Find notable cyber news and cases, enriched with sources, timelines, and signals.

AVRecon malware for Linux powering SocksEscort proxy network

Malware Activity
First reported
Last updated
Happening score
H score 19
2 unique sources, 2 articles

Summary

Hide ▲

The AVRecon malware for Linux powered the SocksEscort proxy network, turning compromised Linux-based SOHO routers into traffic-routing nodes at scale. It was believed active since May 2021 and had infected 70,000+ routers by mid-2023. The malware’s persistence and reach helped sustain a long-running criminal proxy service.

Related Happenings

UAT-7810 malware toolkit expansion with LONGLEASH, DOGLEASH, and JARLEASH

Malware Activity
H score27 First: 08.07.2026 17:30 Last: 08.07.2026 17:30 Sources 1

About this happening: **Chinese threat actor UAT-7810** is **actively refining** its bespoke malware to expand the **LapDogs ORB network** by breaking into **internet-facing networking devices**. The a...

UAT-7810 expands LapDogs ORB network to provide covert routing infrastructure

Threat Actor Meta
H score29 First: 08.07.2026 17:30 Last: 08.07.2026 17:30 Sources 1

About this happening: **UAT-7810** expanded its **LapDogs ORB network**, adding covert routing capacity that helps other hackers hide traffic origin and reach **high-value targets**. The infrastructure...

StealC and Amadey infostealer infrastructure disruption

Malware Activity
H score69 First: 24.06.2026 18:25 Last: 24.06.2026 18:25 Sources 1

About this happening: **StealC** and **Amadey** malware infrastructure was disrupted in **Operation Endgame**, cutting off the command-and-control services used to manage infected systems. Europol said...

AryStinger legacy-router and QNAP NAS reconnaissance campaign

Campaign
H score72 First: 22.06.2026 09:57 Last: 22.06.2026 09:57 Sources 1

About this happening: The **AryStinger** campaign is turning **legacy routers** and **QNAP NAS boxes** into a **distributed reconnaissance and proxy network**, creating a stealth relay layer for intrus...

AryStinger botnet turns outdated routers into proxy executors

Malware Activity
H score60 First: 21.06.2026 17:14 Last: 21.06.2026 17:14 Sources 1

About this happening: The **AryStinger** botnet is **compromising more than 4,000 outdated routers** and converting them into **proxy executors** for malicious traffic, expanding attacker reach and int...

Timeline

  1. 12.03.2026 18:19 2 articles · 3mo ago

    US and European disruption of SocksEscort proxy network

    Initial Disclosure

    U.S. and European law enforcement, working with private partners, disrupted the SocksEscort cybercrime proxy network that used AVRecon malware for Linux to compromise edge devices and route criminal traffic through residential and small business routers. The network had offered access to about 369,000 IP addresses since summer 2020, listed approximately 8,000 infected routers as of February 2026, and was tied to cryptocurrency theft and fraud losses against victims in New York, Pennsylvania, and the U.S. military card program.

    Show sources