Pierluigi Paganini May 09, 2025

The FBI warns that attackers are using end-of-life routers to deploy malware and turn them into proxies sold on 5Socks and Anyproxy networks.

The FBI released a FLASH alert warning about 5Socks and Anyproxy malicious services targeting end-of-life (EOL) routers. Attackers target EoL devices to deploy malware by exploiting vulnerabilities and create botnets for attacks or proxy services. The alert urges replacing compromised routers or preventing infection by disabling remote admin and rebooting.

End-of-life (EOL) routers lack security updates and are vulnerable to cyber attacks. The lack of security updates makes them easy targets for threat actors who exploit known vulnerabilities, often via exposed remote management.

“The threat actors use the device’s known vulnerabilities to upload the malware, which ultimately allows the threat actor to gain root access to the device and make configuration changes.” reads the alert. “Chinese cyber actors are also among those who have taken advantage of known vulnerabilities in end of life routers and other edge devices to establish botnets used to conceal hacking into US critical infrastructures.”

Infected routers form botnets used in coordinated attacks or sold as proxies on 5Socks and Anyproxy.

Once installed, the malware allows threat actors to achieve persistent access, allowing regular communication with the device every 60 seconds to five minutes to maintain control and availability for customers.

Malware spreads through internet-connected devices with remote access enabled, and attackers can gain shell access even with password protection.

The malware uses a two-way handshake with a C2 server for regular check-ins and opens ports on the router to enable its use as a proxy server.

Vulnerable models include:

• E1200
• E2500
• E1000
• E4200
• E1500
• E300
• E3200
• WRT320N
• E1550
• WRT610N
• E100
• M10
• WRT310N

The FBI published indicators of compromise (IoCs) associated with attacks targeting end-of-life routers and mitigations:

“The FBI recommends users identify if any of the devices vulnerable to compromise are part of their networking infrastructure. If so, these devices should be replaced with newer models that remain in their vendor support plans to prevent further infection.” concludes the alert .”Alternatively, a user can prevent infection by disabling remote administration and rebooting the device. Please refer to the specific instructions for your router for information on how to disable remote management.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, end-of-life routers)