Mallory
Malware, used by 2 actors

VPNFilter

VPNFilter is a modular, multi-stage malware platform targeting SOHO and enterprise routers and QNAP NAS devices. Public reporting cited here states it infected more than 500,000 devices worldwide, with affected vendors including Linksys, MikroTik, Netgear, TP-Link, and QNAP, and infections observed across dozens of countries with a notable focus on Ukraine. Cisco Talos is credited with publicly revealing the malware. Despite its name, VPNFilter is not related to virtual private networks.

The malware is described as consisting of three payload stages. Stage 1 establishes boot persistence and survives device reboots. Stage 2 functions as a remote access trojan that enables command execution and data theft. Stage 3 consists of plugins that extend functionality. Reported capabilities across the stages and plugins include stealing files and information, inspecting and sniffing network traffic, man-in-the-middle interception, communication over Tor, monitoring SCADA/ICS traffic including Modbus on port 502, and a destructive capability that can wipe part of device firmware and render devices unusable. A destructive Stage 3 plugin named "dstr" is specifically referenced; later research found developmental similarities between this plugin and the AcidRain modem/router wiper.

The cited sources associate VPNFilter with Russian state activity. Several of them say the FBI and U.S. Department of Justice attributed the 2018 VPNFilter campaign to the Russian government. Some reporting attributes development to Sofacy/Fancy Bear/APT28/GRU Unit 26165, while other government and joint-advisory references state that GRU Unit 74455 (Sandworm) deployed VPNFilter against home and office routers worldwide in 2018 and describe Cyclops Blink as Sandworm’s apparent successor to VPNFilter. Because the cited sources differ on attribution, the strongest high-confidence statement is that U.S. authorities attributed the 2018 campaign to the Russian government.

Operationally, the malware was discussed as a botnet used for large-scale compromise of networking devices, with concern that it could support disruptive operations against Ukrainian infrastructure and other targets. The FBI disrupted the botnet in 2018 through a court-authorized operation that seized a domain used for command and control, including ToKnowAll[.]com in one cited report. Rebooting affected devices was said to disrupt non-persistent Stage 2 and Stage 3 components, but not remove persistent Stage 1; factory reset, firmware updates, password changes, and disabling remote administration were recommended in cited reporting.


THREAT ACTORS

Groups observed using it

2 distinct threat actors attributed by public researchers.
APT28

The most notable case is VPNFilter, a modular malware aimed at SOHO routers and QNAP storage devices, discovered by Talos.

Source: SentinelOne Labs (sentinelone.com)
Sandworm

The most notable case is VPNFilter, a modular malware aimed at SOHO routers and QNAP storage devices, discovered by Talos.

Source: SentinelOne Labs (sentinelone.com)
MITRE ATT&CK

Techniques & procedures

26 distinct techniques documented for this family, organized by ATT&CK tactic.

Reconnaissance

1 technique
T1595 Active Scanning (evidence: 1)

All scans looked for Mikrotik routers with port 2000 exposed online, and only routers located on Ukrainian networks.

Resource Development

2 techniques
T1584 Compromise Infrastructure (evidence: 1)

Cyclops Blink, originally discovered in late February, was found attacking firewall appliances from WatchGuard Technologies and routers from Asus to attack users.

T1584.005 Botnet (evidence: 1)

The Justice Department today announced a court-authorized operation, conducted in March 2022, to disrupt a two-tiered global botnet of thousands of infected network hardware devices under the control of a threat actor known to security researchers as Sandworm.

Initial Access

3 techniques
T1078 Valid Accounts (evidence: 2)

Most of the devices targeted are known to use default credentials and/or have known exploits, particularly for older versions.

T1133 External Remote Services (evidence: 1)

Owners are advised to consider disabling remote-management settings on devices and secure with strong passwords and encryption when enabled.

T1190 Exploit Public-Facing Application (evidence: 3)

Cisco says no zero-days were used to create this botnet, but just older public vulnerabilities.

Execution

1 technique
T1059 Command and Scripting Interpreter (evidence: 1)

Stage 2 allows the attackers to execute commands and steal data.

Persistence

5 techniques
T1037 Boot or Logon Initialization Scripts (evidence: 1)

The first-stage payload can achieve boot persistence on devices and survive reboot operations.

T1078 Valid Accounts (evidence: 2)

Most of the devices targeted are known to use default credentials and/or have known exploits, particularly for older versions.

T1133 External Remote Services (evidence: 1)

Owners are advised to consider disabling remote-management settings on devices and secure with strong passwords and encryption when enabled.

T1542 Pre-OS Boot (evidence: 1)

Stage 1 is installed first and allows the malware to stay persistent even when the router is rebooted.

T1547 Boot or Logon Autostart Execution (evidence: 1)

The Stage One bot is the most lightweight and simple, as its only role is to infect the device and obtain boot persistence.

Privilege Escalation

3 techniques
T1037 Boot or Logon Initialization Scripts (evidence: 1)

The first-stage payload can achieve boot persistence on devices and survive reboot operations.

T1078 Valid Accounts (evidence: 2)

Most of the devices targeted are known to use default credentials and/or have known exploits, particularly for older versions.

T1547 Boot or Logon Autostart Execution (evidence: 1)

The Stage One bot is the most lightweight and simple, as its only role is to infect the device and obtain boot persistence.

Stealth

2 techniques
T1078 Valid Accounts (evidence: 2)

Most of the devices targeted are known to use default credentials and/or have known exploits, particularly for older versions.

T1542 Pre-OS Boot (evidence: 1)

Stage 1 is installed first and allows the malware to stay persistent even when the router is rebooted.

Credential Access

2 techniques
T1040 Network Sniffing (evidence: 3)

Cisco says that until now it has spotted Stage Three plugins that can: Monitor for the presence of Modbus SCADA protocols.

Cisco says that until now it has spotted Stage Three plugins that can: Sniff network packets and intercept traffic.

T1557 Adversary-in-the-Middle (evidence: 1)

"...VPNFilter attack... targeting networking devices on a massive scale... providing control of the network traffic as well as allowing MITM attacks."

Discovery

2 techniques
T1040 Network Sniffing (evidence: 3)

Cisco says that until now it has spotted Stage Three plugins that can: Monitor for the presence of Modbus SCADA protocols.

Cisco says that until now it has spotted Stage Three plugins that can: Sniff network packets and intercept traffic.

T1046 Network Service Discovery (evidence: 2)

researchers say botnet started an intense scanning activity in recent months, growing to a huge size.

Lateral Movement

1 technique
T1021 Remote Services (evidence: 1)

many people heard the reboot part, but did not read the rest of the recommendations of turning off remote administration

Collection

3 techniques
T1039 Data from Network Shared Drive (evidence: 1)

The malware is capable of collecting traffic sent through infected routers, such as website credentials.

T1213 Data from Information Repositories (evidence: 1)

VPNFilter is malware that targets routers and NAS devices in order to steal files, information, and examine network traffic as it flows through the device.

T1557 Adversary-in-the-Middle (evidence: 1)

"...VPNFilter attack... targeting networking devices on a massive scale... providing control of the network traffic as well as allowing MITM attacks."

Command and Control

5 techniques
T1071 Application Layer Protocol (evidence: 4)

The operation copied and removed malware from vulnerable internet-connected firewall devices that Sandworm used for command and control (C2) of the underlying botnet.

T1090 Proxy (evidence: 1)

They could use the botnet's hacked devices to hide the source of other malicious attacks

T1090.003 Multi-hop Proxy (evidence: 3)

Communicate with C&C servers via the Tor network

T1219 Remote Access Tools (evidence: 1)

the second-stage component is akin to a remote access trojan (RAT), while the third-stage payloads are plugins for this RAT, which add extra functionality

T1572 Protocol Tunneling (evidence: 1)

Stage 3 consists of various plugins that can be installed into the malware that allow it to perform different functionality such as sniff the network, monitor SCADA communication, and to communicate over TOR.

Impact

5 techniques
T1485 Data Destruction (evidence: 6)

AcidRain is an ELF MIPS malware designed to wipe modems and routers.

T1490 Inhibit System Recovery (evidence: 1)

Among its many plugins, it also included functionality to wipe and brick devices...

T1495 Firmware Corruption (evidence: 1)

This renders any device unusable, as the code needed to start the device has been replaced with jumbled data.

T1498 Network Denial of Service (evidence: 1)

Among its many plugins, it also included functionality to wipe and brick devices as well as DDoS a target.

T1561.001 Disk Content Wipe (evidence: 3)

This wiper iterates over all possible device file identifiers (e.g., mtdblock0 – mtdblock99), opens the device file, and either overwrites it with up to 0x40000 bytes of data or (in the case of the /dev/mtd* device file) uses the following IOCTLs to erase it: MEMGETINFO, MEMUNLOCK, MEMERASE, and MEMWRITEOOB.

INDICATORS OF COMPROMISE

IOCs tracked for this family

3 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
Hashes
3 tracked

File hashes (MD5, SHA-1, SHA-256) from samples and reports.

Type         Value        Latest sighting
hash.md5     (not shown)  1 year ago
hash.sha1    (not shown)  1 year ago
hash.sha256  (not shown)  1 year ago