"AVRecon Botnet Leveraging Compromised Routers to Fuel Illegal Proxy Service"
The AVRecon botnet has been observed using compromised small office/home office (SOHO) routers since at least May 2021 as part of a multi-year campaign. Lumen Black Lotus Labs disclosed AVRecon earlier this month as malware capable of executing additional commands and stealing a victim's bandwidth for an illegal proxy service offered to other malicious actors. It has also surpassed QakBot in scale, having infiltrated more than 41,000 nodes in 20 countries. The malware has been used to establish residential proxy services to hide malicious activity, including password spraying, web-traffic proxying, and ad fraud. According to new research, AVRecon is the malware engine behind SocksEscort, a 12-year-old service that rents compromised residential and small business devices to cybercriminals seeking to cover their true location online. The connection is based on direct correlations between SocksEscort and the command-and-control (C2) servers of AVRecon. This article continues to discuss new findings regarding the AVRecon botnet.
THN reports "AVRecon Botnet Leveraging Compromised Routers to Fuel Illegal Proxy Service"