
AVRecon malware for Linux powering SocksEscort proxy network

Malware Activity
Happening score
H score 28
2 unique sources, 2 articles

Summary


The AVRecon malware for Linux powered the SocksEscort proxy network, turning compromised Linux-based SOHO routers into traffic-routing nodes at scale. It was believed active since May 2021 and had infected 70,000+ routers by mid-2023. The malware’s persistence and reach helped sustain a long-running criminal proxy service.

Related Happenings

Glassworm botnet command-and-control disruption

Malware Activity
First: 27.05.2026 17:00 Last: 27.05.2026 17:00 Sources 1

About this happening: The **Glassworm** botnet had all **four command-and-control channels** disrupted, cutting operators off from infected machines and blocking new payload delivery. The infrastructur...

Xlabs_v1 Mirai-derived ADB DDoS botnet

Malware Activity
First: 06.05.2026 23:21 Last: 06.05.2026 23:21 Sources 1

About this happening: The **xlabs_v1** Mirai-derived botnet has been exposed as a **DDoS** tool that abuses **Android Debug Bridge (ADB)** on internet-facing devices, expanding risk to **Android**, rou...

China-nexus hijacked-device proxy network campaign

Campaign
First: 23.04.2026 15:28 Last: 23.04.2026 15:28 Sources 1

About this happening: China-nexus hackers are **increasingly using** large-scale proxy networks of hijacked consumer devices to **evade detection**, making malicious traffic harder to trace and block....

NCSC-UK joint advisory on covert botnets and proxy networks

Public Sector Action
First: 23.04.2026 15:28 Last: 23.04.2026 15:28 Sources 1

About this happening: **NCSC-UK** and partner agencies issued a **joint advisory** warning that **China-nexus hackers** are using **hijacked consumer devices** as covert proxy networks to hide maliciou...

Nexcorium Mirai botnet activity on TBK DVR devices

Malware Activity
First: 18.04.2026 09:01 Last: 18.04.2026 09:01 Sources 1

About this happening: **Nexcorium**, a **Mirai variant**, is now being deployed against **TBK DVR-4104** and **DVR-4216** devices by exploiting **CVE-2024-3721**, turning compromised IoT hardware into...

Timeline

  1. 12.03.2026 18:19 2 articles · 2mo ago

    US and European disruption of SocksEscort proxy network

    Initial Disclosure

    U.S. and European law enforcement, working with private partners, disrupted the SocksEscort cybercrime proxy network that used AVRecon malware for Linux to compromise edge devices and route criminal traffic through residential and small business routers. The network had offered access to about 369,000 IP addresses since summer 2020, listed approximately 8,000 infected routers as of February 2026, and was tied to cryptocurrency theft and fraud losses against victims in New York, Pennsylvania, and the U.S. military card program.
