{"id":89414,"date":"2018-06-06T08:42:24","date_gmt":"2018-06-06T15:42:24","guid":{"rendered":"https:\/\/securingtomorrow.mcafee.com\/?p=89414"},"modified":"2025-06-08T19:19:12","modified_gmt":"2025-06-09T02:19:12","slug":"vpnfilter-malware-adds-capabilities-to-exploit-endpoints","status":"publish","type":"post","link":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/vpnfilter-malware-adds-capabilities-to-exploit-endpoints\/","title":{"rendered":"VPNFilter Malware Adds Capabilities to Exploit Endpoints"},"content":{"rendered":"<p>VPNFilter, a botnet-controlled malware that infects networking devices, was first documented by researchers from Cisco Talos. McAfee Labs also <a href=\"https:\/\/securingtomorrow.mcafee.com\/mcafee-labs\/vpnfilter-botnet-targets-networking-devices\/\" target=\"_blank\" rel=\"noopener\">published a blog<\/a> on May 23 with some initial information.<\/p>\n<p>In our last post we discussed the three stages of infection and the devices affected by the malware, and how it can maintain a persistent presence on an infected device even after a reboot. The malware can also monitor traffic routed through the infected device. (Read <a href=\"https:\/\/securingtomorrow.mcafee.com\/mcafee-labs\/vpnfilter-botnet-targets-networking-devices\/\" target=\"_blank\" rel=\"noopener\">the first post<\/a> for more details.)<\/p>\n<p>In this post we will report new information released by Cisco Talos. The findings reveal that that malware now targets additional devices, including products from Huawei, Asus, D-Link, Ubiquiti Networks, MikroTik, Upvel, ZTE Linksys, Netgear, and TP-Link.<\/p>\n<p>In our previous post, we discussed two modules, a traffic sniffer and Tor, used in Stage 3 of the infection. Now researchers have analysed a third module in the third stage that intercepts network traffic by using a man-in-the-middle attack and injects malicious code while content passes through the router. Using this new module, an attacker can launch an exploit, and perform data exfiltration or a JavaScript injection onto the victim\u2019s device.<\/p>\n<p>The malware added another module that deletes its traces on the infected device. It then clears the flash memory and deletes operating system files, rendering the device inoperable.<\/p>\n<p>The new Stage-3 module\u2019s packet sniffer looks for basic authentication in the traffic content, and also monitors connections for industrial control systems traffic related to the Modbus protocol, which is typically used in SCADA systems.<strong>\u00a0<\/strong><\/p>\n<h2><strong>Coverage and Mitigation<\/strong><\/h2>\n<p>The aforementioned IOCs are covered as follows:<\/p>\n<ul>\n<li>Detection names for files: Linux\/VPNFilter<\/li>\n<li>V3 DAT with coverage version: 3367<\/li>\n<li>V2 DAT with coverage version: 8916<\/li>\n<\/ul>\n<p>All samples are classified in the GTI cloud as malware, as well as all relevant URLs.<\/p>\n<h2><strong>Further Recommendations from the Talos Threat Research Team<\/strong><\/h2>\n<ul>\n<li>Reboot SOHO routers and NAS devices to remove the potentially destructive, nonpersistent Stage 2 and Stage 3 malware<\/li>\n<li>Work with the manufacturer to ensure that your device is up to date with the latest patches. Apply the updated patches immediately.<\/li>\n<li>ISPs should aggressively work with their customers to ensure their devices are patched to the most recent firmware<strong>\u00a0<\/strong><\/li>\n<\/ul>\n<h2><strong>Updated Indicators of Compromise and Sample Hashes<\/strong><strong>\u00a0<\/strong><\/h2>\n<h4><em><strong>URLs and IP addresses<\/strong><\/em><\/h4>\n<ul>\n<li>photobucket[.]com\/user\/millerfred\/library<\/li>\n<li>photobucket[.]com\/user\/jeniferaniston1\/library<\/li>\n<li>photobucket[.]com\/user\/lisabraun87\/library<\/li>\n<li>photobucket[.]com\/user\/eva_green1\/library<\/li>\n<li>photobucket[.]com\/user\/suwe8\/library<\/li>\n<li>photobucket[.]com\/user\/bob7301\/library<\/li>\n<li>toknowall[.]com<\/li>\n<li>photobucket[.]com\/user\/amandaseyfried1\/library<\/li>\n<li>photobucket[.]com\/user\/nikkireed11\/library<\/li>\n<li>4seiwn2ur4f65zo4[.]onion\/bin256\/update.php<\/li>\n<li>zm3lznxn27wtzkwa[.]onion\/bin16\/update.php<\/li>\n<li>photobucket[.]com\/user\/kmila302\/library<\/li>\n<li>photobucket[.]com\/user\/monicabelci4\/library<\/li>\n<li>photobucket[.]com\/user\/katyperry45\/library<\/li>\n<li>photobucket[.]com\/user\/saragray1\/library<\/li>\n<li>zuh3vcyskd4gipkm[.]onion\/bin32\/update.php<\/li>\n<li>6b57dcnonk2edf5a[.]onion\/bin32\/update.php<\/li>\n<li>tljmmy4vmkqbdof4[.]onion\/bin32\/update.php<\/li>\n<\/ul>\n<ul>\n<li>46.151.209[.]33<\/li>\n<li>217.79.179[.]14<\/li>\n<li>91.214.203[.]144<\/li>\n<li>94.242.222[.]68<\/li>\n<li>82.118.242[.]124<\/li>\n<li>95.211.198[.]231<\/li>\n<li>195.154.180[.]60<\/li>\n<li>5.149.250[.]54<\/li>\n<li>94.185.80[.]82<\/li>\n<li>91.121.109[.]209<\/li>\n<li>217.12.202[.]40<\/li>\n<li>62.210.180[.]229<\/li>\n<li>91.200.13[.]76<\/li>\n<\/ul>\n<h2><strong>File Hashes<\/strong><\/h2>\n<ul>\n<li>00C9BBC56388E3FFFC6E53EF846AD269E7E31D631FE6068FF4DC6C09FB40C48B<\/li>\n<li>0424167DA27214CF2BE0B04C8855B4CDB969F67998C6B8E719DD45B377E70353<\/li>\n<li>055BBE33C12A5CDAF50C089A29EAECBA2CCF312DFE5E96183B810EB6B95D6C5A<\/li>\n<li>0649FDA8888D701EB2F91E6E0A05A2E2BE714F564497C44A3813082EF8FF250B<\/li>\n<li>081E72D96B750A38EF45E74D0176BEB982905AF4DF6B8654EA81768BE2F84497<\/li>\n<li>0DC1E3F36DC4835DB978A3175A462AA96DE30DF3E5031C5D0D8308CDD60CBEDE<\/li>\n<li>11533EEDC1143A33C1DEAE105E1B2B2F295C8445E1879567115ADEBFDDA569E2<\/li>\n<li>1367060DB50187ECA00AD1EB0F4656D3734D1CCEA5D2D62F31F21D4F895E0A69<\/li>\n<li>14984EFDD5343C4D51DF7C79FD6A2DFD791AA611A751CC5039EB95BA65A18A54<\/li>\n<li>181408E6CE1A215577C1DAA195E0E7DEA1FE9B785F9908B4D8E923A2A831FCE8<\/li>\n<li>1CB3B3E652275656B3AE824DA5FB330CCCD8B27892FB29ADC96E5F6132B98517<\/li>\n<li>1E741EC9452AAB85A2F7D8682EF4E553CD74892E629012D903B521B21E3A15BF<\/li>\n<li>218233CC5EF659DF4F5FDABE028AB43BC66451B49A6BFA85A5ED436CFB8DBC32<\/li>\n<li>24B3931E7D0F65F60BBB49E639B2A4C77DE83648FF08E097FF0FA6A53F5C7102<\/li>\n<li>29AE3431908C99B0FFF70300127F1DB635AF119EE55CD8854F6D3270B2E3032E<\/li>\n<li>2AA7BC9961B0478C552DAA91976227CFA60C3D4BD8F051E3CA7415CEAEB604CA<\/li>\n<li>2AF043730B632D237964DD6ABD24A7F6DB9DC83AAB583532A1238B4D4188396B<\/li>\n<li>2B39634DCE9E7BB36E338764EF56FD37BE6CD0FAA07EE3673C6E842115E3CEB1<\/li>\n<li>2C2412E43F3FD24D766832F0944368D4632C6AA9F5A9610AB39D23E79756E240<\/li>\n<li>2EF0E5C66F6D46DDEF62015EA786B2E2F5A96D94AB9350DD1073D746B6922859<\/li>\n<li>2FFBE27983BC5C6178B2D447D8121CEFAA5FFA87FE7B9E4F68272CE54787492F<\/li>\n<li>313D29F490619E796057D50BA8F1D4B0B73D4D4C6391CF35BAAAACE71EA9AC37<\/li>\n<li>33D6414DCF91B9A665D38FAF4AE1F63B7AA4589FE04BDD75999A5E429A53364A<\/li>\n<li>350EAA2310E81220C409F95E6E1E53BEADEC3CFFA3F119F60D0DAACE35D95437<\/li>\n<li>36E3D47F33269BEF3E6DD4D497E93ECE85DE77258768E2FA611137FA0DE9A043<\/li>\n<li>375EDEDC5C20AF22BDC381115D6A8CE2F80DB88A5A92EBAA43C723A3D27FB0D6<\/li>\n<li>39DC1ADED01DAAF01890DB56880F665D6CAFAB3DEA0AC523A48AA6D6E6346FFF<\/li>\n<li>3BBDF7019ED35412CE4B10B7621FAF42ACF604F91E5EE8A903EB58BDE15688FF<\/li>\n<li>3BD34426641B149C40263E94DCA5610A9ECFCBCE69BFDD145DFF1B5008402314<\/li>\n<li>3DF17F01C4850B96B00E90C880FDFABBD11C64A8707D24488485DD12FAE8EC85<\/li>\n<li>4497AF1407D33FAA7B41DE0C4D0741DF439D2E44DF1437D8E583737A07EC04A1<\/li>\n<li>47F521BD6BE19F823BFD3A72D851D6F3440A6C4CC3D940190BDC9B6DD53A83D6<\/li>\n<li>4896F0E4BC104F49901C07BC84791C04AD1003D5D265AB7D99FD5F40EC0B327F<\/li>\n<li>48BFCBC3162A0B00412CBA5EFF6C0376E1AE4CFBD6E35C9EA92D2AB961C90342<\/li>\n<li>49A0E5951DBB1685AAA1A6D2ACF362CBF735A786334CA131F6F78A4E4C018ED9<\/li>\n<li>4AF2F66D7704DE6FF017253825801C95F76C28F51F49EE70746896DF307CBC29<\/li>\n<li>4BEBA775F0E0B757FF32EE86782BF42E997B11B90D5A30E5D65B45662363ECE2<\/li>\n<li>4BFC43761E2DDB65FEDAB520C6A17CC47C0A06EDA33D11664F892FCF08995875<\/li>\n<li>4C596877FA7BB7CA49FB78036B85F92B581D8F41C5BC1FA38476DA9647987416<\/li>\n<li>4D6CBDE39A81F2C62D112118945B5EEB1D73479386C962ED3B03D775E0DCCFA0<\/li>\n<li>4E022E4E4EE28AE475921C49763EE620B53BF11C2AD5FFFE018AD09C3CB078CC<\/li>\n<li>4FA1854FBEC31F87AE306034FD01567841159CA7793EBA58B90BE5F7FC714D62<\/li>\n<li>4FFE074AD2365DFB13C1C9CE14A5E635B19ACB34A636BAE16FAF9449FB4A0687<\/li>\n<li>51E92BA8DAC0F93FC755CB98979D066234260EAFC7654088C5BE320F431A34FA<\/li>\n<li>579B2E6290C1F7340795E42D57BA300F96AEF035886E80F80CD5D0BB4626B5FC<\/li>\n<li>5BE57B589E5601683218BB89787463CA47CE3B283D8751820D30EEE5E231678C<\/li>\n<li>5CF43C433FA1E253E937224254A63DC7E5AD6C4B3AB7A66EC9DB76A268B4DEEB<\/li>\n<li>5D94D2B5F856E5A1FC3A3315D3CD03940384103481584B80E9D95E29431F5F7A<\/li>\n<li>5DABBCE674B797AAA42052B501FB42B20BE74D9FFCB0995D933FBF786C438178<\/li>\n<li>5E715754E9DA9ED972050513B4566FB922CD87958ECF472D1D14CD76923AE59A<\/li>\n<li>5F6EE521311E166243D3E65D0253D12D1506750C80CD21F6A195BE519B5D697F<\/li>\n<li>638957E2DEF5A8FDA7E3EFEFFF286E1A81280D520D5F8F23E037C5D74C62553C<\/li>\n<li>6449AAF6A8153A9CCBCEF2E2738F1E81C0D06227F5CF4823A6D113568F305D2A<\/li>\n<li>6807497869D9B4101C335B1688782AB545B0F4526C1E7DD5782C9DEB52EE3DF4<\/li>\n<li>6A76E3E98775B1D86B037B5EE291CCFCFFB5A98F66319175F4B54B6C36D2F2BF<\/li>\n<li>6D8877B17795BB0C69352DA59CE8A6BFD7257DA30BD0370EED8428FAD54F3128<\/li>\n<li>6E7BBF25EA4E83229F6FA6B2FA0F880DDE1594A7BEC2AAC02FF7D2D19945D036<\/li>\n<li>7093CC81F32C8CE5E138A4AF08DE6515380F4F23ED470B89E6613BEE361159E1<\/li>\n<li>70C271F37DC8C3AF22FDCAD96D326FE3C71B911A82DA31A992C05DA1042AC06D<\/li>\n<li>776CB9A7A9F5AFBAFFDD4DBD052C6420030B2C7C3058C1455E0A79DF0E6F7A1D<\/li>\n<li>78FEE8982625D125F17CF802D9B597605D02E5EA431E903F7537964883CF5714<\/li>\n<li>797E31C6C34448FBECDA10385E9CCFA7239BB823AC8E33A4A7FD1671A89FE0F6<\/li>\n<li>7A66D65FA69B857BEEEAAEF67EC835900EEE09A350B6F51F51C83919C9223793<\/li>\n<li>7E5DCA90985A9FAC8F115EAACD8E198D1B06367E929597A3DECD452AAA99864B<\/li>\n<li>7EE215469A7886486A62FEA8FA62D3907F59CF9BF5486A5FE3A0DA96DABEA3F9<\/li>\n<li>7F6F7C04826C204E2FC5C1EDDB8332AFE1669A4856229921C227694899E7ADA8<\/li>\n<li>80C20DB74C54554D9936A627939C3C7EA44316E7670E2F7F5231C0DB23BC2114<\/li>\n<li>81CBE57CD80B752386EE707B86F075AD9AB4B3A97F951D118835F0F96B3AE79D<\/li>\n<li>82CD8467E480BCD2E2FC1EFB5257BBE147386F4A7651D1DA2BFD0AB05E3D86B9<\/li>\n<li>840BA484395E15782F436A7B2E1EEC2D4BF5847DFD5D4787AE64F3A5F668ED4F<\/li>\n<li>8505ECE4360FAF3F454E5B47239F28C48D61C719B521E4E728BC12D951ECF315<\/li>\n<li>879BE2FA5A50B7239B398D1809E2758C727E584784BA456D8B113FC98B6315A2<\/li>\n<li>8A20DC9538D639623878A3D3D18D88DA8B635EA52E5E2D0C2CCE4A8C5A703DB1<\/li>\n<li>8DE0F244D507B25370394BA158BD4C03A7F24C6627E42D9418FB992A06EB29D8<\/li>\n<li>8F3E1E3F0890AD40D7FA66939561E20C0E5FD2A02B1DEA54F3899AFF9C015439<\/li>\n<li>90EFCAEAC13EF87620BCAAF2260A12895675C74D0820000B3CD152057125D802<\/li>\n<li>94EEFB8CF1388E431DE95CAB6402CAA788846B523D493CF8C3A1AA025D6B4809<\/li>\n<li>952F46C5618BF53305D22E0EAE4BE1BE79329A78AD7EC34232F2708209B2517C<\/li>\n<li>95840BD9A508CE6889D29B61084EC00649C9A19D44A29AEDC86E2C34F30C8BAF<\/li>\n<li>98112BD4710E6FFE389A2BEB13FF1162017F62A1255C492F29238626E99509F3<\/li>\n<li>99944AD90C7B35FB6721E2E249B76B3E8412E7F35F6F95D7FD3A5969EAA99F3D<\/li>\n<li>9B039787372C6043CCE552675E3964BF01DE784D1332DDC33E4419609A6889F1<\/li>\n<li>9B455619B4CBFEB6496C1246BA9CE0E4FFA6736FD536A0F99686C7E185EB2E22<\/li>\n<li>A15B871FCB31C032B0E0661A2D3DD39664FA2D7982FF0DBC0796F3E9893AED9A<\/li>\n<li>A168D561665221F992F51829E0B282EEB213B8ACA3A9735DBBAECC4D699F66B9<\/li>\n<li>A3CF96B65F624C755B46A68E8F50532571CEE74B3C6F7E34EECB514A1EB400CF<\/li>\n<li>A41DA0945CA5B5F56D5A868D64763B3A085B7017E3568E6D49834F11952CB927<\/li>\n<li>A6E3831B07AB88F45DF9FFAC0C34C4452C76541C2ACD215DE8D0109A32968ACE<\/li>\n<li>AB789A5A10B4C4CD7A0EB92BBFCF2CC50CB53066838A02CFB56A76417DE379C5<\/li>\n<li>ACF32F21EC3955D6116973B3F1A85F19F237880A80CDF584E29F08BD12666999<\/li>\n<li>AE1353E8EFE25B277F52DECFAB2D656541FFDF7FD10466D3A734658F1BC1187A<\/li>\n<li>AE74F62881EB224E58F3305BB1DA4F5CB7CCFF53C24AB05DB622807D74E934FB<\/li>\n<li>AFACB38EA3A3CAFE0F8DBD26DEE7DE3D0B24CDECAE280A9B884FBAD5ED195DE7<\/li>\n<li>B0EDF66D4F07E5F58B082F5B8479D48FBAB3DBE70EBA0D7E8254C8D3A5E852EF<\/li>\n<li>B431AEBC2783E72BE84AF351E9536E8110000C53EBB5DB25E89021DC1A83625E<\/li>\n<li>B9770EC366271DACDAE8F5088218F65A6C0DD82553DD93F41EDE586353986124<\/li>\n<li>BA9FEE47DCC7BAD8A7473405AABF587E5C8D396D5DD5F6F8F90F0FF48CC6A9CE<\/li>\n<li>BAD8A5269E38A2335BE0A03857E65FF91620A4D1E5211205D2503EF70017B69C<\/li>\n<li>BC51836048158373E2B2F3CDB98DC3028290E8180A4E460129FEF0D96133EA2E<\/li>\n<li>BE3DDD71A54EC947BA873E3E10F140F807E1AE362FD087D402EFF67F6F955467<\/li>\n<li>BFD028F78B546EDA12C0D5D13F70AB27DFF32B04DF3291FD46814F486BA13693<\/li>\n<li>C084C20C94DBBFFED76D911629796744EFF9F96D24529B0AF1E78CDA54CDBF02<\/li>\n<li>C0CFB87A8FAED76A41F39A4B0A35AC6847FFC6AE2235AF998EE1B575E055FAC2<\/li>\n<li>C2BCDE93227EB1C150E555E4590156FE59929D3B8534A0E2C5F3B21EDE02AFA0<\/li>\n<li>C8A82876BEED822226192EA3FE01E3BD1BB0838AB13B24C3A6926BCE6D84411B<\/li>\n<li>CA0BB6A819506801FA4805D07EE2EBAA5C29E6F5973148FE25ED6D75089C06A7<\/li>\n<li>CCCBF9BFF47B3FD391274D322076847A3254C95F95266EF06A3CA8BE75549A4B<\/li>\n<li>CD8CF5E6A40C4E87F6EE40B9732B661A228D87D468A458F6DE231DD5E8DE3429<\/li>\n<li>D09F88BAF33B901CC8A054D86879B81A81C19BE45F8E05484376C213F0EEDDA2<\/li>\n<li>D1BC07B962CCC6E3596AA238BB7EDA13003EA3CA95BE27E8244E485165642548<\/li>\n<li>D1E6EC5761F78899332B170C4CA7158DCCD3463DAB2E58E51E5B6C0D58C7D84F<\/li>\n<li>D2DE662480783072B82DD4D52AB6C57911A1E84806C229F614B26306D5981D98<\/li>\n<li>D9A60A47E142DDD61F6C3324F302B35FEECA684A71C09657DDB4901A715BD4C5<\/li>\n<li>DBEDE977518143BCEE6044ED86B8178C6FC9D454FA346C089523EEDEE637F3BE<\/li>\n<li>DD88273437031498B485C380968F282D09C9BD2373EF569952BC7496EBADADDE<\/li>\n<li>E6C5437E8A23D50D44EE47AD6E7CE67081E7926A034D2AC4C848F98102DDB2F8<\/li>\n<li>E70A8E8B0CD3C59CCA8A886CAA8B60EFB652058F50CC9FF73A90BC55C0DC0866<\/li>\n<li>E74AE353B68A1D0F64B9C8306B2DB46DFC760C1D91BFDF05483042D422BFF572<\/li>\n<li>E7AEE375215E33FC5AEBD7811F58A09C37D23E660F3250D3C95AEC48AD01271C<\/li>\n<li>E7F65AEEC592B047AC1726EF0D8245229041474A2A71B7386E72AD5DB075F582<\/li>\n<li>EAF879370387A99E6339377A6149E289655236ACC8DE88324462DCD0F22383FF<\/li>\n<li>EC88FE46732D9AA6BA53EED99E4D116B7444AFD2A52DB988EA82F883F6D30268<\/li>\n<li>EEB3981771E448B7B9536BA5D7CD70330402328A884443A899696A661E4E64E5<\/li>\n<li>EEC5CD045F26A7B5D158E8289838B82E4AF7CF4FC4B9048EAF185B5186F760DB<\/li>\n<li>F30A0FE494A871BD7D117D41025E8D2E17CD545131E6F27D59B5E65E7AB50D92<\/li>\n<li>F3D0759DFAB3FBF8B6511A4D8B5FC087273A63CBB96517F0583C2CCE3FF788B8<\/li>\n<li>F4F0117D2784A3B8DFEF4B5CB7F2583DD4100C32F9EE020F16402508E073F0A1<\/li>\n<li>F5D06C52FE4DDCA0EBC35FDDBBC1F3A406BDAA5527CA831153B74F51C9F9D1B0<\/li>\n<li>F989DF3AEEDE247A29A1F85FC478155B9613D4A416428188EDA1A21BD481713A<\/li>\n<li>FA229CD78C343A7811CF8314FEBBC355BB9BAAB05B270E58A3E5D47B68A7FC7D<\/li>\n<li>FA4B286EEAF7D74FE8F3FB36D80746E18D2A7F4C034AE6C3FA4C917646A9E147<\/li>\n<li>FC9594611445DE4A0BA30DAF60A7E4DEC442B2E5D25685E92A875ACA2C0112C9<\/li>\n<li>FCB6FF6A679CA17D9B36A543B08C42C6D06014D11002C09BA7C38B405B50DEBE<\/li>\n<li>FE46A19803108381D2E8B5653CC5DCE1581A234F91C555BBFFF63B289B81A3DC<\/li>\n<li>FF118EDB9312C85B0B7FF4AF1FC48EB1D8C7C8DA3C0E1205C398D2FE4A795F4B<\/li>\n<li>FF471A98342BAFBAB0D341E0DB0B3B9569F806D0988A5DE0D8560B6729875B3E<\/li>\n<li>FF70462CB3FC6DDD061FBD775BBC824569F1C09425877174D43F08BE360B2B58<\/li>\n<li>FFB0E244E0DABBAABF7FEDD878923B9B30B487B3E60F4A2CF7C0D7509B6963BA<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>VPNFilter, a botnet-controlled malware that infects networking devices, was first documented by researchers from Cisco Talos. McAfee Labs also published&#8230;<\/p>\n","protected":false},"author":930,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[442],"tags":[49,4452,180,18],"coauthors":[5136,784],"class_list":["post-89414","post","type-post","status-publish","format-standard","hentry","category-mcafee-labs","tag-botnet","tag-cybersecurity","tag-malware","tag-network-security"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v25.4 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>VPNFilter Malware Adds Capabilities to Exploit Endpoints | McAfee Blog<\/title>\n<meta name=\"description\" content=\"VPNFilter, a botnet-controlled malware that infects networking devices, was first documented by researchers from Cisco Talos. McAfee Labs also published a\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"VPNFilter Malware Adds Capabilities to Exploit Endpoints | McAfee Blog\" \/>\n<meta property=\"og:description\" content=\"VPNFilter, a botnet-controlled malware that infects networking devices, was first documented by researchers from Cisco Talos. McAfee Labs also published a\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/vpnfilter-malware-adds-capabilities-to-exploit-endpoints\/\" \/>\n<meta property=\"og:site_name\" content=\"McAfee Blog\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/McAfee\/\" \/>\n<meta property=\"article:published_time\" content=\"2018-06-06T15:42:24+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2025-06-09T02:19:12+00:00\" \/>\n<meta name=\"author\" content=\"Xiaobing Lin, Guilherme Venere\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@McAfee\" \/>\n<meta name=\"twitter:site\" content=\"@McAfee\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Xiaobing Lin, Guilherme Venere\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"13 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/vpnfilter-malware-adds-capabilities-to-exploit-endpoints\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/vpnfilter-malware-adds-capabilities-to-exploit-endpoints\/\"},\"author\":{\"name\":\"Xiaobing Lin\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/c37fe7abb0d82dac55d844171aaa775c\"},\"headline\":\"VPNFilter Malware Adds Capabilities to Exploit Endpoints\",\"datePublished\":\"2018-06-06T15:42:24+00:00\",\"dateModified\":\"2025-06-09T02:19:12+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/vpnfilter-malware-adds-capabilities-to-exploit-endpoints\/\"},\"wordCount\":2583,\"publisher\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\"},\"keywords\":[\"botnet\",\"cybersecurity\",\"malware\",\"network security\"],\"articleSection\":[\"McAfee Labs\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/vpnfilter-malware-adds-capabilities-to-exploit-endpoints\/\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/vpnfilter-malware-adds-capabilities-to-exploit-endpoints\/\",\"name\":\"VPNFilter Malware Adds Capabilities to Exploit Endpoints | McAfee Blog\",\"isPartOf\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#website\"},\"datePublished\":\"2018-06-06T15:42:24+00:00\",\"dateModified\":\"2025-06-09T02:19:12+00:00\",\"description\":\"VPNFilter, a botnet-controlled malware that infects networking devices, was first documented by researchers from Cisco Talos. McAfee Labs also published a\",\"breadcrumb\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/vpnfilter-malware-adds-capabilities-to-exploit-endpoints\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/vpnfilter-malware-adds-capabilities-to-exploit-endpoints\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/vpnfilter-malware-adds-capabilities-to-exploit-endpoints\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Blog\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Other Blogs\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"McAfee Labs\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/\"},{\"@type\":\"ListItem\",\"position\":4,\"name\":\"VPNFilter Malware Adds Capabilities to Exploit Endpoints\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#website\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/\",\"name\":\"McAfee Blog\",\"description\":\"Internet Security News\",\"publisher\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.mcafee.com\/blogs\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\",\"name\":\"McAfee\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png\",\"contentUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png\",\"width\":1286,\"height\":336,\"caption\":\"McAfee\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/McAfee\/\",\"https:\/\/x.com\/McAfee\",\"https:\/\/www.linkedin.com\/company\/mcafee\/\",\"https:\/\/www.youtube.com\/McAfee\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/c37fe7abb0d82dac55d844171aaa775c\",\"name\":\"Xiaobing Lin\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/image\/3b3a6813ef4a423e0b8050d103d27260\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/72bbcc4a74b07e10e4a1db775bbe4b33?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/72bbcc4a74b07e10e4a1db775bbe4b33?s=96&d=mm&r=g\",\"caption\":\"Xiaobing Lin\"},\"url\":\"https:\/\/www.mcafee.com\/blogs\/author\/xiaobing-lin\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"VPNFilter Malware Adds Capabilities to Exploit Endpoints | McAfee Blog","description":"VPNFilter, a botnet-controlled malware that infects networking devices, was first documented by researchers from Cisco Talos. McAfee Labs also published a","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"og_locale":"en_US","og_type":"article","og_title":"VPNFilter Malware Adds Capabilities to Exploit Endpoints | McAfee Blog","og_description":"VPNFilter, a botnet-controlled malware that infects networking devices, was first documented by researchers from Cisco Talos. McAfee Labs also published a","og_url":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/vpnfilter-malware-adds-capabilities-to-exploit-endpoints\/","og_site_name":"McAfee Blog","article_publisher":"https:\/\/www.facebook.com\/McAfee\/","article_published_time":"2018-06-06T15:42:24+00:00","article_modified_time":"2025-06-09T02:19:12+00:00","author":"Xiaobing Lin, Guilherme Venere","twitter_card":"summary_large_image","twitter_creator":"@McAfee","twitter_site":"@McAfee","twitter_misc":{"Written by":"Xiaobing Lin, Guilherme Venere","Est. reading time":"13 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/vpnfilter-malware-adds-capabilities-to-exploit-endpoints\/#article","isPartOf":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/vpnfilter-malware-adds-capabilities-to-exploit-endpoints\/"},"author":{"name":"Xiaobing Lin","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/c37fe7abb0d82dac55d844171aaa775c"},"headline":"VPNFilter Malware Adds Capabilities to Exploit Endpoints","datePublished":"2018-06-06T15:42:24+00:00","dateModified":"2025-06-09T02:19:12+00:00","mainEntityOfPage":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/vpnfilter-malware-adds-capabilities-to-exploit-endpoints\/"},"wordCount":2583,"publisher":{"@id":"https:\/\/www.mcafee.com\/blogs\/#organization"},"keywords":["botnet","cybersecurity","malware","network security"],"articleSection":["McAfee Labs"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/vpnfilter-malware-adds-capabilities-to-exploit-endpoints\/","url":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/vpnfilter-malware-adds-capabilities-to-exploit-endpoints\/","name":"VPNFilter Malware Adds Capabilities to Exploit Endpoints | McAfee Blog","isPartOf":{"@id":"https:\/\/www.mcafee.com\/blogs\/#website"},"datePublished":"2018-06-06T15:42:24+00:00","dateModified":"2025-06-09T02:19:12+00:00","description":"VPNFilter, a botnet-controlled malware that infects networking devices, was first documented by researchers from Cisco Talos. McAfee Labs also published a","breadcrumb":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/vpnfilter-malware-adds-capabilities-to-exploit-endpoints\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/vpnfilter-malware-adds-capabilities-to-exploit-endpoints\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/vpnfilter-malware-adds-capabilities-to-exploit-endpoints\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Blog","item":"https:\/\/www.mcafee.com\/blogs\/"},{"@type":"ListItem","position":2,"name":"Other Blogs","item":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/"},{"@type":"ListItem","position":3,"name":"McAfee Labs","item":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/"},{"@type":"ListItem","position":4,"name":"VPNFilter Malware Adds Capabilities to Exploit Endpoints"}]},{"@type":"WebSite","@id":"https:\/\/www.mcafee.com\/blogs\/#website","url":"https:\/\/www.mcafee.com\/blogs\/","name":"McAfee Blog","description":"Internet Security News","publisher":{"@id":"https:\/\/www.mcafee.com\/blogs\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.mcafee.com\/blogs\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.mcafee.com\/blogs\/#organization","name":"McAfee","url":"https:\/\/www.mcafee.com\/blogs\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/","url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png","contentUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png","width":1286,"height":336,"caption":"McAfee"},"image":{"@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/McAfee\/","https:\/\/x.com\/McAfee","https:\/\/www.linkedin.com\/company\/mcafee\/","https:\/\/www.youtube.com\/McAfee"]},{"@type":"Person","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/c37fe7abb0d82dac55d844171aaa775c","name":"Xiaobing Lin","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/image\/3b3a6813ef4a423e0b8050d103d27260","url":"https:\/\/secure.gravatar.com\/avatar\/72bbcc4a74b07e10e4a1db775bbe4b33?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/72bbcc4a74b07e10e4a1db775bbe4b33?s=96&d=mm&r=g","caption":"Xiaobing Lin"},"url":"https:\/\/www.mcafee.com\/blogs\/author\/xiaobing-lin\/"}]}},"_links":{"self":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/89414","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/users\/930"}],"replies":[{"embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/comments?post=89414"}],"version-history":[{"count":2,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/89414\/revisions"}],"predecessor-version":[{"id":215279,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/89414\/revisions\/215279"}],"wp:attachment":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/media?parent=89414"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/categories?post=89414"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/tags?post=89414"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/coauthors?post=89414"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}