Cyclops Blink Special Report

This Special Report contains information about IP addresses for network devices that are believed to be infected with a new, large-scale modular malware framework which is affecting network devices named Cyclops Blink . You can read more on the background on Cyclops Blink and this Special Report in our blog post here.

Shadowserver Special Reports are unlike all of our other standard free daily network reports. They do not cover a specific time period.

Instead, we send out Special Reports in situations where we are able to share one-time, high value datasets that we feel should be reported responsibly for maximum public benefit. Sometimes there are incidents when it would be useful to be able to notify potential victims about events or breaches that may have impacted them outside of the previous 24 hour period, when it may take a number of days for incident responders to conduct forensic investigations and analyzed data becomes available for sharing with potential victims. Although the events included in these Special Reports will fall outside of our usual 24 hour daily reporting window, we believe that there would still be significant benefit to our constituents in receiving and hopefully acting on the retrospective data.

If you have missed a Special Report because you were NOT yet a subscriber at the time a report was pushed out, simply subscribe for your network now and specifically request all recent Shadowserver Special Reports – and we will regenerate them specifically for your network, at no cost.

Note that the data shared across special reports may differ on a case by case basis hence the report formats for different Special Reports may be different.

The data in this Cyclops Blink Special Report was provided to Shadowserver to disseminate rapidly to National CERTs/CSIRTs and network owners globally, to maximise remediation efforts. Note that exact timestamps were not available for individual events, so the timestamp field is set to “2022-02-23 00:00:00“. Infection status is believed to be likely to be accurate and up to date, so all systems that receive notifications should be investigated and remediated as a matter of urgency.



  • timestamp
    Timestamp when the IP address was seen, in UTC+0
  • ip
    IP address of the affected device
  • port
    TCP or UDP port identified
  • protocol
    Protocol associated with the malicious activity
  • asn
    Autonomous System Number of the affected device
  • geo
    Country of the affected device
  • region
    Region of the affected device
  • city
    City of the affected device
  • hostname
    Hostname of the affected device (may be from reverse DNS)
  • naics
    North American Industry Classification System Code
  • sector
    Sector of the IP in question
  • tag
    Additional tags for more insight
  • public_source
    Source of the data
  • status
    Status of the affected IP, for example, "likely compromised" (likely to be infected with the Cyclops Blink malware) or "C2 server"
  • method


"2022-02-23 00:00:00",xx.xx.19.50,,,701,US,"NEW YORK","NEW ROCHELLE",,517312,"Communications, Service Provider, and Hosting Service",cyclops-blink,,"likely compromised",
"2022-02-23 00:00:00",xx.xx.220.234,,,14265,US,CALIFORNIA,"LOS ANGELES",,517919,"Communications, Service Provider, and Hosting Service",cyclops-blink,,"likely compromised"
"2022-02-23 00:00:00",xx.xx.1.198,,,4812,CN,"SHANGHAI SHI",SHANGHAI,,517311,,cyclops-blink,,,"likely compromised",
"2022-02-23 00:00:00",xx.xx.153.146,,,9381,HK,"HONG KONG","HONG KONG",,,,cyclops-blink,,,"likely compromised",
"2022-02-23 00:00:00",xx.xx.85.69,,,138999,KH,"BANTEAY MEAN CHOAY","OU CHROV",,,,cyclops-blink,,,"likely compromised",
"2022-02-23 00:00:00",xx.xx.122.141,,,139563,IN,MAHARASHTRA,ANDHERI,,443142,,cyclops-blink,,,"likely compromised",
"2022-02-23 00:00:00",xx.xx.191.42,,,17995,ID,"JAKARTA RAYA",JAKARTA,,,,cyclops-blink,,vulnerable,

Our 134 Report Types