[3][4] In February 2022, CISA announced that new malware called Cyclops Blink, produced by Sandworm, had replaced VPNFilter.
VPNFilter seems to be designed in part to target serial networking devices that use the Modbus protocol to talk to and control industrial hardware, such as in factories and warehouses.
[7] This software installs itself in multiple stages:
Both Cisco and Symantec suggest that people who own affected devices do a factory reset.
Before connecting the factory-reset router to the internet again, the device's default passwords should be changed to prevent reinfection.
[9] The initial worm that installs VPNFilter can only attack devices running embedded firmware based on BusyBox on Linux compiled only for specific processors.
[10] Manufacturer-provided firmware on the following router models is known to be at risk:[11][8]
VPNFilter is described by Cisco Talos as having infected as many as 500,000 devices worldwide,[10] in perhaps 54 different countries, though proportionately the focus has been on Ukraine.