
Obsolete routers are once again under siege — cybercriminals are transforming outdated devices into covert proxy nodes, which are then rented out on underground platforms such as 5Socks and Anyproxy. The FBI has issued a warning regarding a fresh wave of attacks targeting legacy router models that no longer receive security updates or vendor support.
The primary objective of the attackers is to convert these devices into “residential proxies” and integrate them into expansive botnets. In this scheme, infected routers act as intermediaries for routing internet traffic, effectively concealing the true location of malicious actors and disguising their activity as legitimate network behavior. These proxies are widely exploited for hacking, phishing, cryptocurrency theft, and carrying out targeted attacks on demand.
Particularly at risk are older router models from Linksys and Cisco, including the Linksys E1200, E2500, E1000, E4200, E1500, E300, E3200, E1550, as well as outdated WRT series devices such as the WRT320N, WRT310N, and WRT610N. Vulnerable devices also include the Cradlepoint E100 and Cisco M10 — all of which have long been deemed obsolete and no longer receive firmware updates.
The FBI emphasizes that attackers are leveraging publicly available exploits to implant persistent malware into these devices. In the latest wave of attacks, threat actors are deploying an updated version of TheMoon — a well-known botnet specifically targeting routers. Once infiltrated, TheMoon links the device to a command-and-control (C2) server, from which it receives directives to propagate further, scan for vulnerable systems, and establish new proxy nodes.
Of particular concern is the involvement of state-sponsored actors — including Chinese cyber operatives — who have already adopted this method to conduct espionage and launch attacks against critical infrastructure within the United States. This exacerbates the risk, as neglected devices become entry points into strategically sensitive environments.
Indicators that a router has been compromised and absorbed into a botnet include erratic connectivity, overheating, sluggish performance, unauthorized configuration changes, the appearance of unknown administrative accounts, and abnormal network traffic. Devices with remote administration enabled are especially vulnerable.
The most effective safeguard is to replace outdated hardware with modern models that receive ongoing support. If replacement is not feasible, users should download the latest available firmware from the manufacturer’s official website, disable remote administration, and change default administrative credentials.
Security professionals strongly urge network administrators to audit their equipment and promptly decommission any devices that fall within the high-risk category.
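As an added illustration of such an audit (example code written for this page, not from the FBI advisory or any vendor tool), the script below checks a device inventory against the model list above, flags remote administration, default credentials, and administrative accounts not on an expected list. The inventory records and the expected-account set are constructed samples; the field names are assumptions about how such an inventory might be kept.

```python
# Added example: inventory audit against the obsolete router models named in the
# article, plus the configuration signs the article calls out. Constructed data.
from dataclasses import dataclass, field

# Models the article lists as obsolete and no longer receiving firmware updates.
HIGH_RISK_MODELS = {
    "Linksys E1200", "Linksys E2500", "Linksys E1000", "Linksys E4200",
    "Linksys E1500", "Linksys E300", "Linksys E3200", "Linksys E1550",
    "Linksys WRT320N", "Linksys WRT310N", "Linksys WRT610N",
    "Cradlepoint E100", "Cisco M10",
}

@dataclass
class Router:  # assumed inventory record layout
    name: str
    model: str
    remote_admin: bool
    admin_accounts: list[str] = field(default_factory=list)
    default_creds: bool = False

def audit_router(r: Router, expected_admins: set[str]) -> list[str]:
    """Return findings for one device; an empty list means nothing was flagged."""
    findings = []
    if r.model in HIGH_RISK_MODELS:
        findings.append("end-of-life model: decommission or replace")
    if r.remote_admin:
        findings.append("remote administration enabled: disable it")
    if r.default_creds:
        findings.append("default administrative credentials: change them")
    unknown = sorted(set(r.admin_accounts) - expected_admins)
    if unknown:  # accounts nobody provisioned are a listed compromise indicator
        findings.append("unknown admin accounts: " + ", ".join(unknown))
    return findings

def audit_inventory(routers, expected_admins):
    """Map each device name to its findings, omitting devices with none."""
    report = {}
    for r in routers:
        f = audit_router(r, expected_admins)
        if f:
            report[r.name] = f
    return report

# Constructed sample inventory: two legacy devices and one supported one.
SAMPLE = [
    Router("branch-1", "Linksys E2500", True, ["admin", "svc_upd"], True),
    Router("branch-2", "Cisco M10", False, ["admin"]),
    Router("hq-edge", "ExampleVendor X9 (supported)", False, ["admin"]),
]
EXPECTED_ADMINS = {"admin"}
```

Running `audit_inventory(SAMPLE, EXPECTED_ADMINS)` reports both legacy devices and leaves the supported one out; the EOL check is the one that drives decommissioning, the others are the interim hardening steps.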