VPNFilter malware: Is it still a threat in 2025?

What is VPNFilter malware?

VPNFilter is a sophisticated, multi-stage malware that specifically targets routers and network-attached storage (NAS) devices. Unlike typical malware, which often targets personal computers or mobile devices, VPNFilter infects internet-connected routers, especially those used in homes or offices. Once VPNFilter infects your device, attackers can monitor your network traffic, steal sensitive data, and even render your infected devices inoperable.

VPNFilter works in multiple stages that introduce additional functionalities. The first stage establishes persistence on the device, while the second and third enable spying, data theft, and destructive actions​. This modular architecture allows VPNFilter to be more resilient and harder to detect compared to traditional malware.

The name “VPNFilter” might be misleading because it suggests a connection to VPN technology even though it is not actually involved here. In fact, there is no such thing as a “VPN filter.” Typical VPN malware targets VPN services directly, contrary to VPNFilter which does not affect VPNs but focuses on routers and network devices instead.

What can VPNFilter malware do?

Due to its modular design, VPNFilter causes a wide range of harmful effects from data theft to network disruption and even potential physical damage to devices because it:

• Steals information. VPNFilter can monitor and exfiltrate sensitive information from devices connected to the infected network, such as passwords, financial data, or personal information. It passively intercepts network traffic flowing through the infected router, allowing attackers to spy on your activities.
• Carries out man-in-the-middle (MITM) attacks. VPNFilter can also intercept and manipulate the traffic passing through the routers it infects, which lets attackers alter data, redirect traffic, or inject malicious code. This man-in-the-middle attack capability enables them to steal sensitive information or compromise users’ privacy without their knowledge.
• Disables routers. One of VPNFilter’s more destructive capabilities is that it can disrupt entire networks. It can disable routers by corrupting their firmware, leading to loss of internet connectivity for all devices in the network.
• Survives reboots. Rebooting your device clears most malware. However, VPNFilter’s multi-stage infection process allows it to compromise the device’s firmware, ensuring the malware remains active even after rebooting. This persistence makes VPNFilter difficult to remove and getting rid of it often requires a full factory reset or hardware replacement.
• Bricks devices. One of the most alarming features of VPNFilter is its ability to “brick” devices and make them permanently unusable. Its kill-switch function corrupts the device’s firmware and turns the hardware into a useless object. This can cause widespread damage, forcing organizations to replace their entire network infrastructure.

How does VPNFilter infiltrate routers?

VPNFilter infiltrates routers through a sophisticated, multi-stage approach that allows it to gain access, establish control, and remain active. It typically operates by:

• Exploiting vulnerabilities. VPNFilter targets known weaknesses in router firmware to gain initial access, often utilizing outdated or unpatched software.
• Downloading malicious code. Once inside, the malware downloads additional malicious modules from online services to further compromise the router.
• Adapting communication. VPNFilter uses redundant methods to communicate with its command and control server so that it can continue receiving instructions even if one communication channel is blocked.
• By surviving reboots. VPNFilter’s core code remains intact even after a reboot, which makes it more persistent and difficult to eliminate.

What routers have been affected by VPNFilter?

VPNFilter has primarily affected routers from several popular manufacturers, particularly those with known vulnerabilities or outdated firmware. The malware has targeted enterprise and small office/home routers produced by Linksys, MikroTik, Netgear, Asus, D-link, Huawei, TP-Link, Ubiquiti, Upvel, and ZTE, as well as QNAP network-attached storage devices.

Who is behind VPNFilter malware?

Security experts attribute VPNFilter to the APT28 group, also known as Fancy Bear, a Russian state-sponsored cyber-espionage group linked to Russia’s military intelligence agency (GRU). Analysts base this attribution on the malware’s sophistication, scope, and targets. The way VPNFilter spreads is also similar to techniques that Fancy Bear used in some of its malware campaigns.

State-sponsored cyberattacks often aim at espionage and disruption of critical systems to destabilize their adversaries. Unlike criminal cyberattacks, state-sponsored threats are usually more sophisticated, persistent, and capable of causing widespread damage. These attacks are devastating enough to impact national security, public infrastructure, and economic stability. They also raise geopolitical tensions because other nations can see them as acts of cyberwarfare.

Is VPNFilter still a threat?

At its peak, VPNFilter infected over 500,000 routers and NAS devices globally. After coordinated efforts by law enforcement and cybersecurity organizations in 2018, the immediate threat of VPNFilter has diminished.

However, VPNFilter paved the way for similar malware strains and campaigns. For example, the Cyclops Blink malware also targets routers and NAS devices, proving that VPNFilter-like threats are still relevant.

Understanding VPNFilter is still important because this malware represents a blueprint for modular, persistent malware that can target critical infrastructure. Future attacks are likely to be based on similar techniques to the ones that attackers used in the VPNFilter campaigns. Therefore, it’s important to know how this type of malware operates and how to defend yourself against it.

How to protect yourself from VPNFilter malware

You have to be proactive to protect yourself from VPNFilter malware. But how can you do that?

Cybersecurity experts believe VPNFilter primarily exploits known vulnerabilities in outdated or unpatched router firmware to gain access. They also suspect that default or weak passwords and unprotected remote management interfaces (which allow external access to routers) also play a role in the initial compromise.

Based on these hypotheses, you should take the following steps to stay safe from VPNFilter:

• Keep router firmware updated. Regularly update your router’s firmware to patch vulnerabilities exploited by malware like VPNFilter. Most router manufacturers release security patches that address known flaws, including those that router viruses or malware could utilize.
• Use secure routers. Use routers known for their security features and regular updates. You can check out our list of the most secure routers to choose models that can better protect your network from malware.
• Use strong passwords for router access. Replace the default password with a strong password to prevent attackers from easily gaining access. A unique, complex password makes it much harder for malware to take control of your router.
• Enable two-factor authentication (2FA). If your router supports it, enable 2FA for an additional layer of security. 2FA requires a second form of verification beyond just a password, which makes it even more difficult for attackers to access the router.
• Use cybersecurity tools. A reliable VPN service will encrypt your online traffic, making it much harder for malware like VPNFilter to intercept or tamper with data through MITM attacks. Even if malware infects your router, it can’t easily read or alter the encrypted traffic. NordVPN’s advanced anti-malware tool Threat Protection Pro™ will also block access to malicious websites and prevent downloads of harmful software that might result in malware infections.
• Additional security steps. Consider disabling remote management unless necessary, regularly rebooting your router, and monitoring network traffic for unusual activity.

Staying informed about the latest malware and adopting strong cybersecurity practices is key to elevating your network’s protection. By following the steps outlined above, you can effectively reduce the risk of infection and improve the security of your entire network.