The Federal Bureau of Investigation (FBI) has issued a critical Flash advisory warning that threat actors are compromising outdated, end-of-life (EoL) routers to transform them into nodes in residential proxy botnets. These hijacked routers are being sold as proxy endpoints on underground platforms like 5Socks and Anyproxy, providing cybercriminals with tools to conceal their identities, launch attacks, and conduct espionage.
The agency emphasized that these routers, which no longer receive security updates, are being exploited through publicly known vulnerabilities that the vendors will never patch, allowing attackers to install persistent malware and take remote control of the devices.
How the Attack Works: From Exploit to Proxy Network
Once an EoL router is compromised, attackers install a variant of “TheMoon” malware, a known botnet malware strain that lets the infected device communicate with command-and-control (C2) servers. These servers issue instructions to:
- Configure the router as a residential proxy,
- Route malicious traffic,
- Conduct scans and attack other vulnerable internet-connected devices.
These infected routers then become hard-to-attribute infrastructure for cybercriminals, used to bypass IP-reputation and geolocation controls, disguise the origin of attacks, and enable illegal activities such as cryptocurrency theft, cybercrime-as-a-service operations, and covert espionage.
“Criminals are selling access to compromised routers as proxies for customers to purchase and use,” the FBI stated. “These proxies can be used to obfuscate the identity or location of threat actors.”
Devices at Risk: Linksys, Cisco, and Cradlepoint Routers in the Crosshairs
According to the advisory, specific EoL router models are being actively targeted due to their outdated firmware and lack of support:
Targeted Router Models Include:
- Linksys: E1200, E2500, E1000, E4200, E1500, E300, E3200, E1550
- Linksys WRT Series: WRT320N, WRT310N, WRT610N
- Cradlepoint: E100
- Cisco: M10
Leaving remote administration (WAN-side management) enabled on these devices further increases the risk of compromise, because it exposes the vulnerable management interface directly to the internet.
The FBI also stated that Chinese state-sponsored threat actors have exploited known vulnerabilities in these models to conduct espionage campaigns targeting critical U.S. infrastructure, highlighting the national security implications of leaving such devices unsecured.
Indicators of Compromise and Mitigation Measures
Signs that a router has been infected and co-opted into a botnet may include:
- Unusual network connectivity issues
- Overheating or excessive CPU usage
- Unexplained performance slowdowns
- Configuration changes without user action
- Appearance of unknown admin accounts
- Suspicious or high-volume outbound traffic
To mitigate the risk of botnet infections, the FBI recommends the following:
Recommended Actions:
- Replace EoL routers with actively supported models where possible.
- If replacement is not feasible:
  - Apply the latest firmware update from the vendor’s official site
  - Disable remote administration features
  - Change default admin credentials
  - Monitor for unusual activity regularly

The FBI has also shared a list of Indicators of Compromise (IOCs) with industry partners and encourages organizations and individuals to review their networks and report any signs of infection.
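The last two indicators above (suspicious or high-volume outbound traffic) and the “monitor for unusual activity” recommendation are the ones a defender can actually automate. The script below is an added example, not code from the FBI advisory or from any vendor: it scores flow records originated by the gateway itself, on the reasoning that a home router normally opens very few connections of its own (DNS, NTP, a vendor update check), so a gateway that suddenly reaches dozens of external hosts on many ports, or beacons to one host on a fixed timer, is behaving like a proxy node. The log format is a simplified, constructed Zeek-style conn.log; the router address, LAN ranges and every threshold are assumptions to be tuned for a real network.

```python
"""Score gateway-originated flows for residential-proxy behaviour.

Added example, not from the FBI advisory.  Input is a constructed,
simplified conn.log with one flow per line:
    ts src_ip dst_ip dst_port proto orig_bytes resp_bytes
Only flows whose source is the router's own LAN address are scored.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

ROUTER_IP = "192.168.1.1"             # assumed: LAN address of the gateway
LAN_NETS = [ip_network("192.168.0.0/16"), ip_network("10.0.0.0/8"),
            ip_network("172.16.0.0/12")]  # anything else counts as external
FAN_OUT_THRESHOLD = 20                # assumed: distinct external hosts
PORT_SPREAD_THRESHOLD = 10            # assumed: distinct destination ports
BEACON_MIN_COUNT = 4                  # assumed: repeats before calling it a beacon
BEACON_MAX_CV = 0.15                  # assumed: tolerated jitter (stdev / mean)


def parse_flows(text):
    """Parse whitespace-separated flow records; '#' lines are comments."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, proto, ob, rb = line.split()
        flows.append({"ts": float(ts), "src": src, "dst": dst,
                      "dport": int(dport), "proto": proto,
                      "orig_bytes": int(ob), "resp_bytes": int(rb)})
    return flows


def is_external(addr):
    return not any(ip_address(addr) in net for net in LAN_NETS)


def score_router(flows, router_ip=ROUTER_IP):
    """Return counts, detected beacons and human-readable findings."""
    own = [f for f in flows if f["src"] == router_ip and is_external(f["dst"])]
    dsts = {f["dst"] for f in own}
    ports = {f["dport"] for f in own}
    out_bytes = sum(f["orig_bytes"] for f in own)

    # Beaconing: the same destination/port contacted repeatedly at a near-
    # constant interval, which is how a C2 check-in looks in flow data.
    by_peer = defaultdict(list)
    for f in own:
        by_peer[(f["dst"], f["dport"])].append(f["ts"])
    beacons = []
    for peer, stamps in by_peer.items():
        if len(stamps) < BEACON_MIN_COUNT:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        m = mean(gaps)
        if m > 0 and pstdev(gaps) / m <= BEACON_MAX_CV:
            beacons.append({"peer": peer, "count": len(stamps),
                            "interval_s": round(m, 1)})

    findings = []
    if len(dsts) >= FAN_OUT_THRESHOLD:
        findings.append(f"fan_out: router itself reached {len(dsts)} external hosts")
    if len(ports) >= PORT_SPREAD_THRESHOLD:
        findings.append(f"port_spread: {len(ports)} distinct destination ports")
    for b in beacons:
        findings.append(f"beacon: {b['peer'][0]}:{b['peer'][1]} "
                        f"x{b['count']} every ~{b['interval_s']}s")
    return {"flows_from_router": len(own), "external_hosts": len(dsts),
            "ports": len(ports), "outbound_bytes": out_bytes,
            "beacons": beacons, "findings": findings}


def constructed_sample():
    """Constructed log: a LAN client browsing (ignored), the router's own NTP
    sync (benign), a 60 s beacon to a C2-like host, and proxy-style fan-out."""
    lines = ["# ts src dst dport proto orig_bytes resp_bytes"]
    for i in range(5):
        lines.append(f"{1715000000 + i*7} 192.168.1.20 198.51.100.{i+1} 443 tcp 900 42000")
    lines.append("1715000003 192.168.1.1 203.0.113.123 123 udp 48 48")
    for i in range(6):  # beacon with +/-1 s jitter
        lines.append(f"{1715000000 + i*60 + (i % 2)} 192.168.1.1 203.0.113.10 8080 tcp 120 64")
    ports = [80, 443, 8443, 25, 587, 993, 3389, 22, 5222, 8000, 1080, 9001]
    for i in range(25):  # relayed customer traffic to 25 hosts, varied ports
        lines.append(f"{1715000100 + i*3} 192.168.1.1 203.0.113.{30+i} {ports[i % 12]} tcp 2400 900")
    return "\n".join(lines)


if __name__ == "__main__":
    for finding in score_router(parse_flows(constructed_sample()))["findings"]:
        print(finding)
```

On the constructed sample this reports the fan-out, the port spread and the 60 s beacon to 203.0.113.10:8080, while the LAN client’s browsing and the router’s single NTP flow produce nothing. Feeding it real conn.log or NetFlow exports needs only a change to `parse_flows`; the scoring keys on the source address being the gateway, so run it against flows captured on the WAN side of the router or at the ISP edge where the gateway’s own traffic is visible.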
Botnets for Hire: The Rise of Malware-Driven Proxy Markets
The growing popularity of malware-enabled proxy services like 5Socks and Anyproxy underscores a larger trend: the industrialization of cybercrime. These services sell anonymous access to residential IP addresses, usually the routers of unwitting victims, allowing buyers to evade detection, conduct illicit transactions, and launch cyberattacks with reduced traceability.
With botnets increasingly leveraging AI for targeting, PhaaS (Phishing-as-a-Service) models, and exploit automation, the FBI’s warning serves as a timely reminder of the critical need to retire or harden aging hardware—especially in home and small office environments where security hygiene may be lacking.
As home and small office routers become targets of choice for global threat actors, cybersecurity experts stress that defending the digital perimeter begins with securing network infrastructure. By identifying and replacing outdated devices, applying updates, and disabling unnecessary remote access features, users can significantly reduce their exposure to sophisticated malware campaigns like TheMoon.
The FBI continues to collaborate with public and private partners to trace infected proxies, track malware infrastructure, and disrupt the criminal ecosystems behind these growing threats.