Researchers continue to analyze the VPNFilter attack and they have discovered new capabilities and determined that the threat targets a larger number of devices than initially believed.
Cisco Talos’ initial report on VPNFilter said the threat targeted 16 routers and network-attached storage (NAS) devices from Linksys, MikroTik, Netgear, TP-Link and QNAP. It turns out that not only is the malware capable of hacking more device models from these vendors, it can also take control of products from ASUS, D-Link, Huawei, Ubiquiti, UPVEL, and ZTE.
Talos now lists a total of more than 50 impacted devices. While researchers have identified a sample targeting UPVEL products, they have not been able to determine exactly which models are affected.
Experts have also found a new stage 3 endpoint exploitation module that injects malicious content into traffic as it passes through a compromised network device.
The new module, dubbed “ssler,” provides data exfiltration and JavaScript injection capabilities by intercepting traffic going to port 80. Attackers can control which websites are targeted and where the stolen data is stored.
“With this new finding, we can confirm that the threat goes beyond what the actor could do on the network device itself, and extends the threat into the networks that a compromised network device supports,” Talos explained.
Another new stage 3 module discovered after the initial analysis, dubbed “distr,” allows stage 2 modules to remove the malware from a device and then make that device unusable.
One interesting capability of VPNFilter is to monitor the network for communications over the Modbus SCADA protocol. Talos has conducted further analysis of this sniffer and published additional details.
When it was discovered, the VPNFilter botnet had ensnared roughly 500,000 devices across 54 countries. However, experts believe the main target is Ukraine and, along with U.S. authorities, attributed the threat to Russia, specifically the group known as Sofacy, with possible involvement of the actor tracked as Sandworm.
The FBI has managed to disrupt the botnet by seizing one of its domains, but researchers noticed that the attackers have not given up and continue to target routers in Ukraine.
Related: FBI Attribution of ‘VPNFilter’ Attack Raises Questions
Related: Massive Russia-Linked Botnet Raises Concerns of New Attack on Ukraine

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- Siemens License Manager Vulnerabilities Allow ICS Hacking
- CISA Releases Open Source Recovery Tool for ESXiArgs Ransomware
- ICS Cybersecurity Firm Opscura Launches With $9.4 Million in Series A Funding
- Patch Released for Actively Exploited GoAnywhere MFT Zero-Day
- VMware Says No Evidence of Zero-Day Exploitation in ESXiArgs Ransomware Attacks
- Critical Baicells Device Vulnerability Can Expose Telecoms Networks to Snooping
- SecurityWeek Analysis: Over 450 Cybersecurity M&A Deals Announced in 2022
- VMware ESXi Servers Targeted in Ransomware Attack via Old Vulnerability
Latest News
- Minister: Cybercrimes Now 20% of Spain’s Registered Offenses
- Skybox Security Raises $50M, Hires New CEO
- Spies, Hackers, Informants: How China Snoops on the US
- Australian Man Sentenced for Scam Related to Optus Hack
- Chrome 110 Patches 15 Vulnerabilities
- Application Security Protection for the Masses
- Tor Network Under DDoS Pressure for 7 Months
- Siemens License Manager Vulnerabilities Allow ICS Hacking
