{
	"id": "e10a9410-50f3-4fcf-8fe5-30e8b5df026c",
	"created_at": "2026-04-06T00:11:00.302747Z",
	"updated_at": "2026-04-10T13:12:56.730896Z",
	"deleted_at": null,
	"sha1_hash": "fb4631b97d77ada1b7bea8756972dd5150e873c1",
	"title": "FBI to all router users: Reboot now to neuter Russia's VPNFilter malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 48164,
	"plain_text": "FBI to all router users: Reboot now to neuter Russia's VPNFilter malware\r\nArchived: 2026-04-05 15:05:15 UTC\r\nSecurity\r\nThe FBI is urging small businesses and households to immediately reboot routers following Cisco's report that 500,000 infected devices could be destroyed with a single command.\r\nThe malware, dubbed VPNFilter, was developed by the Russian state-sponsored hacking group Sofacy, also known as Fancy Bear and APT28, according to the FBI, which last week obtained a warrant to seize a domain used to control the infected routers.\r\nCisco's Talos Intelligence researchers revealed in a report last week that 500,000 routers made by Linksys, MikroTik, Netgear, and TP-Link had been infected with VPNFilter.\r\nThe malware is capable of collecting traffic sent through infected routers, such as website credentials. However, the most worrying capability is that the malware allows its controllers to wipe a portion of an infected device's firmware, rendering it useless. The attackers can selectively destroy a single device or wipe all infected devices at once.\r\nCisco released the report on Wednesday after observing a spike this month in infections in Ukraine, which accused Russia of planning an attack to coincide with Saturday's Champions Cup final in Kiev.\r\nThe country also blamed Russia for last June's NotPetya attacks, which mostly affected Ukrainian organizations but also spread within multinational corporations with offices in Ukraine.\r\nUsers with infected routers can remove the dangerous Stage 2 and Stage 3 components of VPNFilter by rebooting the device. However, Stage 1 of VPNFilter will persist after a reboot, potentially allowing the attackers to reinfect the compromised routers.\r\nThe web address the FBI seized on Wednesday, ToKnowAll[.]com, could have been used to reinstall the Stage 2 and Stage 3 malware, but all traffic to this address is now being directed to a server under the FBI's control.\r\nhttps://www.zdnet.com/article/fbi-to-all-router-users-reboot-now-to-neuter-russias-vpnfilter-malware/\r\nPage 1 of 3\r\nThe FBI nonetheless is urging all small office and home router owners to reboot their devices even if they were not made by one of the affected vendors. This will help neuter the threat and help the FBI identify infected devices.\r\n\"The FBI recommends any owner of small office and home office routers reboot the devices to temporarily disrupt the malware and aid the potential identification of infected devices,\" the FBI said in a public-service announcement.\r\n\"Owners are advised to consider disabling remote-management settings on devices and secure with strong passwords and encryption when enabled. Network devices should be upgraded to the latest available versions of firmware.\"\r\nCisco and the Justice Department have also urged all home and small office users to reboot routers.\r\nThe Justice Department said the FBI-controlled server with which infected devices are now communicating will collect the IP address of each device.\r\nThe addresses are being shared with the non-profit cyber security group The Shadowserver Foundation, which will disseminate them to foreign CERTs and ISPs. The FBI and US DHS CERT have also notified some ISPs.\r\nIt's not known how the attackers initially infected the routers, but Symantec noted in its report on VPNFilter that many of them have known vulnerabilities.\r\n\"Most of the devices targeted are known to use default credentials and/or have known exploits, particularly for older versions. There is no indication at present that the exploit of zero-day vulnerabilities is involved in spreading the threat,\" wrote Symantec researchers.\r\nKnown infected devices include:\r\nLinksys E1200\r\nLinksys E2500\r\nLinksys WRVS4400N\r\nMikroTik RouterOS for Cloud Core Routers: Versions 1016, 1036, and 1072\r\nNetgear DGN2200\r\nNetgear R6400\r\nNetgear R7000\r\nNetgear R8000\r\nNetgear WNR1000\r\nNetgear WNR2000\r\nQNAP TS251\r\nQNAP TS439 Pro\r\nOther QNAP NAS devices running QTS software\r\nTP-Link R600VPN\r\nSource: https://www.zdnet.com/article/fbi-to-all-router-users-reboot-now-to-neuter-russias-vpnfilter-malware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.zdnet.com/article/fbi-to-all-router-users-reboot-now-to-neuter-russias-vpnfilter-malware/"
	],
	"report_names": [
		"fbi-to-all-router-users-reboot-now-to-neuter-russias-vpnfilter-malware"
	],
	"threat_actors": [
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab",
			"created_at": "2022-10-25T16:07:24.212584Z",
			"updated_at": "2026-04-10T02:00:04.900038Z",
			"deleted_at": null,
			"main_name": "Sofacy",
			"aliases": [
				"APT 28",
				"ATK 5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"G0007",
				"Grey-Cloud",
				"Grizzly Steppe",
				"Group 74",
				"GruesomeLarch",
				"ITG05",
				"Iron Twilight",
				"Operation DealersChoice",
				"Operation Dear Joohn",
				"Operation Komplex",
				"Operation Pawn Storm",
				"Operation RoundPress",
				"Operation Russian Doll",
				"Operation Steal-It",
				"Pawn Storm",
				"SIG40",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"Strontium",
				"T-APT-12",
				"TA422",
				"TAG-0700",
				"TAG-110",
				"TG-4127",
				"Tsar Team",
				"UAC-0028",
				"UAC-0063"
			],
			"source_name": "ETDA:Sofacy",
			"tools": [
				"ADVSTORESHELL",
				"AZZY",
				"Backdoor.SofacyX",
				"CHERRYSPY",
				"CORESHELL",
				"Carberp",
				"Computrace",
				"DealersChoice",
				"Delphacy",
				"Downdelph",
				"Downrage",
				"Drovorub",
				"EVILTOSS",
				"Foozer",
				"GAMEFISH",
				"GooseEgg",
				"Graphite",
				"HATVIBE",
				"HIDEDRV",
				"Headlace",
				"Impacket",
				"JHUHUGIT",
				"JKEYSKW",
				"Koadic",
				"Komplex",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LoJack",
				"LoJax",
				"MASEPIE",
				"Mimikatz",
				"NETUI",
				"Nimcy",
				"OCEANMAP",
				"OLDBAIT",
				"PocoDown",
				"PocoDownloader",
				"Popr-d30",
				"ProcDump",
				"PythocyDbg",
				"SMBExec",
				"SOURFACE",
				"SPLM",
				"STEELHOOK",
				"Sasfis",
				"Sedkit",
				"Sednit",
				"Sedreco",
				"Seduploader",
				"Shunnael",
				"SkinnyBoy",
				"Sofacy",
				"SofacyCarberp",
				"SpiderLabs Responder",
				"Trojan.Shunnael",
				"Trojan.Sofacy",
				"USB Stealer",
				"USBStealer",
				"VPNFilter",
				"Win32/USBStealer",
				"WinIDS",
				"Winexe",
				"X-Agent",
				"X-Tunnel",
				"XAPS",
				"XTunnel",
				"Xagent",
				"Zebrocy",
				"Zekapab",
				"carberplike",
				"certutil",
				"certutil.exe",
				"fysbis",
				"webhp"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434260,
	"ts_updated_at": 1775826776,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fb4631b97d77ada1b7bea8756972dd5150e873c1.pdf",
		"text": "https://archive.orkl.eu/fb4631b97d77ada1b7bea8756972dd5150e873c1.txt",
		"img": "https://archive.orkl.eu/fb4631b97d77ada1b7bea8756972dd5150e873c1.jpg"
	}
}