malpedia.caad.fkie.fraunhofer.de/details/elf.cyclops_blink"
	],
	"report_names": [
		"elf.cyclops_blink"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "4d9cdc7f-72d6-4e17-89d8-f6323bfcaebb",
			"created_at": "2023-01-06T13:46:38.82716Z",
			"updated_at": "2026-04-10T02:00:03.113893Z",
			"deleted_at": null,
			"main_name": "GreyEnergy",
			"aliases": [],
			"source_name": "MISPGALAXY:GreyEnergy",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7bd810cb-d674-4763-86eb-2cc182d24ea0",
			"created_at": "2022-10-25T16:07:24.1537Z",
			"updated_at": "2026-04-10T02:00:04.883793Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"APT 44",
				"ATK 14",
				"BE2",
				"Blue Echidna",
				"CTG-7263",
				"FROZENBARENTS",
				"G0034",
				"Grey Tornado",
				"IRIDIUM",
				"Iron Viking",
				"Quedagh",
				"Razing Ursa",
				"Sandworm",
				"Sandworm Team",
				"Seashell Blizzard",
				"TEMP.Noble",
				"UAC-0082",
				"UAC-0113",
				"UAC-0125",
				"UAC-0133",
				"Voodoo Bear"
			],
			"source_name": "ETDA:Sandworm Team",
			"tools": [
				"AWFULSHRED",
				"ArguePatch",
				"BIASBOAT",
				"Black Energy",
				"BlackEnergy",
				"CaddyWiper",
				"Colibri Loader",
				"Cyclops Blink",
				"CyclopsBlink",
				"DCRat",
				"DarkCrystal RAT",
				"Fobushell",
				"GOSSIPFLOW",
				"Gcat",
				"IcyWell",
				"Industroyer2",
				"JaguarBlade",
				"JuicyPotato",
				"Kapeka",
				"KillDisk.NCX",
				"LOADGRIP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"ORCSHRED",
				"P.A.S.",
				"PassKillDisk",
				"Pitvotnacci",
				"PsList",
				"QUEUESEED",
				"RansomBoggs",
				"RottenPotato",
				"SOLOSHRED",
				"SwiftSlicer",
				"VPNFilter",
				"Warzone",
				"Warzone RAT",
				"Weevly"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434876,
	"ts_updated_at": 1775792229,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1a4eaee10e03b083d1e565e57ba6c8f4099ef3d3.pdf",
		"text": "https://archive.orkl.eu/1a4eaee10e03b083d1e565e57ba6c8f4099ef3d3.txt",
		"img": "https://archive.orkl.eu/1a4eaee10e03b083d1e565e57ba6c8f4099ef3d3.jpg"
	}
}