Sharing Cyclops Blink Threat Intelligence with the Community

At WatchGuard, we understand the importance of sharing threat intelligence with the information security (infosec) community when safe and appropriate. Not only does this information sharing help to directly defend against known threats, but it also helps the community at large learn from the attacks found in the wild, and appropriately adjust detection and defense strategies. With that in mind, we are sharing some additional indicators of compromise (IoCs) that WatchGuard has identified related to the Cyclops Blink (CB) botnet, which was disclosed by a joint government advisory on Feb. 23, 2022 and has been found to have affected devices from multiple organizations.

The UK GCHQ’s National Cyber Security Centre (NCSC) released an informative technical malware analysis of Cyclops Blink that covers one of the PowerPC samples, and addresses the basic, default malware and shares partial IoCs. The WatchGuard team has discovered other samples and additional add-on modules for the malware. In time, WatchGuard’s Threat Lab intends to release our technical analysis report, which will include additional research information. Until then, below are additional Cyclops Blink sample IOCs, which we have also submitted to common industry threat intelligence sharing sites like Virus Total. We hope this information helps the community further detect and prevent this threat, as well as learn from it. If you’d like additional information from WatchGuard about Cyclops Blink, please check our Corporate Blog.

Cyclops Blink Indicators of Compromise:

Cyclops Blink related hashes (SHA 256)

• CPD binary on normal victims
  • PowerPC (PPC) variants
    • 4ec5e0c5dccc5891d39ea76e3c3d3e26d8830d7aa4d63db6084dbfbec6f0d211
    • 88e568afd69fbc944a8d8268e41f2f6100e8bb007083175884ea4149033f4fcf
    • 6f4ee4e05483ca3db54040506ac21a2b49d2bd12379cafad54764907be228556
    • fc1e50172c0ce221452b967d1ef705f11bbfe2d54c533d68bd2a7a094605df2d
  • Intel (x86) variants
    • 82c3f5092d45ce0e19ac42adaf6632b954b8e78d399f673724956a89c1826d7b
    • 145bf0e879d544a17364c53e1e695adab8e927fe196cc0d21ad14be3e2cb469f
    • d186f553ad6b38951fdebabfe7ecb4ca6d86ac702a9e8c90a338ad668afdf490
    • 3830213049d64b09f637563faa470b0f2edd0034aa9e92f7908374bd1d6df116
    • cc3d51578a9dcc7e955061881490e54883904956f5ca5ee2918cd3b249415e59

• CPD binary on C2 victims
  • PowerPC (PPC) variants
    • 36b3a9dcb283fb0f9fd45f4a371006228d206ec0bdd9e3392eb2d07e72f8d7b0
    • 1454338b1bbb692dadb90c758ba8789f56c48dd52f9f94b6dc6784f0944e20f9

• Cyclops Blink related malicious scripts
  • f8e163be68e073f2a15b8986b0792c703fb712c92229806463817c5bc73677cd
  • 58f0da449724017438dcf8c7a4fba176a8f44865673dd696b48bb32799b9e9cc
  • 7d906fd3147b6746aec64d64b7c9a251ac6a1c988778a2bf0bb7845b232d104a

Cyclops Blink IP Addresses

• Command and Control (C2) IP Addresses
  • Since Cyclops Blink’s C2 infrastructure uses customer Fireboxes, many who are actively remediating, we are not sharing these IP addresses now as blocking them might also block these customers. However, we are sharing other IP addresses associated with the Cyclops Blink threat actor

• Tor exit nodes used by CB threat actor
  • 128.248.14
  • 31.49.73
  • 153.160.2
  • 153.160.131
  • 153.160.138
  • 219.236.228
  • 95.230.253
  • 142.241.194
  • 189.10.237
  • 189.12.135
  • 70.100.20
  • 70.100.78
  • 100.87.202
  • 107.70.56
  • 193.52.180
  • 195.71.244
  • 220.100.243
  • 220.100.245
  • 220.100.251
  • 220.100.252
  • 220.101.9
  • 220.101.12
  • 220.101.32
  • 220.101.48
  • 220.101.67
  • 220.101.71
  • 220.101.73
  • 220.101.132
  • 220.101.140
  • 220.101.141
  • 220.101.154
  • 220.101.165
  • 220.101.167
  • 220.101.168
  • 220.102.245