US disrupts SocksEscort proxy network powered by Linux malware

Source: BleepingComputer

Author: Bill Toulas

URL: https://www.bleepingcomputer.com/news/security/us-disrupts-socksescort-proxy-network-powered-by-linux-malware/

ONE SENTENCE SUMMARY:

International law enforcement and Lumen dismantled SocksEscort, a decade-old proxy botnet abusing AVRecon-infected Linux routers, seizing domains, servers, and crypto.

MAIN POINTS:

  1. Black Lotus Labs reported ~20,000 infected edge devices active weekly for years.
  2. First publicly documented in 2023, the service had operated for over a decade selling proxy routing.
  3. Advertisements promised “clean” ISP IPs able to evade common blocklists.
  4. DOJ stated access was sold to roughly 369,000 distinct IP addresses since summer 2020.
  5. By February 2026, customers could choose from ~8,000 infected routers, of which about 2,500 were in the U.S.
  6. Investigators linked the proxy service to cryptocurrency theft and multiple large fraud losses.
  7. Europol-coordinated actions seized 34 domains and 23 servers across seven countries.
  8. U.S. authorities froze $3.5 million in cryptocurrency tied to the operation.
  9. AVRecon, active since at least May 2021, infected over 70,000 Linux SOHO routers.
  10. After Lumen null-routed the C2 infrastructure in 2023, operators rebuilt and resumed using about 15 C2 nodes.

TAKEAWAYS:

  1. Edge routers remain high-value infrastructure for criminal proxy services and anonymity.
  2. A one-time C2 disruption is only temporary unless followed by persistent takedowns and coordination across the ecosystem.
  3. Proxy networks monetizing “residential” IPs materially enable fraud and crypto theft.
  4. Replace end-of-life routers and apply firmware updates to reduce AVRecon-style compromise.
  5. Harden administration by changing defaults and disabling unnecessary remote management interfaces.