Cyclops Blink - Threat Group Cards: A Threat Actor Encyclopedia
Archived: 2026-04-05 15:10:58 UTC
Home > List all groups > List all tools > List all groups using tool Cyclops Blink
 Tool: Cyclops Blink
Names
Cyclops Blink
CyclopsBlink
Category Malware
Type Reconnaissance, Backdoor, Downloader, Info stealer, Exfiltration, Botnet
Description
(CISA) The NCSC, CISA, the FBI, and NSA, along with industry partners, have now
identified a large-scale modular malware framework (T1129) which is targeting network
devices. The new malware is referred to here as Cyclops Blink and has been deployed
since at least June 2019, fourteen months after VPNFilter was disrupted. In common
with VPNFilter, Cyclops Blink deployment also appears indiscriminate and widespread.
The actor has so far primarily deployed Cyclops Blink to WatchGuard devices, but it is
likely that Sandworm would be capable of compiling the malware for other architectures
and firmware.
Information
MITRE ATT&CK Malpedia Last change to this tool card: 30 December 2022
Download this tool card in JSON format
All groups using tool Cyclops Blink
Changed Name Country Observed
https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=c097a8f7-313e-4d79-94b1-1f09d3013be7
Page 1 of 2

APT groups
  Sandworm Team, Iron Viking, Voodoo Bear 2009-Dec 2024
1 group listed (1 APT, 0 other, 0 unknown)
Source: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=c097a8f7-313e-4d79-94b1-1f09d3013be7
https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=c097a8f7-313e-4d79-94b1-1f09d3013be7
Page 2 of 2