FBI Warns End-of-Life Routers Exploited in Active Botnet and Proxy Campaigns
Summary
The FBI issued an alert warning of ongoing exploitation of 13 EOL Linksys/Cisco routers by cybercriminal groups operating the 5Socks and Anyproxy services.
The threat actors are using known vulnerabilities in outdated firmware to install malware, hijack routers, and leverage them as part of a botnet or proxy service used to mask malicious activities.
The malware establishes persistent access via regular communication with a command & control (C2) server, and affected devices are being rented out to other criminals.
The FBI strongly recommends replacing EOL devices with with newer and actively supported model or at least disabling remote management features immediately.
Technical Details
Attack Overview
- Entry Point: Remote administration services exposed to the Internet.
- Authentication Bypass: Attackers bypass password protection to gain shell/root access.
- Malware Capabilities:
- Maintains persistent presence through C2 check-ins every 60 seconds to 5 minutes.
- Opens ports to act as proxy relays.
- Enables the sale of infected routers as “proxy-as-a-service” infrastructure.
Confirmed Vulnerable Devices
The FBI has identified the following end-of-life (EOL) routers from Cisco and Linksys as actively targeted in these campaigns:
- E1200
- E2500
- E1000
- E4200
- E1500
- E300
- E3200
- WRT320N
- E1550
- WRT610N
- E100
- M10
- WRT310N
Indicators of Compromise (IOCs)
Since the malware is router-based, it is difficult for an end user to know if their device is compromised due to the inability of antivirus tools to scan these devices.
Below is a list of files associated with the malware’s router exploitation campaign:
| Name | Hash |
| 0_forumdisplay-php_sh_gn-37-sh | 661880986a026eb74397c334596a2762 |
| 1_banana.gif_to_elf_t | 62204e3d5de02e40e9f2c51eb991f4e8 |
| 2_multiquote_off.gif_to_elf_gn-p_forward- hw-data-to-exploit-server | 9f0f0632b8c37746e739fe61f373f795 |
| 3_collapse_tcat_gif_sh_s3-sh | 22f1f4c46ac53366582e8c023dab4771 |
| 4_message_gif_to_elf_k | cffe06b0adcc58e730e74ddf7d0b4bb8 |
| 5_viewpost_gif_to_elf_s | 084802b4b893c482c94d20b55bfea47d |
| 6_vk_gif_to_elf_b | e9eba0b62506645ebfd64becdd4f16fc |
| 7_slack_gif_DATA | 41e8ece38086156959804becaaee8985 |
| 8_share_gif_DATA | 1f7b16992651632750e7e04edd00a45e |
| banana.gif-upx | 2667a50869c816fa61d432781c731ed2 |
| message.gif-upx | 0bc534365fa55ac055365d3c31843de7 |
Recommended Mitigations:
- Replace Vulnerable Devices: Immediately replace EOL routers with models still supported by vendors and receiving firmware/security updates.
- Disable Remote Administration: Turn off any form of remote management via web, SSH, or Telnet.
- Reboot Compromised Devices: This can temporarily disrupt malware persistence, though not permanently remove it.
- Network Segmentation: Isolate critical devices from consumer routers or IoT networks.
- Implement Monitoring Tools: Use firewalls or network sensors that detect unusual traffic or device behavior.
“End of life routers were breached by cyber actors using variants of TheMoon malware botnet,” reads the FBI bulletin.
“Recently, some routers at end of life, with remote administration turned on, were identified as compromised by a new variant of TheMoon malware. This malware allows cyber actors to install proxies on unsuspecting victim routers and conduct cyber crimes anonymously.”
References:
- https://www.usatoday.com/story/tech/2025/05/09/linksys-internet-routers-cyberattack-fbi/83537973007/
Recent Comments