Connect with us

Hi, what are you looking for?


IoT Security

Researchers Discover 40,000-Strong EOL Router, IoT Botnet 

Malware hunters sound an alarm after discovering a 40,000-strong botnet packed with end-of-life routers and IoT devices being used in cybercriminal activities.

Malware hunters at Lumen Technologies on Tuesday sounded an alarm after discovering a 40,000-strong botnet packed with end-of-life routers and IoT devices being used in cybercriminal activities.

According to new documentation from Lumen’s Black Lotus Labs, a notorious cybercriminal group has been running a multi-year campaign targeting end-of-life small home/small office (SOHO) routers and IoT devices around the world.

The router botnet, first seen in 2014, has been operating quietly while growing to more than 40,000 bots from 88 countries in January and February  of 2024, the researchers warned.

“The majority of these bots are used as the foundation of a notorious,  cybercriminal-focused proxy service, known as Faceless. Our latest tracking has shown [the botnet] has enabled Faceless’ growth at a rate of nearly 7,000 new users per week.”

The Black Lotus Labs researchers said they identified the logical map of the group’s proxy service, including a campaign that began in the first week of March 2024 that targeted over 6,000 ASUS routers in less than 72 hours.

The researchers noted that the SOHO/IoT based activity cluster was observed communicating with tens of thousands of distinct IP addresses per week. “Our analysis indicates  that the operators behind this botnet were enrolling the compromised end of life (EoL) devices  into an established residential proxy service called Faceless,” the Black Lotus Labs team said, warning that it has become “a formidable proxy service that rose from the ashes of the “iSocks” anonymity service and has  become an integral tool for cybercriminals in obfuscating their activity.”

The researchers believe the targeting of end-of-life IoT devices around the globe is deliberate, as they are no longer supported by the manufacturer and known security vulnerabilities go unpatched.

“There is also the potential that  devices such as these may sometimes be forgotten or abandoned,” the researchers warned 

Advertisement. Scroll to continue reading.

The Black Lotus Labs researchers are recommending that corporate network defenders  look for attacks on weak credentials and suspicious login attempts, even when they originate from residential IP addresses which bypass geofencing and ASN based blocking. 

Security practitioners should also protect cloud assets from communicating with bots that are attempting to perform password spraying attacks and begin blocking IoCs with Web Application Firewalls.  

Related: FBI Disrupts Ubiquiti Router Botnet Controlled by Russian Hackers

Related: US Gov Disrupts SOHO Router Botnet Used by China’s Volt Typhoon

Related: Chinese APT Volt Typhoon Linked to Unkillable SOHO Router Botnet 

Related: AWS Using MadPot Decoy System to Disrupt APTs, Botnets

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.


SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.


People on the Move

Shay Mowlem has been named CMO of runtime and application security company Contrast Security.

Attack detection firm Vectra AI has appointed Jeff Reed to the newly created role of Chief Product Officer.

Shaun Khalfan has joined payments giant PayPal as SVP, CISO.

More People On The Move

Expert Insights

Related Content


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Malware & Threats

The NSA and FBI warn that a Chinese state-sponsored APT called BlackTech is hacking into network edge devices and using firmware implants to silently...

IoT Security

A vulnerability affecting Dahua cameras and video recorders can be exploited by threat actors to modify a device’s system time.

IoT Security

An innocent-looking portable speaker can hide a hacking device that launches CAN injection attacks, which have been used to steal cars.


An engineer recruited by intelligence services reportedly used a water pump to deliver Stuxnet, which reportedly cost $1-2 billion to develop.

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...