VPNFilter malware infects half a million routers!

24 May 2018

A new malware known as VPNFilter targets networking devices in small and home office (SOHO) spaces, including routers from Linksys, MikroTik, NETGEAR, QNAP NAS and TP-Link. It is estimated that at least 500,000 networking devices in at least 54 countries.

VPNFilter malware  targets the following networking devices:

  • Linksys Device model: E1200, E2500, WRVS4400N

  • MikroTik RouterOS Versions for Cloud Core Routers: 1016, 1036, 1072

  • NETGEAR Device model: DGN2200, R6400, R7000, R8000, WNR1000, WNR2000

  • QNAP Network-Attached Storage Device model: TS251, TS439 Pro

  • TP-Link Device model: R600VPN


VPNFilter can sniff on data flowing through an infected device, essentially conducting data exfiltration which can lead to credentials theft. It searches for Modbus, a communication protocol used to connect a supervisory computer with a remote terminal unit in SCADA (Supervisory Controls and Data Acquisition) system, with the intent and mean to destruct the SCADA equipment. Infected devices also allow threat actors to remotely execute a self-destruct command all at once, rendering thousands of devices unusable.


Administrators and owners of affected devices are recommended to:

  • Perform a factory reset, reboot and patch their devices with the latest firmware/software version.

  • Turn off the remote administrative access feature on the device if not used.

  • Refer to the following device manufacturer's website for more information on how to upgrade their devices’ firmware accordingly: