Introduction

VPNFilter is not a singular piece of malware but a sophisticated, multi-stage, modular framework designed for espionage, data theft, network manipulation, and potentially large-scale destructive attacks. Attributed to the state-sponsored Sofacy Group (also known as APT28 or Fancy Bear), VPNFilter has infected an estimated 500,000 Small Office/Home Office (SOHO) routers and Network-Attached Storage (NAS) devices across at least 54 countries.

Its capabilities included harvesting website credentials, monitoring sensitive SCADA protocols used in Industrial Control Systems (ICS), injecting malicious content into network traffic, and deploying a destructive payload capable of rendering devices permanently inoperable.

Multi-Stage Network Architecture

VPNFilter operates in three distinct stages, each with a specific role in the attack lifecycle.

Stage 1 (Persistent Loader)

The primary objective of Stage 1 is to establish a persistent foothold on the compromised device that can survive a reboot. This critical feature distinguishes VPNFilter from more common, ephemeral IoT malware like Mirai, which is wiped from memory upon a device restart.

The Stage 1 component achieves persistence by modifying non-volatile configuration memory (NVRAM) and adding itself to the system’s crontab, a scheduler for running tasks. Its sole network-facing function is to locate and download the Stage 2 payload using a series of redundant and highly evasive command and control (C2) acquisition mechanisms, which I discuss below.

Stage 2 (Core Payload & C2 Engine)

This stage is non-persistent and is removed by a device reboot. It functions as the central command hub of the operation, establishing a covert C2 channel, beaconing device information back to the attackers, and, most importantly, managing the deployment and execution of various Stage 3 modules. It is the engine that drives the malware’s active operations.

Stage 3 (Modular Plugins)

These are also non-persistent plugins that provide the framework’s advanced, network-centric functionalities. The modular design allows the attacker to selectively deploy capabilities based on the target environment, minimizing the implant’s footprint and tailoring the attack to specific objectives. This “à la carte” approach enhances stealth by ensuring that only necessary tools are present on the device at any given time.

Modular Design Optimizes OPSEC

The deliberate separation of the persistent loader (Stage 1) from the more complex and potentially “louder” operational modules (Stages 2 and 3) reveals an intimate understanding of incident response.

By making the active tools non-persistent, the attackers ensure that simple mitigation efforts, such as a device reboot, will not fully eradicate their presence. A reboot only removes the active tools, while the persistent Stage 1 implant remains dormant, ready to re-establish contact with its C2 infrastructure and re-download the subsequent stages.

This design choice forces defenders to undertake a full factory reset and firmware update to remove Stage 1 - a far more disruptive and technically challenging process for the average device owner, thereby increasing the malware’s overall resilience. This architecture demonstrates that the attackers planned for discovery and built in mechanisms to withstand initial remediation efforts, reflecting a long-term strategic mindset focused on maintaining their foothold.

Stage 1 Command & Control Acquisition Protocols

The Stage 1 implant employs a resilient, three-tiered C2 acquisition strategy designed to ensure it can download the Stage 2 payload under various network conditions and survive infrastructure takedowns.

Primary C2 Channel: EXIF Data Steganography

The malware’s first and most novel method for locating its C2 server involves steganography. The Stage 1 implant attempts to download an image from a list of public gallery pages on the legitimate, high-reputation image hosting site photobucket.com.

Once an image is downloaded, the malware does not use the image content itself but instead parses its EXIF metadata. Specifically, it searches for GPS information. The parser locates the “GPS Info” tag (hexadecimal 0x8825) and extracts the integer values for latitude and longitude.

These six integer values are then algorithmically converted into an IPv4 address, which serves as the C2 server for the Stage 2 download. For instance, analysis of one such image from the domain toknowall.com revealed GPS data that resolved to the known C2 IP address 217.12.202.40.
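The defender-side counterpart of the parsing step above, as an added example that is not code from the original analysis: it walks a little-endian TIFF/EXIF structure to the GPS IFD referenced by tag 0x8825, pulls the six degree/minute/second integers, and flags values that no real photograph could carry. The conversion from those integers to an IP address is not described on this page and is not implemented; the standard GPSLatitude/GPSLongitude tags (0x0002/0x0004) are assumed to be the fields read, and the sample image structure is constructed for the example.

```python
import struct

GPS_INFO_TAG = 0x8825          # "GPS Info" IFD pointer, the tag the page names
GPS_LATITUDE = 0x0002          # standard EXIF GPS tags; assumed to be the values read
GPS_LONGITUDE = 0x0004
RATIONAL = 5                   # TIFF type: two unsigned 32-bit ints (numerator, denominator)

def _entries(data, ifd_off):
    """Yield (tag, type, count, value_or_offset) for each entry of a little-endian IFD."""
    count, = struct.unpack_from("<H", data, ifd_off)
    for k in range(count):
        yield struct.unpack_from("<HHII", data, ifd_off + 2 + 12 * k)

def gps_integers(tiff):
    """Return the six GPS integers [lat d, m, s, lon d, m, s] (rational numerators)
    from the GPS IFD, or None when the image carries no usable GPS block."""
    if tiff[:4] != b"II*\x00":
        raise ValueError("only little-endian TIFF/EXIF is handled in this example")
    ifd0, = struct.unpack_from("<I", tiff, 4)
    gps_off = next((v for tag, _, _, v in _entries(tiff, ifd0) if tag == GPS_INFO_TAG), None)
    if gps_off is None:
        return None
    coords = {}
    for tag, typ, count, off in _entries(tiff, gps_off):
        if tag in (GPS_LATITUDE, GPS_LONGITUDE) and typ == RATIONAL and count == 3:
            coords[tag] = [struct.unpack_from("<II", tiff, off + 8 * i)[0] for i in range(3)]
    if len(coords) != 2:
        return None
    return coords[GPS_LATITUDE] + coords[GPS_LONGITUDE]

def implausible_gps(values):
    """True when the degree/minute/second integers cannot be a real coordinate.
    Legitimate photos never exceed 90/180 degrees or 60 minutes/seconds, so an
    image whose GPS block does is worth quarantining for closer inspection."""
    lat_d, lat_m, lat_s, lon_d, lon_m, lon_s = values
    return lat_d > 90 or lon_d > 180 or any(v >= 60 for v in (lat_m, lat_s, lon_m, lon_s))

def build_tiff(lat, lon):
    """Constructed sample: minimal TIFF whose IFD0 holds only a GPS Info pointer and
    whose GPS IFD holds latitude and longitude as three rationals each (denominator 1)."""
    ifd0_off = 8
    gps_off = ifd0_off + 2 + 12 + 4           # IFD0: count, one entry, next-IFD link
    data_off = gps_off + 2 + 2 * 12 + 4       # GPS IFD: count, two entries, next-IFD link
    hdr = b"II*\x00" + struct.pack("<I", ifd0_off)
    ifd0 = struct.pack("<HHHII", 1, GPS_INFO_TAG, 4, 1, gps_off) + struct.pack("<I", 0)
    gps = struct.pack("<H", 2)
    gps += struct.pack("<HHII", GPS_LATITUDE, RATIONAL, 3, data_off)
    gps += struct.pack("<HHII", GPS_LONGITUDE, RATIONAL, 3, data_off + 24)
    gps += struct.pack("<I", 0)
    rationals = b"".join(struct.pack("<II", v, 1) for v in tuple(lat) + tuple(lon))
    return hdr + ifd0 + gps + rationals
```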

Secondary C2 Channel: Hardcoded Fallback Domain

If the connection to Photobucket fails or if the EXIF data cannot be successfully extracted, the malware falls back to its second C2 acquisition method. It attempts to connect to a hardcoded domain, toknowall.com, to download an image and perform the same EXIF-to-IP conversion process.

Tertiary C2 Channel: Passive Network Listener

In the event that both the Photobucket and toknowall.com methods fail, Stage 1 activates its most resilient and stealthy mode: it becomes a passive listener, ceasing all outbound C2-seeking traffic. This makes the implant nearly impossible to detect through network monitoring alone.

First, the implant attempts to determine its own public IP address by making a DNS query to api.ipify.org. It then opens a raw socket and begins inspecting all incoming TCP/IPv4 packets that have the SYN flag set, which indicates the start of a new connection attempt from anywhere on the internet.

The listener waits for a specific trigger packet that contains the 4-byte magic sequence \x0c\x15\x22\x2b. When a packet matching these criteria is received, the malware interprets the 4 bytes immediately following the magic sequence as the IP address for the Stage 2 C2 server.

The implant then initiates a connection to this newly supplied IP address to download the next stage of the malware. This fallback mechanism shifts the burden of establishing contact from the implant to the attacker, providing an ultimate fail-safe that survives the takedown of its predefined C2 infrastructure and generates no suspicious outbound traffic.
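A sensor-side check for the passive listener mode described above, written as an added example rather than code from the original analysis: it parses raw IPv4/TCP frames, keeps only SYN packets (which normally carry no payload at all), and reports the address embedded after the 4-byte magic so it can be added to a block list. Checksums in the constructed sample packets are zeroed because the parser never validates them.

```python
import ipaddress
import struct

MAGIC = b"\x0c\x15\x22\x2b"   # 4-byte trigger sequence named on the page
TCP_SYN = 0x02

def parse_ipv4_tcp(pkt):
    """Return (tcp_flags, payload) for a raw IPv4/TCP packet, or None for anything else."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack_from("!H", pkt, 2)[0]
    if pkt[9] != 6 or len(pkt) < ihl + 20:        # IP protocol 6 is TCP
        return None
    data_off = (pkt[ihl + 12] >> 4) * 4
    flags = pkt[ihl + 13]
    return flags, pkt[ihl + data_off:total_len]

def trigger_address(pkt):
    """Return the dotted IPv4 address a trigger-style SYN carries after the magic,
    or None. A SYN with any payload is unusual; one carrying this magic is the
    only inbound observable the passive listener mode produces."""
    parsed = parse_ipv4_tcp(pkt)
    if parsed is None:
        return None
    flags, payload = parsed
    if not flags & TCP_SYN:
        return None
    idx = payload.find(MAGIC)
    if idx < 0 or len(payload) < idx + 8:
        return None
    return str(ipaddress.IPv4Address(payload[idx + 4:idx + 8]))

def scan(packets):
    """Alert list for a batch of captured packets: (packet index, embedded address)."""
    alerts = []
    for n, pkt in enumerate(packets):
        addr = trigger_address(pkt)
        if addr is not None:
            alerts.append((n, addr))
    return alerts

def build_packet(flags, payload, dst_port=80):
    """Constructed IPv4/TCP packet with zeroed checksums, sufficient for offline parsing."""
    tcp = struct.pack("!HHIIBBHHH", 40000, dst_port, 0, 0, 5 << 4, flags, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes([198, 51, 100, 9]), bytes([192, 0, 2, 1]))
    return ip + tcp
```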

The design of this trimodal C2 channel acquisition strategy demonstrates an exceptionally high level of operational security and fault tolerance. The attackers anticipated that their primary channels might be discovered and disrupted, as indeed eventually happened with the seizure of toknowall.com and the removal of the Photobucket galleries. The layers of redundancy, moving from stealthy steganography on a legitimate site to a hardcoded domain, and finally to a completely passive listener, ensured the botnet’s resilience and longevity.

Stage 2 Core C2 Channel Analysis

Once the Stage 1 loader successfully acquires a C2 address and downloads the Stage 2 payload, this core component takes over to establish a persistent, interactive command channel.

Communication Protocols and Encryption

The Stage 2 malware is responsible for all primary C2 communications. It is capable of communicating over standard SSL/TLS and also possesses a module for routing its traffic through the Tor network for anonymization.

A critical finding in the analysis of VPNFilter was its use of a flawed implementation of the RC4 stream cipher for encrypting internal strings and some network data. Specifically, the RC4 key-scheduling algorithm contained an error where values in the permutation phase were XORed but not swapped.

This identical, non-standard flaw was previously observed in the BlackEnergy malware, which has been strongly linked to the same threat group. This operational security failure stands in stark contrast to the overall sophistication of the malware framework, suggesting that even the most advanced actors can make mistakes, or that the developers of VPNFilter were part of, or had direct access to, the BlackEnergy codebase.
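To make the key-scheduling defect concrete for analysts who need to decode strings from a sample, here is an added example (not code from the original analysis or from the malware) placing a standard RC4 key schedule beside a variant in which the permutation step XORs the two S-box entries instead of swapping them. The exact form of the XOR in the real implementation is not given on this page, so the flawed branch is an assumption of how the description reads; the point it demonstrates holds either way: the S-box stops being a permutation and the keystream diverges from standard RC4.

```python
def rc4_ksa(key, flawed=False):
    """RC4 key scheduling. With flawed=True the entries are XORed rather than
    swapped (assumed form of the defect described on the page)."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        if flawed:
            S[i] ^= S[j]              # XOR only: S is no longer a permutation of 0..255
        else:
            S[i], S[j] = S[j], S[i]   # standard swap
    return S

def rc4_prga(S, n):
    """Standard RC4 keystream generation for n bytes from an initialised S-box."""
    S = S[:]
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def rc4(key, data, flawed=False):
    """Encrypt or decrypt (the cipher is symmetric) with the chosen key schedule."""
    keystream = rc4_prga(rc4_ksa(key, flawed), len(data))
    return bytes(a ^ b for a, b in zip(data, keystream))

def is_permutation(S):
    """A correct KSA leaves every value 0..255 exactly once; the flawed one does not."""
    return sorted(S) == list(range(256))
```

When triaging a sample, a string that refuses to decrypt under standard RC4 but does under the flawed schedule is a useful attribution signal in its own right.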

Beaconing and Command Structure

Upon execution, the Stage 2 implant creates a working environment in the /var/run/vpnfilterw directory and begins a recurring loop to contact its C2 server. The beacon sent to the C2 server is a JSON object containing profiling information about the compromised device.

This data is then Base64-encoded and transmitted in an HTTP POST request, typically to the URI path /bin32/update.php on the C2 server.

The JSON beacon allows the attacker to catalog and manage their fleet of infected devices, containing key fields such as:

  • uq: A unique identifier, usually the device’s MAC address.
  • pv: The platform version of the device.
  • ad: The device’s public IP address.
  • bv: The malware version for both Stage 1 and Stage 2.
  • nn: The node name of the device.
  • tn and on: Flags indicating the status and use of Tor.

The C2 server replies with its own JSON object containing instructions. Key fields in the server’s response include:

  • tr: A value to set the delay (sleep time) for the main C2 loop.
  • pxs: An updated list of C2 proxy servers to use.
  • tor: The name and version of the Tor module to download or use.
  • mds: A list of Stage 3 modules to download and execute. This field specifies a command ID, the module name, and any necessary arguments, which are Base64-encoded.
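A triage helper for the beacon format just described, added here as an example and not taken from the original analysis: it peels the three layers in order (the /bin32/update.php path, the Base64 wrapper, the JSON object) and scores how many of the documented field names are present, so a proxy or web-server log line can be classified without a signature on any particular value. The sample beacon values are constructed; only the path and the field names come from the page.

```python
import base64
import binascii
import json

BEACON_PATH = "/bin32/update.php"                          # URI path named on the page
BEACON_KEYS = {"uq", "pv", "ad", "bv", "nn", "tn", "on"}   # client beacon fields on the page

def decode_beacon(path, body):
    """Decode a candidate Stage 2 beacon: path match, then Base64, then a JSON object.
    Returns (sorted matched field names, parsed object) or None if any layer fails."""
    if path != BEACON_PATH:
        return None
    try:
        raw = base64.b64decode(body, validate=True)
        obj = json.loads(raw.decode("utf-8"))
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None
    if not isinstance(obj, dict):
        return None
    return sorted(BEACON_KEYS & obj.keys()), obj

def classify(path, body, min_keys=4):
    """'beacon' when the decoded JSON carries at least min_keys documented fields,
    'suspicious-path' when only the URI matches, otherwise 'benign'."""
    decoded = decode_beacon(path, body)
    if decoded is None:
        return "suspicious-path" if path == BEACON_PATH else "benign"
    keys, _ = decoded
    return "beacon" if len(keys) >= min_keys else "suspicious-path"

# Constructed sample: every value below is made up for this example.
SAMPLE_BEACON = {"uq": "00:11:22:33:44:55", "pv": "mips-example", "ad": "198.51.100.23",
                 "bv": "1.0/2.0", "nn": "router-example", "tn": 0, "on": 0}
SAMPLE_BODY = base64.b64encode(json.dumps(SAMPLE_BEACON).encode()).decode()
```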

Stage 2 C2 Command Reference

The following table details the core commands that the Stage 2 malware can receive and execute. This serves as a functional dictionary for the malware’s primary operations.

| Command | Functionality | Network Implication |
|---|---|---|
| download | Downloads a file from a specified URL to the device’s local storage. | Outbound HTTP/Tor traffic to a new, attacker-specified URL will be observed. |
| copy | Exfiltrates a specified file from the infected device to the C2 server. | Outbound HTTP/Tor POST request containing the file data. |
| exec | Executes a shell command or a downloaded Stage 3 plugin module. | Varies based on command. Could initiate new network connections, scans, or other activities. |
| kill | Triggers the destructive payload, overwriting the first 5,000 bytes of /dev/mtdblock0 and rebooting, rendering the device inoperable. | Device will go offline permanently. No further network traffic. |
| reboot | Reboots the device. | Device will go offline temporarily and then reappear. Stage 1 will re-initiate C2 acquisition. |
| delay/relay | Sets the delay interval (in seconds) between C2 beaconing attempts. | Changes the frequency of C2 beaconing traffic. |
| seturl | Sets the URL for the C2 control panel. | Future C2 beacons will be directed to a new URL. |
| proxy/port | Sets the IP address and port for a proxy server to be used for C2 communications. | C2 traffic will be routed through a new proxy server. |
| tor | Enables or disables the use of the Tor network for C2 communications. | C2 traffic will either be sent directly (SSL) or routed through the Tor network. |
| stop | Terminates the Stage 2 malware process. | All C2 beaconing will cease until the device is rebooted, which triggers Stage 1 to re-infect. |

Network-Based Capabilities of Stage 3 Modules

Introduction to Stage 3 Modularity

The true operational power of the VPNFilter framework is realized through its Stage 3 modules. These plugins are downloaded and executed on demand by the Stage 2 payload, allowing the attackers to deploy specialized, network-oriented tools tailored to the specific environment they have compromised.

This modularity enhances stealth by avoiding the deployment of unnecessary or noisy capabilities. The following sections detail the network functions of the most significant Stage 3 modules discovered.

Stage 3 Module Capabilities and Network Signatures

| Module Name | Primary Function | Key Network Protocols/Ports | Observable Behavior/Signature |
|---|---|---|---|
| ps | Packet Sniffing | Raw Socket, HTTP (TCP/80), Modbus (TCP/502) | Intercepts traffic. Logs HTTP Basic Authentication credentials and flags Modbus TCP/IP packets. No traffic modification. |
| ssler | MITM & JS Injection | HTTP (TCP/80), HTTPS (TCP/443) | Redirects TCP/80 traffic to local port 8888. Performs SSL stripping (https:// to http://). Injects external JavaScript into web pages. |
| htpx | Executable Patching | HTTP (TCP/80) | Redirects TCP/80 traffic. Inspects passing data for Windows executables (.exe) for on-the-fly patching/trojanizing. |
| dstr | Device Destruction | N/A | Deletes files, overwrites flash memory, executes rm -rf /*, and reboots. Device ceases all network communication permanently. |
| nm | Network Mapper | ARP, ICMP, TCP, MNDP (UDP/5678) | Originates ARP scans, ICMP pings, and TCP port scans on the internal LAN. Sends MNDP probes to discover MikroTik devices. |
| ndbr | SSH Tool & Port Scanner | SSH (TCP/63914), TCP (various) | Acts as an SSH client/server on a non-standard port. Can be used to launch port scans against internal or external targets. |
| socks5proxy | SOCKS5 Proxy Server | SOCKS5 (TCP/5380) | Opens a SOCKS5 proxy on the device, allowing attackers to route arbitrary traffic through it. |
| portforwarding | Traffic Relay | TCP/UDP (configurable) | Installs iptables rules to forward traffic from one IP/port to an attacker-specified destination. |
| tcpvpn | Reverse TCP VPN | RC4-encrypted TCP | Establishes a reverse VPN tunnel to an attacker server, granting access to the internal network behind the router. |
| netfilter | Denial-of-Service | TCP (configurable) | Installs iptables rules to drop TCP packets with the PUSH flag set, potentially disrupting specific applications. |
| tor | Anonymization | Tor Protocol | Provides Stage 2 with the ability to route all C2 communications through the Tor network. |

Passive Intelligence Gathering and Data Exfiltration

The ps (packet sniffer) module is a passive intelligence-gathering tool that uses a raw socket to inspect traffic passing through the infected device. It has two primary functions that reveal the attackers’ interests:

Credential Theft: It inspects traffic for HTTP Basic Authentication headers (Authorization: Basic) and exfiltrates the captured credentials. It uses a complex set of exclusion rules to avoid logging benign data, focusing only on valuable authentication material.

Industrial Espionage: The module is explicitly coded to identify and flag traffic on TCP port 502, the standard port for the Modbus protocol. This demonstrates a clear intent to monitor Industrial Control Systems (ICS) and SCADA environments, a capability rarely seen outside of nation-state threat actors.

This duality of purpose, targeting both common IT credentials and specialized OT protocols, is a strong indicator of a multi-mission state-level actor with broad intelligence requirements.

Active Traffic Manipulation and Man-in-the-Middle (MITM) Attacks

The ssler and htpx modules grant the attacker powerful Man-in-the-Middle capabilities, allowing them to actively manipulate traffic.

ssler Module

The ssler module redirects all unencrypted web traffic (TCP port 80) to a local service it controls. It performs:

  • SSL Stripping by replacing https:// links with http://, forcing browsers to communicate in plaintext so the malware can intercept data, including credentials.
  • JavaScript injection by modifying HTML responses to include a <script> tag that loads malicious code from an attacker-controlled server. This allows the attackers to compromise the endpoints of users on the network, not just the router itself.

htpx Module

The htpx module is an evolution of ssler. It also redirects port 80 traffic but is specifically designed to inspect the data stream for Windows executables. It is assessed to be capable of on-the-fly patching, injecting a secondary payload into legitimate software as it is being downloaded by an unsuspecting user on the network.

Advanced C2 and Proxy Infrastructure

Several modules are dedicated to turning the compromised devices into a resilient and anonymized C2 and attack-launching infrastructure.

socks5proxy

The socks5proxy module starts a SOCKS5 proxy server on the infected device, allowing the attacker to route arbitrary traffic through it, effectively masking their true origin.

portforwarding

The portforwarding module acts as a simple traffic relay, installing iptables rules to forward traffic from one IP and port to an attacker-specified destination.

tcpvpn

The tcpvpn module is particularly dangerous, as it establishes a reverse-TCP VPN. This creates an inbound tunnel from the attacker’s server to the infected router, granting the attacker direct access to the internal network behind the router’s firewall.

Internal Network Reconnaissance and Lateral Movement

The combination of the nm and ndbr modules reveals a clear strategy for post-perimeter exploitation and lateral movement.

nm (Network Mapper)

The nm (Network Mapper) module is used to discover assets on the internal LAN. It performs ARP scans, ICMP pings, and TCP port scans to identify live hosts. It also has a specific function to discover other MikroTik devices using the proprietary MikroTik Network Discovery Protocol (MNDP), extracting version and identity information to find other vulnerable devices.

ndbr (SSH Tool)

The ndbr (SSH Tool) module is a modified version of the dropbear SSH utility. It can function as an SSH client or server (on the non-standard port TCP/63914) and includes an nmap-like function for port scanning. Once the nm module identifies a high-value target on the LAN (like a server), the attacker can use ndbr to attempt to access it via SSH, moving laterally from the router into the core of the network.

This combination of capabilities provides the attacker with two distinct pathways to compromise the internal network. They can either:

  • passively wait for a user to download a file and Trojanize it in transit (using htpx), or
  • actively map the internal network (nm) and use the SSH tool (ndbr) to move laterally to a target of interest.

Destructive Capabilities

The dstr module’s sole function is to render the infected device permanently inoperable. When triggered by a C2 command, it first deletes its own files and terminates related processes (vpnfilter, tor) in an attempt at anti-forensics.

It then proceeds to wipe key system files and directories, overwrite the device’s flash memory with garbage data, and finally executes the command rm -rf /* to delete the entire file system before rebooting. This “bricking” process leaves the device unable to boot and is typically unrecoverable.

Conclusion

VPNFilter’s design provides a masterclass in operational resilience and adaptability, and it offers critical insights for red teamers seeking to emulate the tactics of a sophisticated nation-state adversary. What makes VPNFilter truly noteworthy is not any single capability, but the seamless integration of its components into a cohesive and survivable whole.

The three-stage architecture is a deliberate and brilliant stroke of operational security. By divorcing the persistent Stage 1 loader from the non-persistent, high-functionality modules of Stages 2 and 3, the attackers created a strategic dilemma for defenders. A simple reboot, the most common remediation for IoT devices, purges the active tools but leaves the persistent beachhead intact, ready to resurrect the entire framework. This forces a far more complex full firmware restoration to remediate, requiring a level of operational friction and effort that serves its persistence.

Functionally, VPNFilter is a Swiss Army knife for network-based attacks. Its modularity allows for a tailored, “à la carte” deployment that minimizes the operational footprint and avoids unnecessary detection. The framework allows for a remarkable diversity of attacks - it is equally adept at broad-stroke credential harvesting and highly specific industrial espionage. This duality is rare and points to a multi-faceted intelligence mission.

Ultimately, VPNFilter’s most defining characteristic is its position as a weaponized network infrastructure. It transforms ubiquitous SOHO routers from simple gateways into forward operating bases. From these positions, the attackers could launch man-in-the-middle attacks to compromise internal users, pivot deeper into protected networks using the reverse VPN and SSH tools, and build a massive, anonymized proxy network for subsequent operations.
