Cyclops Blink

Malware updated 7 days ago (2024-11-29T14:30:18.568Z)
Download STIX
Preview STIX
Cyclops Blink, a modular malware first identified in 2019, was designed to target network infrastructure. It was often referred to as the "Son of VPNFilter" due to its similarities with that campaign. The malware was specifically engineered to run on Linux systems, particularly those using the 32-bit PowerPC architecture. This malicious software was used predominantly for espionage and financial gain by creating proxy botnets that helped mask the origin of its illicit activities. In 2022, Cyclops Blink was found to be targeting Watchguard firewalls and ASUS routers, with attribution linked to the Russian Sandworm threat group. The malware was part of dedicated botnets, including Sandworm's own, which consisted of compromised Watchguard and ASUS routers. These botnets were subsequently disrupted by the FBI and the UK National Cyber Security Centre (NCSC). The malware was also implicated in attacks against Ukraine, where it was used alongside other botnets like VPNFilter. Following these disruptions, the malware was observed to shift tactics. After the dismantling of the Cyclops Blink botnet, the associated IP address was found to have been used in attacks against Danish energy firms in May, exploiting a vulnerability in Zyxel firewalls. These attacks were linked to the Katana Mirai botnet. The Department of Justice (DOJ) managed to take down the Russian GRU-backed botnet Cyclops Blink in April, marking a significant step in curtailing its activities. Despite these successes, the persistent use of routers for launching attacks by nation-state hackers continues to pose a serious cybersecurity concern.
Description last updated: 2024-11-21T10:30:29.545Z
What's your take? (Question 1 of 4)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Aliases We are not currently tracking any aliases
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Botnet
Cybercrime
Apt
Fbi
Analyst Notes & Discussion
Be the first to leave your mark here! Log in to share your views and vote.
Associated Threat Actors
To see the evidence that has resulted in these threatActor associations, create a free account
Alias DescriptionAssociation TypeVotes
The Sandworm Threat Actor is associated with Cyclops Blink. Sandworm, a threat actor linked to Russia, has been identified as the primary cyber attack unit supporting Russian military activities in Ukraine. This group is notorious for its sophisticated and disruptive cyber attacks, including the compromise of 11 Ukrainian telecommunications providers which cUnspecified
3
Source Document References
Information about the Cyclops Blink Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more
PreviewSource LinkCreatedAtTitle
DARKReading
16 days ago
Trend Micro
7 months ago
CERT-EU
9 months ago
CERT-EU
9 months ago
CERT-EU
9 months ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
InfoSecurity-magazine
a year ago
CERT-EU
a year ago
CSO Online
2 years ago
CERT-EU
2 years ago
Securityaffairs
2 years ago
CERT-EU
2 years ago
CERT-EU
2 years ago
CERT-EU
2 years ago