Cyclops Blink

Cyclops Blink can download files via HTTP and HTTPS.(Citation: NCSC Cyclops Blink February 2022)(Citation: Trend Micro Cyclops Blink March 2022)

Cyclops Blink has the ability to execute on device startup, using a modified RC script named S51armled.(Citation: NCSC Cyclops Blink February 2022)

Cyclops Blink can use a custom binary scheme to encode messages with specific commands and parameters to be executed.(Citation: NCSC Cyclops Blink February 2022)

Cyclops Blink can encrypt C2 messages with AES-256-CBC sent underneath TLS. OpenSSL library functions are also used to encrypt each message using a randomly generated key and IV, which are then encrypted using a hard-coded RSA public key.(Citation: NCSC Cyclops Blink February 2022)

Cyclops Blink can modify the Linux iptables firewall to enable C2 communication via a stored list of port numbers.(Citation: NCSC Cyclops Blink February 2022)(Citation: Trend Micro Cyclops Blink March 2022)

Cyclops Blink has the ability to use the Linux API function `utime` to change the timestamps of modified firmware update images.(Citation: NCSC Cyclops Blink February 2022)

Cyclops Blink can rename its running process to [kworker:0/1] to masquerade as a Linux kernel thread. Cyclops Blink has also named RC scripts used for persistence after WatchGuard artifacts.(Citation: NCSC Cyclops Blink February 2022)

Cyclops Blink has maintained persistence by patching legitimate device firmware when it is downloaded, including that of WatchGuard devices.(Citation: NCSC Cyclops Blink February 2022)

Cyclops Blink has used Tor nodes for C2 traffic.(Citation: NCSC CISA Cyclops Blink Advisory February 2022)