{
	"id": "c4ac67e0-fc65-45fe-a1b0-63249f2f5483",
	"created_at": "2026-04-06T00:11:50.201459Z",
	"updated_at": "2026-04-10T13:12:08.9414Z",
	"deleted_at": null,
	"sha1_hash": "2fa109a1bb490349daadd8147a09031316bcc51b",
	"title": "Cyclops Blink malware sets up shop in ASUS routers",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 39302,
	"plain_text": "Cyclops Blink malware sets up shop in ASUS routers\r\nBy Jessica Lyons\r\nPublished: 2022-03-18 · Archived: 2026-04-02 11:38:22 UTC\r\nCyclops Blink malware has infected ASUS routers in what Trend Micro says looks like an attempt to turn these\r\ncompromised devices into command-and-control servers for future attacks.\r\nASUS says it's working on a remediation for Cyclops Blink and will post software updates if necessary. The\r\nhardware maker recommends users reset their gateways to factory settings to flush away any configurations added\r\nby an intruder, change the login password, make sure remote management access from the WAN is disabled, and\r\nensure the latest firmware is installed to be safe.\r\nCyclops Blink has ties to Kremlin-backed Sandworm, the criminal gang behind the nasty VPNFilter malware that\r\nin 2018 targeted routers and storage devices. The crew also carried out several high-profile attacks including the\r\n2015 and 2016 cyber-assaults on Ukraine's electrical grid, NotPetya in 2017, and the French presidential campaign\r\nemail leak that same year.\r\nA Trend Micro warning about the router hijackings follows a joint advisory last month from the FBI, CISA, the\r\nUS Department of Justice, and the UK National Cyber Security Centre about Cyclops Blink, which the agencies\r\nsaid looked to be Sandworm's replacement for VPNFilter. At the time, the botnet had its sights set on WatchGuard\r\nfirewall appliances.\r\n\"Our data also shows that although Cyclops Blink is a state-sponsored botnet, its C\u0026C servers and bots affect\r\nWatchGuard Firebox and Asus devices that do not belong to critical organizations, or those that have an evident\r\nvalue on economic, political, or military espionage,\" Trend Micro said. \"Hence, we believe that it is possible that\r\nthe Cyclops Blink botnet's main purpose is to build an infrastructure for further attacks on high-value targets.\"\r\nAnd while Cyclops Blink has infected routers from these two hardware providers, \"we have evidence that the\r\nrouters of at least one vendor other than Asus and WatchGuard are connecting to Cyclops Blink C\u0026Cs as well, but\r\nso far we have been unable to collect malware samples for this router brand,\" the security shop said.\r\nIt's not clear exactly right now how the malware gets onto a device, though it probably involves exploiting a\r\ndefault admin password to gain access via an enabled remote management service. According to Trend Micro's\r\nCyclops Blink technical analysis, once the modular malware, written in C, has been injected into the gateway and\r\nis running, it sets itself up and renames its process to \"[ktest]\" presumably to appear as a Linux kernel thread.\r\nhttps://www.theregister.com/2022/03/18/cyclops_asus_routers/\r\nPage 1 of 2\n\nNext, it waits for 37 seconds and decides on the hard-coded command-and-control (C2) server to talk to along\r\nwith the rate at which it communicates with the box. Then it begins communicating with its C2 server using an\r\nOpenSSL-encrypted channel to join the Cyclops Blink botnet. Among the commands it can receive, the\r\ncompromised router can be given more malware to run, allowing the botnet's controllers to do whatever they like\r\non the hijacked gateways. ®\r\nSource: https://www.theregister.com/2022/03/18/cyclops_asus_routers/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.theregister.com/2022/03/18/cyclops_asus_routers/"
	],
	"report_names": [
		"cyclops_asus_routers"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7bd810cb-d674-4763-86eb-2cc182d24ea0",
			"created_at": "2022-10-25T16:07:24.1537Z",
			"updated_at": "2026-04-10T02:00:04.883793Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"APT 44",
				"ATK 14",
				"BE2",
				"Blue Echidna",
				"CTG-7263",
				"FROZENBARENTS",
				"G0034",
				"Grey Tornado",
				"IRIDIUM",
				"Iron Viking",
				"Quedagh",
				"Razing Ursa",
				"Sandworm",
				"Sandworm Team",
				"Seashell Blizzard",
				"TEMP.Noble",
				"UAC-0082",
				"UAC-0113",
				"UAC-0125",
				"UAC-0133",
				"Voodoo Bear"
			],
			"source_name": "ETDA:Sandworm Team",
			"tools": [
				"AWFULSHRED",
				"ArguePatch",
				"BIASBOAT",
				"Black Energy",
				"BlackEnergy",
				"CaddyWiper",
				"Colibri Loader",
				"Cyclops Blink",
				"CyclopsBlink",
				"DCRat",
				"DarkCrystal RAT",
				"Fobushell",
				"GOSSIPFLOW",
				"Gcat",
				"IcyWell",
				"Industroyer2",
				"JaguarBlade",
				"JuicyPotato",
				"Kapeka",
				"KillDisk.NCX",
				"LOADGRIP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"ORCSHRED",
				"P.A.S.",
				"PassKillDisk",
				"Pitvotnacci",
				"PsList",
				"QUEUESEED",
				"RansomBoggs",
				"RottenPotato",
				"SOLOSHRED",
				"SwiftSlicer",
				"VPNFilter",
				"Warzone",
				"Warzone RAT",
				"Weevly"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434310,
	"ts_updated_at": 1775826728,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2fa109a1bb490349daadd8147a09031316bcc51b.pdf",
		"text": "https://archive.orkl.eu/2fa109a1bb490349daadd8147a09031316bcc51b.txt",
		"img": "https://archive.orkl.eu/2fa109a1bb490349daadd8147a09031316bcc51b.jpg"
	}
}