Monday, June 16, 2025
HomeMalwareHackers Infect More than 500,000 Routers Worldwide with a Potentially Destructive VPNFilter...

Hackers Infect More than 500,000 Routers Worldwide with a Potentially Destructive VPNFilter Malware

Published on

SIEM as a Service

Follow Us on Google News

Hackers infected more than 500,000 in at least 54 countries with a potentially destructive malware dubbed VPNFilter malware.

It is a multi-stage malware that supports both data gathering and destructive cyber attack operations. Now the malware actively targeting Ukraine hosts at a rapid phase.

According to Talos researchers who uncovered VPNFilter malware, this is a global deployed threat that is actively seeking to increase its footprint.

- Advertisement - Google News

Following are the devices Linksys, MikroTik, NETGEAR and TP-Link in small and home offices routers, (SOHO) space, and QNAP(NAS) devices are affected.

Researchers believe the authors of BlackEnergy malware behind the new sophisticated modular malware system we call VPNFilter.

VPNFilter Malware Multi-Stage Operations

Stage 1 malware ensures persistence., it can survive after a reboot, where most of the malware that targets internet-of-things devices does not survive after reboot. The recent version of Hide and Seek is the first bot with the ability to survive a reboot.

The Stage 2 malware with multiple capabilities such as file collection, command execution, data exfiltration and device management. With some version, it is self-destructive and damages router firmware which makes router unusable. Stage 2 malware is not persistent.

VPNFilter malware

Stage 3 malware acts as a plugin for Stage 2, it contains sniffer module for collecting traffic data and communication module that allows Stage 2 malware to connect to C2 server through Tor Service.

According to researchers “this malware is used to create an expansive, hard-to-attribute infrastructure that can be used to serve multiple operational needs of the threat actor.”

Starting from early may the infected devices conducting scans on TCP scans on ports 23, 80, 2000 and 8080 to find additional Mikrotik and QNAP NAS devices. The Scan targets more than 100 countries.

“Finally, on May 8, we observed a sharp spike in VPNFilter infection activity. Almost all of the newly acquired victims were located in Ukraine. Also of note, a majority of Ukrainian infections shared a separate stage 2 C2 infrastructure from the rest of the world, on IP 46.151.209[.]33.”

It is hard to defend against these attack as those devices are directly connected to the internet without any security devices between them. Still, now it’s unclear how threat actors exploiting the affected devices, but researchers believe no zero-day exploitation is required for VPNFilter.

Cisco published a complete list of Devices to be affected by this threat. It is always recommended to place the firewall behind routers and limit it to be accessible from single or multiple IP.

VPNFilter is an expansive, robust, highly capable, and dangerous threat that targets devices that are challenging to defend. “Talos believe this malware could be used to conduct a large-scale destructive attack by using the “kill” command, which would render some or all of the physical devices unusable.”

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Kali Linux 2025.2 Released: New Tools, Smartwatch and Car Hacking Added

Kali Linux, the preferred distribution for security professionals, has launched its second major release...

Arsen Launches AI-Powered Vishing Simulation to Help Organizations Combat Voice Phishing at Scale

Arsen, the cybersecurity startup known for defending organizations against social engineering threats, has announced...

NIST Releases New Guide – 19 Strategies for Building Zero Trust Architectures

The National Institute of Standards and Technology (NIST) has released groundbreaking guidance to help...

Spring Framework Flaw Enables Remote File Disclosure via “Content‑Disposition” Header

A medium-severity reflected file download (RFD) vulnerability (CVE-2025-41234) in VMware's Spring Framework has been...

Credential Abuse: 15-Min Attack Simulation

Credential Abuse Unmasked

Credential abuse is #1 attack vector in web and API breaches today (Verizon DBIR 2025). Join our live, 15-min attack simulation with Karthik Krishnamoorthy (CTO - Indusface) and Phani Deepak Akella (VP of Marketing - Indusface) to see hackers move from first probe to full account takeover.

Discussion points


Username & email enumeration – how a stray status-code reveals valid accounts.
Password spraying – low-and-slow guesses that evade basic lockouts.
Credential stuffing – lightning-fast reuse of breach combos at scale.
MFA / session-token bypass – sliding past second factors with stolen cookies.

More like this

Cybercriminals Exploiting Expired Discord Invite Links to Deploy Multi-Stage Malware

Recent investigations by Check Point Research have uncovered a sophisticated malware campaign that leverages...

Don’t Click “Unsubscribe” links blindly It May Leads to Loss of Credentials

Imagine your inbox is overflowing with promotional emails—some from familiar companies, others less so....

Interpol Dismantles 20,000 Malicious IPs and Domains Tied to 69 Malware Variants

In a landmark global cybercrime crackdown, INTERPOL’s Operation Secure has seen the takedown of...