AVRecon malware for Linux powering SocksEscort proxy network
Malware Activity
Summary
Hide ▲
Show ▼
The AVRecon malware for Linux powered the SocksEscort proxy network, turning compromised Linux-based SOHO routers into traffic-routing nodes at scale. It was believed active since May 2021 and had infected 70,000+ routers by mid-2023. The malware’s persistence and reach helped sustain a long-running criminal proxy service.
Related Happenings
UAT-7810 malware toolkit expansion with LONGLEASH, DOGLEASH, and JARLEASH
Malware Activity
H score27
First: 08.07.2026 17:30
Last: 08.07.2026 17:30
Sources 1
About this happening:
**Chinese threat actor UAT-7810** is **actively refining** its bespoke malware to expand the **LapDogs ORB network** by breaking into **internet-facing networking devices**. The a...
UAT-7810 malware toolkit expansion with LONGLEASH, DOGLEASH, and JARLEASH
Malware ActivityAbout this happening: **Chinese threat actor UAT-7810** is **actively refining** its bespoke malware to expand the **LapDogs ORB network** by breaking into **internet-facing networking devices**. The a...
UAT-7810 expands LapDogs ORB network to provide covert routing infrastructure
Threat Actor Meta
H score29
First: 08.07.2026 17:30
Last: 08.07.2026 17:30
Sources 1
About this happening:
**UAT-7810** expanded its **LapDogs ORB network**, adding covert routing capacity that helps other hackers hide traffic origin and reach **high-value targets**. The infrastructure...
UAT-7810 expands LapDogs ORB network to provide covert routing infrastructure
Threat Actor MetaAbout this happening: **UAT-7810** expanded its **LapDogs ORB network**, adding covert routing capacity that helps other hackers hide traffic origin and reach **high-value targets**. The infrastructure...
StealC and Amadey infostealer infrastructure disruption
Malware Activity
H score69
First: 24.06.2026 18:25
Last: 24.06.2026 18:25
Sources 1
About this happening:
**StealC** and **Amadey** malware infrastructure was disrupted in **Operation Endgame**, cutting off the command-and-control services used to manage infected systems. Europol said...
StealC and Amadey infostealer infrastructure disruption
Malware ActivityAbout this happening: **StealC** and **Amadey** malware infrastructure was disrupted in **Operation Endgame**, cutting off the command-and-control services used to manage infected systems. Europol said...
AryStinger legacy-router and QNAP NAS reconnaissance campaign
Campaign
H score72
First: 22.06.2026 09:57
Last: 22.06.2026 09:57
Sources 1
About this happening:
The **AryStinger** campaign is turning **legacy routers** and **QNAP NAS boxes** into a **distributed reconnaissance and proxy network**, creating a stealth relay layer for intrus...
AryStinger legacy-router and QNAP NAS reconnaissance campaign
CampaignAbout this happening: The **AryStinger** campaign is turning **legacy routers** and **QNAP NAS boxes** into a **distributed reconnaissance and proxy network**, creating a stealth relay layer for intrus...
AryStinger botnet turns outdated routers into proxy executors
Malware Activity
H score60
First: 21.06.2026 17:14
Last: 21.06.2026 17:14
Sources 1
About this happening:
The **AryStinger** botnet is **compromising more than 4,000 outdated routers** and converting them into **proxy executors** for malicious traffic, expanding attacker reach and int...
AryStinger botnet turns outdated routers into proxy executors
Malware ActivityAbout this happening: The **AryStinger** botnet is **compromising more than 4,000 outdated routers** and converting them into **proxy executors** for malicious traffic, expanding attacker reach and int...
Timeline
-
12.03.2026 18:19 2 articles · 3mo ago
US and European disruption of SocksEscort proxy network
Initial DisclosureU.S. and European law enforcement, working with private partners, disrupted the SocksEscort cybercrime proxy network that used AVRecon malware for Linux to compromise edge devices and route criminal traffic through residential and small business routers. The network had offered access to about 369,000 IP addresses since summer 2020, listed approximately 8,000 infected routers as of February 2026, and was tied to cryptocurrency theft and fraud losses against victims in New York, Pennsylvania, and the U.S. military card program.
Show sources
- US disrupts SocksEscort proxy network powered by Linux malware — www.bleepingcomputer.com — 12.03.2026 18:19
- Law Enforcement Dismantles SocksEscort Proxy Network in Operation Lightning — www.infosecurity-magazine.com — 13.03.2026 12:00