How Sandworm’s Cyclops Blink Russian Malware Works

The purpose of this article is to explore Sandworm’s Cyclops Blink malware: what it is, how it works, and how to remediate an infection. There are fears that this malware is building firewall botnets to attack Ukraine, and it has recently been identified as being used by Russia in the Ukraine conflict.

What is the Sandworm Hacking Group?

Sandworm is a Russian hacking group, though its activity has also been found in other countries. The Sandworm operators usually use the Russian language during their attacks.

Sandworm, a division of the Russian Federation’s intelligence service, is an underground hacking group that has been known to spread and operate Russian malware and botnets that pose a significant threat to the United States and other Western nations. After looking at the group’s history and modus operandi, this article also looks at some of the tactics they are suspected of using in conjunction with cyber-attacks.

What is malware and how does it work?

Malware is a type of malicious software that can infect computers and harm the data stored on them. Malware often takes the form of viruses, Trojan horses, worms, ransomware, or adware. The most common way for malware to enter a computer is through unsafe downloads from a webpage or via email attachments.

Cyclops Blink is a particular kind of malware: one that builds a botnet.

What is a BotNet and how does it work?

A BotNet is a collection of Internet-connected devices, which are infected with malware and controlled as a group without the owner’s knowledge.

Botnets are used for various purposes:

  • Distribute spam and phishing emails
  • Conduct DDoS attacks
  • Steal personal information
  • Spread malware

Cyclops Blink is known to infect firewalls to create a firewall botnet.

What is the VPNFilter malware?

Before there was Cyclops Blink, there was VPNFilter. VPNFilter is malware that has been found in at least 54 countries and targets major brands such as Linksys, MikroTik, NETGEAR, and TP-Link. VPNFilter is a high-level threat that is capable of infiltrating devices by accessing the networks they are connected to and can cause severe damage before anyone even realizes they were compromised. Cyclops Blink has replaced VPNFilter as a recent security threat.

What is the Cyclops Blink Malware?

Cyclops Blink is a new type of malware that can disable, destroy or take over the security functions of a WatchGuard firewall device. It can also allow an attacker to bypass the firewall and attack other devices. WatchGuard firewall devices have been considered vulnerable to this malware since 2019.

Cyclops Blink is a known cyber threat that creates botnets. Once an attacker has built up these small networks, they can steal personal data and create fake identities. The botnet also sends out spam emails.

How does Cyclops Blink Malware work?

Cyclops Blink groups victim devices into clusters by geo-location, and each deployment carries its own list of IP address and port pairs through which it communicates with a C2. Every known C2 IP address so far has been associated with compromised WatchGuard firewall devices. Cyclops Blink communication is encrypted at the TLS protocol level, so no cleartext traffic can be examined. Sandworm operates Cyclops Blink by connecting to its control layer through the Tor network. The image below shows the configuration of the Cyclops Blink malware.


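Because the C2 traffic is TLS-encrypted, a defender is left with connection metadata rather than payloads. The following added example (not code from the article or from WatchGuard) flags outbound TCP connections that originate from the firewall itself and go to destinations outside an expected allowlist; the firewall address, the allowlist and the flow-log lines are constructed assumptions.

```python
# Added example: metadata-based detection of firewall-originated C2 traffic.
# Cyclops Blink talks to its C2 over TLS from the firewall's own address, using
# a per-deployment list of IP:port pairs, so we look for connections that the
# firewall itself initiates to hosts/ports it is not expected to contact.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed assumption: the firewall's own outward-facing address.
FIREWALL_IPS = {"203.0.113.10"}
# Constructed allowlist: (network, allowed destination ports). In practice this
# comes from the vendor's published update hosts and your own management hosts.
EXPECTED_DESTINATIONS = [
    (ip_network("198.51.100.0/24"), {443}),         # hypothetical update servers
    (ip_network("10.0.0.0/8"), {443, 514, 8080}),    # internal mgmt / syslog
]

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str

def parse_flow(line):
    """Parse a constructed, simplified flow line: '<src> <dst> <dport> <proto>'."""
    src, dst, dport, proto = line.split()
    return Flow(src, dst, int(dport), proto.lower())

def is_expected(flow):
    """True if the destination/port is on the allowlist."""
    dst = ip_address(flow.dst)
    return any(dst in net and flow.dport in ports for net, ports in EXPECTED_DESTINATIONS)

def suspicious_flows(lines):
    """Flows initiated by the firewall itself over TCP to an unexpected
    destination: the shape an implant's C2 check-in would leave in flow logs."""
    return [f for f in map(parse_flow, lines)
            if f.src in FIREWALL_IPS and f.proto == "tcp" and not is_expected(f)]

# Constructed sample flow records (not real indicators).
SAMPLE_LOG = [
    "203.0.113.10 198.51.100.7 443 tcp",   # update server: expected
    "203.0.113.10 10.20.0.5 514 udp",      # internal syslog: expected
    "203.0.113.10 192.0.2.44 8443 tcp",    # unknown host, odd port: flag
    "192.168.1.23 192.0.2.44 443 tcp",     # LAN client, not the firewall
    "203.0.113.10 192.0.2.99 443 tcp",     # unknown host even on 443: flag
]

if __name__ == "__main__":
    for f in suspicious_flows(SAMPLE_LOG):
        print(f"ALERT firewall {f.src} -> {f.dst}:{f.dport}/{f.proto}")
```

Flagged destinations are a starting point for investigation, not proof of infection; confirm with the vendor's detection tools described below.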
What is Tor and how does it work?

Tor is open-source software that allows people to browse the internet anonymously. Tor is a volunteer-run service that helps people preserve their personal privacy and security on the internet.

Tor stands for The Onion Router. It is free software that protects your privacy online by bouncing your communications around a distributed network of relays run by volunteers all around the world. This makes it hard for someone watching your Internet connection to tell where you are or what you’re doing online.

Tor is used by Sandworm to reach the control layer of the Cyclops Blink malware.

How do you remediate Cyclops Blink malware?

WatchGuard shared that it patched this vulnerability with a May 2021 update and is now able to screen for the malware. The attackers were able to gain unauthorized access to the WatchGuard devices and loaded their own firmware onto them, which allowed them to get back inside after a reboot. WatchGuard has estimated that about 1% of all its installed firewalls were infected but did not disclose exactly how many devices that applies to. WatchGuard has released tools to detect the malware on its firewalls, and these tools remove any infection found quickly and effectively.


This article has reviewed Sandworm’s Cyclops Blink malware: what it is, how it works, and how to remediate an infection. This malware is being used in the Ukraine-Russia conflict, as reported by numerous sources.

If you have any questions, please let me know in the comments. I appreciate any feedback on this article. Thanks.

Dr. M
