{ "id": "7593d2fb-918b-4c6b-b127-b4d801bbefab", "created_at": "2026-04-06T00:08:19.157093Z", "updated_at": "2026-04-10T03:37:08.970771Z", "deleted_at": null, "sha1_hash": "5091f86c4c4e0353088b04fabbb78e7c111dd68c", "title": "New Sandworm Malware Cyclops Blink Replaces VPNFilter | CISA", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 103777, "plain_text": "New Sandworm Malware Cyclops Blink Replaces VPNFilter |\r\nCISA\r\nPublished: 2022-02-23 · Archived: 2026-04-05 13:07:25 UTC\r\nSummary\r\nThe Sandworm actor, which the United Kingdom and the United States have previously attributed to the Russian\r\nGRU, has replaced the exposed VPNFilter malware with a new more advanced framework.\r\nThe United Kingdom's (UK) National Cyber Security Centre (NCSC), the Cybersecurity and Infrastructure\r\nSecurity Agency (CISA), the National Security Agency (NSA), and the Federal Bureau of Investigation (FBI) in\r\nthe U.S. have identified that the actor known as Sandworm or Voodoo Bear is using a new malware, referred to\r\nhere as Cyclops Blink. The NCSC, CISA, and the FBI have previously attributed the Sandworm actor to the\r\nRussian General Staff Main Intelligence Directorate’s Russian (GRU’s) Main Centre for Special Technologies\r\n(GTsST). The malicious cyber activity below has previously been attributed to Sandworm:\r\nThe BlackEnergy disruption of Ukrainian electricity in 2015\r\nIndustroyer in 2016\r\nNotPetya in 2017\r\nAttacks against the Winter Olympics and Paralympics in 2018  \r\nA series of disruptive attacks against Georgia in 2019\r\nCyclops Blink appears to be a replacement framework for the VPNFilter malware exposed in 2018, and which\r\nexploited network devices, primarily small office/home office (SOHO) routers and network attached storage\r\n(NAS) devices.\r\nThis advisory summarizes the VPNFilter malware it replaces, and provides more detail on Cyclops Blink, as well\r\nas the associated tactics, techniques and procedures (TTPs) used by Sandworm. An NCSC malware analysis report\r\non Cyclops Blink is also available.\r\nIt also provides mitigation measures to help organizations defend against malware.\r\nClick here for a PDF version of this report.\r\nTechnical Details\r\nVPNFilter\r\nThe malware was first exposed in 2018\r\nA series of articles published by Cisco Talos in 2018 describes VPNFilter and its modules in detail. VPNFilter\r\nwas deployed in stages, with most functionality in the third-stage modules. These modules enabled traffic\r\nhttps://www.cisa.gov/uscert/ncas/alerts/aa22-054a\r\nPage 1 of 7\n\nmanipulation, destruction of the infected host device, and likely enabled downstream devices to be exploited.\r\nThey also allowed monitoring of Modbus SCADA protocols, which appears to be an ongoing requirement for\r\nSandworm, as also seen in their previous attacks against ICS networks.\r\nVPNFilter targeting was widespread and appeared indiscriminate, with some exceptions: Cisco Talos reported an\r\nincrease of victims in Ukraine in May 2018. Sandworm also deployed VPNFilter against targets in the Republic of\r\nKorea before the 2018 Winter Olympics. \r\nIn May 2018, Cisco Talos published the blog that exposed VPNFilter and the U.S. Department of Justice linked\r\nthe activity to Sandworm and announced efforts to disrupt the botnet.\r\nActivity since its exposure \r\nA Trendmicro blog in January 2021 detailed residual VPNFilter infections and provided data which showed that\r\nalthough there had been a reduction in requests to a known C2 domain, there was still more than a third of the\r\noriginal number of first-stage infections.\r\nSandworm has since shown limited interest in existing VPNFilter footholds, instead preferring to retool.\r\nCyclops Blink\r\nActive since 2019\r\nThe NCSC, CISA, the FBI, and NSA, along with industry partners, have now identified a large-scale modular\r\nmalware framework (T1129 ) which is targeting network devices. The new malware is referred to here\r\nas Cyclops Blink and has been deployed since at least June 2019, fourteen months after VPNFilter was disrupted.\r\nIn common with VPNFilter, Cyclops Blink deployment also appears indiscriminate and widespread.\r\nThe actor has so far primarily deployed Cyclops Blink to WatchGuard devices, but it is likely that Sandworm\r\nwould be capable of compiling the malware for other architectures and firmware.\r\nNote: Note that only WatchGuard devices that were reconfigured from the manufacturer default settings to open\r\nremote management interfaces to external access could be infected\r\nMalware overview \r\nThe malware itself is sophisticated and modular with basic core functionality to beacon (T1132.002 ) device\r\ninformation back to a server and enable files to be downloaded and executed. There is also functionality to add\r\nnew modules while the malware is running, which allows Sandworm to implement additional capability as\r\nrequired.\r\nThe NCSC has published a malware analysis report on Cyclops Blink which provides more detail about the\r\nmalware.\r\nPost exploitation \r\nhttps://www.cisa.gov/uscert/ncas/alerts/aa22-054a\r\nPage 2 of 7\n\nPost exploitation, Cyclops Blink is generally deployed as part of a firmware ‘update’ (T1542.001 ). This\r\nachieves persistence when the device is rebooted and makes remediation harder.\r\nVictim devices are organized into clusters and each deployment of Cyclops Blink has a list of command and\r\ncontrol (C2) IP addresses and ports that it uses (T1008 ). All the known C2 IP addresses to date have been used\r\nby compromised WatchGuard firewall devices. Communications between Cyclops Blink clients and servers are\r\nprotected under Transport Layer Security (TLS) (T1071.001 ), using individually generated keys and\r\ncertificates. Sandworm manages Cyclops Blink by connecting to the C2 layer through the Tor network.\r\nMitigations\r\nCyclops Blink persists on reboot and throughout the legitimate firmware update process. Affected organizations\r\nshould therefore take steps to remove the malware. \r\nWatchGuard has worked closely with the FBI, CISA, NSA and the NCSC, and has provided tooling and guidance\r\nto enable detection and removal of Cyclops Blink on WatchGuard devices through a non-standard upgrade\r\nprocess. Device owners should follow each step in these instructions to ensure that devices are patched to the\r\nlatest version and that any infection is removed.\r\nThe tooling and guidance from WatchGuard can be found at: https://detection.watchguard.com/ .\r\nIn addition:\r\nIf your device is identified as infected with Cyclops Blink, you should assume that any passwords present\r\non the device have been compromised and replace them (see NCSC password guidance for\r\norganizations.\r\nYou should ensure that the management interface of network devices is not exposed to the internet.\r\nIndicators of Compromise\r\nPlease refer to the accompanying Cyclops Blink malware analysis report  for indicators of compromise which\r\nmay help detect this activity. \r\nMITRE ATT\u0026CK®\r\nThis advisory has been compiled with respect to the MITRE ATT\u0026CK® framework, a globally accessible\r\nknowledge base of adversary tactics and techniques based on real-world observations.\r\nTactic Technique Procedure\r\nInitial Access T1133\r\nExternal Remote Services\r\nThe actors most likely deploy modified device firmware images by\r\nexploiting an externally available service\r\nhttps://www.cisa.gov/uscert/ncas/alerts/aa22-054a\r\nPage 3 of 7\n\nExecution T1059.004\r\nCommand and Scripting Interpreter: Unix Shell\r\nCyclops Blink executes downloaded files using the Linux API\r\nPersistence\r\nT1542.001\r\nPre-OS Boot: System Firmware\r\nCyclops Blink is deployed within a modified device firmware image\r\nT1037.004\r\nBoot or Logon Initialization Scripts: RC Scripts\r\nCyclops Blink is executed on device startup, using a modified RC script\r\nDefense Evasion T1562.004\r\nImpair Defenses: Disable or Modify System Firewall\r\nCyclops Blink modifies the Linux system firewall to enable C2\r\ncommunication\r\n  T1036.005\r\nMasquerading: Match Legitimate Name or Location\r\nCyclops Blink masquerades as a Linux kernel thread process\r\nDiscovery T1082\r\nSystem Information Discovery\r\nCyclops Blink regularly queries device information\r\nCommand and\r\nControl\r\nT1090 Proxy\r\nT1132.002\r\nData Encoding: Non-Standard Encoding\r\nCyclops Blink command messages use a custom binary scheme to encode\r\ndata\r\nT1008\r\nFallback Channels\r\nCyclops Blink randomly selects a C2 server from contained lists of IPv4\r\naddresses and port numbers\r\nhttps://www.cisa.gov/uscert/ncas/alerts/aa22-054a\r\nPage 4 of 7\n\nT1071.001\r\nApplication Layer Protocol: Web Protocols\r\nCyclops Blink can download files via HTTP or HTTPS\r\nT1573.002\r\nEncrypted Channel: Asymmetric Cryptography\r\nCyclops Blink C2 messages are individually encrypted using AES-256-\r\nCBC and sent underneath TLS\r\nT1571\r\nNon-Standard Port\r\nThe list of port numbers used by Cyclops Blink includes non-standard\r\nports not typically associated with HTTP or HTTPS traffic\r\nExfiltration T1041\r\nExfiltration Over C2 Channel\r\nCyclops Blink can upload files to a C2 server\r\nA Cyclops Blink infection does not mean that an organization is the primary target, but it may be selected to be, or\r\nits machines could be used to conduct attacks.\r\nOrganizations are advised to follow the mitigation advice in this advisory to defend against this activity, and to\r\nrefer to indicators of compromise (not exhaustive) in the Cyclops Blink malware analysis report to detect\r\npossible activity on networks. \r\nUK organizations affected by the activity outlined in should report any suspected compromises to the NCSC\r\nat https://report.ncsc.gov.uk/ .\r\nFurther Guidance\r\nA variety of mitigations will be of use in defending against the malware featured in this advisory:\r\nDo not expose management interfaces of network devices to the internet: the management interface is\r\na significant attack surface, so not exposing them reduces the risk. See NCSC guidance:\r\nhttps://www.ncsc.gov.uk/guidance/acquiring-managing-and-disposing-network-devices .\r\nProtect your devices and networks by keeping them up to date: use the latest supported versions, apply\r\nsecurity patches promptly, use anti-virus and scan regularly to guard against known malware threats. See\r\nNCSC guidance: https://www.ncsc.gov.uk/guidance/mitigating-malware .\r\nUse multi-factor authentication to reduce the impact of password compromises. See NCSC guidance:\r\nhttps://www.ncsc.gov.uk/guidance/multi-factor-authentication-online-services and\r\nhttps://www.ncsc.gov.uk/guidance/setting-two-factor-authentication-2fa .\r\nhttps://www.cisa.gov/uscert/ncas/alerts/aa22-054a\r\nPage 5 of 7\n\nTreat people as your first line of defense. Tell staff how to report suspected phishing emails, and ensure\r\nthey feel confident to do so. Investigate their reports promptly and thoroughly. Never punish users for\r\nclicking phishing links or opening attachments. See NCSC guidance: https://www.ncsc.gov.uk/phishing . \r\nSet up a security monitoring capability so you are collecting the data that will be needed to analyze\r\nnetwork intrusions. See NCSC Guidance: https://www.ncsc.gov.uk/guidance/introduction-logging-security-purposes . \r\nPrevent and detect lateral movement in your organization’s networks. See NCSC guidance:\r\nhttps://www.ncsc.gov.uk/guidance/preventing-lateral-movement .\r\nAbout This Document\r\nThis advisory is the result of a collaborative effort by United Kingdom’s National Cyber Security Centre (NCSC),\r\nthe United States’ National Security Agency (NSA), the Federal Bureau of Investigation (FBI), and Department of\r\nHomeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA). \r\nCISA, FBI, and NSA agree with this attribution and the details provided in the report.\r\nThis advisory has been compiled with respect to the MITRE ATT\u0026CK® framework, a globally accessible\r\nknowledge base of adversary tactics and techniques based on real-world observations. \r\nDisclaimers\r\nThis report draws on information derived from NCSC and industry sources. Any NCSC findings and\r\nrecommendations made have not been provided with the intention of avoiding all risks and following the\r\nrecommendations will not remove all such risk. Ownership of information risks remains with the relevant system\r\nowner at all times.\r\nDisclaimer of Endorsement: The information and opinions contained in this document are provided \"as is\" and\r\nwithout any warranties or guarantees. Reference herein to any specific commercial products, process, or service\r\nby trade name, trademark, manufacturer, or otherwise, does not constitute or imply its endorsement,\r\nrecommendation, or favoring by the United States Government, and this guidance shall not be used for advertising\r\nor product endorsement purposes.\r\nFor NSA client requirements or general cybersecurity inquiries, contact the Cybersecurity Requirements Center at\r\n410-854-4200 or Cybersecurity_Requests@nsa.gov .\r\nContact Information\r\nTo report suspicious or criminal activity related to information found in this joint Cybersecurity Advisory:\r\nU.S. organizations contact your local FBI field office at fbi.gov/contact-us/field-offices, or the FBI’s 24/7 Cyber\r\nWatch (CyWatch) at (855) 292-3937 or by email at CyWatch@fbi.gov . When available, please include the\r\nfollowing information regarding the incident: date, time, and location of the incident; type of activity; number of\r\npeople affected; type of equipment used for the activity; the name of the submitting company or organization; and\r\na designated point of contact. To request incident response resources or technical assistance related to these\r\nthreats, contact CISA at Central@cisa.gov .\r\nhttps://www.cisa.gov/uscert/ncas/alerts/aa22-054a\r\nPage 6 of 7\n\nAustralian organizations should report incidents to the Australian Signals Directorate’s (ASD’s) ACSC via\r\ncyber.gov.au or call 1300 292 371 (1300 CYBER 1).\r\nU.K. organizations should report a significant cyber security incident: ncsc.gov.uk/report-an-incident\r\n(monitored 24 hrs) or for urgent assistance, call 03000 200 973.\r\nRevisions\r\nFebruary 23, 2022: Initial Version\r\nSource: https://www.cisa.gov/uscert/ncas/alerts/aa22-054a\r\nhttps://www.cisa.gov/uscert/ncas/alerts/aa22-054a\r\nPage 7 of 7", "extraction_quality": 1, "language": "EN", "sources": [ "Malpedia", "ETDA" ], "references": [ "https://www.cisa.gov/uscert/ncas/alerts/aa22-054a" ], "report_names": [ "aa22-054a" ], "threat_actors": [ { "id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df", "created_at": "2023-01-06T13:46:38.402513Z", "updated_at": "2026-04-10T02:00:02.959797Z", "deleted_at": null, "main_name": "Sandworm", "aliases": [ "IRIDIUM", "Blue Echidna", "VOODOO BEAR", "FROZENBARENTS", "UAC-0113", "Seashell Blizzard", "UAC-0082", "APT44", "Quedagh", "TEMP.Noble", "IRON VIKING", "G0034", "ELECTRUM", "TeleBots" ], "source_name": "MISPGALAXY:Sandworm", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "7bd810cb-d674-4763-86eb-2cc182d24ea0", "created_at": "2022-10-25T16:07:24.1537Z", "updated_at": "2026-04-10T02:00:04.883793Z", "deleted_at": null, "main_name": "Sandworm Team", "aliases": [ "APT 44", "ATK 14", "BE2", "Blue Echidna", "CTG-7263", "FROZENBARENTS", "G0034", "Grey Tornado", "IRIDIUM", "Iron Viking", "Quedagh", "Razing Ursa", "Sandworm", "Sandworm Team", "Seashell Blizzard", "TEMP.Noble", "UAC-0082", "UAC-0113", "UAC-0125", "UAC-0133", "Voodoo Bear" ], "source_name": "ETDA:Sandworm Team", "tools": [ "AWFULSHRED", "ArguePatch", "BIASBOAT", "Black Energy", "BlackEnergy", "CaddyWiper", "Colibri Loader", "Cyclops Blink", "CyclopsBlink", "DCRat", "DarkCrystal RAT", "Fobushell", "GOSSIPFLOW", "Gcat", "IcyWell", "Industroyer2", "JaguarBlade", "JuicyPotato", "Kapeka", "KillDisk.NCX", "LOADGRIP", "LOLBAS", "LOLBins", "Living off the Land", "ORCSHRED", "P.A.S.", "PassKillDisk", "Pitvotnacci", "PsList", "QUEUESEED", "RansomBoggs", "RottenPotato", "SOLOSHRED", "SwiftSlicer", "VPNFilter", "Warzone", "Warzone RAT", "Weevly" ], "source_id": "ETDA", "reports": null }, { "id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa", "created_at": "2022-10-25T16:47:55.919702Z", "updated_at": "2026-04-10T02:00:03.618194Z", "deleted_at": null, "main_name": "IRON VIKING", "aliases": [ "APT44 ", "ATK14 ", "BlackEnergy Group", "Blue Echidna ", "CTG-7263 ", "ELECTRUM ", "FROZENBARENTS ", "Hades/OlympicDestroyer ", "IRIDIUM ", "Qudedagh ", "Sandworm Team ", "Seashell Blizzard ", "TEMP.Noble ", "Telebots ", "Voodoo Bear " ], "source_name": "Secureworks:IRON VIKING", "tools": [ "BadRabbit", "BlackEnergy", "GCat", "NotPetya", "PSCrypt", "TeleBot", "TeleDoor", "xData" ], "source_id": "Secureworks", "reports": null }, { "id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6", "created_at": "2022-10-25T15:50:23.339976Z", "updated_at": "2026-04-10T02:00:05.27483Z", "deleted_at": null, "main_name": "Sandworm Team", "aliases": [ "Sandworm Team", "ELECTRUM", "Telebots", "IRON VIKING", "BlackEnergy (Group)", "Quedagh", "Voodoo Bear", "IRIDIUM", "Seashell Blizzard", "FROZENBARENTS", "APT44" ], "source_name": "MITRE:Sandworm Team", "tools": [ "Bad Rabbit", "Mimikatz", "Exaramel for Linux", "Exaramel for Windows", "GreyEnergy", "PsExec", "Prestige", "P.A.S. Webshell", "AcidPour", "VPNFilter", "Neo-reGeorg", "Cyclops Blink", "SDelete", "Kapeka", "AcidRain", "Industroyer", "Industroyer2", "BlackEnergy", "Cobalt Strike", "NotPetya", "KillDisk", "PoshC2", "Impacket", "Invoke-PSImage", "Olympic Destroyer" ], "source_id": "MITRE", "reports": null } ], "ts_created_at": 1775434099, "ts_updated_at": 1775792228, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/5091f86c4c4e0353088b04fabbb78e7c111dd68c.pdf", "text": "https://archive.orkl.eu/5091f86c4c4e0353088b04fabbb78e7c111dd68c.txt", "img": "https://archive.orkl.eu/5091f86c4c4e0353088b04fabbb78e7c111dd68c.jpg" } }