{
	"id": "ed4e5f6d-500e-4329-9f27-24d98f878144",
	"created_at": "2026-04-06T00:15:18.565308Z",
	"updated_at": "2026-04-10T03:21:54.824564Z",
	"deleted_at": null,
	"sha1_hash": "d57853783c3b6ab30f18560f5caa4db6cd838787",
	"title": "STRT-TA03 CPE - Destructive Software | Splunk",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 61963,
	"plain_text": "STRT-TA03 CPE - Destructive Software | Splunk\r\nBy Splunk Threat Research Team\r\nPublished: 2022-04-15 · Archived: 2026-04-05 22:47:31 UTC\r\nThe Splunk Threat Research Team is monitoring several malicious payloads targeting Customer Premise Equipment (CPE) devices. These are defined as devices that are at customer (commercial, residential) premises and that provide connectivity and services to the internet backbone. Examples include:\r\nCable Modems\r\nInternet Gateways\r\nSatellite Modems\r\nFirewalls\r\nHome routers, cable set-top boxes, DSL modems\r\nVOIP telephones\r\nThe above devices are prevalent and fundamental for internet connectivity. Malicious actors can target these devices to build very powerful botnets which, in combination with tactical payloads, can potentially exert a significant effect on critical internet infrastructure or even Operational Technology devices. CPE devices are generally not very powerful in terms of processing or functionality; however, when hundreds of thousands of these devices are compromised and work in aggregation via Command and Control they can cause significant damage. An example of this type of payload is VPNFilter, discovered by Cisco Talos and said to have compromised 500,000 devices worldwide.\r\nBased on the current, ongoing geopolitical events and the recent takedown of a similar malicious payload by the FBI named “Cyclops Blink” and attributed to the Russian Federation’s Main Intelligence Directorate (GRU), the Splunk Threat Research Team has developed specific analytics to detect this type of malicious code, including Cyclops Blink and AcidRain.\r\nThe main malicious functions of these payloads can be summarized as:\r\nSystem discovery and footprinting\r\nIn some cases resists removal/reboot\r\nDestroys infected equipment (wipes flash memory, SD cards, memory cards, and block devices)\r\nModification of routing traffic rules\r\nAbility to download and install additional payloads\r\nObfuscated multiple C2 callback failover (TOR, VPS, Geolocation)\r\nAnother common trait of these payloads is that they target popular commercial CPE brands. This speaks to the intention of targeting critical infrastructure to gain access, implant malicious payloads, and hoard as many compromised devices as possible that can be used for subsequent attacks.\r\nBecause these payloads can download additional payloads, those additional payloads may likely be implemented based on tactical objectives (DDoS, Destruction, Corporate Espionage, Lateral Movement, etc.). It is important to notice that many of these devices are not just commercial, industrial, or military but are used in civilian networks, which exposes the general population to these attacks and presents a direct threat to civilian infrastructure and livelihood.\r\nFor the specific make and model of affected devices please refer to the reference section at the end of this advisory.\r\nThe following are the detections crafted for these payloads.\r\nCyclops Blink\r\nhttps://www.splunk.com/en_us/blog/security/strt-ta03-cpe-destructive-software.html\r\nPage 1 of 3\r\nThe above searches will be available at research.splunk.com, the Splunk Threat Research Team (STRT) security content repository, and the Splunk ES Content Update (ESCU) application at Splunkbase.\r\nIOC:\r\nMitigations\r\nThe above detections were crafted under a Linux environment and can be used as guidelines for other architectures such as MIPS or PowerPC. The key to implementing these types of detections is the ability to monitor via a logging mechanism (i.e. syslog).\r\nAddressing the threat of these types of payloads can be very difficult, as many of these devices do not allow for the implementation of centralized logging, which impairs monitoring and defense. Considering that many enterprises have had remote work programs since the pandemic started, their perimeter may likely include a device affected by these payloads, in which case the best course of action is to disconnect, discard and replace them. Some other mitigation options are:\r\nDiscard affected hardware, as the payload resists removal and rebooting.\r\nImplement integrity validation mechanisms on CPE software and hardware\r\nUpgrade and harden CPE devices, and discard them if the device has reached end of life (EOL). If a device cannot be monitored, the device must be discarded.\r\nConsult with vendors and ISPs on how to improve security on CPE devices\r\nEnable logging on these devices to implement detections\r\nFollow the CISA Home Network Security Guide (ST15-002)\r\nFollow CISA Securing Network Infrastructure Devices (ST18-001)\r\nIt is also important to consider that an advanced adversary such as the aforementioned has likely devised other ways of access, exploitation or persistence that may be yet unknown and that may target these devices after remediation. This is why prevention, monitoring, and detection are fundamental to defending against these threats.\r\nReference\r\nCISA Alert (AA22-054A): https://www.cisa.gov/uscert/ncas/alerts/aa22-054a\r\nWatchguard advisory: https://detection.watchguard.com\r\nNCSC Password Administration for System Owners Guide: https://www.ncsc.gov.uk/collection/passwords\r\nNCSC Cyclops Blink Malware Analysis Report: https://www.ncsc.gov.uk/files/Cyclops-Blink-Malware-Analysis-Report.pdf\r\nCISCO how to harden IOS Devices: https://www.cisco.com/c/en/us/support/docs/ip/access-lists/13608-21.html\r\nCISA advises D-LINK users to take vulnerable routers offline: https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/04/cisa-advises-d-link-users-to-take-vulnerable-routers-offline/\r\nCisco Talos VPNFilter advisory and affected devices: https://en.wikipedia.org/wiki/VPNFilter#cite_note-ars-9\r\nCyclops Blink affected devices: https://www.zdnet.com/article/cyclops-blink-botnet-launches-assault-against-asus-routers/\r\nSentinel One AcidRain analysis: https://www.sentinelone.com/labs/acidrain-a-modem-wiper-rains-down-on-europe\r\nNSA - Protecting VSAT Communications: https://media.defense.gov/2022/Jan/25/2002927101/-1/-1/0/CSA_PROTECTING_VSAT_COMMUNICATIONS_01252022.P\r\nASUS security bulletin: https://www.asus.com/content/ASUS-Product-Security-Advisory/\r\nLearn More\r\nYou can find the latest content about security analytic stories on GitHub and in Splunkbase. Splunk Security Essentials also has all these detections available via push update. In the upcoming weeks, the Splunk Threat Research Team will be releasing a more detailed blog post on this analytic story. Stay tuned!\r\nFor a full list of security content, check out the release notes on Splunk Docs.\r\nFeedback\r\nAny feedback or requests? Feel free to put in an issue on GitHub and we’ll follow up. Alternatively, join us on the Slack channel #security-research. Follow these instructions if you need an invitation to our Splunk user groups on Slack.\r\nWe would like to thank the following for their contributions to this post.\r\nTeoderick Contreras\r\nRod Soto\r\nJose Hernandez\r\nPatrick Barreiss\r\nLou Stella\r\nMauricio Velazco\r\nMichael Haag\r\nBhavin Patel\r\nEric McGinnis\r\nSource: https://www.splunk.com/en_us/blog/security/strt-ta03-cpe-destructive-software.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.splunk.com/en_us/blog/security/strt-ta03-cpe-destructive-software.html"
	],
	"report_names": [
		"strt-ta03-cpe-destructive-software.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434518,
	"ts_updated_at": 1775791314,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d57853783c3b6ab30f18560f5caa4db6cd838787.pdf",
		"text": "https://archive.orkl.eu/d57853783c3b6ab30f18560f5caa4db6cd838787.txt",
		"img": "https://archive.orkl.eu/d57853783c3b6ab30f18560f5caa4db6cd838787.jpg"
	}
}