Summary: The FBI published a FLASH to disseminate indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) associated with the 5Socks and Anyproxy cyber criminal proxy services and the malware they use to target end-of-life (EOL) routers. Threat actors exploit known vulnerabilities to compromise EOL routers, install malware, and enlist the routers in a botnet under their control, which is used to launch coordinated attacks or to sell access to the devices as proxy services.
Analyst Note: The FLASH provides a list of vulnerable device models that 5Socks and Anyproxy target, as well as indicators of compromise associated with the groups' campaigns. The FBI recommends that network defenders replace compromised devices with newer, supported models or, where that is not immediately possible, reduce the risk of infection by disabling remote administration and rebooting the router.
Members are encouraged to inventory their organization's network for these router models and to check whether the hashes attached to the FLASH are present on their network.
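The hash check above is the part of this advisory a defender can automate. The following script is an added example, not part of the FLASH or of WaterISAC's material: it parses a plain-text IOC list (one hex digest per line, with the algorithm inferred from digest length), hashes every file under a directory in a single pass, and reports matches. The IOC hashes in the FLASH are not reproduced here; the `demo()` function builds a constructed IOC list around a planted sample file so the script runs offline. On the routers themselves you would normally extract the filesystem or firmware with vendor tools first; this shows the host-side matching logic.

```python
"""Match files on disk against a list of IOC hashes (MD5/SHA-1/SHA-256).

Added example for this advisory summary; the IOC list is constructed and
does NOT contain the FBI's actual indicators.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# Hex digest lengths, used to sort an unlabeled IOC list by algorithm.
_ALGO_BY_LEN = {32: "md5", 40: "sha1", 64: "sha256"}


def load_iocs(text):
    """Parse an IOC hash list (one hash per line, '#' comments allowed).

    Returns {"md5": set(), "sha1": set(), "sha256": set()} keyed by algorithm.
    Lines that are not a hex digest of a recognised length are ignored.
    """
    iocs = {algo: set() for algo in _ALGO_BY_LEN.values()}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().lower()
        algo = _ALGO_BY_LEN.get(len(line))
        if algo and all(c in "0123456789abcdef" for c in line):
            iocs[algo].add(line)
    return iocs


def hash_file(path, chunk_size=1 << 16):
    """Compute MD5, SHA-1 and SHA-256 of a file in one pass over its bytes."""
    digests = {algo: hashlib.new(algo) for algo in _ALGO_BY_LEN.values()}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for d in digests.values():
                d.update(chunk)
    return {algo: d.hexdigest() for algo, d in digests.items()}


def scan_tree(root, iocs):
    """Walk `root` and return [(path, algo, digest)] for every IOC hit."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            try:
                digests = hash_file(path)
            except OSError:
                continue  # unreadable file: skip it rather than abort the scan
            for algo, digest in digests.items():
                if digest in iocs[algo]:
                    hits.append((str(path), algo, digest))
    return hits


def demo():
    """Plant a constructed sample in a temp dir and show it is detected."""
    with tempfile.TemporaryDirectory() as tmp:
        sample = Path(tmp) / "dropped.bin"
        sample.write_bytes(b"constructed sample payload, not real malware\n")
        Path(tmp, "benign.txt").write_text("nothing to see here\n")
        # Constructed IOC list: the sample's real SHA-256 plus the well-known
        # MD5 of the empty file, which nothing in the directory should match.
        ioc_text = (
            "# constructed IOC list for this example\n"
            f"{hashlib.sha256(sample.read_bytes()).hexdigest()}\n"
            "d41d8cd98f00b204e9800998ecf8427e  # MD5 of an empty file\n"
        )
        hits = scan_tree(tmp, load_iocs(ioc_text))
        for path, algo, digest in hits:
            print(f"HIT {algo} {digest} {path}")
        return [(Path(p).name, algo) for p, algo, _ in hits]


if __name__ == "__main__":
    demo()
```

To use it against the FLASH, save the attached hash column to a text file and call `scan_tree(root, load_iocs(open("iocs.txt").read()))` on the extracted router filesystem or on hosts you suspect received payloads from the botnet. Hashing all three algorithms in one read keeps the scan cheap even when the IOC list mixes digest types.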
Original Source: https://www.ic3.gov/CSA/2025/250507.pdf
Mitigation Recommendations:
Related WaterISAC PIRs: 6, 7, 10