HIGH · Malware
Verified
Global

Sandworm Uses Compromised Ubiquiti Routers as C2 Infrastructure

Sunday, March 8, 2026 at 02:00 PM UTC · Source: FBI / NSA Joint Advisory

Updated: Monday, March 9, 2026 at 10:00 AM UTC

Executive Summary

The FBI warns that Sandworm is using a botnet of compromised Ubiquiti EdgeRouters as proxy C2 infrastructure for espionage operations against NATO targets.

Analysis

The FBI advisory reveals that Sandworm has compromised thousands of Ubiquiti EdgeRouters worldwide using default credentials and known vulnerabilities. The routers serve as proxy infrastructure for command-and-control communications, making it difficult to attribute network traffic back to Russian GRU operations. Targets include NATO military installations and European government networks.

Timeline

Discovered: Feb 1, 2026
Published: Mar 8, 2026

Source Attribution

Originally published by FBI / NSA Joint Advisory on Mar 8, 2026. Verified by: FBI, NSA, CISA.
