Summary 

The FBI issued an alert warning of ongoing exploitation of 13 EOL Linksys/Cisco routers by cybercriminal groups operating the 5Socks and Anyproxy services.

The threat actors are using known vulnerabilities in outdated firmware to install malware, hijack routers, and leverage them as part of a botnet or proxy service used to mask malicious activities. 

The malware establishes persistent access via regular communication with a command & control (C2) server, and affected devices are being rented out to other criminals.

The FBI strongly recommends replacing EOL devices with with newer and actively supported model or at least disabling remote management features immediately. 

Technical Details 

Attack Overview 

• Entry Point: Remote administration services exposed to the Internet. 

• Authentication Bypass: Attackers bypass password protection to gain shell/root access. 

• Malware Capabilities: 

• Maintains persistent presence through C2 check-ins every 60 seconds to 5 minutes. 

• Opens ports to act as proxy relays. 

• Enables the sale of infected routers as “proxy-as-a-service” infrastructure. 

Confirmed Vulnerable Devices 

The FBI has identified the following end-of-life (EOL) routers from Cisco and Linksys as actively targeted in these campaigns: 

• E1200 

• E2500 

• E1000 

• E4200 

• E1500 

• E300 

• E3200 

• WRT320N 

• E1550 

• WRT610N 

• E100 

• M10 

• WRT310N 

Indicators of Compromise (IOCs) 

Since the malware is router-based, it is difficult for an end user to know if their device is compromised due to the inability of antivirus tools to scan these devices.

Below is a list of files associated with the malware’s router exploitation campaign: 

Name	Hash
0_forumdisplay-php_sh_gn-37-sh	661880986a026eb74397c334596a2762
1_banana.gif_to_elf_t	62204e3d5de02e40e9f2c51eb991f4e8
2_multiquote_off.gif_to_elf_gn-p_forward-  hw-data-to-exploit-server	9f0f0632b8c37746e739fe61f373f795
3_collapse_tcat_gif_sh_s3-sh	22f1f4c46ac53366582e8c023dab4771
4_message_gif_to_elf_k	cffe06b0adcc58e730e74ddf7d0b4bb8
5_viewpost_gif_to_elf_s	084802b4b893c482c94d20b55bfea47d
6_vk_gif_to_elf_b	e9eba0b62506645ebfd64becdd4f16fc
7_slack_gif_DATA	41e8ece38086156959804becaaee8985
8_share_gif_DATA	1f7b16992651632750e7e04edd00a45e
banana.gif-upx	2667a50869c816fa61d432781c731ed2
message.gif-upx	0bc534365fa55ac055365d3c31843de7

Recommended Mitigations: 

• Replace Vulnerable Devices: Immediately replace EOL routers with models still supported by vendors and receiving firmware/security updates. 

• Disable Remote Administration: Turn off any form of remote management via web, SSH, or Telnet. 

• Reboot Compromised Devices: This can temporarily disrupt malware persistence, though not permanently remove it. 

• Network Segmentation: Isolate critical devices from consumer routers or IoT networks. 

• Implement Monitoring Tools: Use firewalls or network sensors that detect unusual traffic or device behavior. 

“End of life routers were breached by cyber actors using variants of TheMoon malware botnet,” reads the FBI bulletin.

“Recently, some routers at end of life, with remote administration turned on, were identified as compromised by a new variant of TheMoon malware. This malware allows cyber actors to install proxies on unsuspecting victim routers and conduct cyber crimes anonymously.”

References: 

• https://www.usatoday.com/story/tech/2025/05/09/linksys-internet-routers-cyberattack-fbi/83537973007/  

• https://www.ic3.gov/CSA/2025/250507.pdf