TheCyberExpress

FBI Warns Of AVrecon Malware Targeting Network Devices Across 163 Countries


The router sitting in your home office or small business did not need to be hacked by a skilled operator to end up serving as infrastructure for banking fraud, password attacks, and digital marketplace scams. All it needed was an unpatched vulnerability and malware dubbed “AVrecon” to infect it and sell access to it within minutes.

Last month, the FBI, alongside several international law enforcement agencies, took down the SocksEscort residential proxy service. In a follow-up to that investigation, the agency found a malware strain called AVrecon that was used to target scores of network devices worldwide.

How AVrecon Works

AVrecon spreads by scanning the internet for devices with exposed vulnerable services. The SocksEscort operators exploited Remote Code Execution vulnerabilities and command injection flaws, as well as weaknesses in exposed SOAP interfaces — a web services protocol found in many consumer router management panels.

The malware’s command-and-control framework is modular by design, meaning new exploit modules can be added as new vulnerabilities are discovered, continuously expanding the range of vulnerable device models it can infect. The FBI identified approximately 1,200 targeted device models from Cisco, D-Link, Hikvision, MikroTik, Netgear, TP-Link, and Zyxel.

Beyond converting infected devices into proxy nodes, AVrecon can also update its own stored configuration, establish a remote shell directly to an attacker-controlled server, and act as a loader that downloads and executes entirely separate payloads onto the device.

Once inside a router, the malware beacons to its command-and-control server every 60 seconds using a PING/PONG communication loop. When the C2 has a command ready, it interrupts that loop to direct the infected router to open a traffic tunnel to a SocksEscort relay server.


The Persistence Problem

The persistence mechanism AVrecon uses on some device models makes remediation particularly difficult. On vulnerable targets, the attackers use the device’s own built-in firmware update feature to flash a custom firmware image that contains a hardcoded copy of AVrecon and silently disables the device’s future update and re-flashing functionality.

The FBI notes these devices are essentially permanently infected — a factory reset cannot help if the reset itself has been disabled, and an end-of-life device has no manufacturer patches to address the underlying vulnerability regardless.

On devices where firmware modification is not used, a simple power cycle can clear the infection. However, in at least one documented case, AVrecon C2 servers detected the loss of an infected device and automatically re-infected it using the same vulnerabilities exploited in the original compromise. This means rebooting alone does not guarantee lasting protection if the underlying vulnerability remains unpatched.

What SocksEscort Built and Sold

SocksEscort operated a commercial criminal service that sold paying customers the ability to tunnel their internet traffic through compromised home and small-office routers in 163 countries, including the United States. The tunneling protocol used — SOCKS — is a legitimate networking standard that proxies traffic through an intermediate host. In criminal use, it makes the attacker’s activity appear to originate from the victim’s home IP address rather than from any infrastructure that could be blocked or attributed.

The FBI estimates SocksEscort compromised and sold access to approximately 369,000 devices since 2020. The malware enabling all of this was AVrecon, written in the C programming language and designed to target devices running on MIPS and ARM architectures, the processor types that dominate the consumer router market.

What the Proxy Network Enabled

The FBI and partners observed SocksEscort’s infrastructure used to conduct ad fraud, attempt website vulnerability exploitation, password spraying, digital marketplace fraud, banking fraud, and romance fraud, among other malicious activity. By routing attacks through residential IP addresses, SocksEscort customers dramatically increased their chances of bypassing corporate security filters and block lists that flag traffic from known commercial or cloud hosting providers.

The FBI’s advisory specifically notes that while lateral movement into internal networks was not directly observed in the AVrecon case, malware targeting edge devices like routers is frequently used as a staging point for exactly that — moving from the compromised device into the broader corporate or home network it protects, potentially enabling data exfiltration or ransomware deployment.

Remediation for Network Defenders

The FBI recommends applying firmware updates to all SOHO routers and IoT devices immediately, as many do not apply patches automatically and require manual interaction with the device administration panel. Devices classified as End-of-Life that no longer receive security updates should be replaced entirely.

Remote administration features should be disabled or access-restricted via firewall rules, and all default passwords should be changed.

Network defenders should monitor for traffic to the C2 domains and IP addresses published in the advisory and watch for the malware filenames “x” (loader) and “dnssmasq” (malware) on network-connected devices.
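The two observable traits the article gives defenders to work with are the fixed 60-second PING/PONG beacon to the C2 (described under “How AVrecon Works”) and the filenames “x” and “dnssmasq”. The script below is an added example written for this article, not code from the FBI advisory or from TheCyberExpress: it groups constructed flow records by source, destination and port, flags any pair whose inter-arrival gaps cluster tightly around 60 seconds, cross-checks the destination against an indicator list, and separately flags the two filenames in a constructed file listing. The C2 addresses in `INDICATORS` and all flow records are placeholders; real indicators should be taken from the advisory.

```python
"""Detect AVrecon-style 60-second beaconing and the named dropper files.

Added example for the article above. All sample data is constructed and the
C2 indicators are placeholders (RFC 5737 documentation addresses), not the
values published in the FBI advisory.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Placeholder indicator list; substitute the domains/IPs from the advisory.
INDICATORS = {"203.0.113.10", "c2.example.invalid"}

# Filenames named in the advisory. Note: "dnsmasq" (single s) is the
# legitimate DNS forwarder shipped on most routers and must NOT be flagged.
MALWARE_FILENAMES = {"x", "dnssmasq"}

# Constructed flow records: (timestamp_seconds, src_ip, dst, dst_port).
SAMPLE_FLOWS = [
    # router beaconing every ~60 s to a placeholder C2 (the AVrecon pattern)
    (0, "192.168.1.1", "203.0.113.10", 443),
    (60, "192.168.1.1", "203.0.113.10", 443),
    (121, "192.168.1.1", "203.0.113.10", 443),
    (180, "192.168.1.1", "203.0.113.10", 443),
    (241, "192.168.1.1", "203.0.113.10", 443),
    (300, "192.168.1.1", "203.0.113.10", 443),
    (359, "192.168.1.1", "203.0.113.10", 443),
    # a laptop browsing at irregular intervals (benign)
    (5, "192.168.1.20", "198.51.100.5", 443),
    (17, "192.168.1.20", "198.51.100.5", 443),
    (100, "192.168.1.20", "198.51.100.5", 443),
    (230, "192.168.1.20", "198.51.100.5", 443),
    (290, "192.168.1.20", "198.51.100.5", 443),
    # too few samples to judge periodicity
    (10, "192.168.1.1", "198.51.100.7", 80),
    (11, "192.168.1.1", "198.51.100.7", 80),
]

# Constructed listing as a device shell might print it (path per line).
SAMPLE_LISTING = """/tmp/x
/usr/sbin/dnsmasq
/tmp/dnssmasq
/etc/passwd
"""


def find_beacons(flows, period=60.0, tolerance=5.0, min_count=5):
    """Return (src, dst, port) pairs whose gaps cluster around `period` s.

    A pair is reported when it has at least `min_count` flows, the mean gap
    is within `tolerance` of `period`, and the gap jitter (population std
    dev) is also within `tolerance`. Low jitter is what separates a
    machine-timed beacon from a human clicking around every minute or so.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, port in flows:
        by_pair[(src, dst, port)].append(ts)

    hits = []
    for (src, dst, port), times in by_pair.items():
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg, jitter = mean(gaps), pstdev(gaps)
        if abs(avg - period) <= tolerance and jitter <= tolerance:
            hits.append({
                "src": src, "dst": dst, "port": port,
                "count": len(times),
                "mean_gap": round(avg, 2), "jitter": round(jitter, 2),
                "known_indicator": dst in INDICATORS,
            })
    return hits


def find_malware_filenames(listing):
    """Return paths whose basename exactly matches a name from the advisory."""
    flagged = []
    for line in listing.splitlines():
        path = line.strip()
        if path and path.rsplit("/", 1)[-1] in MALWARE_FILENAMES:
            flagged.append(path)
    return flagged


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_FLOWS):
        print("beacon:", hit)
    for path in find_malware_filenames(SAMPLE_LISTING):
        print("suspicious file:", path)
```

On the constructed data the router's traffic to the placeholder C2 is the only pair reported (seven flows, mean gap just under 60 s, sub-second jitter), while the laptop's irregular browsing and the two-flow pair are ignored; the listing check flags `/tmp/x` and `/tmp/dnssmasq` but leaves the legitimate `/usr/sbin/dnsmasq` alone. The tolerance and minimum count are deliberately exposed as parameters because real flow exports have coarser timestamps than this sample.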
