FBI Alerts: Cybercriminals Exploiting End-of-Life Routers for Malware and Proxy Services

TL;DR

The FBI issued a warning about cybercriminals targeting end-of-life (EOL) routers to deploy malware and create botnets. These compromised devices are sold as proxies on networks like 5Socks and Anyproxy. Users are advised to replace vulnerable routers or disable remote administration to prevent infection.

FBI Warns of Cybercriminal Activities Targeting End-of-Life Routers

The FBI has released a FLASH alert warning about malicious services, notably 5Socks and Anyproxy, targeting end-of-life (EOL) routers. Cybercriminals exploit vulnerabilities in these outdated devices to deploy malware and establish botnets for subsequent attacks or proxy services. The alert emphasizes the necessity of replacing compromised routers or taking preventive measures by disabling remote administration and rebooting the devices.

Understanding the Risks of End-of-Life Routers

End-of-life routers lack critical security updates, making them highly susceptible to cyber attacks. These devices are prime targets for threat actors who exploit known vulnerabilities, often through exposed remote management features.

“The threat actors use the device’s known vulnerabilities to upload the malware, which ultimately allows the threat actor to gain root access to the device and make configuration changes.” ¹

Chinese cyber actors have also taken advantage of these vulnerabilities to create botnets, which are then used to conceal hacking activities targeting US critical infrastructures.

Malware Deployment and Persistent Access

Once infected, routers are integrated into botnets used for coordinated attacks or sold as proxies on platforms like 5Socks and Anyproxy. The malware enables threat actors to maintain persistent access, communicating with the device every 60 seconds to five minutes to ensure control and availability for customers.

The malware spreads through internet-connected devices with remote access enabled. Even with password protection, attackers can gain shell access. The malware uses a two-way handshake with a command and control (C2) server for regular check-ins and opens ports on the router to function as a proxy server.

Vulnerable Router Models

Several router models are particularly vulnerable to these attacks, including:

• E1200
• E2500
• E1000
• E4200
• E1500
• E300
• E3200
• WRT320N
• E1550
• WRT610N
• E100
• M10
• WRT310N

FBI Recommendations and Mitigation Strategies

The FBI has published indicators of compromise (IoCs) related to these attacks and provided mitigation strategies:

“The FBI recommends users identify if any of the devices vulnerable to compromise are part of their networking infrastructure. If so, these devices should be replaced with newer models that remain in their vendor support plans to prevent further infection. Alternatively, a user can prevent infection by disabling remote administration and rebooting the device. Please refer to the specific instructions for your router for information on how to disable remote management.” ¹

Conclusion

The increasing threat of cybercriminals exploiting end-of-life routers underscores the importance of maintaining up-to-date network infrastructure. Users and organizations must be proactive in identifying and replacing vulnerable devices to safeguard against potential attacks. Staying informed about the latest security threats and following best practices can significantly enhance cybersecurity defenses.

Additional Resources

For further insights, check:

• FBI Cyber Crime Alerts
• Security Affairs

References

1. Internet Crime Complaint Center (IC3) (2025). “CSA: Cyber Actors Exploit Vulnerabilities in End-of-Life Routers for Malware Deployment”. FBI. Retrieved 2025-05-09. ↩︎ ↩︎²