In a coordinated effort, Lumen Technologies’ Black Lotus Labs, the U.S. Department of Justice (DOJ), the Federal Bureau of Investigation (FBI), and the Dutch National Police have dismantled a sophisticated criminal proxy network that has operated since 2004. The botnet, tracked by Black Lotus Labs for over a year, infected thousands of Internet of Things (IoT) and end-of-life (EoL) devices, creating a veil of anonymity for malicious actors engaging in activities such as ad fraud, DDoS attacks, brute-forcing, and data exploitation.

The botnet, powered by malware targeting unpatched IoT and small office/home office (SOHO) devices in residential IP space, maintained an average of 1,000 unique bots weekly, communicating with command-and-control (C2) servers located in Turkey. Its operators claimed a daily pool of 7,000 proxies, though Black Lotus Labs’ telemetry suggests a smaller but still highly effective network.

The botnet’s longevity and low detection rate (only 10% of its proxies were flagged by tools such as VirusTotal) stemmed from its focus on EoL devices, which no longer receive vendor support and cannot be patched. Black Lotus Labs highlighted the difficulty of detecting such traffic: because it originates from residential IP addresses, it blends in with legitimate residential activity. By exploiting known vulnerabilities rather than zero-day flaws, the operators kept bot lifecycles averaging over a week, ensuring stability and anonymity for the proxy service’s users.
This Cyber News was published on cybersecuritynews.com. Publication date: Sat, 10 May 2025 08:20:03 +0000