FBI Warns of Malware Targeting End-of-Life Routers to Create Proxy Networks

The Federal Bureau of Investigation (FBI) has issued a warning about cybercriminals deploying malware on end-of-life (EoL) routers to turn them into proxy servers. These compromised devices are being used to support illegal online activities, including cyberattacks and covert operations.

According to the FBI’s Flash advisory, the attackers are using vulnerable routers to build residential proxy botnets connected to networks like 5Socks and Anyproxy. These networks sell access to the compromised routers, allowing buyers to mask their identity and location online.

“Criminals are selling access to compromised routers as proxies for customers to purchase and use,” the FBI stated. “The proxies can be used by threat actors to obfuscate their identity or location.”

Devices at Risk

The FBI identified several commonly targeted EoL models, including:

• Linksys: E1200, E2500, E1000, E4200, E1500, E300, E3200, E1550, WRT320N, WRT310N, WRT610N

• Cradlepoint: E100

• Cisco: M10

These routers no longer receive security updates from manufacturers, making them highly vulnerable to malware infections.
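An inventory check against the model list above, as an added example (not code from the FBI advisory). The CSV columns `hostname,vendor,model`, the revision-suffix style such as `v2`, and the sample rows are assumptions constructed for illustration. It compares whole tokens, because a substring match would wrongly flag an E3000 as the listed E300 or an E1000 as the Cradlepoint E100.

```python
import csv
import io
import re

# Models named in the list above, grouped by vendor.
EOL_MODELS = {
    "linksys": {"E1200", "E2500", "E1000", "E4200", "E1500", "E300", "E3200",
                "E1550", "WRT320N", "WRT310N", "WRT610N"},
    "cradlepoint": {"E100"},
    "cisco": {"M10"},
}
# Trailing hardware-revision suffix such as " v2" or "-V2.1" (assumed label style).
_REVISION = re.compile(r"[-_ ]?V\d+(\.\d+)?$")


def match_eol(vendor, model):
    """Return the listed model this device corresponds to, or None."""
    vendor = vendor.lower()
    listed = set()
    for name, models in EOL_MODELS.items():
        if name in vendor:  # "Cisco-Linksys" selects both vendors' lists
            listed |= models
    cleaned = _REVISION.sub("", model.strip().upper())
    # Compare whole tokens only, never substrings.
    for token in re.split(r"[\s/]+", cleaned):
        if token in listed:
            return token
    return None


def audit(csv_text):
    """Return (hostname, listed_model) for every inventory row on the list."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        listed = match_eol(row["vendor"], row["model"])
        if listed:
            hits.append((row["hostname"], listed))
    return hits


# Constructed sample inventory, not real devices.
SAMPLE_INVENTORY = """hostname,vendor,model
branch-gw-01,Linksys,E1200 v2
branch-gw-02,Linksys,E3000
lab-ap-03,Cisco-Linksys,WRT610N-V2
kiosk-rtr-04,Cradlepoint,E100
store-rtr-05,Cradlepoint,E3000
home-rtr-06,Cisco,Valet M10
"""
```

Calling `audit(SAMPLE_INVENTORY)` returns the four hosts running listed models; the two E3000 rows are not flagged.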

TheMoon Malware Variant Detected

The FBI confirmed that many of these devices have been infected with a new variant of TheMoon malware. This malware turns the routers into proxies and connects them to command-and-control (C2) servers to receive and execute malicious commands.

Chinese state-sponsored hackers have also used known vulnerabilities in these routers to carry out espionage operations and target critical U.S. infrastructure, the agency warned.

Signs of Compromise

Home and business users may notice signs of infection such as:

• Slower internet speeds

• Frequent disconnections

• Router overheating

• Unexpected configuration changes

• Unknown administrator accounts

• Unusual network traffic patterns

FBI Recommendations

The FBI strongly recommends replacing end-of-life routers with newer models that still receive security updates. If replacement is not possible, users should:

• Install the latest firmware from the official vendor website

• Change default admin usernames and passwords

• Disable remote administration features

The agency has also released indicators of compromise to help users and IT professionals identify if their devices are affected.

For more information and security tips, users are advised to consult the FBI’s full advisory and take immediate action to secure their network devices.

