

Ethical Hacking News

The Moon Has Set: A Comprehensive Look at the Dismantling of a 7,000-Device Proxy Botnet


A significant operation by law enforcement agencies in the U.S. and The Netherlands has resulted in the dismantling of a large-scale proxy botnet that compromised 7,000 devices, including IoT and EoL systems. The operation highlights the ongoing threat posed by cyber attacks and underscores the importance of proactive measures to protect against emerging threats.

  • Law enforcement agencies in the US and Netherlands collaborated to dismantle a large-scale proxy botnet called "Operation Moonlander".
  • The operation disrupted services provided by two platforms, 5socks.net and anyproxy.net, which facilitated malicious activities of the botnet.
  • Russian nationals were charged for their role in operating and maintaining the services, allegedly profiting from selling access to infected routers.
  • The botnet consisted of approximately 7,000 devices, including IoT and EoL systems, compromised using TheMoon malware.
  • The Moon malware scanned for open ports on vulnerable devices and sent a command to exploit them; the infected devices were then resold as residential proxies, which makes the malicious activity routed through them hard for network monitoring tools to attribute.
  • Lumen Technologies Black Lotus Labs advised users to reboot routers, install security updates, change default passwords, and upgrade to newer models to mitigate risks posed by proxy services.


In a significant development that underscores the ever-evolving nature of cyber threats, law enforcement agencies in the United States and The Netherlands have collaborated to dismantle a large-scale proxy botnet. The operation, codenamed "Operation Moonlander," has resulted in the disruption of the services provided by two platforms, 5socks.net and anyproxy.net, which were instrumental in facilitating the malicious activities of the botnet.

According to reports from Lumen Technologies Black Lotus Labs, a cybersecurity firm that was involved in the operation, the proxy botnet is believed to have been operated by Russian nationals who were charged by the U.S. Department of Justice for their role in operating and maintaining the services. The accused individuals, Alexey Viktorovich Chertkov, Kirill Vladimirovich Morozov, Aleksandr Aleksandrovich Shishkin, and Dmitriy Rubtsov, are alleged to have profited from the proxy services by selling access to infected routers to threat actors.

The botnet in question is believed to have consisted of approximately 7,000 devices, including Internet of Things (IoT) and end-of-life (EoL) systems. These devices were compromised using a malware called TheMoon, which was discovered in 2014 and was initially linked to attacks targeting Linksys routers.

The Moon malware works by scanning for open ports on vulnerable devices and sending a command to a script that exploits the device. Once infected, these devices are used to conduct cyber crimes anonymously, providing threat actors with a means of hiding behind unsuspecting residential IP addresses. This makes it challenging for network monitoring tools to detect malicious activity.

In addition to its role in facilitating the activities of threat actors, The Moon malware was also found to be capable of scanning for other vulnerable routers, spreading the infection and expanding the botnet's reach. The operators then sold proxy services built on the infected devices, with each service providing an IP and port combination for connection.

Lumen Technologies Black Lotus Labs noted that 5socks.net had been used to conduct various forms of malicious activity, including ad fraud, DDoS attacks, and brute-force attacks, as well as exploiting victims' data. The company also highlighted the risk posed by proxy services, which allow malicious actors to hide behind unsuspecting residential IPs, complicating detection by network monitoring tools.
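The detection problem described above, a compromised router that accepts connections from proxy customers and relays them onward so the traffic appears to come from a residential address, can be approached from the network side rather than from the router itself. The Python below is an added example, not code from the article, from Lumen, or from Black Lotus Labs. It parses constructed flow records in an assumed one-line format, then flags any monitored device that accepts inbound connections on a high port from several distinct external sources and, within a short window of each, opens outbound connections to many distinct external destinations. The log format, the thresholds, the window, and every address are assumptions; the addresses are from the documentation ranges.

```python
"""Heuristic detection of proxy-relay behaviour on SOHO routers from flow records.

Added example, not code from the article or from Black Lotus Labs. Every log
line below is constructed. The record format is an assumption:
    <ISO timestamp> <in|out> <peer_ip>:<peer_port> <device_ip>:<device_port>
"in" means a peer connected to the device; "out" means the device connected out.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Address space we treat as our own LAN (assumption); everything else is "the internet".
# Python's is_global() excludes the documentation ranges used below, so we test explicitly.
LAN_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
            ip_network("192.168.0.0/16")]


@dataclass(frozen=True)
class Flow:
    ts: datetime
    direction: str      # "in" or "out", relative to the monitored device
    peer_ip: str
    peer_port: int
    device_ip: str
    device_port: int


def is_external(ip: str) -> bool:
    addr = ip_address(ip)
    return not any(addr in net for net in LAN_NETS)


def parse_flow(line: str) -> Flow:
    ts, direction, peer, device = line.split()
    peer_ip, peer_port = peer.rsplit(":", 1)
    device_ip, device_port = device.rsplit(":", 1)
    return Flow(datetime.fromisoformat(ts), direction,
                peer_ip, int(peer_port), device_ip, int(device_port))


def find_relay_candidates(flows, window=timedelta(seconds=30),
                          min_inbound_sources=3, min_outbound_dests=5):
    """Return {device_ip: summary} for devices showing the relay pattern:
    inbound connections on a non-standard (>=1024) port from several external
    sources, each followed within `window` by outbound flows to many external
    destinations. A device that only bursts outbound (e.g. an update check) or
    only receives inbound connections is not flagged."""
    by_device = defaultdict(list)
    for f in sorted(flows, key=lambda f: f.ts):
        by_device[f.device_ip].append(f)

    findings = {}
    for device, fl in by_device.items():
        inbound = [f for f in fl if f.direction == "in"
                   and is_external(f.peer_ip) and f.device_port >= 1024]
        sources = {f.peer_ip for f in inbound}
        if len(sources) < min_inbound_sources:
            continue
        relayed = set()
        for inf in inbound:
            for f in fl:
                if (f.direction == "out" and is_external(f.peer_ip)
                        and inf.ts <= f.ts <= inf.ts + window):
                    relayed.add((f.peer_ip, f.peer_port))
        if len(relayed) >= min_outbound_dests:
            findings[device] = {
                "inbound_sources": len(sources),
                "relayed_destinations": len(relayed),
                "listening_ports": sorted({f.device_port for f in inbound}),
            }
    return findings


def analyze(lines):
    return find_relay_candidates(parse_flow(l) for l in lines)


# Constructed sample: 203.0.113.10 behaves like a sold proxy (three external
# "customers" connect to port 40000, and it fans out to six destinations);
# 203.0.113.20 is a quiet router; 203.0.113.30 bursts outbound with no inbound.
SAMPLE_LOG = [
    "2025-05-07T10:00:00 in  198.51.100.5:51234 203.0.113.10:40000",
    "2025-05-07T10:00:01 out 192.0.2.1:443 203.0.113.10:49152",
    "2025-05-07T10:00:02 out 192.0.2.2:443 203.0.113.10:49153",
    "2025-05-07T10:00:05 in  198.51.100.6:43210 203.0.113.10:40000",
    "2025-05-07T10:00:06 out 192.0.2.3:443 203.0.113.10:49154",
    "2025-05-07T10:00:07 out 192.0.2.4:80 203.0.113.10:49155",
    "2025-05-07T10:00:10 in  198.51.100.7:60001 203.0.113.10:40000",
    "2025-05-07T10:00:12 out 192.0.2.5:443 203.0.113.10:49156",
    "2025-05-07T10:00:20 out 192.0.2.6:443 203.0.113.10:49157",
    "2025-05-07T10:00:00 out 192.0.2.53:53 203.0.113.20:50000",
    "2025-05-07T10:00:30 out 192.0.2.123:123 203.0.113.20:50001",
] + [f"2025-05-07T10:01:{i:02d} out 192.0.2.{100 + i}:443 203.0.113.30:{51000 + i}"
     for i in range(8)]

if __name__ == "__main__":
    for device, summary in analyze(SAMPLE_LOG).items():
        print(device, summary)
```

In practice the records would come from NetFlow or IPFIX export at the ISP or home gateway, and the thresholds need tuning per environment; a device that legitimately hosts a service (a game server, a self-hosted VPN endpoint) matches the same shape, so a hit is a lead for investigation rather than a verdict.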

To mitigate these risks, Lumen advised users to regularly reboot their routers, install security updates, change default passwords, and upgrade to newer models once they reach EoL status. The company also noted that the continued adoption of IoT devices and the proliferation of end-of-life systems will continue to pose a significant threat to internet security.

In light of these findings, it is clear that the dismantling of this 7,000-device proxy botnet marks an important step in combating the evolving landscape of cyber threats. As the threat landscape continues to evolve, it is essential for users and cybersecurity professionals alike to remain vigilant and take proactive steps to protect themselves against these emerging threats.



Related Information:
  • https://www.ethicalhackingnews.com/articles/The-Moon-Has-Set-A-Comprehensive-Look-at-the-Dismantling-of-a-7000-Device-Proxy-Botnet-ehn.shtml
  • https://thehackernews.com/2025/05/breaking-7000-device-proxy-botnet-using.html
  • https://www.ic3.gov/PSA/2025/PSA250507
  • https://blog.lumen.com/the-darkside-of-themoon/


  • Published: Fri May 9 13:44:18 2025 by llama3.2 3B Q4_K_M
