Here is your weekly summary of news and other public coverage relevant to Vercara, the market leader in DNS, DDoS Mitigation, Web Application Firewalls, and Bot Management. Keep reading to learn about the week’s interesting and informative stories. To see all the OSINT reports, click here.
NOTE: Except where indicated, this report is released as TLP: CLEAR and items in it may be shared but not attributed to Vercara. For more information on the Traffic Light Protocol, the definitions and usage are at https://www.first.org/tlp/.
Police Dismantles Botnet Selling Hacked Routers as Residential Proxies
(TLP: CLEAR) Law enforcement agencies have dismantled a long-running botnet responsible for creating two major residential proxy services, Anyproxy and 5socks, which operated by compromising thousands of routers globally since at least 2004. The botnet, powered by the TheMoon malware, infected end-of-life routers—mainly older Linksys and Cisco models—transforming them into proxies rented out to users via monthly subscriptions ranging from $9.95 to $110. Four individuals—three Russian nationals and one Kazakhstani—have been indicted by the U.S. Department of Justice for conspiracy, computer damage, and domain registration fraud. They allegedly generated over $46 million by selling access to these hijacked routers, which were marketed as residential proxies to obscure a wide range of cybercriminal activity including DDoS attacks, ad fraud, credential brute-forcing, and cryptocurrency theft. This operation, dubbed “Operation Moonlander,” involved coordination between the FBI, Dutch and Thai authorities, and cybersecurity analysts at Lumen Technologies’ Black Lotus Labs. The seized proxies provided near-anonymous access due to their use of residential IP addresses, which are typically trusted by security systems. The FBI issued a flash alert warning that the botnet continues to target end-of-life routers with remote administration enabled. Authorities stressed the importance of securing and replacing outdated network hardware, noting that these residential proxy services enabled malicious actors to avoid detection, posing significant risks to cybersecurity ecosystems worldwide.
(TLP: CLEAR) Comments: The dismantling of the Anyproxy and 5socks residential proxy services reveals critical insights into the evolving infrastructure of cybercrime and its ties to broader threats like DDoS attacks. By leveraging malware such as TheMoon to compromise end-of-life (EoL) routers, the operators built a durable, stealthy botnet spanning two decades. These compromised devices were sold as residential proxies, which are highly valued by malicious actors for their ability to obfuscate the origin of attacks and bypass traditional security filters. The use of residential IP addresses, as opposed to commercial or data center addresses, provided the botnet’s users—ranging from fraudsters to DDoS-for-hire customers—with a high level of trust and low detection risk. Notably, these proxies facilitated a range of illicit activities including ad fraud, brute-force attacks, exploitation campaigns, and DDoS operations. The fact that only around 10% of the IPs were flagged as malicious on services like VirusTotal illustrates the botnet’s evasive capabilities and the limitations of signature-based threat detection. Financially, the botnet was highly profitable, with over $46 million allegedly earned through subscription services ranging from $9.95 to $110 per month. This highlights the lucrative nature of cybercrime-as-a-service (CaaS) ecosystems and the growing market for anonymized infrastructure. Strategically, the case underscores the need for law enforcement to target not only threat actors but also the underlying infrastructure enabling cybercrime. It also emphasizes the urgency of decommissioning insecure EoL hardware, which continues to serve as fertile ground for DDoS botnet expansion and persistent cyber threats.
(TLP: CLEAR) Recommended best practices/regulations: NIST SP 800-53 Rev5 SC-5: “DENIAL-OF-SERVICE PROTECTION
Control:
- [Selection: Protect against; Limit] the effects of the following types of denial-of-service events: [Assignment: organization-defined types of denial-of-service events]
- Employ the following controls to achieve the denial-of-service objective: [Assignment: organization-defined controls by type of denial-of-service event].
SC-5 requires organizations to perform risk management concerning the availability of IT systems and to implement controls appropriate to the level of risk.
(TLP: CLEAR) Vercara: Vercara UltraDDoS Protect is operated by our dedicated, 24/7 Security Operations Center that works to mitigate attacks against infrastructure, applications, and supporting services. Their work is backed by industry-leading Service Level Agreements (SLAs) for mitigation timeliness and effectiveness.
Source: https://www.bleepingcomputer.com/news/security/police-dismantles-botnet-selling-hacked-routers-as-residential-proxies/
FBI: End-of-Life Routers Hacked for Cybercrime Proxy Networks
(TLP: CLEAR) The FBI has issued a warning about cybercriminals exploiting end-of-life (EoL) routers to build proxy networks, specifically through the 5Socks and Anyproxy platforms. These outdated devices, which no longer receive vendor security updates, are being targeted using known exploits to install persistent malware, such as variants of the “TheMoon” botnet.
Once compromised, these routers are converted into residential proxies, allowing threat actors to route malicious traffic anonymously. These proxies are sold to customers, who may use them for cybercrime-for-hire operations, cryptocurrency theft, and espionage. The FBI highlighted that some of these operations have been linked to Chinese state-sponsored actors targeting U.S. critical infrastructure. The advisory lists several vulnerable Linksys and Cisco models, including Linksys E1200, E2500, and WRT320N, as well as Cisco E1000 and M10. These devices, when infected, connect to command and control (C2) servers to receive further instructions, such as scanning the internet for more vulnerable systems. Users of infected routers may experience network issues, overheating, degraded performance, unexpected configuration changes, rogue admin accounts, and unusual traffic patterns. To mitigate risks, the FBI advises replacing EoL routers with newer, supported models. If replacement is not feasible, users should update firmware from official sources, disable remote administration, and change default login credentials. The FBI has also released indicators of compromise to help identify affected devices and urges heightened vigilance to prevent the continued use of obsolete, vulnerable hardware in botnet infrastructures.
(TLP: CLEAR) Comments: The FBI’s recent warning underscores the growing threat posed by end-of-life (EoL) routers exploited to build proxy botnets such as 5Socks and Anyproxy. These outdated devices, which lack security updates, are easily compromised using known exploits and infected with persistent malware like TheMoon. Once hijacked, they function as residential proxies—enabling malicious actors to anonymize cybercrime operations, including cryptocurrency theft, cybercrime-for-hire, and increasingly, large-scale DDoS attacks. The misuse of residential IPs provides attackers with a layer of legitimacy that allows malicious traffic to evade detection and filtering mechanisms. This infrastructure not only facilitates stealth but also enables the rapid scaling of distributed denial-of-service attacks, particularly when thousands of compromised routers are coordinated for volumetric or application-layer targeting. As such, the presence of these vulnerable devices significantly expands the threat surface for DDoS campaigns. Mitigation requires immediate decommissioning of EoL routers, applying firmware updates, and disabling remote access to prevent their weaponization.
(TLP: CLEAR) Recommended best practices/regulations: NIST Special Publication 800-189: “Distributed denial-of-service (DDoS) is a form of attack where the attack traffic is generated from many distributed sources to achieve a high-volume attack and directed towards an intended victim (i.e., system or server). To conduct a direct DDoS attack, the attacker typically makes use of a few powerful computers or a vast number of unsuspecting, compromised third-party devices (e.g., laptops, tablets, cell phones, Internet of Things (IoT) devices, etc.). The latter scenario is often implemented through botnets. In many DDoS attacks, the IP source addresses in the attack messages are “spoofed” to avoid traceability.”
(TLP: CLEAR) Vercara: Vercara UltraDDoS Protect delivers DDoS mitigation and protection with competitive pricing tailored to your budget. Secure and reliable, it defends your online assets against DDoS threats, offering a flexible range of solutions for any organizational need.
Source: https://www.bleepingcomputer.com/news/security/fbi-end-of-life-routers-hacked-for-cybercrime-proxy-networks/
Hackers Leverage JPG Images to Execute Fully Undetectable Ransomware
(TLP: CLEAR) The article highlights a sophisticated cyberattack campaign utilizing steganography to deliver fully undetectable (FUD) ransomware. Malicious actors embed obfuscated PowerShell code within the EXIF metadata of JPEG images, allowing the code to bypass traditional security solutions. This technique, known as stegomalware, enables the dynamic extraction and execution of hidden code, often initiated through Office document macros. Once triggered, the code downloads another image containing a Base64-encoded .NET assembly, which delivers the final ransomware payload, encrypting files without detection. The attack chain often starts via spam emails with innocent-looking image attachments. Researchers documented its use in distributing Remote Access Trojans (RATs) such as LimeRAT, AgentTesla, and Remcos before ransomware deployment. The FUD approach employs cryptors to obfuscate malware code, making it unrecognizable to signature-based antivirus systems.
(TLP: CLEAR) Comments: The use of steganographic techniques to deliver ransomware, as detailed in the article, demonstrates a notable evolution in threat actors’ tactics, particularly in their ability to bypass conventional detection mechanisms. By embedding obfuscated PowerShell code within JPEG image metadata or pixel data, malicious actors are exploiting a non-traditional attack vector that security solutions often overlook. This enables the distribution of fully undetectable (FUD) ransomware payloads, which are difficult to identify using signature-based antivirus tools. The multi-stage nature of the attack—beginning with image delivery, followed by the use of macro-enabled Office documents, and ending in payload execution—illustrates a high level of operational sophistication. The combination of remote access trojans (RATs) and ransomware in a single campaign suggests that attackers are aiming for both long-term persistence and immediate disruption or financial gain. From a strategic standpoint, this trend emphasizes the growing importance of behavioral detection, email filtering with deep content inspection, and strict macro policies in enterprise environments. The use of common file formats like JPEGs as a delivery mechanism also highlights the need for greater awareness and caution among users, as well as a reassessment of what constitutes a “safe” file. Overall, this technique represents a significant threat not only to individual systems but also to larger organizational infrastructures, especially when combined with social engineering tactics. It underscores the need for a proactive, layered defense model and regular user education to mitigate increasingly covert and adaptive ransomware threats.
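As an added illustration of the detection side of this technique (example code written for this report, not from the article or any vendor), the following Python scanner walks a JPEG's marker segments and flags metadata payloads that carry PowerShell or decoder indicators, which is the kind of deep content inspection a mail gateway can apply to image attachments. The indicator list, the two sample files and the placeholder encoded blob are constructed assumptions.

```python
"""Inspect a JPEG's metadata segments for script-like content.

Constructed example for this report, not code from the article or any vendor:
stegomalware hides obfuscated PowerShell in EXIF text fields, so a mail or
download filter can walk the JPEG marker segments and flag metadata payloads
that carry interpreter or decoder indicators before the file reaches a user.
"""
import re
import struct

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
# Segments that carry text metadata (EXIF/XMP in APP1, IPTC in APP13, comments).
METADATA_MARKERS = {0xE1: "APP1", 0xED: "APP13", 0xFE: "COM"}

# Defensive indicators of interpreted code inside an image's text fields.
SCRIPT_INDICATORS = re.compile(
    rb"powershell|invoke-expression|\biex\b|frombase64string|"
    rb"downloadstring|-encodedcommand|new-object",
    re.IGNORECASE,
)


def iter_segments(data: bytes):
    """Yield (marker, payload) for every segment up to the start of scan data."""
    if data[:2] != b"\xFF\xD8":
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker prefix at offset {pos}")
        marker = data[pos + 1]
        if marker in (SOI, EOI, SOS):       # entropy-coded data follows SOS
            return
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        payload = data[pos + 4:pos + 2 + length]
        if len(payload) != length - 2:
            raise ValueError(f"truncated segment at offset {pos}")
        yield marker, payload
        pos += 2 + length


def scan_jpeg_metadata(data: bytes):
    """Return (segment, indicator, context) triples for suspicious metadata."""
    findings = []
    for marker, payload in iter_segments(data):
        name = METADATA_MARKERS.get(marker)
        if name is None:
            continue
        for m in SCRIPT_INDICATORS.finditer(payload):
            lo, hi = max(0, m.start() - 16), m.end() + 16
            context = payload[lo:hi].decode("latin-1", "replace")
            findings.append((name, m.group(0).decode("latin-1").lower(), context))
    return findings


def _segment(marker: int, payload: bytes) -> bytes:
    return b"\xFF" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload


_TIFF_HEADER = b"MM\x00\x2A\x00\x00\x00\x08" + b"\x00" * 8   # empty IFD, constructed

# Constructed samples (not real malware): a benign photo and one whose EXIF
# segment carries a PowerShell launch string with a placeholder encoded blob.
SAMPLE_CLEAN = (
    b"\xFF\xD8"
    + _segment(0xE1, b"Exif\x00\x00" + _TIFF_HEADER)
    + _segment(0xFE, b"Holiday photo, 2025")
    + b"\xFF\xDA\x00\x02\xFF\xD9"
)
SAMPLE_SUSPICIOUS = (
    b"\xFF\xD8"
    + _segment(0xE1, b"Exif\x00\x00" + _TIFF_HEADER
               + b"UserComment: powershell -EncodedCommand UExBQ0VIT0xERVI=")
    + b"\xFF\xDA\x00\x02\xFF\xD9"
)

if __name__ == "__main__":
    for label, sample in (("clean", SAMPLE_CLEAN), ("suspicious", SAMPLE_SUSPICIOUS)):
        print(label, scan_jpeg_metadata(sample))
```

Indicator matching is signature-style and will miss fully obfuscated strings; it is meant as one layer beside sandboxing and macro policy, not a replacement for them.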
(TLP: CLEAR) Recommended best practices/regulations: NIST Cybersecurity Framework (CSF) DE.CM-01: “Networks and network services are monitored to find potentially adverse events”. One of the ways to detect phishing, malware droppers, and command and control (C2) is at the network level. Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), and next-generation firewalls can be used with a protective DNS solution to detect these malicious activities as they traverse the network, even if the initial infection occurs via physical media or on another network such as a hotel or airport.
(TLP: CLEAR) Vercara: Vercara’s Protective DNS solution, UltraDDR (DNS Detection and Response), supports 4 distinct detection engines to provide Defense in Depth against malware and phishing, and other abuses:
- The Lists Engine allows UltraDDR customers the ability to bring their own block lists and allow lists for FQDNs, domains, IP addresses, CIDR blocks, and registrars.
- The Categories Engine uses Vercara-provided Cyber Threat Intelligence feeds in 17 categories. Administrators can enable blocking on a category with just one button click.
- The Decision Engine uses a multi-petabyte adversarial infrastructure data lake and artificial intelligence techniques to determine if a previously unseen or recently changed domain is malicious in nature.
- The Ruleset Engine allows administrators the ability to build custom rules to augment and extend the other engines of UltraDDR.
Source: https://cybersecuritynews.com/hackers-leverage-jpg-images/
Criminal Proxy Network Infects Thousands of IoT Devices
(TLP: CLEAR) The article reports that U.S. retailers are now being targeted by hackers employing Scattered Spider tactics, previously used in recent cyberattacks against major retail chains in the United Kingdom. The threat group, also known by aliases such as UNC3944, 0ktapus, and Octo Tempest, is known for its sophisticated social engineering, phishing, SIM swapping, and multi-factor authentication (MFA) fatigue techniques. Recent attacks in the UK include breaches at Marks & Spencer, Co-op, and Harrods, with attackers deploying DragonForce ransomware on VMware ESXi systems. DragonForce, which emerged in late 2023, has been linked to Scattered Spider and is now offering white-label ransomware services to other cybercriminals.
The UK’s National Cyber Security Centre (NCSC) has issued guidance in response but has not formally attributed the attacks to a single group, though the tactics suggest strong links to Scattered Spider. This collective comprises mainly young, English-speaking hackers, who operate via Telegram, Discord, and hacker forums. Their decentralized structure and evolving affiliations with ransomware groups such as BlackCat, RansomHub, and Qilin make them difficult to track and disrupt. Google Threat Intelligence warns that this group will likely continue to focus on the retail sector in the near term. Organizations are urged to harden their defenses against these adaptive, socially engineered intrusions, especially as Scattered Spider actors are noted for breaching even well-defended systems.
(TLP: CLEAR) Comments: The article highlights the expansion of Scattered Spider’s ransomware operations from the UK to the US retail sector, underlining their increasing sophistication. Scattered Spider, also known as UNC3944, is a loosely connected collective of cybercriminals known for highly effective social engineering attacks, including phishing, SIM swapping, and multi-factor authentication (MFA) fatigue campaigns. Their tactics focus on exploiting human factors and third-party relationships, which traditional defenses often overlook. Since their rise in late 2023, with notable breaches such as MGM Resorts, they have acted as affiliates for multiple ransomware groups, including DragonForce and BlackCat, employing ransomware to encrypt VMware ESXi hypervisors. Their use of white-label ransomware services further amplifies their reach. The group’s young, English-speaking actors operate via Telegram and Discord, complicating attribution. Their aggressive, creative approach to circumventing mature security programs demonstrates the importance of integrating advanced threat intelligence, robust user awareness training, and technical controls to mitigate these evolving threats effectively.
(TLP: CLEAR) Recommended best practices/regulations: NIST SP 800-53 Rev5 SI-3: “MALICIOUS CODE PROTECTION
Control:
- Implement [Selection (one or more): signature based; non-signature based] malicious code protection mechanisms at system entry and exit points to detect and eradicate malicious code.
- Automatically update malicious code protection mechanisms as new releases are available in accordance with organizational configuration management policy and procedures.
- Configure malicious code protection mechanisms to: 1. Perform periodic scans of the system [Assignment: organization-defined frequency] and real-time scans of files from external sources at [Selection (one or more): endpoint; network entry and exit points] as the files are downloaded, opened, or executed in accordance with organizational policy; and 2. [Selection (one or more): block malicious code; quarantine malicious code; take [Assignment: organization-defined action]]; and send alert to [Assignment: organization defined personnel or roles] in response to malicious code detection.
- Address the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the system.
NIST requires malware detection and prevention solutions. This can be on the device, as with anti-virus agents, but also can be augmented by Protective DNS provided by the network that the device is on or across the Internet. This provides defense-in-depth and support for devices such as Internet of Things (IoT) or some servers that cannot run an endpoint client.
(TLP: CLEAR) Vercara: Vercara’s Protective DNS solution, UltraDDR (DNS Detection and Response), filters DNS queries and responses for users and machines alike, using both defined categories, including botnet command and control (C2), and machine learning that detects previously uncategorized malicious associations, to help prevent data exfiltration or malware detonation.
Source: https://www.infosecurity-magazine.com/news/proxy-network-infects-iot-devices/
Node.js Vulnerability Allows Attackers to Crash the Process & Halt Services
(TLP: CLEAR) The Node.js project has released urgent security updates to address a high-severity vulnerability (CVE-2025-23166) that allows remote attackers to crash Node.js processes by exploiting improper error handling in asynchronous cryptographic operations. The flaw, found in the C++ method SignTraits::DeriveBits(), can be triggered via untrusted inputs, potentially causing widespread denial of service and disrupting critical services that rely on Node.js. This vulnerability affects all active Node.js versions, including 20.x through 24.x, and end-of-life versions remain at risk if not upgraded. Additional medium- and low-severity issues were also fixed, but CVE-2025-23166 poses the greatest immediate risk. Node.js developers and organizations are strongly urged to update to the latest patched versions to prevent remote crashes and ensure service reliability. The Node.js team recommends subscribing to official security advisories for ongoing protection.
(TLP: CLEAR) Comments: The disclosed Node.js vulnerability (CVE-2025-23166) underscores the critical risks posed by flaws in fundamental cryptographic processes within widely used development platforms. Given Node.js’s extensive adoption in web applications and backend services, the potential for remote denial-of-service attacks could lead to significant operational disruptions across diverse sectors. The vulnerability’s exploitation via asynchronous cryptographic error handling highlights the complexity of securing multithreaded environments, where traditional error management may fail under adversarial conditions. Furthermore, the inclusion of multiple active release lines in the affected scope demonstrates the challenges in maintaining long-term security for rapidly evolving software ecosystems. The urgency of patch deployment is paramount, as delayed updates increase exposure to exploitation by threat actors seeking to destabilize services or gain footholds for more intrusive attacks. This incident reinforces the necessity for continuous vulnerability monitoring and prompt remediation in software supply chains, particularly for components underpinning authentication and secure communications. It also calls for enhanced developer awareness around asynchronous programming pitfalls and cryptographic implementation security.
(TLP: CLEAR) Recommended best practices/regulations: PCI-DSS V4.0 Section 6.4.2: “For public-facing web applications, an automated technical solution is deployed that continually detects and prevents web-based attacks, with at least the following:
- Is installed in front of public-facing web applications and is configured to detect and prevent web-based attacks.
- Actively running and up to date as applicable.
- Generating audit logs.
- Configured to either block web-based attacks or generate an alert that is immediately investigated.
(TLP: CLEAR) Vercara: Vercara’s Web Application Firewall, UltraWAF, equips your company with adaptable security features to counteract the most significant network and application-layer threats, including SQL injection, XSS, and DDoS attacks. Its always-on security posture, combined with cloud-based scalability, ensures comprehensive protection against the OWASP top 10, advanced bot management, and vulnerability scanning, allowing you to effectively shield your critical and customer-facing applications from emerging threats.
Source: https://cybersecuritynews.com/node-js-vulnerability-allows-attackers/
New HTTPBot Botnet Expanding Aggressively to Attack Windows Machines
(TLP: CLEAR) The newly identified HTTPBot botnet poses a significant threat to Windows systems, primarily targeting sectors like gaming, technology, and education with sophisticated HTTP-based DDoS attacks. First detected in August 2024, its activity intensified in April 2025, using modular, GoLang-based malware that evades traditional defenses by manipulating HTTP headers, URLs, and cookies. HTTPBot employs a multistage strategy with unique attack IDs to conduct precise assaults on critical business functions such as payment gateways and login portals, focusing on exhausting application-layer resources rather than flooding bandwidth. Its techniques include dynamic protocol switching, adaptive request rates, and browser-based attacks via headless Chrome, allowing it to mimic legitimate traffic and evade detection. Persistence is maintained through stealthy execution and registry autorun mechanisms on infected Windows machines. Researchers recommend moving beyond signature-based detection by employing behavioral analysis, dynamic cookie injection, and AI-driven rate limiting. HTTPBot’s evolving tactics underline the need for advanced, layered security measures and infrastructure adaptability to mitigate such targeted, low-traffic, high-impact attacks.
(TLP: CLEAR) Comments: The emergence of HTTPBot reflects an alarming evolution in botnet tactics, shifting from traditional volumetric DDoS attacks to more sophisticated, application-layer assaults designed to exhaust critical resources selectively. This strategic targeting of transactional systems such as payment gateways and login portals indicates an increased focus on disrupting business operations with precision rather than relying solely on traffic volume. The use of GoLang and modular design enhances the botnet’s ability to evade signature-based defenses, highlighting significant challenges for conventional security solutions. HTTPBot’s adaptive behavior—such as dynamic protocol switching and mimicking legitimate traffic—demonstrates a high level of operational sophistication, requiring defenders to adopt equally advanced mitigation strategies. Its persistence mechanisms, including registry manipulation and stealthy execution, further complicate detection and remediation efforts. This threat underscores the necessity for organizations, particularly in sectors reliant on real-time user interactions, to implement layered security approaches combining behavioral analysis, AI-driven anomaly detection, and scalable infrastructure defenses. HTTPBot exemplifies how modern cyber threats increasingly blend technical complexity with tactical subtlety to maximize impact while minimizing exposure.
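An added example, not code from the HTTPBot analysis or from Vercara: this Python detector applies the behavioural approach the researchers recommend to constructed access-log lines, flagging clients that hit login or checkout paths faster than a window threshold, or that keep doing so without ever returning a challenge cookie. The log format, endpoint list, thresholds and cookie name are assumptions.

```python
"""Per-client rate and challenge-cookie detector for HTTP floods.

Constructed example for this report, not code from the HTTPBot analysis: the
botnet sends modest volumes of browser-like requests at expensive endpoints
(login, payment), so per-client request rate on those paths and whether the
client returns a challenge cookie are stronger signals than raw bandwidth.
Assumes a combined log format with the request's Cookie header appended.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

EXPENSIVE_PREFIXES = ("/login", "/api/checkout")   # high back-end cost paths
WINDOW_SECONDS = 10
MAX_PER_WINDOW = 5           # constructed threshold; derive from real baselines
CHALLENGE_COOKIE = "chal"    # hypothetical cookie set by a JavaScript challenge

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \d+ "(?P<ua>[^"]*)" "(?P<cookie>[^"]*)"$'
)


def parse_line(line: str):
    """Parse one access-log line; return a dict or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["path"] = rec["path"].split("?", 1)[0]   # ignore cache-busting query strings
    return rec


class L7FloodDetector:
    """Sliding-window counter of expensive requests per client IP."""

    def __init__(self):
        self.recent = defaultdict(deque)   # ip -> timestamps of expensive hits
        self.alerts = {}                   # ip -> first reason it was flagged

    def observe(self, rec):
        if not rec["path"].startswith(EXPENSIVE_PREFIXES):
            return None                    # cheap content is not counted
        ip, now = rec["ip"], rec["ts"]
        window = self.recent[ip]
        window.append(now)
        while (now - window[0]).total_seconds() > WINDOW_SECONDS:
            window.popleft()
        reason = None
        if len(window) > MAX_PER_WINDOW:
            reason = f"{len(window)} expensive requests in {WINDOW_SECONDS}s"
        elif len(window) >= 3 and CHALLENGE_COOKIE not in rec["cookie"]:
            reason = "repeated expensive requests without challenge cookie"
        if reason and ip not in self.alerts:
            self.alerts[ip] = reason
        return reason


def analyse(lines):
    """Run the detector over log lines; return {ip: reason} for flagged clients."""
    det = L7FloodDetector()
    for line in lines:
        rec = parse_line(line)
        if rec:
            det.observe(rec)
    return det.alerts


def _line(ip, hms, path, cookie, method="POST"):
    return (f'{ip} - - [16/May/2025:{hms} +0000] "{method} {path} HTTP/1.1" 200 512 '
            f'"Mozilla/5.0 (Windows NT 10.0) Chrome/124.0" "{cookie}"')


# Constructed traffic: one human, one browsing client, two bot patterns.
SAMPLE_LOG = (
    [_line("198.51.100.7", t, "/login", "chal=ab12; sid=77")
     for t in ("10:00:00", "10:00:30", "10:01:00")]
    + [_line("192.0.2.44", "10:00:01", "/catalog", "chal=cd34", "GET")]
    + [_line("203.0.113.5", f"10:00:0{s}", "/login?x=1", "chal=9f3a") for s in range(7)]
    + [_line("203.0.113.9", f"10:00:{s:02d}", "/api/checkout", "-") for s in (0, 4, 8, 12, 16)]
)

if __name__ == "__main__":
    for ip, why in analyse(SAMPLE_LOG).items():
        print(f"{ip}: {why}")
```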
(TLP: CLEAR) Recommended best practices/regulations: Request for Comments (RFC) 2827/Best Current Practice (BCP) 38: “Ingress traffic filtering at the periphery of Internet connected networks will reduce the effectiveness of source address spoofing denial of service attacks. Network service providers and administrators have already begun implementing this type of filtering on periphery routers, and it is recommended that all service providers do so as soon as possible. In addition to aiding the Internet community as a whole to defeat this attack method, it can also assist service providers in locating the source of the attack if service providers can categorically demonstrate that their network already has ingress filtering in place on customer links.”
(TLP: CLEAR) Vercara: Vercara UltraDDoS Protect is overseen by a 24/7 Security Operations Center (SOC) staffed by senior-level DDoS mitigation professionals who have the expertise, skills, and tools to thwart even the most sophisticated DDoS attacks.
Source: https://cybersecuritynews.com/new-httpbot-botnet-expanding-aggressively/
Samsung Patches CVE-2025-4632 Used to Deploy Mirai Botnet via MagicINFO 9 Exploit
(TLP: CLEAR) Samsung has issued critical security updates for MagicINFO 9 Server to address a high-severity path traversal vulnerability, CVE-2025-4632, with a CVSS score of 9.8. This flaw allows attackers to write arbitrary files with system privileges, posing a significant security risk. Notably, CVE-2025-4632 is a patch bypass for an earlier similar vulnerability, CVE-2024-7399, which Samsung patched in August 2024. Exploitation of CVE-2025-4632 has been observed in the wild shortly after a proof-of-concept release in April 2025, including attempts to deploy the Mirai botnet. Huntress cybersecurity researchers discovered active attacks targeting even recently updated MagicINFO 9 Server instances. Their investigations revealed multiple incidents involving the execution of reconnaissance commands and downloading malicious payloads. Users are strongly advised to upgrade to MagicINFO version 21.1052.0, which effectively mitigates the vulnerability, though the upgrade path requires a two-step process. Prompt patching is crucial to prevent further exploitation.
(TLP: CLEAR) Comments: The discovery and exploitation of CVE-2025-4632 in Samsung’s MagicINFO 9 Server highlight persistent challenges in software patch management and vulnerability mitigation. This path traversal flaw, effectively bypassing a previous patch (CVE-2024-7399), underscores the risk of incomplete fixes and the importance of rigorous security validation after updates are released. The rapid weaponization of this vulnerability, including deployment attempts of the Mirai botnet, illustrates how threat actors swiftly leverage newly disclosed weaknesses to compromise systems. The multi-stage exploitation tactics observed by Huntress, involving reconnaissance and payload delivery, reflect sophisticated attacker behavior focused on maintaining persistence and lateral movement. Furthermore, the complexity in upgrading between versions of MagicINFO reveals potential operational barriers that may delay timely patch adoption, thereby prolonging exposure. This case emphasizes the critical need for organizations to enforce comprehensive patch management policies, conduct thorough testing of applied fixes, and implement layered defenses that detect and mitigate post-exploitation activities. It also serves as a reminder that threat actors continuously adapt, requiring proactive and dynamic cybersecurity strategies.
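The incomplete-fix pattern behind a patch bypass, as an added example that is neither Samsung's code nor a reproduction of the MagicINFO flaw: a naive one-pass filter is shown beside a check that resolves the final path and verifies it stays inside the upload root. The function names, the upload root and the sample file names are assumptions.

```python
"""Canonical-path check for a server that writes client-supplied file names.

Constructed example for this report, not Samsung's code, and it does not
reproduce the MagicINFO flaw: it contrasts a single-pass "strip ../" filter,
the kind of incomplete fix that invites a patch bypass, with resolving the
final path and checking that it stays under the upload root.
"""
import tempfile
from pathlib import Path


def naive_sanitise(name: str) -> str:
    """Incomplete fix: removes one layer of '../' and nothing else."""
    return name.replace("../", "")


def safe_target(upload_root: Path, name: str) -> Path:
    """Resolve name under upload_root; raise ValueError if it escapes the root.

    The check runs after '..' and symlink resolution, so it does not depend on
    recognising every spelling of a traversal sequence up front.
    """
    root = upload_root.resolve()
    candidate = (root / name).resolve()      # an absolute name replaces root here
    try:
        candidate.relative_to(root)
    except ValueError:
        raise ValueError(f"path escapes upload root: {name!r}") from None
    if candidate == root:
        raise ValueError("empty file name")
    return candidate


def write_upload(upload_root: Path, name: str, data: bytes) -> Path:
    """Write data only to a vetted location under upload_root."""
    target = safe_target(upload_root, name)
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_bytes(data)
    return target


def classify(names):
    """Map each requested name to its vetted relative path or 'rejected'."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp).resolve()
        out = {}
        for n in names:
            try:
                out[n] = str(safe_target(root, n).relative_to(root))
            except ValueError:
                out[n] = "rejected"
        return out


def demo() -> bytes:
    """Write and read back a file inside a temporary root; returns its bytes."""
    with tempfile.TemporaryDirectory() as tmp:
        p = write_upload(Path(tmp), "reports/q1.txt", b"hello")
        return p.read_bytes()


if __name__ == "__main__":
    # The one-pass filter leaves a traversal behind; the resolved check does not.
    print("naive:", naive_sanitise("....//outside.txt"))
    print(classify(["reports/q1.txt", "../outside.txt", "/etc/hosts", ""]))
```

Validating after upgrades means re-running such inputs against the patched build, which is the testing step the comment above calls for.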
(TLP: CLEAR) Recommended best practices/regulations: Cybersecurity and Infrastructure Security Agency (CISA) publication “VOLUMETRIC DDOS AGAINST WEB SERVICES TECHNICAL GUIDANCE”: “Agencies should select a provider that has the capacity to scale and withstand large volumetric DDoS attacks. Agencies should also understand their role and the role of the provider if targeted by a DDoS attack. Note the two consumption models previously identified for DDoS mitigation services – always-on and on-call/on-demand. In an always-on model, all traffic always passes through the mitigation provider’s service (which may add latency if the distance between the customer internet circuit and mitigation service are high). Always-on can provide instant protection, but agencies should always validate time-to-mitigation of any proposed solution. The on-demand consumption model only sends traffic to scrubbing centers when directed to do so via human intervention during an attack. Agencies must communicate with their provider to understand which protections are available, the protections that are included in the existing contracts, and those offered à la carte. For services that require manual activation, agencies must understand each organization and individual’s roles, as well as develop, maintain, and test the activation procedures for best response.”
(TLP: CLEAR) Vercara: Vercara UltraDDoS Protect is a purpose-built DDoS mitigation solution that offers comprehensive protection through on-premises hardware, cloud-based DDoS mitigation, or hybrid approaches. Tailored to meet any organizational need, Vercara’s array of DDoS Protection services includes blocking DDoS attacks, redirecting DDoS attacks, and cloud DDoS prevention, ensuring the broadest and most adaptable DDoS defense services available.
Source: https://thehackernews.com/2025/05/samsung-patches-cve-2025-4632-used-to.html