{
	"id": "2e83b292-c32b-4ef7-b5dc-3725573f933c",
	"created_at": "2026-04-06T00:17:21.365464Z",
	"updated_at": "2026-04-10T13:11:39.03858Z",
	"deleted_at": null,
	"sha1_hash": "c584c097943166591bff320051df818a1c0496dc",
	"title": "ASUS warns of Cyclops Blink malware attacks targeting routers",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1961855,
	"plain_text": "ASUS warns of Cyclops Blink malware attacks targeting routers\r\nBy Bill Toulas\r\nPublished: 2022-03-17 · Archived: 2026-04-05 20:16:35 UTC\r\nMultiple ASUS router models are vulnerable to the Russia-linked Cyclops Blink malware threat, causing the vendor to publish an advisory with mitigations for the security risk.\r\nCyclops Blink is a malware linked to the Russian-backed Sandworm hacking group that has historically targeted WatchGuard Firebox and other SOHO network devices.\r\nThe role of Cyclops Blink is to establish persistence for threat actors on the device, allowing them a point of remote access to compromised networks.\r\nhttps://www.bleepingcomputer.com/news/security/asus-warns-of-cyclops-blink-malware-attacks-targeting-routers/\r\nPage 1 of 5\r\nBecause Cyclops Blink is modular, it can be easily updated to target new devices, constantly refreshing its scope and tapping into new pools of exploitable hardware.\r\nCyclops Blink now targets ASUS routers\r\nIn a coordinated disclosure, Trend Micro warned that the malware features a specialized module that targets several ASUS routers, allowing the malware to read the flash memory to gather information about critical files, executables, data, and libraries.\r\nThe malware then receives a command to nest in the flash memory and establish permanent persistence, as this storage space doesn't get wiped even by factory resets.\r\nFor more details on the ASUS module of Cyclops Blink, Trend Micro has published a technical writeup today explaining how it works.\r\nModule's code for writing to flash memory (Trend Micro)\r\nAt this point, the spread of Cyclops Blink appears indiscriminate and widespread, so it doesn't matter if you consider yourself a legitimate target or not.\r\nAs the malware is tied to the elite Sandworm hacking group (also tracked as Voodoo Bear, BlackEnergy, and TeleBots), we will likely see the threat actors targeting other router manufacturers in the future.\r\nSandworm has been linked to other well-known cyberattacks, including the BlackEnergy malware behind the Ukrainian blackouts of 2015 and 2016 [1, 2, 3] and the NotPetya ransomware, which led to billions worth of damage to companies worldwide starting in June 2017.\r\nVulnerable ASUS devices\r\nIn an advisory released today, ASUS warns that the following router models and firmware versions are vulnerable to Cyclops Blink attacks:\r\nGT-AC5300 firmware under 3.0.0.4.386.xxxx\r\nGT-AC2900 firmware under 3.0.0.4.386.xxxx\r\nRT-AC5300 firmware under 3.0.0.4.386.xxxx\r\nRT-AC88U firmware under 3.0.0.4.386.xxxx\r\nRT-AC3100 firmware under 3.0.0.4.386.xxxx\r\nRT-AC86U firmware under 3.0.0.4.386.xxxx\r\nRT-AC68U, AC68R, AC68W, AC68P firmware under 3.0.0.4.386.xxxx\r\nRT-AC66U_B1 firmware under 3.0.0.4.386.xxxx\r\nRT-AC3200 firmware under 3.0.0.4.386.xxxx\r\nRT-AC2900 firmware under 3.0.0.4.386.xxxx\r\nRT-AC1900P, RT-AC1900P firmware under 3.0.0.4.386.xxxx\r\nRT-AC87U (EOL)\r\nRT-AC66U (EOL)\r\nRT-AC56U (EOL)\r\nAt this time, ASUS has not released new firmware updates to protect against Cyclops Blink but has released the following mitigations that can be used to secure devices:\r\nReset the device to factory default: Log in to the web GUI, go to Administration → Restore/Save/Upload Setting, click \"Initialize all the setting and clear all the data log,\" and then click the Restore button.\r\nUpdate to the latest available firmware.\r\nEnsure the default admin password has been changed to a more secure one.\r\nDisable Remote Management (disabled by default, can only be enabled via Advanced Settings).\r\nIf you are using any of the three models designated as EOL (end of life), note that these are no longer supported and thus won't receive a firmware security update. In this case, it is recommended that you replace your device with a new one.\r\nIf you own WatchGuard network devices and are looking for that advisory instead, you can find the vendor's threat mitigation advice on this webpage.\r\nSource: https://www.bleepingcomputer.com/news/security/asus-warns-of-cyclops-blink-malware-attacks-targeting-routers/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/asus-warns-of-cyclops-blink-malware-attacks-targeting-routers/"
	],
	"report_names": [
		"asus-warns-of-cyclops-blink-malware-attacks-targeting-routers"
	],
	"threat_actors": [
		{
			"id": "39842197-944a-49fd-9bec-eafa1807e0ea",
			"created_at": "2022-10-25T16:07:24.310589Z",
			"updated_at": "2026-04-10T02:00:04.931264Z",
			"deleted_at": null,
			"main_name": "TeleBots",
			"aliases": [],
			"source_name": "ETDA:TeleBots",
			"tools": [
				"BadRabbit",
				"Black Energy",
				"BlackEnergy",
				"CredRaptor",
				"Diskcoder.C",
				"EternalPetya",
				"ExPetr",
				"Exaramel",
				"FakeTC",
				"Felixroot",
				"GreyEnergy",
				"GreyEnergy mini",
				"KillDisk",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"NonPetya",
				"NotPetya",
				"Nyetya",
				"Petna",
				"Petrwrap",
				"Pnyetya",
				"TeleBot",
				"TeleDoor",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"nPetya"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7bd810cb-d674-4763-86eb-2cc182d24ea0",
			"created_at": "2022-10-25T16:07:24.1537Z",
			"updated_at": "2026-04-10T02:00:04.883793Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"APT 44",
				"ATK 14",
				"BE2",
				"Blue Echidna",
				"CTG-7263",
				"FROZENBARENTS",
				"G0034",
				"Grey Tornado",
				"IRIDIUM",
				"Iron Viking",
				"Quedagh",
				"Razing Ursa",
				"Sandworm",
				"Sandworm Team",
				"Seashell Blizzard",
				"TEMP.Noble",
				"UAC-0082",
				"UAC-0113",
				"UAC-0125",
				"UAC-0133",
				"Voodoo Bear"
			],
			"source_name": "ETDA:Sandworm Team",
			"tools": [
				"AWFULSHRED",
				"ArguePatch",
				"BIASBOAT",
				"Black Energy",
				"BlackEnergy",
				"CaddyWiper",
				"Colibri Loader",
				"Cyclops Blink",
				"CyclopsBlink",
				"DCRat",
				"DarkCrystal RAT",
				"Fobushell",
				"GOSSIPFLOW",
				"Gcat",
				"IcyWell",
				"Industroyer2",
				"JaguarBlade",
				"JuicyPotato",
				"Kapeka",
				"KillDisk.NCX",
				"LOADGRIP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"ORCSHRED",
				"P.A.S.",
				"PassKillDisk",
				"Pitvotnacci",
				"PsList",
				"QUEUESEED",
				"RansomBoggs",
				"RottenPotato",
				"SOLOSHRED",
				"SwiftSlicer",
				"VPNFilter",
				"Warzone",
				"Warzone RAT",
				"Weevly"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434641,
	"ts_updated_at": 1775826699,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c584c097943166591bff320051df818a1c0496dc.pdf",
		"text": "https://archive.orkl.eu/c584c097943166591bff320051df818a1c0496dc.txt",
		"img": "https://archive.orkl.eu/c584c097943166591bff320051df818a1c0496dc.jpg"
	}
}