20-Year-Old Proxy Botnet Network Dismantled; It Exploited 1,000 Unique Unpatched Devices Weekly

In a coordinated effort, Lumen Technologies’ Black Lotus Labs, the U.S. Department of Justice (DOJ), the Federal Bureau of Investigation (FBI), and the Dutch National Police have dismantled a sophisticated criminal proxy network that has operated since 2004.

Proxy network homepage

The botnet, tracked by Black Lotus Labs for over a year, infected thousands of Internet of Things (IoT) and end-of-life (EoL) devices, creating a veil of anonymity for malicious actors engaging in activities such as ad fraud, DDoS attacks, brute-forcing, and data exploitation.

Botnet Operations and Infrastructure

The botnet, powered by malware targeting unpatched IoT and small office/home office (SOHO) devices in residential IP spaces, maintained an average of 1,000 unique bots weekly, communicating with command-and-control (C2) servers located in Turkey.

Command and control infrastructure

Over 50% of the infected devices were in the United States, with Canada and Ecuador following as significant infection hubs. The botnet’s operators claimed a daily pool of 7,000 proxies, though Black Lotus Labs’ telemetry suggests a smaller but highly effective network.

The C2 infrastructure comprised five servers, four of which used HTTP port 80 for victim communication, while one leveraged UDP port 1443 for data collection.

The botnet’s longevity and low detection rate (only 10% of its proxies were flagged by tools such as VirusTotal) stemmed from its focus on EoL devices, which lack vendor support and cannot be patched.

By exploiting known vulnerabilities rather than zero-day flaws, the operators maintained bot lifecycles averaging over a week, ensuring stability and anonymity for users.

The Lumen report notes “a wide variety of infected IoT device types, indicating this botnet is likely using several exploits to obtain new victims, though we do not assess the operators are using zero or one-day vulnerabilities at this time.”

Proxy-as-a-Service Model

The proxy service operated on a “rent-a-proxy” model, accepting cryptocurrency payments and providing users with IP addresses and ports valid for 24 hours.

Notably, the service required no authentication, allowing unrestricted access to proxies once discovered, a tactic reminiscent of other botnets like NSOCKS and Faceless.

This open-access policy amplified the botnet’s threat, enabling a wide range of malicious actors to exploit it for free. The operators also performed deny-list checks, ensuring proxies evaded common monitoring tools, further complicating detection.

Lumen disrupted the botnet by null-routing all traffic to and from its C2 servers across its global backbone, effectively dismantling the known infrastructure.

The operation was supported by intelligence from Spur and built on earlier findings from CERT Orange Polska’s 2023 report. Black Lotus Labs has published indicators of compromise (IoCs) and C2 details on its GitHub page to aid defenders.

Proxy botnets exploiting residential IPs remain a persistent threat, particularly as EoL devices and IoT adoption grow.

Black Lotus Labs highlighted the challenge of detecting such traffic, which blends seamlessly with legitimate residential activity. The firm recommends that corporate defenders monitor for suspicious login attempts, block known proxy IPs, and deploy advanced countermeasures.
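As an added example (not code from the Lumen report or this article), the following Python sketch applies the advice above to constructed flow and authentication log lines: it matches destinations against a placeholder C2 indicator set (the real IoCs are published on the Black Lotus Labs GitHub page), flags UDP/1443 egress as a heuristic for the collection channel described earlier, and flags login attempts that come from known proxy exits or that pile up failures. The log formats, indicator values and failure threshold are assumptions.

```python
import re
from collections import Counter

# Constructed placeholder indicators (RFC 5737 documentation ranges). The real C2
# and proxy IoCs are on the Black Lotus Labs GitHub page and are not copied here.
C2_INDICATORS = {("198.51.100.10", "tcp", 80), ("198.51.100.11", "udp", 1443)}
KNOWN_PROXY_IPS = {"203.0.113.5", "203.0.113.77"}
FLOW_RE = re.compile(r"src=(\S+) dst=(\S+) proto=(tcp|udp) dport=(\d+)")
AUTH_RE = re.compile(r"auth (failed|ok) user=(\S+) from=(\S+)")

def flag_c2_flows(lines):
    """Return flows whose destination matches a C2 indicator, plus any UDP/1443
    egress (the collection port the report describes; heuristic, so review hits)."""
    hits = []
    for line in lines:
        m = FLOW_RE.search(line)
        if not m:
            continue
        src, dst, proto, dport = m.group(1), m.group(2), m.group(3), int(m.group(4))
        if (dst, proto, dport) in C2_INDICATORS or (proto == "udp" and dport == 1443):
            hits.append((src, dst, proto, dport))
    return hits

def flag_proxy_logins(lines, fail_threshold=3):
    """Flag login sources that are known proxy exits, or that accumulate failures
    (brute-forcing through rented proxies is one abuse the report names)."""
    failures = Counter()
    from_proxy = set()
    for line in lines:
        m = AUTH_RE.search(line)
        if not m:
            continue
        result, _user, src = m.groups()
        if src in KNOWN_PROXY_IPS:
            from_proxy.add(src)
        if result == "failed":
            failures[src] += 1
    brute = {ip for ip, n in failures.items() if n >= fail_threshold}
    return {"known_proxy": sorted(from_proxy), "brute_force": sorted(brute)}

# Constructed sample logs: an IoT-segment host beaconing to C2, plus login attempts.
FLOW_SAMPLE = [
    "src=10.0.5.21 dst=198.51.100.10 proto=tcp dport=80",
    "src=10.0.5.21 dst=198.51.100.11 proto=udp dport=1443",
    "src=10.0.5.30 dst=192.0.2.9 proto=tcp dport=443",
]
AUTH_SAMPLE = [
    "auth failed user=admin from=203.0.113.5",
    "auth failed user=admin from=192.0.2.200",
    "auth failed user=root from=192.0.2.200",
    "auth failed user=guest from=192.0.2.200",
]
```

Running `flag_c2_flows(FLOW_SAMPLE)` returns the two beacon flows from 10.0.5.21, and `flag_proxy_logins(AUTH_SAMPLE)` reports 203.0.113.5 as a known proxy exit and 192.0.2.200 as a brute-force source.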

For consumers, best practices include rebooting routers, applying security updates, replacing EoL devices, and securing management interfaces.


Lumen commended the FBI and Dutch National Police for their roles in the takedown and emphasized ongoing collaboration with law enforcement to target similar networks.

Balaji N
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.