New malware targets Wi-Fi routers and NAS devices - VPNFilter

The latest security problem to make headlines doesn’t involve your phone or your computer - if you’ve bought your own Wi-Fi router or NAS storage server, hackers might have taken it over for their own purposes, making it a participant in internet attacks directed against companies or countries. There’s also the disturbing possibility that the malware may include a ‘kill switch’ that disables your equipment - permanently.

This sophisticated attack has been christened VPNFilter after the name of a folder that the malware creates on the equipment. Research into this is ongoing and you can get more details at Cisco’s blog (thanks @jben).

Fortunately, the list of susceptible equipment isn’t too large, at least as of what we know today (6/9/2018). If you’re reading this months later, check the above article to see if there’s been an update to include more devices. Today’s list includes the following models (those marked (new) were added since this was first published)::


  • RT-AC66U (new)
  • RT-N10 (new)
  • RT-N10E (new)
  • RT-N10U (new)
  • RT-N56U (new)
  • RT-N66U (new)


  • DES-1210-08P (new)
  • DIR-300 (new)
  • DIR-300A (new)
  • DSR-250N (new)
  • DSR-500N (new)
  • DSR-1000 (new)
  • DSR-1000N (new)


  • HG8245 (new)


  • E1200
  • E2500
  • E3000 (new)
  • E3200 (new)
  • E4200 (new)
  • RV082 (new)
  • WRVS4400N


  • CCR1009 (new)
  • CCR1016
  • CCR1036
  • CCR1072
  • CRS109 (new)
  • CRS112 (new)
  • CRS125 (new)
  • RB411 (new)
  • RB450 (new)
  • RB750 (new)
  • RB911 (new)
  • RB921 (new)
  • RB941 (new)
  • RB951 (new)
  • RB952 (new)
  • RB960 (new)
  • RB962 (new)
  • RB1100 (new)
  • RB1200 (new)
  • RB2011 (new)
  • RB3011 (new)
  • RB Groove (new)
  • RB Omnitik (new)
  • STX5 (new)


  • DG834 (new)
  • DGN1000 (new)
  • DGN2200
  • DGN3500 (new)
  • FVS318N (new)
  • MBRN3000 (new)
  • R6400
  • R7000
  • R8000
  • WNR1000
  • WNR2000
  • WNR2200 (new)
  • WNR4000 (new)
  • WNDR3700 (new)
  • WNDR4000 (new)
  • WNDR4300 (new)
  • WNDR4300-TN (new)
  • UTM50 (new)


  • TS251
  • TS439 Pro
  • Other QNAP NAS devices running QTS software


  • R600VPN
  • TL-WR741ND (new)
  • TL-WR841N (new)


  • NSM2 (new)
  • PBE M5 (new)

To guard against your equipment being co-opted by this malware, it’s recommended that you:

  1. Reset the router or NAS device to factory settings
  2. Make sure you’re running the latest firmware available from the manufacturer.
  3. Set an administration password that is not a common word or number that might be easily guessed.
  4. Turn off remote administration or management
  5. Check with the manufacturer for any other advice or bulletins.

Why I recommended ASUS brand routers over others. They are very good in keeping even their much older networking products up to date with new firmware to fix bugs and security issues.
I have various other brands of networking devices that are newer than some of my Asus stuff, and they have not had any new firmware since maybe 3 months after the item was released, none for recent years of security holes.

Reset mine and changed admin & password, even though it is not on the list. Took the opportunity to upgrade firmware, which apparently I hadn’t done previously.


Did the same with mine that isn’t on the list, but no firmware upgrade. Nothing new since 2016 and I already have that.

They just added a bunch of routers to the list recently.

1 Like

My folks have my old Asus N56U router…however, it is on custom firmware, that hasn’t been updated in years, but is not effected by this it seems.

Tough, its interesting how they don’t really give in easy to understand terms how to see if your router is even infected.

I personally would continue to rely on the information provided by Cisco’s Talos Intelligence Group, the research team that discovered it.

  1. Initial (5/23/18) announce from Talos
  2. 6 June 18 update from Talos

Could you please cite your reference on DNS?

First article that came up when I ran a web search for “How to tell if router infected with VPNfilter”
was a howto geek article that said check dns…however, upon double checking article, its from 2015 and a general malware article.

Can u provide a good, non super technical article on how one would check to see of their router is indeed infected? I have several folks who are requesting such thing, but all I can find is super technical babel articles.

It appears to be an extremely complex exploit/delivery system, and I only grasp it at a very hi level, my understanding is quit limited, so I don’t feel qualified to try to explain it
At this point, my suggestion is stay informed of devices known to have been exploited and ensure that users update their routers as suggested by their manufactures.

  • You might want to edit your original entry and include the latest devices as reported in the 6 June 18 update from Talos … that would be a great service to the community.
Message an
Expert customer