SYNful Knock
SYNful Knock is a Cisco router firmware implant/backdoor consisting of a modified Cisco IOS image. It provides persistent, covert access to compromised Cisco devices and survives reboots. The implant permits the threat actor to load modules and maintain a hidden foothold on infected devices. It has been described as custom malware for Cisco devices and was first publicly reported in 2015.
The malware has been associated with Russian state-linked espionage activity, particularly the group tracked as Static Tundra and related aliases including Berserk, Energetic Bear, Dragonfly, and Berserk Bear, which reporting links to the FSB's Center 16. In that activity, attackers exploited CVE-2018-0171 in Cisco Smart Install on unpatched or end-of-life Cisco IOS/IOS XE devices to gain initial access, then used SYNful Knock or reused SNMP credentials for long-term persistence. Reported post-compromise behavior included extracting startup configurations, exposing passwords and SNMP community strings, modifying running configurations via spoofed SNMP commands, creating new local accounts, enabling Telnet, disabling TACACS+ logging, modifying ACLs, and using GRE tunnels plus TFTP, FTP, or SNMP CONFIG-COPY MIB operations for collection and exfiltration.
This activity targeted organizations in telecommunications, higher education, and manufacturing, with victims reported in Ukraine and allied countries as well as broader activity across North America, Asia, Africa, and Europe. Historical reporting also noted confirmed SYNful Knock implants on Internet-facing infrastructure in Ukraine, the Philippines, Mexico, and India. High-confidence references identify Cisco routers and Cisco IOS images as the affected platform; no file hashes or other malware-specific IOCs are available beyond the malware name and Cisco's SYNful Knock incident response material.
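The post-compromise configuration changes listed above (new privileged accounts, Telnet enabled, TACACS+ accounting removed, GRE tunnels, writable SNMP communities, Smart Install left enabled) are all visible in a device's running-config, so a defender can diff pulled configs against a baseline. The following Python audit is an added example, not code from the page or from Cisco; the IOS command syntax it matches (`no vstack`, `transport input`, `snmp-server community ... RW`, `aaa accounting ... group tacacs+`, `tunnel mode gre`) is real, while the sample config and the `netadmin` baseline account are constructed.

```python
import re

# Constructed Cisco IOS running-config excerpt (not from any real device) that
# exhibits the reported post-compromise changes: an unapproved level-15 account,
# Telnet on the vty lines, no TACACS+ accounting, a GRE tunnel, an RW SNMP
# community, and Smart Install (vstack) never disabled.
SAMPLE_CONFIG = """\
hostname edge-rtr-01
username svc_backup privilege 15 secret 5 $CONSTRUCTED_HASH$
snmp-server community public RW
interface Tunnel0
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.10
 tunnel mode gre ip
line vty 0 4
 transport input telnet ssh
"""

# (finding name, predicate over the full config text). Smart Install client is
# enabled by default on affected IOS trains and only shows up in the config once
# it has been explicitly disabled, hence the negative match for "no vstack".
CHECKS = [
    ("smart_install_enabled", lambda c: not re.search(r"^no vstack\b", c, re.M)),
    ("telnet_on_vty", lambda c: re.search(r"^\s+transport input .*\btelnet\b", c, re.M) is not None),
    ("rw_snmp_community", lambda c: re.search(r"^snmp-server community \S+ RW\b", c, re.M | re.I) is not None),
    ("tacacs_accounting_missing", lambda c: not re.search(r"^aaa accounting .*group tacacs\+", c, re.M)),
    ("gre_tunnel_present", lambda c: re.search(r"^\s+tunnel mode gre\b", c, re.M) is not None),
]

def privileged_accounts(config, baseline=frozenset()):
    """Return privilege-15 local usernames that are not in the approved baseline."""
    found = re.findall(r"^username (\S+) privilege 15\b", config, re.M)
    return sorted(set(found) - set(baseline))

def audit(config, baseline_accounts=frozenset()):
    """Return the set of finding names triggered by this config."""
    findings = {name for name, pred in CHECKS if pred(config)}
    if privileged_accounts(config, baseline_accounts):
        findings.add("unapproved_priv15_account")
    return findings

if __name__ == "__main__":
    for finding in sorted(audit(SAMPLE_CONFIG, baseline_accounts={"netadmin"})):
        print("FINDING:", finding)
```

Run against configs pulled over an authenticated channel on a schedule; any finding that appears between two pulls is the change event worth investigating.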
Vulnerabilities exploited
1 CVE correlated with this family across public research and vendor advisories.
According to research from Cisco Talos, the unit has targeted Cisco devices since 2021 by exploiting a seven-year-old vulnerability in the Smart Install feature of Cisco IOS software and Cisco IOS XE software. Tracked as CVE-2018-0171, the bug has been left unpatched by Cisco for said devices due to their retired status. The remote code execution (RCE) vulnerability allows attackers to either force the affected device to restart, causing a denial-of-service (DoS) condition, or to execute arbitrary code on it.
Persistent access is maintained with reused SNMP credentials or, when required, the SYNful Knock malware, which survives reboots.
Groups observed using it
2 distinct threat actors attributed by public researchers.
Techniques & procedures
6 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
2 techniques
Their attack chain typically begins with exploiting the Smart Install vulnerability to gain initial access... When exploited, CVE-2018-0171 allows unauthenticated remote attackers to execute arbitrary code or cause denial of service conditions by triggering device reloads.
Persistence
4 techniques
Privilege Escalation
1 technique
Stealth
3 techniques
Defense Impairment
2 techniques
Credential Access
1 technique
Command and Control
1 technique
Recent activity
10 sources tracked across advisories, community write-ups, and news.
A malware implant/backdoor used to maintain persistent access on compromised Cisco network devices, including surviving device reboots.
Backdoor used to maintain persistent, covert access to compromised Cisco networking devices, providing a hidden foothold that can survive reboots.
SYNful Knock is a custom backdoor implant for Cisco routers that modifies device firmware to provide persistent access, allowing attackers to return at will, steal configuration files, and use the router as a launch point for further attacks.
SYNful Knock is a custom malware implant/backdoor for Cisco routers, allowing persistent unauthorized access and control over compromised network devices.