Slingshot Router Malware Won't Hurt You — But Protect Yourself Anyway

Slingshot, discovered by Kaspersky Lab, is one of the more interesting pieces of recently discovered malware. From an everyday threat standpoint, it’s negligible, having infected 100 or so PCs in the last six years. However, from an international conspiracy standpoint, Slingshot would feel right at home in a spy thriller.

Credit: Public Domain


Here’s what Kaspersky Lab discovered, in an exhaustive 25-page research paper (and a much more digestible FAQ): Slingshot is a piece of malware that can compromise any device on a network, down to the deepest kernel levels. However, it doesn’t live on PCs or smartphones; the malware installs directly onto routers, particularly those from Latvian manufacturer Mikrotik.


How to Protect Yourself

Even if you’re not running a Mikrotik router, Kaspersky allowed that “some victims may have been infected through other routes.” If you haven’t updated your router firmware recently (or ever), now is as good a time to do that as any. Check out our guide to keeping routers up-to-date, and make sure that you repeat the process once every month or two. Slingshot is by no means the only router-centric threat out there.

Remember that even though it’s not easy to see what your router does directly, it’s responsible for every piece of Internet traffic that travels through your home or workplace. It doesn’t matter how thoroughly you’ve protected your computer; if your router’s firmware has holes in it, cybercriminals could draft your computer into a botnet, force it to mine cryptocurrency or just steal all of your social media, email and financial logins.

How Slingshot Happened

The exact attack vector is not clear, but Slingshot replaced a Mikrotik program called Winbox with a compromised, nearly identical version. This software could then — through a process that’s too complex and involved to explain in brief — gather any information that goes through the router’s network, and exfiltrate it to a foreign server.

Interestingly, this doesn’t appear to be a concentrated Latvian effort at data-sniffing. Kaspersky Lab called Slingshot “very expensive, complex and well-designed,” as well as “professional and probably state-sponsored.” The 100 or so computers targeted were all located in Kenya, Yemen, Libya, Afghanistan, Iraq, Tanzania, Jordan, Mauritius, Somalia, the Democratic Republic of the Congo, Turkey, Sudan and the United Arab Emirates.

The company didn’t hazard a direct guess as to which organization might have programmed it, but contextual clues led researchers to believe that the Slingshot masterminds are both native English-speakers and J.R.R. Tolkien aficionados. The CIA, MI5 or a similar organization is not out of the question.

Mikrotik does sell a handful of routers in the U.S., but even if you’re one of the twelve or so people who own one, there’s no evidence that Slingshot has targeted any systems in the West.

Still, as is the case with so many routers, the problem isn’t Mikrotik’s firmware, per se — it’s that no one ever updates his or her router. Mikrotik’s latest router firmware patches the hole that allowed Slingshot to take root. If you’re running a Mikrotik router and haven’t updated the firmware in the last, well, six years, you should download the appropriate package from its website.

Marshall Honorof

Marshall Honorof is a senior editor for Tom's Guide, overseeing the site's coverage of gaming hardware and software. He comes from a science writing background, having studied paleomammalogy, biological anthropology, and the history of science and technology. After hours, you can find him practicing taekwondo or doing deep dives on classic sci-fi. 
