{
	"id": "8829a9bd-9aa6-4cf2-af43-9aa51814a936",
	"created_at": "2026-04-06T00:14:20.149806Z",
	"updated_at": "2026-04-10T13:11:31.737126Z",
	"deleted_at": null,
	"sha1_hash": "4184308575726d6c4c1e316bbeab7f91b7c3e9a0",
	"title": "VPNFilter: New Router Malware with Destructive Capabilities",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 81061,
	"plain_text": "VPNFilter: New Router Malware with Destructive Capabilities\r\nArchived: 2026-04-05 23:14:21 UTC\r\nUPDATE: September 26, 2018:\r\nThis blog has been updated to include new information that was released by Cisco Talos on seven new Stage 3\r\nmodules. For further details see below.\r\nUPDATE: June 6, 2018:\r\nThis blog has been updated to include new information that was released by Cisco Talos. This includes an\r\nexpanded list of vulnerable devices and details on a newly discovered Stage 3 module known as “ssler” which\r\ncould permit the attackers to perform man-in-the-middle (MitM) attacks on traffic going through vulnerable\r\nrouters and allow them to intercept web traffic and insert malicious code into it. For further details see below.\r\nA new threat which targets a range of routers and network-attached storage (NAS) devices is capable of knocking\r\nout infected devices by rendering them unusable. The malware, known as VPNFilter, is unlike most other IoT\r\nthreats because it is capable of maintaining a persistent presence on an infected device, even after a reboot.\r\nVPNFilter has a range of capabilities including spying on traffic being routed through the device. Its creators\r\nappear to have a particular interest in SCADA industrial control systems, creating a module which specifically\r\nintercepts Modbus SCADA communications.\r\nAccording to new research from Cisco Talos, activity surrounding the malware has stepped up in recent weeks and\r\nthe attackers appear to be particularly interested in targets in Ukraine. 
While VPNFilter has spread widely, data\r\nfrom Symantec's honeypots and sensors indicate that, unlike other IoT threats such as Mirai, it does not appear to\r\nbe scanning and indiscriminately attempting to infect every vulnerable device globally.\r\nQ: What devices are known to be affected by VPNFilter?\r\nA: To date, VPNFilter is known to be capable of infecting enterprise and small office/home office routers from\r\nAsus, D-Link, Huawei, Linksys, MikroTik, Netgear, TP-Link, Ubiquiti, Upvel, and ZTE, as well as QNAP\r\nnetwork-attached storage (NAS) devices. These include:\r\n\r\nAsus RT-AC66U\r\nAsus RT-N10\r\nAsus RT-N10E\r\nAsus RT-N10U\r\nAsus RT-N56U\r\nAsus RT-N66U\r\nD-Link DES-1210-08P\r\nD-Link DIR-300\r\nhttps://www.symantec.com/blogs/threat-intelligence/vpnfilter-iot-malware\r\nPage 1 of 5\n\nD-Link DIR-300A\r\nD-Link DSR-250N\r\nD-Link DSR-500N\r\nD-Link DSR-1000\r\nD-Link DSR-1000N\r\nHuawei HG8245\r\nLinksys E1200\r\nLinksys E2500\r\nLinksys E3000\r\nLinksys E3200\r\nLinksys E4200\r\nLinksys RV082\r\nLinksys WRVS4400N\r\nMikroTik CCR1009\r\nMikroTik CCR1016\r\nMikroTik CCR1036\r\nMikroTik CCR1072\r\nMikroTik CRS109\r\nMikroTik CRS112\r\nMikroTik CRS125\r\nMikroTik RB411\r\nMikroTik RB450\r\nMikroTik RB750\r\nMikroTik RB911\r\nMikroTik RB921\r\nMikroTik RB941\r\nMikroTik RB951\r\nMikroTik RB952\r\nMikroTik RB960\r\nMikroTik RB962\r\nMikroTik RB1100\r\nMikroTik RB1200\r\nMikroTik RB2011\r\nMikroTik RB3011\r\nMikroTik RB Groove\r\nMikroTik RB Omnitik\r\nMikroTik STX5\r\nNetgear DG834\r\nNetgear DGN1000\r\nNetgear DGN2200\r\nNetgear DGN3500\r\nNetgear FVS318N\r\nNetgear MBRN3000\r\nNetgear R6400\r\nNetgear R7000\r\nNetgear R8000\r\nNetgear WNR1000\r\nNetgear WNR2000\r\nNetgear WNR2200\r\nNetgear WNR4000\r\nNetgear WNDR3700\r\nNetgear WNDR4000\r\nNetgear WNDR4300\r\nNetgear WNDR4300-TN\r\nNetgear UTM50\r\nQNAP TS251\r\nQNAP TS439 Pro\r\nOther QNAP NAS devices running QTS software\r\nTP-Link R600VPN\r\nTP-Link TL-WR741ND\r\nTP-Link TL-WR841N\r\nUbiquiti NSM2\r\nUbiquiti PBE M5\r\nUpvel devices (unknown models)\r\nZTE ZXHN H108N\r\nQ: How does VPNFilter infect affected devices?\r\nA: Most of the devices targeted are known to use default credentials and/or have known exploits, particularly for\r\nolder versions. There is no indication at present that the exploitation of zero-day vulnerabilities is involved in spreading\r\nthe threat.\r\nQ: What does VPNFilter do to an infected device?\r\nA: VPNFilter is a multi-staged piece of malware. Stage 1 is installed first; it maintains a persistent\r\npresence on the infected device and contacts a command and control (C\u0026C) server to download further\r\nmodules.\r\nStage 2 contains the main payload and is capable of file collection, command execution, data exfiltration, and\r\ndevice management. It also has a destructive capability and can effectively “brick” the device if it receives a\r\ncommand from the attackers. It does this by overwriting a section of the device’s firmware and rebooting,\r\nrendering it unusable.\r\nThere are several known Stage 3 modules, which act as plugins for Stage 2. These include a packet sniffer for\r\nspying on traffic that is routed through the device, including theft of website credentials and monitoring of\r\nModbus SCADA protocols. Another Stage 3 module allows Stage 2 to communicate using Tor.\r\nA newly discovered (disclosed on June 6) Stage 3 module known as “ssler” is capable of intercepting all traffic\r\ngoing through the device via port 80, meaning the attackers can snoop on web traffic and also tamper with it to\r\nperform man-in-the-middle (MitM) attacks. 
Among its features is the capability to change HTTPS requests to\r\nordinary HTTP requests, meaning data that is meant to be encrypted is sent insecurely. This can be used to harvest\r\ncredentials and other sensitive information from the victim’s network. The discovery of this module is significant\r\nsince it provides the attackers with a means of moving beyond the router and on to the victim’s network.\r\nA fourth Stage 3 module known as “dstr” (disclosed on June 6) adds a kill command to any Stage 2 module which\r\nlacks this feature. If executed, dstr will remove all traces of VPNFilter before bricking the device.\r\nDetails on seven more Stage 3 modules were released on September 26, 2018. These include:\r\n“htpx”: Similar to ssler, it redirects and inspects all HTTP traffic transmitted through the infected device to\r\nidentify and log any Windows executables. This may be used to Trojanize executables as they pass through\r\ninfected routers, providing attackers with a way of installing malware on computers connected to the same\r\nnetwork.\r\n“ndbr”: A multi-function SSH tool.\r\n“nm”: A network mapping tool which can be used to scan and map the local subnet.\r\n“netfilter”: A denial of service utility which may be used to block access to some encrypted applications.\r\n“portforwarding”: Module which forwards network traffic to attacker-specified infrastructure.\r\n“socks5proxy”: Module to enable establishment of a SOCKS5 proxy on compromised devices.\r\n“tcpvpn”: Allows establishment of a Reverse-TCP VPN on compromised devices, enabling a remote attacker to\r\naccess internal networks behind infected devices.\r\nQ: What should I do if I’m concerned my router is infected?\r\nA: Concerned users are advised to use Symantec's free online tool to help check if their router is impacted by\r\nVPNFilter. 
This also includes instructions on what to do if the router is infected.\r\nQ: What do the attackers intend to do with VPNFilter’s destructive capability?\r\nA: This is currently unknown. One possibility is using it for disruptive purposes, by bricking a large number of\r\ninfected devices. Another possibility is more selective use to cover up evidence of attacks.\r\nQ: Do Symantec/Norton products (Win/Mac/NMS) protect against this threat?\r\nA: Symantec and Norton products detect the threat as Linux.VPNFilter.\r\nAcknowledgement: Symantec wishes to thank Cisco Talos and the Cyber Threat Alliance for sharing information\r\non this threat in advance of publication.\r\nUPDATE: Netgear is advising customers that, in addition to applying the latest firmware updates and changing\r\ndefault passwords, users should ensure that remote management is turned off on their router. Remote management\r\nis turned off by default and can only be turned on using the router's advanced settings. To turn it off, they should\r\ngo to www.routerlogin.net in their browser and log in using their admin credentials. From there, they should click\r\n\"Advanced\" followed by \"Remote Management\". If the check box for \"Turn Remote Management On\" is selected,\r\nclear it and click \"Apply\" to save changes.\r\nUPDATE May 24, 2018: The FBI has announced that it has taken immediate action to disrupt VPNFilter,\r\nsecuring a court order authorizing it to seize a domain that is part of the malware's C\u0026C infrastructure.\r\nMeanwhile, Linksys is advising customers to change administration passwords periodically and ensure software is\r\nregularly updated. If they believe they have been infected, a factory reset of their router is recommended. 
Full\r\ninstructions can be found here.\r\nMikroTik has said that it is highly certain that any of its devices infected by VPNFilter had the malware installed\r\nthrough a vulnerability in MikroTik RouterOS software, which was patched by MikroTik in March 2017.\r\nUpgrading RouterOS software deletes VPNFilter and any other third-party files, and patches the vulnerability.\r\nUPDATE May 25, 2018: QNAP has published a security advisory on VPNFilter. It contains guidance on how to\r\nuse the company’s malware removal tool to remove any infections.\r\nSource: https://www.symantec.com/blogs/threat-intelligence/vpnfilter-iot-malware",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.symantec.com/blogs/threat-intelligence/vpnfilter-iot-malware"
	],
	"report_names": [
		"vpnfilter-iot-malware"
	],
	"threat_actors": [],
	"ts_created_at": 1775434460,
	"ts_updated_at": 1775826691,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4184308575726d6c4c1e316bbeab7f91b7c3e9a0.pdf",
		"text": "https://archive.orkl.eu/4184308575726d6c4c1e316bbeab7f91b7c3e9a0.txt",
		"img": "https://archive.orkl.eu/4184308575726d6c4c1e316bbeab7f91b7c3e9a0.jpg"
	}
}