VPNFilter Malware: What You Need To Know To Protect Your Home Network

These days most homes and small businesses are using a SOHO style router to provide internet connectivity and sharing among multiple devices, such as computers, smart phones, tablets and gaming systems. Although there has been malware in the past that can infect your Router (also known as an IoT device – “Internet of Things”), VPNFilter is particularly dangerous, because it is capable of restarting even after a reboot of your router.

VPNFilter is quite capable of sticking around and can be very stubborn if nigh impossible to remove for the average internet user. What can you do to protect yourself, your home network, and your personally identifiable information (PII)?  We’ll go through 3 simple steps you can take now that will help secure your personal network from VPNFilter as well as any future malware that may surface.

To begin with, let’s talk about how VPNFilter works.  Created by the Russian hacking group “Fancy Bear,” VPNFilter was designed to operate in 3 stages.   The job of stage 1 is to setup a foothold in your router, by infecting it with a persistent program that will remain even after a reboot. Stage 1  then attempts to contact one of several fake accounts on photobucket.com or its backup site at toknowall.com.  In the event that neither of these sources are available, stage 1 then goes into “listen mode,” quietly waiting for a direct connection from the hacker.

Stage 2 is non-persistent, and is not capable of remaining after a reboot. We should consider ourselves lucky, as future malware might not be so poorly designed.  Stage 2 allows the hacker to have complete control over your router, including file collection, monitoring and self destruct capabilities as well.

Stage 3 adds even more capabilities through the use of router plugins.  These plugins can be used to coordinate attacks against internet infrastructure using multiple IoT devices.  For you personally, there is a known packet sniffer plugin that collects and transmits data flowing through your device, such as website credentials.  Another plugin is a kill command that could render all the infected routers useless.

Fortunately, the FBI has been very proactive regarding VPNFilter malware, and has been able to get the bogus Photobucket accounts closed and has seized the toknowall.com domain which should keep your router from reaching stage 3 level of infection. There is always the possibility of direct communication from a hacker, so it’s best to shore up your router’s defenses.

What can you to do to protect yourself?  Let’s outline 3 simple steps.

  1. Reboot your router immediately, even if you think it’s not infected.
  2. Update the firmware on your router using the method provided in your documentation.

    TP-Link Router FIrmware Upgrade
    The router upgrade screen for the author’s TP-Link RE580D, updated to the latest firmware version.
  3. Check and see if your router is on the list of infected devices. if it is, consider upgrading to a newer router in the future. Even if it is not on the list, complete steps 1-2 ASAP.

The list of affected routers according to Talos Intelligence is below. be sure to visit the link here for the most up to date listAs mentioned by Talos Intelligence, there is likely many more routers infected. Do not assume your router is safe. Complete steps 1 and 2 above to ensure you are as secure as you can be for now.

Linksys Devices:


Mikrotik RouterOS Versions for Cloud Core Routers:


Netgear Devices:


QNAP Devices:

TS439 Pro

Other QNAP NAS devices running QTS software

TP-Link Devices:



  1. New VPNFilter malware targets at least 500K networking devices worldwide
  2. Exclusive: FBI Seizes Control of Russian Botnet

  3. U.S. seeks to take control of infected routers from hackers

  4. FBI Seizes Control of Russian Botnet


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: