The FBI warns that threat actors are using malware on end-of-life (EoL) routers, turning them into proxies sold on the 5Socks and Anyproxy networks.
Outdated routers, which no longer receive security updates from their manufacturers, are susceptible to external attacks leveraging publicly available exploits to inject persistent malware.
Once compromised, these devices become part of residential proxy botnets that route malicious traffic. Cybercriminals often use these proxies to carry out illegal activities and cyberattacks.
“Through the 5Socks and Anyproxy network, criminals sell access to compromised routers as proxies for customers to purchase and utilize,” states the FBI Flash advisory.
“The proxies can be leveraged by threat actors to conceal their identity or location.”
The advisory identifies the following EoL Linksys and Cisco models as frequent targets:
- Linksys E1200, E2500, E1000, E4200, E1500, E300, E3200, E1550
- Linksys WRT320N, WRT310N, WRT610N
- Cradlepoint E100
- Cisco M10
The FBI reports that Chinese state-sponsored actors have exploited known vulnerabilities in these routers to execute covert espionage campaigns, particularly targeting critical U.S. infrastructure.
In a related bulletin, the agency confirms many of these routers are infected with a variant of “TheMoon” malware, which allows threat actors to configure them as proxies.
“End-of-life routers have been breached by cyber actors utilizing variants of TheMoon malware,” notes the FBI bulletin.
“Recently, compromised routers at the end of life—with remote administration enabled—were identified as infected by a new variant of TheMoon malware. This malware allows cyber criminals to install proxies on unsuspecting victim routers to conduct cyber crimes anonymously.”
Once compromised, routers connect to command-and-control (C2) servers to receive commands, including scanning for and compromising additional vulnerable devices on the Internet.
The FBI indicates that these proxies are used to evade detection during cryptocurrency theft, cybercrime-for-hire endeavors, and other illegal activities.
Common indicators of botnet compromise include disruptions in network connectivity, overheating, performance degradation, unexpected configuration changes, the presence of rogue admin users, and unusual network traffic patterns.
The best strategy to mitigate the risk of botnet infections is to replace end-of-life routers with newer, actively supported models.
If replacement isn’t feasible, apply the most recent firmware available from the vendor’s official download portal, change the default admin credentials, and disable remote management.
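As an added example (not code from the FBI advisory or this article), the following Python audit runs over a constructed router inventory and flags the models the advisory lists, the two hardening points above (remote management enabled, default admin credentials unchanged) and the rogue-admin-user indicator of compromise; the inventory field names and sample hosts are assumptions made for the example.

```python
from dataclasses import dataclass, field

# Models the FBI Flash advisory names as frequent targets (lower-cased).
EOL_MODELS = {
    "linksys e1200", "linksys e2500", "linksys e1000", "linksys e4200",
    "linksys e1500", "linksys e300", "linksys e3200", "linksys e1550",
    "linksys wrt320n", "linksys wrt310n", "linksys wrt610n",
    "cradlepoint e100", "cisco m10",
}

@dataclass
class Router:
    # One inventory record; the field names are assumptions for this example.
    hostname: str
    model: str
    remote_mgmt_enabled: bool
    default_password_changed: bool
    admin_users: list[str]
    # Admin accounts the owner knows about; anything else is a rogue user.
    expected_admins: set[str] = field(default_factory=lambda: {"admin"})

def audit(router: Router) -> dict:
    """Return the findings for one router and the action they call for."""
    findings = []
    # Case- and whitespace-insensitive match against the advisory's list.
    is_eol = " ".join(router.model.casefold().split()) in EOL_MODELS
    if is_eol:
        findings.append("eol-model")
    if router.remote_mgmt_enabled:
        findings.append("remote-management-enabled")
    if not router.default_password_changed:
        findings.append("default-admin-credentials")
    rogue = [u for u in router.admin_users if u not in router.expected_admins]
    findings.extend(f"rogue-admin-user:{u}" for u in rogue)
    if rogue:
        action = "investigate"  # rogue admins are an indicator of compromise
    elif is_eol:
        action = "replace"      # no further vendor patches will arrive
    elif findings:
        action = "harden"       # supported device with fixable settings
    else:
        action = "ok"
    return {"hostname": router.hostname, "findings": findings, "action": action}

# Constructed sample inventory; these are not real devices.
SAMPLE_INVENTORY = [
    Router("branch-gw-01", "LINKSYS  E1200", True, False, ["admin", "support2"]),
    Router("branch-gw-02", "Cisco M10", False, True, ["admin"]),
    Router("hq-edge-01", "SupportedVendor X1", True, True, ["admin"]),
]

def audit_all(inventory=SAMPLE_INVENTORY) -> list[dict]:
    return [audit(r) for r in inventory]
```

A device that is both end-of-life and shows a rogue admin account is reported as "investigate" rather than merely "replace", since the advisory ties remote-administration-enabled EoL routers to active TheMoon infections.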
The FBI has provided indicators of compromise linked to the malware found on EoL devices.