SocksEscort criminal proxy-service ecosystem monetizing residential routers
Threat Actor Meta
Summary
Hide ▲
Show ▼
The SocksEscort proxy-service ecosystem turned compromised residential routers into a rentable abuse platform, letting criminal customers hide behind 369,000 IP addresses across 163 countries. That model mattered because it converted botnet access into a subscription service for fraud, ransomware, DDoS, and other abuse. By February 2026, the service was still listing nearly 8,000 infected routers, showing a durable underground market rather than a one-off botnet.
Related Happenings
FBI seizes NetNut and Popa botnet domains
Law Enforcement
H score34
First: 02.07.2026 22:27
Last: 02.07.2026 22:27
Sources 1
About this happening:
The **FBI** seized **hundreds of domains** tied to **NetNut** and the **Popa botnet**, disrupting infrastructure used for **abusive traffic** and **account-takeover activity**. Th...
FBI seizes NetNut and Popa botnet domains
Law EnforcementAbout this happening: The **FBI** seized **hundreds of domains** tied to **NetNut** and the **Popa botnet**, disrupting infrastructure used for **abusive traffic** and **account-takeover activity**. Th...
RustDuck DDoS botnet activity targeting routers and servers
Malware Activity
H score27
First: 30.06.2026 20:45
Last: 30.06.2026 20:45
Sources 1
About this happening:
The **RustDuck** malware family is **hijacking routers, cameras, Android boxes, and servers** to assemble a **DDoS botnet** that can flood targets and knock websites and online se...
RustDuck DDoS botnet activity targeting routers and servers
Malware ActivityAbout this happening: The **RustDuck** malware family is **hijacking routers, cameras, Android boxes, and servers** to assemble a **DDoS botnet** that can flood targets and knock websites and online se...
AryStinger legacy-router and QNAP NAS reconnaissance campaign
Campaign
H score72
First: 22.06.2026 09:57
Last: 22.06.2026 09:57
Sources 1
About this happening:
The **AryStinger** campaign is turning **legacy routers** and **QNAP NAS boxes** into a **distributed reconnaissance and proxy network**, creating a stealth relay layer for intrus...
AryStinger legacy-router and QNAP NAS reconnaissance campaign
CampaignAbout this happening: The **AryStinger** campaign is turning **legacy routers** and **QNAP NAS boxes** into a **distributed reconnaissance and proxy network**, creating a stealth relay layer for intrus...
Popa botnet forcing consumer TV boxes to relay traffic
Malware Activity
H score76
First: 18.06.2026 20:37
Last: 18.06.2026 20:37
Sources 1
About this happening:
**Popa** is an **Android-based botnet** that turns **consumer TV boxes** and related devices into relay infrastructure, maintaining encrypted connectivity and opening tunnels on d...
Popa botnet forcing consumer TV boxes to relay traffic
Malware ActivityAbout this happening: **Popa** is an **Android-based botnet** that turns **consumer TV boxes** and related devices into relay infrastructure, maintaining encrypted connectivity and opening tunnels on d...
Latest development: 03.07.2026 12:35
Google disabled NetNut accounts used for malware command-and-control, updated Google Play Protect to warn Android users, and disabled apps containing compromised SDKs while FBI legal actions and domain seizures targeted NetNut infrastructure. The coordinated disruption was described as degrading NetNut’s proxy network and shrinking the pool of devices available to the operator.
JDY botnet reconnaissance expansion to 1,500+ SOHO/IoT devices
Malware Activity
H score33
First: 10.06.2026 19:08
Last: 10.06.2026 19:08
Sources 1
About this happening:
The **JDY botnet** has expanded to **more than 1,500 compromised SOHO/IoT devices**, making it a larger-scale **reconnaissance scanner** for exposed infrastructure and follow-on t...
JDY botnet reconnaissance expansion to 1,500+ SOHO/IoT devices
Malware ActivityAbout this happening: The **JDY botnet** has expanded to **more than 1,500 compromised SOHO/IoT devices**, making it a larger-scale **reconnaissance scanner** for exposed infrastructure and follow-on t...
Timeline
-
13.03.2026 07:26 2 articles · 3mo ago
Operation Lightning dismantles SocksEscort proxy service
Initial DisclosureCourt-authorized international law enforcement acting under Operation Lightning dismantled SocksEscort, a criminal proxy service that used AVrecon to infect residential and small-business routers and resell traffic relay access for fraud and other abuse; authorities said the disruption took down 34 domains and 23 servers, froze $3.5 million in cryptocurrency, and targeted infrastructure spanning multiple countries.
Show sources
- Authorities Disrupt SocksEscort Proxy Botnet Exploiting 369,000 IPs Across 163 Countries — thehackernews.com — 13.03.2026 07:26
- Authorities Disrupt SocksEscort Proxy Botnet Exploiting 369,000 IPs Across 163 Countries — thehackernews.com — 13.03.2026 07:26