
The FBI has issued a FLASH alert warning of widespread exploitation of outdated home and small business routers by cybercriminal groups using the 5Socks and Anyproxy services.
Threat actors are hijacking end-of-life (EOL) devices to launch attacks and sell anonymized access to compromised routers, allowing other criminals to mask their identities.
This campaign targets unsupported routers from Cisco and Linksys — brands often found in homes and small offices — with models like the Linksys E1200, WRT610N, and E4200 among the vulnerable devices. Because these devices no longer receive security updates, attackers are easily exploiting known vulnerabilities, bypassing remote administration protections, and installing malware that grants root access. This gives threat actors the ability to control the routers persistently and repurpose them as proxies or nodes in larger botnets.
The actors behind these campaigns are tied to the 5Socks and Anyproxy services, which monetize hijacked routers by offering them as proxy servers for obfuscation purposes. Such services are often used to facilitate additional cybercriminal activity, including evading law enforcement tracking, launching coordinated cyberattacks, or engaging in fraudulent activities without revealing the actor’s true IP address or location.
The infected routers continuously communicate with a command-and-control (C2) infrastructure via scheduled check-ins every 60 seconds to five minutes. This C2 connection enables persistent access, allows configuration changes, and ensures the devices remain available for criminal use. Notably, this type of router malware is difficult for users to detect because traditional antivirus software does not scan router firmware, and the infection resides outside the scope of typical endpoint protections.
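The fixed check-in cadence described above is something a defender can look for in egress flow logs even when the router itself cannot be scanned. The following added example (not from the FBI alert) takes constructed connection records of the form (source, destination, epoch seconds), groups them per source/destination pair, and flags pairs whose inter-connection gaps all fall in the 60 to 300 second window with low jitter. The IP addresses, timestamps and thresholds are assumptions chosen for illustration.

```python
"""Flag periodic outbound connections in the 60 s .. 5 min window typical of router beaconing."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flow records (src_ip, dst_ip, epoch_seconds); not real telemetry.
SAMPLE_FLOWS = [
    # hypothetical router checking in to a hypothetical C2 every ~120 s
    ("192.168.1.1", "203.0.113.10", 1_700_000_000),
    ("192.168.1.1", "203.0.113.10", 1_700_000_121),
    ("192.168.1.1", "203.0.113.10", 1_700_000_240),
    ("192.168.1.1", "203.0.113.10", 1_700_000_359),
    ("192.168.1.1", "203.0.113.10", 1_700_000_480),
    ("192.168.1.1", "203.0.113.10", 1_700_000_600),
    # a workstation browsing: irregular gaps, should not be flagged
    ("192.168.1.50", "198.51.100.7", 1_700_000_005),
    ("192.168.1.50", "198.51.100.7", 1_700_000_012),
    ("192.168.1.50", "198.51.100.7", 1_700_000_900),
    ("192.168.1.50", "198.51.100.7", 1_700_003_000),
]


def find_beacons(flows, min_interval=60, max_interval=300, min_samples=5, max_jitter=0.2):
    """Return a list of (src, dst, mean_interval, sample_count) for periodic pairs.

    A pair is reported when it has at least `min_samples` connections, every gap
    between consecutive connections lies within [min_interval, max_interval], and
    the coefficient of variation of the gaps is at most `max_jitter`.
    """
    by_pair = defaultdict(list)
    for src, dst, ts in flows:
        by_pair[(src, dst)].append(ts)

    findings = []
    for (src, dst), stamps in by_pair.items():
        if len(stamps) < min_samples:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        if not all(min_interval <= g <= max_interval for g in gaps):
            continue
        avg = mean(gaps)
        if avg == 0 or pstdev(gaps) / avg > max_jitter:
            continue
        findings.append((src, dst, avg, len(stamps)))
    return findings


if __name__ == "__main__":
    for src, dst, avg, n in find_beacons(SAMPLE_FLOWS):
        print(f"possible beacon: {src} -> {dst} every ~{avg:.0f}s over {n} connections")
```

On real flow data the same function works unchanged; the thresholds are the knobs to tune against your own baseline of legitimate periodic traffic (NTP, update checks), which is why the output is a candidate list to review rather than an alert on its own.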
The FBI identified a number of suspicious file hashes associated with the malware campaign, including malicious binaries disguised as harmless GIF image files — such as banana.gif and message.gif — which are converted into ELF executables. These payloads are likely part of the initial infection process or facilitate the proxy functionality on compromised hardware.
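Because the payloads carry a .gif name but are really ELF binaries, the file extension is useless for triage; the magic bytes are what matter. The added example below (not part of the FBI alert, and using constructed byte strings rather than the real samples) checks files by header instead of name, reports any .gif whose contents start with the ELF magic, and decodes the ELF class, endianness and target architecture so a responder can see at a glance whether a binary is built for the MIPS or ARM cores common in consumer routers. The file contents and the names "banana.gif" and "message.gif" as used here are constructed stand-ins; only the names come from the alert.

```python
"""Identify ELF executables masquerading as GIF images by inspecting magic bytes."""
import struct

GIF_MAGICS = (b"GIF87a", b"GIF89a")
ELF_MAGIC = b"\x7fELF"
# Subset of e_machine values from the ELF specification.
ELF_MACHINES = {3: "x86", 8: "MIPS", 40: "ARM", 62: "x86-64", 183: "AArch64"}


def classify_payload(data):
    """Return 'elf', 'gif' or 'other' based on the leading bytes only."""
    if data.startswith(ELF_MAGIC):
        return "elf"
    if data.startswith(GIF_MAGICS):
        return "gif"
    return "other"


def describe_elf(data):
    """Decode class, endianness and machine from the first 20 bytes of an ELF header."""
    if len(data) < 20 or not data.startswith(ELF_MAGIC):
        raise ValueError("not an ELF header")
    bits = {1: 32, 2: 64}.get(data[4], "unknown")          # EI_CLASS
    endian = {1: "little", 2: "big"}.get(data[5], "unknown")  # EI_DATA
    fmt = "<H" if endian == "little" else ">H"
    machine_code = struct.unpack(fmt, data[18:20])[0]        # e_machine
    return {"bits": bits, "endian": endian,
            "machine": ELF_MACHINES.get(machine_code, f"unknown({machine_code})")}


def find_masquerading_files(files):
    """files: mapping of file name -> bytes. Return names with a .gif extension but an ELF header."""
    return sorted(name for name, data in files.items()
                  if name.lower().endswith(".gif") and classify_payload(data) == "elf")


def _fake_elf(ei_class, ei_data, machine):
    """Build a minimal constructed ELF header (ident + e_type + e_machine + padding)."""
    ident = ELF_MAGIC + bytes([ei_class, ei_data, 1, 0]) + b"\x00" * 8
    fmt = "<H" if ei_data == 1 else ">H"
    return ident + struct.pack(fmt, 2) + struct.pack(fmt, machine) + b"\x00" * 12


# Constructed sample files; the two .gif names match those cited in the alert, the bytes do not.
SAMPLE_FILES = {
    "banana.gif": _fake_elf(1, 2, 8),    # 32-bit big-endian MIPS, disguised as GIF
    "message.gif": _fake_elf(1, 1, 40),  # 32-bit little-endian ARM, disguised as GIF
    "logo.gif": b"GIF89a\x01\x00\x01\x00\x80\x00\x00",  # a genuine GIF header
    "readme.txt": b"hello",
}


if __name__ == "__main__":
    for name in find_masquerading_files(SAMPLE_FILES):
        info = describe_elf(SAMPLE_FILES[name])
        print(f"{name}: ELF {info['bits']}-bit {info['endian']}-endian {info['machine']}")
```

The same two helpers can be pointed at a directory listing or a proxy cache: read the first 20 bytes of each object, and treat any image-named file with an ELF header as worth pulling for analysis regardless of whether its hash matches a published indicator.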
The agency urges network administrators and consumers to identify and replace any vulnerable EOL routers in their infrastructure. At a minimum, users should disable remote administration features and reboot affected devices to mitigate ongoing threats. Full device replacement is preferred, especially for routers that are no longer supported by the manufacturer, as these are expected to remain unpatched and easily exploitable.