Find notable cyber news and cases, enriched with sources, timelines, and signals.

SocksEscort criminal proxy-service ecosystem monetizing residential routers

Threat Actor Meta
First reported
Last updated
Happening score
H score 36
1 unique sources, 1 articles

Summary

Hide ▲

The SocksEscort proxy-service ecosystem turned compromised residential routers into a rentable abuse platform, letting criminal customers hide behind 369,000 IP addresses across 163 countries. That model mattered because it converted botnet access into a subscription service for fraud, ransomware, DDoS, and other abuse. By February 2026, the service was still listing nearly 8,000 infected routers, showing a durable underground market rather than a one-off botnet.

Related Happenings

FBI seizes NetNut and Popa botnet domains

Law Enforcement
H score34 First: 02.07.2026 22:27 Last: 02.07.2026 22:27 Sources 1

About this happening: The **FBI** seized **hundreds of domains** tied to **NetNut** and the **Popa botnet**, disrupting infrastructure used for **abusive traffic** and **account-takeover activity**. Th...

RustDuck DDoS botnet activity targeting routers and servers

Malware Activity
H score27 First: 30.06.2026 20:45 Last: 30.06.2026 20:45 Sources 1

About this happening: The **RustDuck** malware family is **hijacking routers, cameras, Android boxes, and servers** to assemble a **DDoS botnet** that can flood targets and knock websites and online se...

AryStinger legacy-router and QNAP NAS reconnaissance campaign

Campaign
H score72 First: 22.06.2026 09:57 Last: 22.06.2026 09:57 Sources 1

About this happening: The **AryStinger** campaign is turning **legacy routers** and **QNAP NAS boxes** into a **distributed reconnaissance and proxy network**, creating a stealth relay layer for intrus...

Popa botnet forcing consumer TV boxes to relay traffic

Malware Activity
H score76 First: 18.06.2026 20:37 Last: 18.06.2026 20:37 Sources 1

About this happening: **Popa** is an **Android-based botnet** that turns **consumer TV boxes** and related devices into relay infrastructure, maintaining encrypted connectivity and opening tunnels on d...

Latest development: 03.07.2026 12:35

Google disabled NetNut accounts used for malware command-and-control, updated Google Play Protect to warn Android users, and disabled apps containing compromised SDKs while FBI legal actions and domain seizures targeted NetNut infrastructure. The coordinated disruption was described as degrading NetNut’s proxy network and shrinking the pool of devices available to the operator.

JDY botnet reconnaissance expansion to 1,500+ SOHO/IoT devices

Malware Activity
H score33 First: 10.06.2026 19:08 Last: 10.06.2026 19:08 Sources 1

About this happening: The **JDY botnet** has expanded to **more than 1,500 compromised SOHO/IoT devices**, making it a larger-scale **reconnaissance scanner** for exposed infrastructure and follow-on t...

Timeline

  1. 13.03.2026 07:26 2 articles · 3mo ago

    Operation Lightning dismantles SocksEscort proxy service

    Initial Disclosure

    Court-authorized international law enforcement acting under Operation Lightning dismantled SocksEscort, a criminal proxy service that used AVrecon to infect residential and small-business routers and resell traffic relay access for fraud and other abuse; authorities said the disruption took down 34 domains and 23 servers, froze $3.5 million in cryptocurrency, and targeted infrastructure spanning multiple countries.

    Show sources