Your Asus Router May Already Be Compromised: Inside the Cyclops Blink Threat That Won’t Go Away

Cyclops Blink malware linked to Russia's Sandworm group continues to threaten unpatched Asus routers years after fixes were released. The real danger isn't the malware itself — it's the millions of routers that never get updated, serving as silent infrastructure for state-sponsored cyber operations.
Your Asus Router May Already Be Compromised: Inside the Cyclops Blink Threat That Won’t Go Away
Written by Ava Callegari

Somewhere in your home or small office, a router hums along quietly, directing traffic, connecting devices, doing its job. If that router is made by Asus, there’s a non-trivial chance it’s also doing someone else’s job — serving as a node in a state-linked botnet that has persisted far longer than most people realize.

The threat is called Cyclops Blink. And it’s not new. But it remains dangerous precisely because router security occupies a blind spot for most users and even many IT professionals. The malware, attributed to Sandworm — a cyber-espionage group linked to Russia’s GRU military intelligence agency — was first identified in early 2022 targeting WatchGuard firewall appliances. Within weeks, researchers confirmed it had spread to Asus routers as well, exploiting vulnerabilities in consumer and small-business networking equipment that rarely receives the same security attention as enterprise-grade gear.

As Lifehacker recently reported, the issue continues to demand attention because a startling number of affected Asus routers remain unpatched and potentially compromised. The publication urged users to check their devices immediately, noting that Asus released firmware updates to address the vulnerabilities but that adoption has been sluggish.

That sluggishness is the real story here.

Cyclops Blink is modular malware, meaning its operators can push new functionality to infected devices after the initial compromise. It establishes persistence by writing itself to flash memory, surviving reboots and even some basic factory resets. Once embedded, it communicates with command-and-control servers using encrypted channels, making detection from network traffic analysis alone exceptionally difficult. The infected router becomes a proxy, a relay point, a staging ground — all while continuing to pass your Netflix streams and Zoom calls without a hiccup.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA), the U.K.’s National Cyber Security Centre, and the FBI jointly issued advisories about Cyclops Blink in February 2022. The Department of Justice went further in April 2022, announcing a court-authorized operation to disrupt the botnet by removing malware from compromised WatchGuard devices. But the Asus side of the equation received less direct intervention. CISA’s advisory listed specific Asus models affected, including the GT-AC5300, GT-AC2900, RT-AC68U, and several others in the RT and GT product families. Asus published its own security bulletin and released patched firmware.

And then, as so often happens with consumer networking equipment, the world moved on.

The Patch Gap That Keeps Security Researchers Up at Night

The fundamental problem isn’t that a fix doesn’t exist. It does. The problem is that home routers occupy a uniquely neglected category of computing devices. People update their phones. They grudgingly update their laptops. They almost never update their routers. A 2024 report from the Fraunhofer Institute found that a significant majority of home routers run outdated firmware with known vulnerabilities. The Asus Cyclops Blink situation is a textbook case of this pattern.

Consider the typical lifecycle. A consumer buys a router, plugs it in, runs through a basic setup wizard, and never logs into the administration panel again. The device works. There’s no visible prompt on a screen they look at every day, no pop-up notification demanding action. The firmware update sits on Asus’s support page, waiting. It could wait forever.

This is what makes router-targeting malware so strategically valuable to threat actors. The devices are always on, always connected, rarely monitored, and infrequently patched. They’re the perfect persistent foothold.

Sandworm, the group behind Cyclops Blink, is not a casual operation. The group has been linked to the 2015 and 2016 attacks on Ukraine’s power grid, the NotPetya ransomware outbreak in 2017 that caused an estimated $10 billion in global damage, and ongoing cyber operations against Ukrainian infrastructure during the current war. Cyclops Blink is widely understood as a successor to VPNFilter, an earlier Sandworm botnet that infected over 500,000 routers globally before being disrupted by the FBI in 2018.

The pattern is consistent: compromise consumer and small-business network devices at scale, establish quiet persistence, and maintain the infrastructure for future operations. The routers themselves aren’t usually the final target. They’re infrastructure. Relay points. Anonymization layers. When Sandworm or affiliated groups need to launch an operation — whether espionage, destructive attacks, or influence campaigns — a distributed network of compromised routers across dozens of countries provides ideal cover.

So what should Asus router owners actually do? The steps aren’t complicated, but they require deliberate action. First, check whether your model appears on Asus’s affected devices list, which was published in their March 2022 security advisory. If it does, update the firmware immediately through the router’s administration panel, typically accessible by navigating to 192.168.1.1 or router.asus.com in a web browser. If the router hasn’t been updated since before March 2022, assume it could be compromised. In that case, Asus recommends performing a full factory reset after applying the firmware update, then reconfiguring the device from scratch.

Change the admin password. Don’t reuse the old one. Disable remote management — the WAN-side administration access that Cyclops Blink exploited — unless you have a specific, pressing need for it. Disable AiCloud and any other cloud-based remote access features that expand the router’s attack surface. These features are convenient. They’re also doors.

For users running older Asus routers that have reached end-of-life and no longer receive firmware updates, the calculus is harsher. Replace the device. A router that can’t be patched against a known, actively exploited vulnerability isn’t saving you money. It’s a liability sitting on your network perimeter.

The broader industry context matters here too. Asus is far from the only router manufacturer whose products have been targeted by state-linked actors. TP-Link routers have faced scrutiny from U.S. lawmakers over potential security concerns and Chinese government influence, with the Commerce Department reportedly considering restrictions. Cisco, Netgear, MikroTik, and others have all had products conscripted into botnets over the past decade. The problem is structural, not brand-specific.

But Cyclops Blink’s specific targeting of Asus models popular with enthusiasts and small businesses — devices often chosen precisely because they offer advanced features and configurability — carries a particular irony. The users most likely to own a GT-AC5300 are often more technically sophisticated than average. And yet the patch adoption data suggests even this demographic isn’t keeping firmware current.

Some of this falls on manufacturers. Router firmware update processes remain clunky compared to the automatic, background updates that smartphone and PC operating systems have normalized. Asus has improved its update notification system in newer models, and some recent routers support automatic firmware updates. But the installed base of older devices is enormous, and those devices will sit in closets and on shelves for years to come, running whatever firmware they shipped with or whatever version was last manually installed.

The Cyclops Blink threat also raises questions about the adequacy of the response infrastructure. The DOJ’s 2022 operation targeted WatchGuard devices specifically, using court orders to remotely remove malware. No equivalent operation targeted compromised Asus routers. The legal and technical frameworks for remotely patching consumer devices remain underdeveloped and politically contentious. Nobody wants the government reaching into their router, even to remove Russian military malware. But the alternative — millions of compromised devices sitting untouched because their owners don’t know or don’t care — isn’t great either.

Recent threat intelligence reporting suggests that while the original Cyclops Blink command-and-control infrastructure was significantly degraded by disruption efforts, the underlying vulnerabilities in unpatched routers persist. And Sandworm has shown a consistent ability to rebuild and adapt. The group’s tooling evolves. The routers don’t.

For enterprise security teams, the implications extend beyond the devices themselves. Remote and hybrid work means corporate data regularly traverses home networks anchored by consumer routers. A compromised Asus router in an employee’s home could provide a vantage point for intercepting VPN credentials, conducting man-in-the-middle attacks, or pivoting into corporate networks. Zero-trust architectures mitigate some of this risk, but implementation remains uneven, particularly among small and midsize businesses.

The advice is simple. The execution is what’s hard. Log into your router today. Check the firmware version. Update it. Change the default credentials if you haven’t. Turn off services you don’t use. And if the device is old enough that the manufacturer has stopped issuing patches, it’s time to let it go.

Your router is the front door to every device in your home. Right now, for too many Asus owners, that door has a known broken lock — and the fix has been sitting on a shelf for over three years.

Subscribe for Updates

CybersecurityUpdate Newsletter

The CybersecurityUpdate Email Newsletter is your essential source for the latest in cybersecurity news, threat intelligence, and risk management strategies. Perfect for IT security professionals and business leaders focused on protecting their organizations.

By signing up for our newsletter you agree to receive content related to ientry.com / webpronews.com and our affiliate partners. For additional information refer to our terms of service.

Notice an error?

Help us improve our content by reporting any issues you find.

Get the WebProNews newsletter delivered to your inbox

Get the free daily newsletter read by decision makers

Subscribe
Advertise with Us

Ready to get started?

Get our media kit

Advertise with Us