{
	"id": "e5a3a63b-983b-47cd-89bd-2a7c2994589d",
	"created_at": "2026-04-06T00:15:28.977067Z",
	"updated_at": "2026-04-10T13:11:45.650405Z",
	"deleted_at": null,
	"sha1_hash": "adc7bc001c35b4c6559486291e0af185199d6bdb",
	"title": "Shadowserver Special Reports – Cyclops Blink",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3143034,
	"plain_text": "Shadowserver Special Reports – Cyclops Blink\r\nArchived: 2026-04-05 20:56:15 UTC\r\nUPDATE 2022-04-21: Fifth special report sent overnight containing 511 IPs likely still infected with Cyclops\r\nBlink, corresponding to 270 ASNs in 60 countries. Remediation continuing.\r\nUPDATE 2022-04-13: Overnight 2022-04-12/13 we sent out a fourth special report with 537 IPs likely infected\r\nwith Cyclops Blink, corresponding to 281 ASNs in 61 countries. The top countries were still United States (154),\r\nCanada (58), Sweden (38), Russia (26), Germany (25). A mix of Watchguard and ASUS devices. Remediation\r\ncontinuing, but more patching required.\r\nUPDATE 2022-04-08: Overnight 2022-04-07/08 we sent out a third special report with an additional 553 IPs\r\nlikely infected with Cyclops Blink, corresponding to 285 ASNs in 61 countries. The top countries were United\r\nStates (157), Canada (58), Sweden (38), Russia (27), Germany (26).\r\nUPDATE 2022-04-06: US DoJ announcement about disruption action against Cyclops Blink infected devices.\r\nUPDATE 2022-04-01: ASUS released updated firmware for devices impacted by Cyclops Blink.\r\nUPDATE 2022-03-25: ASUS released a security advisory about Cyclops Blink impacting ASUS devices.\r\nUPDATE 2022-03-17: Trend Micro published research detailing ASUS devices also being impacted by Cyclops\r\nBlink (some ASUS device IPs were included in our second special report, but not explicitly called out at that time,\r\nsince details were not public).\r\nUPDATE 2022-03-03: On 2022-03-03 we sent out a second special report with an additional 673 IPs likely\r\ninfected with Cyclops Blink, observed on 2022-02-24. 
These IPs are different to those sent out in the first report.\r\nCountries with top infections: USA (188), France (92), Italy (65), Canada (55), Germany (39).\r\nOriginal Article\r\nOn May 23rd 2018, the US Department of Justice (DoJ), Federal Bureau of Investigation (FBI) and Cisco Talos\r\npublicly announced the disruption of a novel multi-stage modular malware platform called VPNFilter. This was\r\ndesigned to infect small office and home office (SOHO) routers and other network devices. At the time, VPNFilter\r\nwas believed to be operated by the threat actor known as APT28 (also known as Fancy Bear, Pawn Storm,\r\nSandworm, Sofacy Group, Sednit X-Agent, STRONTIUM and Tsar Team), which was allegedly associated with\r\nthe Russian military intelligence agency (GRU). You can read more about that sinkholing effort in our original\r\n2018 blog post, which includes links to supporting technical information.\r\nSince then, we have continued notifying VPNFilter victims about infected devices worldwide via Shadowserver’s\r\nfree daily network reports.\r\nIn January 2021, we collaborated with partner Trend Micro on a joint analysis of the remaining global VPNFilter\r\nvictim population. This added some further scan-based insights about third stage victim prevalence into our daily\r\nhttps://www.shadowserver.org/news/shadowserver-special-reports-cyclops-blink/\r\nPage 1 of 10\n\ndatasets.\r\nFrom our vantage point as sinkhole operators, the peak day for VPNFilter infections globally was 2018-07-24,\r\nwhich saw 14,966 unique IP addresses being observed hitting the sinkhole. After the initial fairly rapid (by global\r\nInternet response standards) remediation of infected devices, a typical long tail of not yet remediated victims still\r\nremains today:\r\nFigure 1 – Unique sinkholed VPNFilter IP address per day\r\nNote the lack of variation in the daily/weekly number of detected IP addresses. 
As expected, this suggests that the\r\ninfected devices are always-on routers (which is unlike the typical overnight or weekend patterns of change we\r\nusually see in sinkholed home or office PCs).\r\nThe IP-geolocated distribution of sinkholed VPNFilter unique IP addresses on that peak day was:\r\nFigure 2 – Unique sinkholed VPNFilter geolocated IP addresses (2018-07-24)\r\nUkraine had by far the most infected victim devices.\r\nThis compares to the current sinkholed VPNFilter IP address distribution observed yesterday:\r\nFigure 3 – Unique sinkholed VPNFilter geolocated IP addresses (2022-02-22)\r\nCyclops Blink replaces VPNFilter\r\nOn February 23rd 2022, the UK National Cyber Security Centre (NCSC), the Cybersecurity and Infrastructure\r\nSecurity Agency (CISA), the National Security Agency (NSA) and the Federal Bureau of Investigation (FBI)\r\njointly announced that they had identified that the threat actor known as Sandworm or Voodoo Bear has deployed\r\na new, large-scale modular malware framework which is affecting network devices. They have named the\r\nmalware Cyclops Blink. The NCSC, CISA, FBI and NSA have previously attributed the Sandworm threat actor to\r\nthe Russian GRU’s Main Centre for Special Technologies (GTsST).\r\nThe Cyclops Blink malware is believed to be a more advanced replacement for VPNFilter. It is installed on\r\nexploited network devices as part of a legitimate firmware upgrade, allowing persistence between reboots. The\r\nUK NCSC’s analysis explains that it is possible to recalculate the Hash-based Message Authentication Code\r\n(HMAC) value for the modified firmware image because the WatchGuard FireBox devices use a hard-coded key\r\nto initialize the hash calculation. 
This allows their malware to pass checks and appear to be legitimate, vendor-supplied firmware updates.\r\nInfected victims’ devices are grouped into clusters, each with a list of Command and Control (C2) servers. They\r\ncommunicate with their operators using Transport Layer Security (TLS) running over The Onion Router (Tor)\r\nnetwork. To date, Cyclops Blink malware is believed to have been primarily deployed onto WatchGuard firewall\r\ndevices (which are Linux ELF 32-bit PowerPC big-endian platforms), and all C2 servers identified to date have\r\nbeen for WatchGuard firewalls. However, the assessment published today indicates that it is likely that the\r\nCyclops Blink malware could also be compiled and deployed onto other architectures and firmware. This botnet\r\nappears to have been active since at least June 2019.\r\nA detailed technical analysis of Cyclops Blink by the UK NCSC can be found here, which includes Indicators of\r\nCompromise (IoCs) and YARA signatures to assist in detection.\r\nCyclops Blink Malware Remediation\r\nWatchGuard have provided remediation information for system owners infected with the Cyclops Blink malware:\r\nhttps://detection.watchguard.com\r\nWatchGuard estimate that Cyclops Blink malware may have infected approximately 1% of WatchGuard firewall\r\ndevices. 
They advise that the default configuration prevents access to the management interface from the\r\nInternet, so Internet access to it must be manually enabled by the system administrator.\r\nAll WatchGuard device owners should follow each step in these instructions to ensure that devices are patched to\r\nthe latest version and that any infection is removed.\r\nIf your device is identified as infected with Cyclops Blink, you should assume that any passwords present\r\non the device have been compromised and replace them immediately.\r\nYou should ensure that the management interfaces of your network devices are not exposed to the Internet.\r\nUPDATES 2022-03-25 and 2022-04-01: ASUS have also provided remediation information and updated\r\nfirmware for impacted customers.\r\nShadowserver Cyclops Blink Special Report\r\nWe send out Special Reports whenever we are able to share one-time, high value datasets that we feel should be\r\nreported responsibly for maximum public benefit. Although the events included in these Special Reports\r\nsometimes fall outside of our usual 24-hour daily reporting window, we believe that there would still be\r\nsignificant benefit to our constituents in receiving and hopefully acting on the data.\r\nOn February 23rd 2022, we sent out a new Special Report covering network devices that are believed to be likely\r\ninfected with the Cyclops Blink malware. 
This one-off Cyclops Blink Special Report contained:\r\n1,573 unique victim IP addresses in 495 different Autonomous System Numbers (ASNs) across 70\r\ndifferent countries\r\n25 Command and Control (C2) server IP addresses in 19 different Autonomous System Numbers (ASNs)\r\nin 7 different countries\r\nA direct link to the Cyclops Blink Special Report format is here.\r\nCyclops Blink Data Visualisation\r\nThe data contained in this new Cyclops Blink Special Report was provided to Shadowserver to disseminate\r\nrapidly to National CERTs/CSIRTs and network owners globally, to maximise remediation efforts.\r\nOf the 1,573 IPv4 addresses included in the Cyclops Blink Special Report, the majority of likely infected network\r\ndevices IP-geolocate as being located in the United States, Canada and Central Europe:\r\nFigure 4 – Map of likely Cyclops Blink infected devices (2022-02-23)\r\nLooking at the data in another way, more than half of the network devices believed to be infected with Cyclops\r\nBlink malware are located in the United States, France, Italy, Canada and Germany:\r\nFigure 5 – Tree Map of likely Cyclops Blink infected devices (2022-02-23)\r\nShadowserver conducts daily Internet-wide scanning of all IPv4 /0, which includes identification of Internet\r\nfacing devices, where possible, thanks to the EU HaDEA VARIoT project. We began making this information\r\navailable to National CERT/CSIRTs and Network Owners who subscribe to our free daily network reports in the\r\nform of our Daily Device Identification Report in September 2021, which can be used to establish your exposed\r\nattack surface. 
We highly recommend subscribing to and reviewing this report for your network, since this is the\r\nsame profile an attacker scanning to perform reconnaissance from the outside will also see.\r\nThe location of the likely Cyclops Blink infected devices generally matches our scan-based understanding of the\r\nglobal distribution of WatchGuard firewall devices which are currently exposed to the Internet:\r\nFigure 6 – Identified WatchGuard firewall devices detected – World (2022-02-22 IPv4 /0 scan)\r\nFigure 7 – Identified WatchGuard firewall devices detected – US States (2022-02-22 IPv4 /0 scan)\r\nFigure 8 – Identified WatchGuard firewall devices detected – US Counties (2022-02-22 IPv4 /0 scan)\r\nFigure 9 – Identified WatchGuard firewall devices detected – World (2022-02-22 IPv4 /0 scan)\r\nFigure 10 – Identified WatchGuard firewall device models – World (2022-02-22 IPv4 /0 scan)\r\nShadowserver’s daily scanning will obviously not detect all WatchGuard devices. 
However, comparing the 1,573\r\nunique IP addresses reported out as potentially infected with Cyclops Blink malware with the number of publicly\r\nexposed systems identified through scanning gives a ratio of a similar order of magnitude to the 1% infection ratio\r\nsuggested by WatchGuard.\r\nCyclops Blink C2 Server Distribution\r\nIn addition to the 1,573 IPv4 addresses corresponding to likely infected victim network devices included in our\r\nCyclops Blink Special Report, 25 Cyclops Blink C2 servers have also been identified:\r\nFigure 11 – Cyclops Blink C2 Server Location Map (2022-02-23)\r\nFigure 12 – Cyclops Blink C2 Server Location Countries (2022-02-23)\r\nNot Yet Subscribed to Shadowserver’s Free Daily Reports?\r\nIf you missed this Special Report because you were not yet a subscriber to our free daily network reports, do not\r\nworry: simply subscribe for your network or country now and specifically request all recent Shadowserver Special\r\nReports. 
We will resend the Special Report specifically for your network or country (for National CERT/CSIRTs).\r\nIf you have a data set which you feel could also be of benefit to National CERT/CSIRTs and network owners\r\nworld-wide to help protect victims of cybercrime, please get in touch and discuss the options for using\r\nShadowserver’s proven reporting systems for distribution and remediation.\r\nSource: https://www.shadowserver.org/news/shadowserver-special-reports-cyclops-blink/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.shadowserver.org/news/shadowserver-special-reports-cyclops-blink/"
	],
	"report_names": [
		"shadowserver-special-reports-cyclops-blink"
	],
	"threat_actors": [
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7bd810cb-d674-4763-86eb-2cc182d24ea0",
			"created_at": "2022-10-25T16:07:24.1537Z",
			"updated_at": "2026-04-10T02:00:04.883793Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"APT 44",
				"ATK 14",
				"BE2",
				"Blue Echidna",
				"CTG-7263",
				"FROZENBARENTS",
				"G0034",
				"Grey Tornado",
				"IRIDIUM",
				"Iron Viking",
				"Quedagh",
				"Razing Ursa",
				"Sandworm",
				"Sandworm Team",
				"Seashell Blizzard",
				"TEMP.Noble",
				"UAC-0082",
				"UAC-0113",
				"UAC-0125",
				"UAC-0133",
				"Voodoo Bear"
			],
			"source_name": "ETDA:Sandworm Team",
			"tools": [
				"AWFULSHRED",
				"ArguePatch",
				"BIASBOAT",
				"Black Energy",
				"BlackEnergy",
				"CaddyWiper",
				"Colibri Loader",
				"Cyclops Blink",
				"CyclopsBlink",
				"DCRat",
				"DarkCrystal RAT",
				"Fobushell",
				"GOSSIPFLOW",
				"Gcat",
				"IcyWell",
				"Industroyer2",
				"JaguarBlade",
				"JuicyPotato",
				"Kapeka",
				"KillDisk.NCX",
				"LOADGRIP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"ORCSHRED",
				"P.A.S.",
				"PassKillDisk",
				"Pitvotnacci",
				"PsList",
				"QUEUESEED",
				"RansomBoggs",
				"RottenPotato",
				"SOLOSHRED",
				"SwiftSlicer",
				"VPNFilter",
				"Warzone",
				"Warzone RAT",
				"Weevly"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab",
			"created_at": "2022-10-25T16:07:24.212584Z",
			"updated_at": "2026-04-10T02:00:04.900038Z",
			"deleted_at": null,
			"main_name": "Sofacy",
			"aliases": [
				"APT 28",
				"ATK 5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"G0007",
				"Grey-Cloud",
				"Grizzly Steppe",
				"Group 74",
				"GruesomeLarch",
				"ITG05",
				"Iron Twilight",
				"Operation DealersChoice",
				"Operation Dear Joohn",
				"Operation Komplex",
				"Operation Pawn Storm",
				"Operation RoundPress",
				"Operation Russian Doll",
				"Operation Steal-It",
				"Pawn Storm",
				"SIG40",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"Strontium",
				"T-APT-12",
				"TA422",
				"TAG-0700",
				"TAG-110",
				"TG-4127",
				"Tsar Team",
				"UAC-0028",
				"UAC-0063"
			],
			"source_name": "ETDA:Sofacy",
			"tools": [
				"ADVSTORESHELL",
				"AZZY",
				"Backdoor.SofacyX",
				"CHERRYSPY",
				"CORESHELL",
				"Carberp",
				"Computrace",
				"DealersChoice",
				"Delphacy",
				"Downdelph",
				"Downrage",
				"Drovorub",
				"EVILTOSS",
				"Foozer",
				"GAMEFISH",
				"GooseEgg",
				"Graphite",
				"HATVIBE",
				"HIDEDRV",
				"Headlace",
				"Impacket",
				"JHUHUGIT",
				"JKEYSKW",
				"Koadic",
				"Komplex",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LoJack",
				"LoJax",
				"MASEPIE",
				"Mimikatz",
				"NETUI",
				"Nimcy",
				"OCEANMAP",
				"OLDBAIT",
				"PocoDown",
				"PocoDownloader",
				"Popr-d30",
				"ProcDump",
				"PythocyDbg",
				"SMBExec",
				"SOURFACE",
				"SPLM",
				"STEELHOOK",
				"Sasfis",
				"Sedkit",
				"Sednit",
				"Sedreco",
				"Seduploader",
				"Shunnael",
				"SkinnyBoy",
				"Sofacy",
				"SofacyCarberp",
				"SpiderLabs Responder",
				"Trojan.Shunnael",
				"Trojan.Sofacy",
				"USB Stealer",
				"USBStealer",
				"VPNFilter",
				"Win32/USBStealer",
				"WinIDS",
				"Winexe",
				"X-Agent",
				"X-Tunnel",
				"XAPS",
				"XTunnel",
				"Xagent",
				"Zebrocy",
				"Zekapab",
				"carberplike",
				"certutil",
				"certutil.exe",
				"fysbis",
				"webhp"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434528,
	"ts_updated_at": 1775826705,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/adc7bc001c35b4c6559486291e0af185199d6bdb.pdf",
		"text": "https://archive.orkl.eu/adc7bc001c35b4c6559486291e0af185199d6bdb.txt",
		"img": "https://archive.orkl.eu/adc7bc001c35b4c6559486291e0af185199d6bdb.jpg"
	}
}