
S0687 Cyclops Blink

Cyclops Blink is a modular malware that has been used in widespread campaigns by Sandworm Team since at least 2019 to target Small/Home Office (SOHO) network devices, including WatchGuard and Asus.[3][2][1]

| Item | Value |
| --- | --- |
| ID | S0687 |
| Associated Names | |
| Version | 1.0 |
| Created | 03 March 2022 |
| Last Modified | 14 April 2022 |
| Navigation Layer | View In ATT&CK® Navigator |

Techniques Used

| Domain | ID | Name | Use |
| --- | --- | --- | --- |
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | Cyclops Blink can download files via HTTP and HTTPS.[3][1] |
| enterprise | T1037 | Boot or Logon Initialization Scripts | - |
| enterprise | T1037.004 | RC Scripts | Cyclops Blink has the ability to execute on device startup, using a modified RC script named S51armled.[3] |
| enterprise | T1132 | Data Encoding | - |
| enterprise | T1132.002 | Non-Standard Encoding | Cyclops Blink can use a custom binary scheme to encode messages with specific commands and parameters to be executed.[3] |
| enterprise | T1005 | Data from Local System | Cyclops Blink can upload files from a compromised host.[3] |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | Cyclops Blink can decrypt and parse instructions sent from C2.[3] |
| enterprise | T1573 | Encrypted Channel | - |
| enterprise | T1573.002 | Asymmetric Cryptography | Cyclops Blink can encrypt C2 messages with AES-256-CBC sent underneath TLS. OpenSSL library functions are also used to encrypt each message using a randomly generated key and IV, which are then encrypted using a hard-coded RSA public key.[3] |
| enterprise | T1041 | Exfiltration Over C2 Channel | Cyclops Blink has the ability to upload exfiltrated files to a C2 server.[3] |
| enterprise | T1083 | File and Directory Discovery | Cyclops Blink can use the Linux API statvfs to enumerate the current working directory.[3][1] |
| enterprise | T1562 | Impair Defenses | - |
| enterprise | T1562.004 | Disable or Modify System Firewall | Cyclops Blink can modify the Linux iptables firewall to enable C2 communication via a stored list of port numbers.[3][1] |
| enterprise | T1070 | Indicator Removal | - |
| enterprise | T1070.006 | Timestomp | Cyclops Blink has the ability to use the Linux API function utime to change the timestamps of modified firmware update images.[3] |
| enterprise | T1105 | Ingress Tool Transfer | Cyclops Blink has the ability to download files to target systems.[3][1] |
| enterprise | T1559 | Inter-Process Communication | Cyclops Blink has the ability to create a pipe to enable inter-process communication.[1] |
| enterprise | T1036 | Masquerading | - |
| enterprise | T1036.005 | Match Legitimate Name or Location | Cyclops Blink can rename its running process to [kworker:0/1] to masquerade as a Linux kernel thread. Cyclops Blink has also named RC scripts used for persistence after WatchGuard artifacts.[3] |
| enterprise | T1106 | Native API | Cyclops Blink can use various Linux API functions including those for execution and discovery.[3] |
| enterprise | T1571 | Non-Standard Port | Cyclops Blink can use non-standard ports for C2 not typically associated with HTTP or HTTPS traffic.[3] |
| enterprise | T1542 | Pre-OS Boot | - |
| enterprise | T1542.002 | Component Firmware | Cyclops Blink has maintained persistence by patching legitimate device firmware when it is downloaded, including that of WatchGuard devices.[3] |
| enterprise | T1057 | Process Discovery | Cyclops Blink can enumerate the process it is currently running under.[3] |
| enterprise | T1572 | Protocol Tunneling | Cyclops Blink can use DNS over HTTPS (DoH) to resolve C2 nodes.[1] |
| enterprise | T1090 | Proxy | - |
| enterprise | T1090.003 | Multi-hop Proxy | Cyclops Blink has used Tor nodes for C2 traffic.[2] |
| enterprise | T1082 | System Information Discovery | Cyclops Blink has the ability to query device information.[3] |
| enterprise | T1016 | System Network Configuration Discovery | Cyclops Blink can use the Linux API if_nameindex to gather network interface names.[3][1] |

Groups That Use This Software

| ID | Name | References |
| --- | --- | --- |
| G0034 | Sandworm Team | [2][1] |