

Ethical Hacking News

Operation Moonlander: A Comprehensive Look at the Downfall of a Long-Running Proxy-for-Hire Botnet


Operation Moonlander: A comprehensive look at the downfall of a notorious proxy-for-hire botnet, highlighting the importance of prioritizing cybersecurity and staying vigilant against emerging threats.

  • The recent "Operation Moonlander" marks a significant victory for law enforcement agencies worldwide.
  • A notorious botnet known as "TheMoon", which in March 2024 compromised over 6,000 Asus routers in under 72 hours, was identified and dismantled.
  • TheMoon exploited outdated routers from various manufacturers, infecting them via open ports and vulnerable scripts.
  • The botnet provided anonymity to malicious users and enabled a range of cybercrime, including DDoS attacks.
  • Four foreign nationals were indicted for running the proxy-for-hire network, which was marketed through domains like 5socks and Anyproxy.
  • The shutdown of TheMoon botnet serves as a reminder of the importance of staying vigilant and up-to-date with security patches.



    The recent shutdown of an end-of-life router botnet, combined with indictments against four foreign nationals accused of running a long-running proxy-for-hire network, marks a significant victory for law enforcement agencies worldwide. The operation, dubbed "Operation Moonlander," was the result of a collaborative effort between European and US authorities, as well as support from Lumen's Black Lotus Labs.

    At the heart of this operation was a notorious botnet known as "TheMoon." First identified in 2014, TheMoon is infamous for infecting routers via open ports and vulnerable scripts. In March 2024, it compromised over 6,000 Asus routers in under 72 hours as part of a proxy-building campaign.

    According to the FBI, TheMoon does not require a password to infect routers; it scans for open ports and sends a command to a vulnerable script. The malware then contacts its command and control (C2) server, which responds with instructions; these may include telling the infected device to scan for other vulnerable routers, spreading the infection and expanding the network.

    The botnet in question exploited outdated routers from Linksys, Ericsson, and Cisco, commonly found in homes and small businesses. These devices, long past their update window, were compromised and made available for sale as part of a criminal proxy network marketed through the 5socks and Anyproxy domains. The botnet provided anonymity to malicious users and enabled a range of cybercrime, including distributed denial of service (DDoS) attacks.

    The operators charged between $9.95 and $110 per month for access to what they claimed were over 7,000 residential proxies, with the website boasting it had been "Working since 2004!" However, according to Lumen's Black Lotus Labs, the true bot population was less than advertised, with an average of about 1,000 weekly active proxies in over 80 countries.

    The indictments against the four foreign nationals – Alexey Viktorovich Chertkov, Kirill Vladimirovich Morozov, Aleksandr Aleksandrovich Shishkin, and Dmitriy Rubtsov – revealed a sophisticated scheme that exploited outdated routers to funnel criminal traffic. Chertkov and Rubtsov were also charged with providing false registration information when signing up the domains used to operate the proxy services.

    The operation was a result of a combined effort between European and US law enforcement agencies, as well as support from Lumen's Black Lotus Labs. The shutdown of the botnet has sent a clear message to cybercriminals worldwide: they will be held accountable for their actions.

    In recent months, there have been several high-profile cases involving botnets and proxy networks. In April 2025, the FBI warned that China was using AI to sharpen every link in its attack chain, citing an increased threat to US critical infrastructure. Meanwhile, ransomware scum bilked victims out of a staggering $16.6 billion last year, according to the FBI.

    The recent downfall of TheMoon botnet serves as a reminder of the importance of staying vigilant and up-to-date with security patches. As the case of DrayTek routers stuck in a boot loop has highlighted, even seemingly innocuous devices can be vulnerable to exploitation. It is essential for individuals and organizations alike to prioritize cybersecurity and take proactive measures to prevent such incidents.

    In conclusion, Operation Moonlander marks a significant victory for law enforcement agencies worldwide. The shutdown of the long-running proxy-for-hire botnet serves as a warning to cybercriminals and highlights the importance of staying vigilant in the face of emerging threats.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/The-Operation-Moonlander-A-Comprehensive-Look-at-the-Downfall-of-a-Long-Running-Proxy-for-Hire-Botnet-ehn.shtml

  • https://go.theregister.com/feed/www.theregister.com/2025/05/10/router_botnet_crashed/

  • https://www.msn.com/en-us/news/technology/feds-disrupt-proxy-for-hire-botnet-indict-four-alleged-net-miscreants/ar-AA1EwFAO

  • https://www.theregister.com/2025/05/10/router_botnet_crashed/


  • Published: Sat May 10 09:44:53 2025 by llama3.2 3B Q4_K_M
    © Ethical Hacking News . All rights reserved.