
Authorities Disrupt SocksEscort Proxy Botnet Exploiting 369,000 IPs Across 163 Countries

Published:

13 March 2026 at 05:26:00

Alert date:

13 March 2026 at 07:01:18

Source:

thehackernews.com


Mobile & IoT, Network Infrastructure, Ransomware & Malware

International law enforcement dismantled SocksEscort, a criminal proxy service that infected home and small business internet routers with malware. The botnet enslaved thousands of residential routers worldwide, exploiting 369,000 IP addresses across 163 countries. The malware allowed cybercriminals to use compromised routers as proxies for committing large-scale fraud. This court-authorized operation successfully disrupted the criminal infrastructure that was being used for malicious activities.

Technical details

The SocksEscort proxy service was powered by the AVrecon malware, which infected home and small business routers through vulnerabilities in residential modems. The malware redirected traffic through infected routers so that proxy access could be sold. AVrecon is written in C and targets MIPS and ARM devices, approximately 1,200 device models from various manufacturers. It establishes remote shells, acts as a loader for additional payloads, and achieves persistence by flashing custom firmware containing AVrecon that executes on startup while disabling update mechanisms. The service operated from summer 2020, offering 369,000 IP addresses across 163 countries, with 8,000 infected routers as of February 2026.

Mitigation steps:

Router owners should check whether their devices have been compromised by the AVrecon malware. Since the malware disables update and flashing features, causing a permanent infection, affected devices may require a factory reset or firmware replacement. Organizations should monitor for unusual network traffic patterns and implement network segmentation to limit the potential impact of compromised edge devices.
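One way to act on the advice to watch for unusual traffic from edge devices, as an added example that is not code from the advisory or from Perceptive: a router that merely forwards LAN traffic originates only a few housekeeping sessions of its own, whereas a router enslaved as a proxy exit opens sessions to many unrelated public hosts. The record format, the router address, the LAN prefix and the fan-out threshold are assumptions.

```python
"""Heuristic check for a SOHO router behaving like a residential proxy exit.

Added example; not from the advisory. Assumes the records come from the
router's own connection-tracking table, so source addresses are the
pre-NAT originals rather than the shared WAN address.
"""
from ipaddress import ip_address, ip_network

ROUTER_IP = "192.168.1.1"              # assumed LAN-side address of the router
LAN_NET = ip_network("192.168.1.0/24")  # assumed LAN prefix
HOUSEKEEPING_PORTS = {53, 123}         # DNS forwarding and NTP: expected from a router
FANOUT_THRESHOLD = 5                   # assumed; tune to the site's baseline

# Constructed sample records (src_ip, dst_ip, dst_port); public addresses
# are taken from documentation ranges.
CONNTRACK = [
    ("192.168.1.20", "198.51.100.5", 443),   # LAN client browsing: ignored
    ("192.168.1.21", "198.51.100.6", 443),
    ("192.168.1.1", "198.51.100.53", 53),    # router forwarding DNS: expected
    ("192.168.1.1", "198.51.100.53", 53),
    ("192.168.1.1", "198.51.100.123", 123),  # router syncing NTP: expected
    ("192.168.1.1", "203.0.113.40", 8080),   # router itself opening sessions to
    ("192.168.1.1", "203.0.113.41", 443),    # unrelated public hosts on mixed ports
    ("192.168.1.1", "203.0.113.42", 25),
    ("192.168.1.1", "203.0.113.43", 443),
    ("192.168.1.1", "203.0.113.44", 3306),
    ("192.168.1.1", "203.0.113.44", 3306),   # repeated flow, counted once
    ("192.168.1.1", "203.0.113.45", 80),
]


def router_originated_destinations(records, router_ip=ROUTER_IP):
    """Distinct non-LAN hosts the router itself contacted, ignoring housekeeping ports."""
    dests = set()
    for src, dst, port in records:
        if src != router_ip or port in HOUSEKEEPING_PORTS:
            continue
        if ip_address(dst) not in LAN_NET:   # only destinations outside the LAN count
            dests.add(dst)
    return sorted(dests)


def looks_like_proxy_exit(records, router_ip=ROUTER_IP, threshold=FANOUT_THRESHOLD):
    """True when the router's own outbound fan-out reaches the assumed baseline."""
    return len(router_originated_destinations(records, router_ip)) >= threshold


if __name__ == "__main__":
    hits = router_originated_destinations(CONNTRACK)
    print(f"router-originated external destinations: {len(hits)} -> {hits}")
    print("proxy-like:", looks_like_proxy_exit(CONNTRACK))
```

A hit is a reason to inspect the device (firmware version, whether updates still work, unexpected listening ports), not proof of infection on its own.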

Affected products:

Cisco routers
D-Link routers
Hikvision routers
Mikrotik routers
Netgear routers
TP-Link routers
Zyxel routers
Small-office/home-office (SOHO) routers (approximately 1,200 device models)

Related links:

Related CVEs:

Related threat actors:

IOCs:

socksescort[.]com, AVrecon malware, 34 domains (seized), 23 servers (seized), Command-and-control nodes (C2s) - average of 15 per week

This article was created with the assistance of AI technology by Perceptive.

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

This website displays information obtained from external sources; Perceptive accepts no responsibility for the accuracy, completeness or timeliness of this information.
