{
	"id": "f6372f03-2810-4553-b39d-bb2b416a0943",
	"created_at": "2026-04-06T02:12:18.355031Z",
	"updated_at": "2026-04-10T03:21:20.247967Z",
	"deleted_at": null,
	"sha1_hash": "20a9c90766223021fad4072602e5be6fe2555285",
	"title": "Threat Advisory: Cyclops Blink",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 91176,
	"plain_text": "Threat Advisory: Cyclops Blink\r\nBy Cisco Talos\r\nPublished: 2022-02-24 · Archived: 2026-04-06 02:09:14 UTC\r\nThursday, February 24, 2022 15:01\r\nUpdate Mar. 17, 2022\r\nToday, Asus released a product security advisory listing their products affected by Cyclops Blink. While the\r\ninvestigation is currently ongoing, this advisory provides guidance on taking necessary precautions via a checklist\r\nfor the affected product versions.\r\nUpdate Feb. 25, 2022\r\nIn our ongoing research into activity surrounding Ukraine, and in cooperation with Cisco Duo data scientists, Talos\r\ndiscovered compromised MikroTik routers inside of Ukraine being leveraged to conduct brute force attacks on\r\ndevices protected by multi-factor authentication. This continues a pattern we have seen since our investigation into\r\nVPNFilter involving actors using MikroTik routers. While it may not be Cyclops Blink specifically -- we can't\r\nknow without a forensic investigation -- it was yet another MikroTik router passing malicious traffic, a vendor\r\nwidely abused by VPNFilter in the past.\r\nCisco Talos is aware of the recent reporting around a new modular malware family, Cyclops Blink, that targets\r\nsmall and home office (SOHO) devices, similar to previously observed threats like VPNFilter. This malware is\r\ndesigned to run on Linux systems and is compiled specifically for 32-bit PowerPC architecture. The modular\r\nnature of this malware allows it to be used in a variety of ways, including typical reconnaissance and espionage\r\nactivity. It leverages modules to facilitate various operations such as establishment of C2, file upload/download\r\nand information extraction capabilities.\r\nDetails of modular Cyclops Blink malware\r\nCyclops Blink is a Linux ELF executable compiled for 32-bit PowerPC architecture that has targeted SOHO\r\nnetwork devices since at least June 2019. 
The complete list of targeted devices is unknown at this time, but\r\nWatchGuard FireBox has specifically been listed as a target. The modular malware consists of core components\r\nand modules that are deployed as child processes using the Linux API fork. At this point, four modules have been\r\nidentified that download and upload files, gather system information and contain updating mechanisms for the\r\nmalware itself. Additional modules can be downloaded and executed from the command and control (C2) server.\r\nThe core component has a variety of functionality. Initially, it confirms that it's running as a process named\r\n'kworker[0:1]' which allows it to masquerade as a kernel process. If that is not the case, it will reload itself as that\r\nprocess name and kill the parent process. The core component then adjusts the iptables to allow additional access\r\nhttp://blog.talosintelligence.com/2022/02/threat-advisory-cyclops-blink.html\r\nPage 1 of 4\n\nvia a set of hard-coded ports that are used for C2 communication. The C2 communication is conducted through\r\nmultiple layers of encryption including a TLS tunnel with individual commands encrypted using AES-256-CBC.\r\nModule details\r\nThe four known modules perform a variety of functions and tasks associated with initial access and\r\nreconnaissance. This could be the basis to deploy additional modules, but at this point, we cannot confirm any\r\nadditional modules.\r\nThe system reconnaissance module (ID 0x8) is designed to gather various pieces of information from the system\r\nat regular intervals, initially set to occur every 10 minutes.\r\nThe file upload/download module (ID 0xf) is designed to upload and download files. These instructions are sent\r\nby the core component and can include downloads from URLs or uploads of files to C2 servers.\r\nThe C2 server list module (ID 0x39) is used to store and/or update the list of IP addresses used for C2 activity. 
The\r\nlist is loaded and passed to the core component and when updates are received from the core component it is\r\npassed into this module to be updated.\r\nThe Update/Persistence module (ID 0x51) installs updates to Cyclops Blink or ensures its persistence on the\r\nsystem. The update process leverages the firmware update process on the device. The persistence is handled via a\r\nsubprocess to this module and involves overwriting legitimate executables with modified versions allowing the\r\nfirmware update process to be manipulated to update Cyclops Blink.\r\nComplete details on the modules and core components can be found in NCSC's report.\r\nCoverage\r\nWays our customers can detect and block this threat are listed below.\r\nCisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware\r\ndetailed in this post. Try Secure Endpoint for free here.\r\nCisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in\r\nthese attacks.\r\nCisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of\r\ntheir campaign. 
You can try Secure Email for free here.\r\nCisco Secure Malware Analytics (formerly Threat Grid) identifies malicious binaries and builds protection into all\r\nCisco Secure products.\r\nCisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Firepower\r\nThreat Defense (FTD), Firepower Device Manager (FDM), Threat Defense Virtual, Adaptive Security Appliance\r\ncan detect malicious activity associated with this threat.\r\nCisco Secure Network/Cloud Analytics (Stealthwatch/Stealthwatch Cloud) analyzes network traffic automatically\r\nand alerts users of potentially unwanted activity on every connected device.\r\nMeraki MX appliances can detect malicious activity associated with this threat.\r\nUmbrella, Secure Internet Gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs,\r\nwhether users are on or off the corporate network. Sign up for a free trial of Umbrella here.\r\nAdditional protections with context to your specific environment and threat data are available from the Firewall\r\nManagement Center.\r\nOrbital Queries\r\nCisco Secure Endpoint users can use Orbital Advanced Search to run complex OSqueries to see if their endpoints\r\nare infected with this specific threat. 
For specific OSqueries on this threat, click here.\r\nSnort SIDs: 59095-59098\r\nThe following ClamAV signatures are available for protection against this threat:\r\nUnix.Backdoor.CyclopsBlink\r\nUmbrella SIG customers will be protected from this threat if configured to leverage IPS or Malware Analytics\r\ncapabilities.\r\nIOCs\r\n50df5734dd0c6c5983c21278f119527f9fdf6ef1d7e808a29754ebc5253e9a86\r\nc082a9117294fa4880d75a2625cf80f63c8bb159b54a7151553969541ac35862\r\n4e69bbb61329ace36fbe62f9fb6ca49c37e2e5a5293545c44d155641934e39d1\r\nff17ccd8c96059461710711fcc8372cfea5f0f9eb566ceb6ab709ea871190dc6\r\nSource: http://blog.talosintelligence.com/2022/02/threat-advisory-cyclops-blink.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"http://blog.talosintelligence.com/2022/02/threat-advisory-cyclops-blink.html"
	],
	"report_names": [
		"threat-advisory-cyclops-blink.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775441538,
	"ts_updated_at": 1775791280,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/20a9c90766223021fad4072602e5be6fe2555285.pdf",
		"text": "https://archive.orkl.eu/20a9c90766223021fad4072602e5be6fe2555285.txt",
		"img": "https://archive.orkl.eu/20a9c90766223021fad4072602e5be6fe2555285.jpg"
	}
}