Pierluigi Paganini
May 10, 2025
Authorities dismantled a 20-year-old botnet tied to Anyproxy and 5socks as part of an international operation codenamed “Operation Moonlander”; four men, including three Russians, were indicted for running the illegal proxy networks.
The U.S. Justice Department charged Russian nationals, Alexey Viktorovich Chertkov, 37, Kirill Vladimirovich Morozov, 41, Aleksandr Aleksandrovich Shishkin, 36, and Dmitriy Rubtsov, 38, a Kazakhstani national, with Conspiracy and Damage to Protected Computers for conspiring with others to maintain, operate, and profit from Anyproxy and 5socks services.
U.S. authorities worked with Dutch National Police, the Netherlands Public Prosecution Service (Openbaar Ministerie), the Royal Thai Police, and cybersecurity firm Lumen Technologies’ Black Lotus Labs.
“The Indictment alleges that a botnet was created by infecting older-model wireless internet routers worldwide, including in the United States, using malware without their owners’ knowledge.” reads the press release published by DoJ. “The installed malware allowed the routers to be reconfigured, granting unauthorized access to third parties and making the routers available for sale as proxy servers on the Anyproxy.net and 5socks.net websites. Both website domains were managed by a company headquartered in Virginia and hosted on computer servers worldwide.”
Court documents reveal 5socks.net sold over 7,000 proxies globally, charging $9.95–$110/month, and earning $46M by exploiting infected routers via the Anyproxy botnet.
Operating since 2004, the site falsely claimed identities to register domains. Chertkov and Rubtsov face charges for false domain registration. FBI agents in Oklahoma found malware on residential and business routers without users’ knowledge.
Black Lotus Labs Lumen researchers found an average of 1,000 unique bots weekly contacting C2 servers in Turkey, with most victims in the U.S., followed by Canada and Ecuador.
The botnet operators allowed cryptocurrency payments, the bot targets IOT and SOHO devices.
“Given the source range, only around 10% are detected as malicious in popular tools such as VirusTotal, meaning they consistently avoid network monitoring tools with a high degree of success.” reads the report published by Black Lotus Labs. “Proxies such as this are designed to help conceal a range of illicit pursuits including ad fraud, DDoS attacks, brute forcing, or exploiting victim’s data.”
According to the report, newly infected devices contact a Turkish C2 network composed of 5 servers, mostly using port 80. The researchers noticed that one server uses UDP on port 1443, likely for victim data storage. The botnet offers a “Rent-a-Proxy” service, where users buy access to IP:port combos for 24 hours, with no authentication required. The system checks deny-lists to avoid detection, but open access allows customers to carry out a broad range of malicious activities like ad fraud, DDoS, brute force attacks, and data exploitation.
“Proxy services have and will continue to present a direct threat to internet security as they allow malicious actors to hide behind unsuspecting residential IPs, complicating detection by network monitoring tools.” concludes the report. “As a vast number of end-of-life devices remain in circulation, and the world continues to adopt devices in the “Internet of Things,” there will continue to be a massive pool of targets for malicious actors. In our research on similar botnets like NSOCKS and Faceless, we noted how several well-known criminal groups manipulate open access policies as they are often marketed on criminal forums. “
This week, the FBI released a FLASH alert warning about 5Socks and Anyproxy malicious services targeting end-of-life (EOL) routers. Attackers target EoL devices to deploy malware by exploiting vulnerabilities and create botnets for attacks or proxy services. The alert urges replacing compromised routers or preventing infection by disabling remote admin and rebooting.
End-of-life (EOL) routers lack security updates and are vulnerable to cyber attacks. The lack of security updates makes them easy targets for threat actors who exploit known vulnerabilities, often via exposed remote management.
“The threat actors use the device’s known vulnerabilities to upload the malware, which ultimately allows the threat actor to gain root access to the device and make configuration changes.” reads the alert. “Chinese cyber actors are also among those who have taken advantage of known vulnerabilities in end of life routers and other edge devices to establish botnets used to conceal hacking into US critical infrastructures.”
Infected routers form botnets used in coordinated attacks or sold as proxies on 5Socks and Anyproxy.
Once installed, the malware allows threat actors to achieve persistent access, allowing regular communication with the device every 60 seconds to five minutes to maintain control and availability for customers.
Malware spreads through internet-connected devices with remote access enabled, and attackers can gain shell access even with password protection.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, botnet)
