S0687: Cyclops Blink
Cyclops Blink is a modular malware that has been used in widespread campaigns by Sandworm Team since at least 2019 to target Small/Home Office (SOHO) network devices, including WatchGuard and Asus. Cyclops Blink is assessed to be a replacement for VPNFilter, a similar platform targeting network devices.[1][2][3]
Analyst context for executives and security teams
Cyclops Blink matters because it targets network devices rather than ordinary endpoints. Compromise of routers, firewalls, or SOHO edge devices can undermine perimeter trust, remote access paths, and incident response visibility. The supplied ATT&CK record describes a modular malware platform used by Sandworm Team since at least 2019 against SOHO network devices, including WatchGuard and Asus, and assessed as a replacement for VPNFilter.
Executive priority
Treat this as a resilience and visibility issue for unmanaged or lightly managed network infrastructure. Leaders should ask whether the organization has an accurate inventory of edge/SOHO network devices, whether firmware and configuration integrity can be proven, whether device logs are centrally collected, and whether incident response plans include network-device containment and rebuild decisions. This is also relevant to audit evidence because many controls depend on firewalls and routers remaining trustworthy.
Technical view
ATT&CK provides no dedicated detection text for Cyclops Blink, so validation should be relationship-driven. The related techniques point to discovery on network devices, persistence through RC scripts and possible firmware-related persistence, C2 over web protocols, non-standard ports, protocol tunneling, asymmetric cryptography, multi-hop proxying, ingress tool transfer, exfiltration over C2, timestomping, and network-device firewall rule changes. SOC and IR teams should confirm whether network-device telemetry is sufficient to observe configuration changes, startup script modifications, process/file enumeration, suspicious outbound web traffic, atypical port/protocol pairings, and unauthorized firewall/ACL changes.
Likely telemetry
- Network device inventory and firmware/version records
- Network device system, authentication, configuration, and administrative change logs
- Firewall, ACL, security zone, and policy change history
- Outbound network flow records from edge and SOHO devices
- Proxy, DNS, and web traffic metadata for device-originated connections
Detection direction
- Do not rely only on endpoint EDR; the ATT&CK platform is Network Devices, where telemetry is often sparse or absent.
- Baseline expected management activity, firmware versions, startup scripts, firewall rules, and outbound destinations for network devices, then alert on unauthorized drift.
- Tune for device-originated web traffic on unusual ports, protocol/port mismatches, encrypted or encoded sessions that do not match normal device behavior, and repeated connections through proxy-like infrastructure.
- Correlate discovery behaviors such as process, file, directory, system, and network configuration enumeration with subsequent tool transfer, C2, or exfiltration-like traffic.
- Review firewall and ACL modifications as security events, not just network operations, because the related technique includes network-device firewall impairment.
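The detection directions above can be turned into concrete checks once a device baseline exists. The following Python is an added example, not part of the ATT&CK record or of Glexia's analysis: it compares an observed device snapshot (firmware version, startup script bodies, iptables-style rules) against a stored baseline and flags drift, then scans device-originated flow records for web-protocol traffic on non-standard ports or to destinations outside the baseline. The device name, script bodies, firewall rules, and flow records are all constructed for the example; the collection mechanism (config pulls, NetFlow/IPFIX export with an application label) is assumed to exist and is not shown.

```python
"""Baseline-drift and flow-anomaly checks for network-device telemetry.

Added example (not from the ATT&CK record or Glexia). Every device name,
script body, firewall rule and flow record below is constructed.
"""
import hashlib
from typing import Dict, List


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed baseline: the state the device is *expected* to be in.
BASELINE = {
    "fw-branch-01": {
        "firmware": "12.7.2",
        # startup script name -> sha256 of its body at baseline time
        "startup_scripts": {
            "S10network": sha256(b"#!/bin/sh\nifup -a\n"),
            "S51armled": sha256(b"#!/bin/sh\n/bin/armled &\n"),
        },
        "firewall_rules": {
            "-A INPUT -p tcp -s 10.0.0.0/8 --dport 22 -j ACCEPT",
            "-A INPUT -j DROP",
        },
        # (destination, port) pairs the device is allowed to reach on its own
        "allowed_outbound": {("update.vendor.example", 443), ("ntp.example.net", 123)},
    }
}

STANDARD_WEB_PORTS = {80, 443, 8080, 8443}


def config_drift(device: str, observed: Dict) -> List[str]:
    """Compare an observed snapshot with the baseline; return one alert per drift."""
    base = BASELINE[device]
    alerts: List[str] = []
    if observed["firmware"] != base["firmware"]:
        alerts.append(f"{device}: firmware {base['firmware']} -> {observed['firmware']} outside change control")
    # Startup scripts: new, modified, or removed relative to baseline.
    for name, body in observed["startup_scripts"].items():
        if name not in base["startup_scripts"]:
            alerts.append(f"{device}: new startup script {name}")
        elif sha256(body) != base["startup_scripts"][name]:
            alerts.append(f"{device}: startup script {name} modified")
    for name in sorted(base["startup_scripts"].keys() - observed["startup_scripts"].keys()):
        alerts.append(f"{device}: startup script {name} removed")
    # Firewall rules are treated as security events: any add/remove is reported.
    for rule in sorted(observed["firewall_rules"] - base["firewall_rules"]):
        alerts.append(f"{device}: firewall rule added: {rule}")
    for rule in sorted(base["firewall_rules"] - observed["firewall_rules"]):
        alerts.append(f"{device}: firewall rule removed: {rule}")
    return alerts


def flow_anomalies(device: str, flows: List[Dict]) -> List[str]:
    """Flag device-originated flows that break the outbound baseline."""
    base = BASELINE[device]
    allowed_hosts = {host for host, _ in base["allowed_outbound"]}
    alerts: List[str] = []
    for f in flows:
        if f["src"] != device:
            continue  # only traffic the device itself initiates
        if (f["dst"], f["dport"]) in base["allowed_outbound"]:
            continue
        reasons = []
        if f["app"] in ("tls", "http") and f["dport"] not in STANDARD_WEB_PORTS:
            reasons.append(f"{f['app']} on non-standard port")
        if f["dst"] not in allowed_hosts:
            reasons.append("destination not in baseline")
        if reasons:
            alerts.append(f"{device}: {f['app']} to {f['dst']}:{f['dport']} ({'; '.join(reasons)})")
    return alerts


# Constructed observed snapshot: one startup script changed, one rule added.
OBSERVED = {
    "firmware": "12.7.2",
    "startup_scripts": {
        "S10network": b"#!/bin/sh\nifup -a\n",
        "S51armled": b"#!/bin/sh\n/bin/armled &\n/var/tmp/updater &\n",
    },
    "firewall_rules": {
        "-A INPUT -p tcp -s 10.0.0.0/8 --dport 22 -j ACCEPT",
        "-A INPUT -p tcp --dport 3399 -j ACCEPT",
        "-A INPUT -j DROP",
    },
}

# Constructed flow records; 'app' is the exporter's protocol label.
FLOWS = [
    {"src": "fw-branch-01", "dst": "update.vendor.example", "dport": 443, "app": "tls"},
    {"src": "fw-branch-01", "dst": "198.51.100.23", "dport": 3399, "app": "tls"},
    {"src": "fw-branch-01", "dst": "ntp.example.net", "dport": 123, "app": "ntp"},
    {"src": "10.0.5.10", "dst": "203.0.113.9", "dport": 8443, "app": "tls"},
]

if __name__ == "__main__":
    for line in config_drift("fw-branch-01", OBSERVED) + flow_anomalies("fw-branch-01", FLOWS):
        print(line)
```

Run as-is it reports the modified S51armled body, the added inbound rule, and the TLS session to 198.51.100.23 on port 3399; the fourth flow is ignored because it is not device-originated. The rule set that feeds `flow_anomalies` is deliberately narrow: the value of the check comes from the baseline being accurate and reviewed, not from the port list.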
Mitigation priorities
- Prioritize authoritative inventory of network devices, including SOHO and edge equipment that may sit outside normal endpoint management.
- Maintain firmware and configuration management processes that can prove current state and detect unauthorized changes.
- Restrict and monitor administrative access to network devices; separate routine operations from emergency access paths.
- Centralize network-device logs and retain configuration-change history for investigation and compliance evidence.
- Limit unnecessary outbound traffic from network devices and review allowed destinations, ports, and protocols.
Analyst notes and limits
The business risk is amplified by the device class: compromised routers or firewalls can provide persistence, traffic relay, C2, and policy manipulation while avoiding many endpoint-focused controls. The relationship to Sandworm Team is supplied by ATT&CK, but this take does not infer current activity against any specific organization. The most useful defensive work is proving whether network-device telemetry and change control are strong enough to make this behavior observable.
The official ATT&CK object does not provide detection guidance, aliases, labels, or malware-level tactics. Several technical conclusions are derived from supplied ATT&CK relationships rather than a Cyclops Blink-specific detection section. Local device models, firmware, logging capability, network architecture, and administrative practices are required to determine actual exposure and coverage.
Cyclops Blink
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1106 | Native API | Cyclops Blink can use various Linux API functions including those for execution and discovery.[1] |
| Enterprise | T1573.002 | Asymmetric Cryptography | Cyclops Blink can encrypt C2 messages with AES-256-CBC sent underneath TLS. OpenSSL library functions are also used to encrypt each message using a randomly generated key and IV, which are then encrypted using a hard-coded RSA public key.[1] |
| Enterprise | T1070.006 | Timestomp | Cyclops Blink has the ability to use the Linux API function `utime` to change the timestamps of modified firmware update images.[1] |
| Enterprise | T1036.005 | Match Legitimate Resource Name or Location | Cyclops Blink can rename its running process to |
| Enterprise | T1082 | System Information Discovery | Cyclops Blink has the ability to query device information.[1] |
| Enterprise | T1542.002 | Component Firmware | Cyclops Blink has maintained persistence by patching legitimate device firmware when it is downloaded, including that of WatchGuard devices.[1] |
| Enterprise | T1005 | Data from Local System | Cyclops Blink can upload files from a compromised host.[1] |
| Enterprise | T1083 | File and Directory Discovery | Cyclops Blink can use the Linux API `statvfs` to enumerate the current working directory.[1][3] |
| Enterprise | T1041 | Exfiltration Over C2 Channel | Cyclops Blink has the ability to upload exfiltrated files to a C2 server.[1] |
| Enterprise | T1057 | Process Discovery | Cyclops Blink can enumerate the process it is currently running under.[1] |
| Enterprise | T1016 | System Network Configuration Discovery | Cyclops Blink can use the Linux API `if_nameindex` to gather network interface names.[1][3] |
| Enterprise | T1132.002 | Non-Standard Encoding | Cyclops Blink can use a custom binary scheme to encode messages with specific commands and parameters to be executed.[1] |
| Enterprise | T1090.003 | Multi-hop Proxy | Cyclops Blink has used Tor nodes for C2 traffic.[2] |
| Enterprise | T1559 | Inter-Process Communication | Cyclops Blink has the ability to create a pipe to enable inter-process communication.[3] |
| Enterprise | T1686.002 | Network Device Firewall | Cyclops Blink can modify the Linux iptables firewall to enable C2 communication on network devices via a stored list of port numbers.[1][3] |
| Enterprise | T1105 | Ingress Tool Transfer | Cyclops Blink has the ability to download files to target systems.[1][3] |
| Enterprise | T1071.001 | Web Protocols | Cyclops Blink can download files via HTTP and HTTPS.[1][3] |
| Enterprise | T1037.004 | RC Scripts | Cyclops Blink has the ability to execute on device startup, using a modified RC script named S51armled.[1] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | Cyclops Blink can decrypt and parse instructions sent from C2.[1] |
| Enterprise | T1572 | Protocol Tunneling | Cyclops Blink can use DNS over HTTPS (DoH) to resolve C2 nodes.[3] |
| Enterprise | T1571 | Non-Standard Port | Cyclops Blink can use non-standard ports for C2 not typically associated with HTTP or HTTPS traffic.[1] |
Groups, software, and campaigns
G0034: Sandworm Team
Sandworm Team is a destructive threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) Main Center for Special Technologies (GTsST) military unit 74455.[1][2] This group has been active since at least 2009.[3][4][5][6]
In October 2020, the US indicted six GRU Unit 74455 officers associated with Sandworm Team for the following cyber operations: the 2015 and 2016 attacks against Ukrainian electrical companies and government organizations, the 2017 worldwide NotPetya attack, targeting of the 2017 French presidential campaign, the 2018 Olympic Destroyer attack against the Winter Olympic Games, the 2018 operation against the Organisation for the Prohibition of Chemical Weapons, and attacks against the country of Georgia in 2018 and 2019.[1][2] Some of these were conducted with the assistance of GRU Unit 26165, which is also referred to as APT28.[7]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.2 | | Current bundle | f4d8cfa42083… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] NCSC Cyclops Blink February 2022. NCSC. (2022, February 23). Cyclops Blink Malware Analysis Report. Retrieved March 3, 2022.
- [2] NCSC CISA Cyclops Blink Advisory February 2022. NCSC, CISA, FBI, NSA. (2022, February 23). New Sandworm malware Cyclops Blink replaces VPNFilter. Retrieved March 3, 2022.
- [3] Trend Micro Cyclops Blink March 2022. Haquebord, F. et al. (2022, March 17). Cyclops Blink Sets Sights on Asus Routers. Retrieved March 17, 2022.
- [4] mitre-attack S0687.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.