Categories: MalwareSecurity News

Hackers Infect More than 500,000 Routers Worldwide with a Potentially Destructive VPNFilter Malware

Hackers infected more than 500,000 in at least 54 countries with a potentially destructive malware dubbed VPNFilter malware.

It is a multi-stage malware that supports both data gathering and destructive cyber attack operations. Now the malware actively targeting Ukraine hosts at a rapid phase.

According to Talos researchers who uncovered VPNFilter malware, this is a global deployed threat that is actively seeking to increase its footprint.

Following are the devices Linksys, MikroTik, NETGEAR and TP-Link in small and home offices routers, (SOHO) space, and QNAP(NAS) devices are affected.

Researchers believe the authors of BlackEnergy malware behind the new sophisticated modular malware system we call VPNFilter.

VPNFilter Malware Multi-Stage Operations

Stage 1 malware ensures persistence., it can survive after a reboot, where most of the malware that targets internet-of-things devices does not survive after reboot. The recent version of Hide and Seek is the first bot with the ability to survive a reboot.

The Stage 2 malware with multiple capabilities such as file collection, command execution, data exfiltration and device management. With some version, it is self-destructive and damages router firmware which makes router unusable. Stage 2 malware is not persistent.

VPNFilter malwareVPNFilter malware

Stage 3 malware acts as a plugin for Stage 2, it contains sniffer module for collecting traffic data and communication module that allows Stage 2 malware to connect to C2 server through Tor Service.

According to researchers “this malware is used to create an expansive, hard-to-attribute infrastructure that can be used to serve multiple operational needs of the threat actor.”

Starting from early may the infected devices conducting scans on TCP scans on ports 23, 80, 2000 and 8080 to find additional Mikrotik and QNAP NAS devices. The Scan targets more than 100 countries.

“Finally, on May 8, we observed a sharp spike in VPNFilter infection activity. Almost all of the newly acquired victims were located in Ukraine. Also of note, a majority of Ukrainian infections shared a separate stage 2 C2 infrastructure from the rest of the world, on IP 46.151.209[.]33.”

It is hard to defend against these attack as those devices are directly connected to the internet without any security devices between them. Still, now it’s unclear how threat actors exploiting the affected devices, but researchers believe no zero-day exploitation is required for VPNFilter.

Cisco published a complete list of Devices to be affected by this threat. It is always recommended to place the firewall behind routers and limit it to be accessible from single or multiple IP.

VPNFilter is an expansive, robust, highly capable, and dangerous threat that targets devices that are challenging to defend. “Talos believe this malware could be used to conduct a large-scale destructive attack by using the “kill” command, which would render some or all of the physical devices unusable.”

Gurubaran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Recent Posts

PoC Tool Released to Detect Servers Affected by Critical Apache Parquet Vulnerability

F5 Labs has released a new proof-of-concept (PoC) tool designed to help organizations detect servers…

1 hour ago

Healthcare Sector Becomes a Major Target for Cyber Attacks in 2025

The healthcare sector has emerged as a prime target for cyber attackers, driven by the…

2 hours ago

SysAid ITSM Vulnerabilities Enables Pre-Auth Remote Command Execution

Security researchers have disclosed a chain of critical vulnerabilities affecting SysAid ITSM’s On-Premise solution, enabling…

2 hours ago

CISA Warns of Cyber Threats to Oil and Gas SCADA and ICS Networks

The Cybersecurity and Infrastructure Security Agency (CISA) has issued a new alert warning critical infrastructure…

2 hours ago

Russian Company Gains Full Control Over Critical Open Source Easyjson Library

A startling discovery by Hunted Labs has brought to light a potential security risk lurking…

2 hours ago

Researchers Simulate DPRK’s Largest Cryptocurrency Heist Through Compromised macOS Developer and AWS Pivoting

Security researchers at Elastic have recreated the intricate details of the February 21, 2025, ByBit…

3 hours ago