Yesterday began like any other Wednesday for many in the information security industry: coffee, mass consumption of news articles and other particulars to digest, and perhaps a danish, protein shake or some other delectable to provide added fuel for the day. Last, but not least, another malicious endeavor targeting innocent IoT devices. The analysts at Cisco Talos released their findings, through the Cyber Threat Alliance (CTA) membership, on a malware campaign they have dubbed “VPNFilter”.

VPNFilter currently targets multiple IoT devices, including Netgear, Linksys, MikroTik, TP-Link and QNAP, running on the MIPS and x86 hardware architectures. Its codebase is similar to BlackEnergy, which is believed to be state-sponsored malware and has been attributed to multiple attacks on devices in Ukraine. Given the global popularity of these devices, the malware's reach is expected to surpass the estimated 500,000 affected devices. In its current iteration, VPNFilter has the following capabilities.

VPNFilter Core Functionality

  • TOR communication
  • Device destruction (bricking)
  • MODBUS protocol monitoring
  • Download additional components
  • Create custom service for C2 communication

Recommended Mitigations

  • Update firmware on IoT devices.
  • Monitor IoT devices' inbound/outbound traffic.
  • Factory reset and reboot suspected devices to remove stage 2 and 3 malware components.
  • Monitor ICS and SCADA for anomalous or potentially malicious activity.
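One way to act on the traffic-monitoring recommendations above, as an added example that is not code from the Talos report or from this post: a small Python script that scans flow records for an IoT device talking outbound on Tor relay ports, on ports outside its expected set, or carrying Modbus (TCP/502) across the LAN boundary. The flow-record format, the LAN prefix, the device inventory and the port lists are all assumptions constructed for the example; in practice they would come from your own exports and inventory.

```python
"""Flag suspicious IoT egress and Modbus perimeter crossings in flow records.

Added example, not from the Talos report or the original post. The record
format (src,dst,dport,proto,bytes), the LAN prefix, the device inventory and
the port lists are assumptions made for illustration.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Assumed LAN prefix; anything outside it is treated as external
LAN = ipaddress.ip_network("192.168.1.0/24")

# Hypothetical inventory of router / IoT management addresses on the LAN
IOT_DEVICES = {"192.168.1.1", "192.168.1.50"}

# Egress ports an IoT device is normally expected to use (assumption)
EXPECTED_EGRESS_PORTS = {53, 123, 443}

# Ports commonly used by Tor relays and directories (illustrative, not exhaustive)
TOR_PORTS = {9001, 9030}

MODBUS_PORT = 502


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    proto: str
    nbytes: int


def parse_flow(line: str) -> Flow:
    """Parse one 'src,dst,dport,proto,bytes' record (constructed format)."""
    src, dst, dport, proto, nbytes = (f.strip() for f in line.split(","))
    return Flow(src, dst, int(dport), proto.upper(), int(nbytes))


def is_lan(addr: str) -> bool:
    return ipaddress.ip_address(addr) in LAN


def classify(flow: Flow) -> list[str]:
    """Return the reasons a flow is suspicious; an empty list means clean."""
    reasons: list[str] = []
    # Outbound traffic from an IoT device to the outside world
    if flow.src in IOT_DEVICES and not is_lan(flow.dst):
        if flow.dport in TOR_PORTS:
            reasons.append("tor-port-egress")
        elif flow.dport not in EXPECTED_EGRESS_PORTS:
            reasons.append("unexpected-egress-port")
    # Modbus should stay inside the LAN in either direction
    if flow.dport == MODBUS_PORT and flow.proto == "TCP":
        if not is_lan(flow.src) or not is_lan(flow.dst):
            reasons.append("modbus-crosses-perimeter")
    return reasons


def scan(lines) -> dict[str, list[str]]:
    """Map each suspicious record to its reasons; clean records are omitted."""
    findings: dict[str, list[str]] = {}
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        reasons = classify(parse_flow(line))
        if reasons:
            findings[line.strip()] = reasons
    return findings


# Constructed sample records: src,dst,dport,proto,bytes
SAMPLE_FLOWS = """\
# constructed sample records
192.168.1.1,8.8.8.8,53,UDP,120
192.168.1.1,203.0.113.10,9001,TCP,48211
192.168.1.50,198.51.100.7,8080,TCP,5120
192.168.1.50,192.168.1.20,502,TCP,900
192.168.1.50,203.0.113.44,502,TCP,300
192.168.1.99,203.0.113.9,4444,TCP,100
"""

if __name__ == "__main__":
    for record, why in scan(SAMPLE_FLOWS.splitlines()).items():
        print(f"{record}  ->  {', '.join(why)}")
```

Run as a script it prints three of the six sample records: the DNS lookup is on an expected port, the internal Modbus poll stays inside the LAN, and the 192.168.1.99 host is not in the IoT inventory, so none of those is reported. The Modbus flow to an external address is reported for two reasons at once, which is the behaviour you want when a device both leaves its expected port set and carries a protocol that should never cross the perimeter.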

Cisco Talos is still analyzing and researching the full capabilities and objectives of VPNFilter; its researchers will continue to update the public as new details emerge. As a precaution, all traffic inbound to and outbound from IoT devices should be monitored. Though a device you run at home or in the office may not be on the affected-device list, target platforms could change in the future as actors look to expand and enhance their operations. Ultimately, any unsecured or vulnerable device is fair game for achieving their nefarious goals.