The Cyclops Blink malware has been associated with the Sandworm group from Russia. The association was recently disclosed by U.S. and U.K. agencies in a joint security advisory.

About the malware

According to analysis by the FBI, CISA, NSA, and NCSC, the Cyclops Blink malware is a replacement for the VPNFilter malware used earlier by Sandworm.
  • The Cyclops Blink malware comes with modules designed to upload and download files to and from its C2 server, collect and exfiltrate device details, and update the malware itself.
  • The malware uses the infected devices' genuine firmware update channels to manage access to targeted systems. It injects malicious code and deploys repacked firmware images.
  • The Cyclops Blink malware can survive a reboot and persists throughout the legitimate firmware update process. It targets WatchGuard Firebox along with Small Office/Home Office (SOHO) network devices.
  • The group has mostly deployed the Cyclops Blink to WatchGuard devices.

About the Sandworm group

Sandworm is a Russian-sponsored cyberespionage group active since the mid-2000s. Its members are believed to be part of Unit 74455 of the Russian GRU's Main Center for Special Technologies (GTsST).
  • As per the report, the group is capable of developing the malware for other architectures and firmware as well.
  • The Sandworm group has a long history of attacks. It is thought to be involved in the BlackEnergy disruption of Ukrainian electricity in 2015, Industroyer in 2016, and the infamous NotPetya attack in 2017.
  • Later, the group was discovered launching cyberattacks against the Winter Olympics and Paralympics in 2018 and a series of disruptive attacks against Georgia in 2019.


The recent revelations will help in better understanding the Sandworm group’s attack techniques and malware deployment. Further, the joint advisory recommends referring to its indicators of compromise and provides guidance on how to better detect any possible activity on networks.

Cyware Publisher