AVrecon Malware-Infected Routers Exploited as Residential Proxies by SocksEscort

    Date: 03/24/2026

    Severity: High

    Summary

    AVrecon malware has been used to compromise routers and IoT devices in more than 160 countries and turn them into residential proxies. Access to the infected devices was sold through the SocksEscort proxy service, which has offered hundreds of thousands of compromised endpoints since 2020. A coordinated international law enforcement operation has since disrupted the service, curbing the large-scale abuse of compromised devices as proxy infrastructure for cybercrime. Because the proxied traffic exits from ordinary home and small-office connections, it is hard to tell apart from legitimate users downstream; the indicators below are the domains, IP addresses and file hashes associated with the malware and its infrastructure, and a hit from a router or IoT device should be treated as evidence that the device itself is compromised.

    Indicators of Compromise (IOC) List

    URLs/Domains

    advstat.cc

    meterstrack.cc

    startsun.cc

    backdump.cc

    netjunk.cc

    zeroback2.cc

    critlan.cc

    plxz.cc

    zeroback3.cc

    zeroback4.cc

    atable.cc

    cleandone.cc

    evrc.space

    lups.cc

    dzero.cc

    r0ck.online

    regul.cc

    fpride.cc

    vdem.cc

    utcp.cc

    zerophone.cc

    zeroback.cc

    zorc.cc

    lumi/config.php

    lumi/test.php

    lumi/ping.php

    lumi/track.php

    lumi/pride.php

    IP Address

    188.138.125.163

    176.120.22.67

    185.163.204.198

    62.138.0.10

    85.25.100.30

    62.138.14.209

    91.245.255.112

    62.138.0.211

    175.110.114.65

    188.116.22.153

    213.202.230.95

    38.180.91.47

    77.246.106.198

    45.137.213.88

    91.215.85.178

    37.77.150.19

    185.162.128.133

    37.77.150.77

    5.149.254.109

    5.149.250.54

    79.141.160.92

    5.149.250.171

    212.118.38.30

    Hash

    007fe05132e429ff57393163354f4c90

    5f6f52fd4ece5918ee7979036a49bca3

    232fdd85e07f74ea232cadafdb095d31

    6e9540f68507580a3f495e9ff58dbd4e

    3f83790a150a6bf71b908289fd230014

    7fe57eca60841291cdd8ef1bb5c27de9

    4651d6a90d24cf57c83a76ab160abf85

    9f2df912212f67adcb64dbae8bfa2ca9

    53f02fdf9c375c1837a31edf68694380

    444138b1d805808a06c4b908c7b73d96

    0a4e197044ad59116f0a1c2776125065

    48374bfb610280c48086817cfb2bb310

    006cc428088ea3766c094b421bf8e77f

    48ef5c2a62d1ae95ea37d165e8a1be26

    fb9d610a2b535dde194c05c099f0b307

    4943e8c2a29ad616ec12cd7a507c612c

    5aed40bccde5a7646c6fea17f7dd2083

    4a884070ea340d89756be6575676ce85

    8fc84a03b66ceccd394c6a754bb513a6

    4d63235fdd3e0ace207d8fdbe19d63e0

    0c5e43e51d3c2a00f4ac1b517891872d

    53437d28fdf92c09821f56140c67aaca

    a3e31f70b7a6abf3de15ca6646d16bfe

    6501a2d2ed60b85b1080ac9edaf39b70

    efb8b73d59a805e1fd9ebf0d3540b0e8

    06d491b70f369b2672fce5a7b59a5c93

    bf0183b2d18341c47576ba8e0d36fdff

    126b1c224e8635d9571f9d769d7b55e2

    22c5849855878f331d7bbf07e7ec7e41

    1c8c17ef978bd4f03db672c0b2d51d00

    f74c8bd1701746cce8b4bad819cdd148

    1f970f5eb9cbef8dba11e2aed72373ba

    f774fcbf889a8a629004f31e8b962b63

    2a646682ee7f0f853605c78bb9126ed5

    ffaa0890eb9a38307477157c02f63583

    327c1ca93321705027e0bf47658b5f53

    f81b9fceea2056ba2c3f261b56f577b1

    32f1f238da09f1ebc1385317d50e94b4

    8dcaf0e2a0baf54e65f46689b2a845ef

    3bfc273e5592825443ded9c28f50cd5d

    3ed1a6d57f00c1643cc85e049c82d1b4

    d5d63db439bb1dba080ab27555b03a2a

    667ae41f4a6201071b8cc3f88e3e02c7

    de86b12800919ce8b213b51354d28ab8

    6a389a89a6da7433210d9a52fc72589c

    ef7f3f7cb4f3f1a90a2028d44c4fe702

    6a6619b4b9a53233ca0a56606c484f9a

    f0d1852065c498c3bdaec3de8e6cd626

    6ec7063f03f95499b6c1821f90bda7e6

    f143b44d3b8d835c09bf2c346d90ec22

    70c2317f40de5b28f42d640488910140

    f3cf4a369e5fb451db250c31776ba84e

    74e5514cdd3ef6f703483700f04b5812

    c32ac3f6cba0772de7737da60f9170c0

    7d4c60c77a7d74cc3d9af4dabbecdbb8

    c53397dc47ddc38a8c6daa3a02116518

    8a978017496adb02eb368f3b28bc4ccd

    bb5e9faa666e6d96eb95e358524213b6

    8ad3f40fd8fcf2c7ee04d1219017cfe3

    bd24f43084b33f13a835f661bf48b5e2

    bd4a12d4de4e42c4d9246aa92ddb86b8

    920534d235204ced7ad2c76c1af7b3f8

    9dfba3b92850a74135925e524e7b4748

    963354b60552af16408cf4d82a827832

    b1a32a442cdb34901f1f7ffbe47749f0

    9752ac893640a027bea5a6df48ceb396

    b5ad7f7e10f5d0401a2ad6b737724ff6

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1 :

    domainname like "advstat.cc" or siteurl like "advstat.cc" or url like "advstat.cc" or domainname like "startsun.cc" or siteurl like "startsun.cc" or url like "startsun.cc" or domainname like "utcp.cc" or siteurl like "utcp.cc" or url like "utcp.cc" or domainname like "zeroback4.cc" or siteurl like "zeroback4.cc" or url like "zeroback4.cc" or domainname like "zeroback2.cc" or siteurl like "zeroback2.cc" or url like "zeroback2.cc" or domainname like "atable.cc" or siteurl like "atable.cc" or url like "atable.cc" or domainname like "regul.cc" or siteurl like "regul.cc" or url like "regul.cc" or domainname like "zeroback.cc" or siteurl like "zeroback.cc" or url like "zeroback.cc" or domainname like "plxz.cc" or siteurl like "plxz.cc" or url like "plxz.cc" or domainname like "fpride.cc" or siteurl like "fpride.cc" or url like "fpride.cc" or domainname like "backdump.cc" or siteurl like "backdump.cc" or url like "backdump.cc" or domainname like "dzero.cc" or siteurl like "dzero.cc" or url like "dzero.cc" or domainname like "zorc.cc" or siteurl like "zorc.cc" or url like "zorc.cc" or domainname like "zerophone.cc" or siteurl like "zerophone.cc" or url like "zerophone.cc" or domainname like "zeroback3.cc" or siteurl like "zeroback3.cc" or url like "zeroback3.cc" or domainname like "meterstrack.cc" or siteurl like "meterstrack.cc" or url like "meterstrack.cc" or domainname like "critlan.cc" or siteurl like "critlan.cc" or url like "critlan.cc" or domainname like "vdem.cc" or siteurl like "vdem.cc" or url like "vdem.cc" or domainname like "cleandone.cc" or siteurl like "cleandone.cc" or url like "cleandone.cc" or domainname like "netjunk.cc" or siteurl like "netjunk.cc" or url like "netjunk.cc" or domainname like "lups.cc" or siteurl like "lups.cc" or url like "lups.cc" or domainname like "evrc.space" or siteurl like "evrc.space" or url like "evrc.space" or domainname like "r0ck.online" or siteurl like "r0ck.online" or url like "r0ck.online" or domainname like "lumi/config.php" or siteurl like "lumi/config.php" or url like "lumi/config.php" or domainname like "lumi/test.php" or siteurl like "lumi/test.php" or url like "lumi/test.php" or domainname like "lumi/ping.php" or siteurl like "lumi/ping.php" or url like "lumi/ping.php" or domainname like "lumi/track.php" or siteurl like "lumi/track.php" or url like "lumi/track.php" or domainname like "lumi/pride.php" or siteurl like "lumi/pride.php" or url like "lumi/pride.php"

    Detection Query 2 :

    dstipaddress IN ("176.120.22.67","188.116.22.153","37.77.150.77","185.162.128.133","37.77.150.19","45.137.213.88","79.141.160.92","62.138.0.10","5.149.254.109","188.138.125.163","175.110.114.65","5.149.250.54","85.25.100.30","213.202.230.95","5.149.250.171","62.138.14.209","185.163.204.198","91.245.255.112","38.180.91.47","77.246.106.198","62.138.0.211","212.118.38.30","91.215.85.178") or srcipaddress IN ("176.120.22.67","188.116.22.153","37.77.150.77","185.162.128.133","37.77.150.19","45.137.213.88","79.141.160.92","62.138.0.10","5.149.254.109","188.138.125.163","175.110.114.65","5.149.250.54","85.25.100.30","213.202.230.95","5.149.250.171","62.138.14.209","185.163.204.198","91.245.255.112","38.180.91.47","77.246.106.198","62.138.0.211","212.118.38.30","91.215.85.178")

    Detection Query 3 :

    md5hash IN ("f81b9fceea2056ba2c3f261b56f577b1","8dcaf0e2a0baf54e65f46689b2a845ef","3ed1a6d57f00c1643cc85e049c82d1b4","8fc84a03b66ceccd394c6a754bb513a6","0c5e43e51d3c2a00f4ac1b517891872d","006cc428088ea3766c094b421bf8e77f","007fe05132e429ff57393163354f4c90","5f6f52fd4ece5918ee7979036a49bca3","232fdd85e07f74ea232cadafdb095d31","6e9540f68507580a3f495e9ff58dbd4e","3f83790a150a6bf71b908289fd230014","7fe57eca60841291cdd8ef1bb5c27de9","4651d6a90d24cf57c83a76ab160abf85","9f2df912212f67adcb64dbae8bfa2ca9","53f02fdf9c375c1837a31edf68694380","444138b1d805808a06c4b908c7b73d96","0a4e197044ad59116f0a1c2776125065","48374bfb610280c48086817cfb2bb310","48ef5c2a62d1ae95ea37d165e8a1be26","fb9d610a2b535dde194c05c099f0b307","4943e8c2a29ad616ec12cd7a507c612c","5aed40bccde5a7646c6fea17f7dd2083","4a884070ea340d89756be6575676ce85","4d63235fdd3e0ace207d8fdbe19d63e0","53437d28fdf92c09821f56140c67aaca","a3e31f70b7a6abf3de15ca6646d16bfe","6501a2d2ed60b85b1080ac9edaf39b70","efb8b73d59a805e1fd9ebf0d3540b0e8","06d491b70f369b2672fce5a7b59a5c93","bf0183b2d18341c47576ba8e0d36fdff","126b1c224e8635d9571f9d769d7b55e2","22c5849855878f331d7bbf07e7ec7e41","1c8c17ef978bd4f03db672c0b2d51d00","f74c8bd1701746cce8b4bad819cdd148","1f970f5eb9cbef8dba11e2aed72373ba","f774fcbf889a8a629004f31e8b962b63","2a646682ee7f0f853605c78bb9126ed5","ffaa0890eb9a38307477157c02f63583","327c1ca93321705027e0bf47658b5f53","32f1f238da09f1ebc1385317d50e94b4","3bfc273e5592825443ded9c28f50cd5d","d5d63db439bb1dba080ab27555b03a2a","667ae41f4a6201071b8cc3f88e3e02c7","de86b12800919ce8b213b51354d28ab8","6a389a89a6da7433210d9a52fc72589c","ef7f3f7cb4f3f1a90a2028d44c4fe702","6a6619b4b9a53233ca0a56606c484f9a","f0d1852065c498c3bdaec3de8e6cd626","6ec7063f03f95499b6c1821f90bda7e6","f143b44d3b8d835c09bf2c346d90ec22","70c2317f40de5b28f42d640488910140","f3cf4a369e5fb451db250c31776ba84e","74e5514cdd3ef6f703483700f04b5812","c32ac3f6cba0772de7737da60f9170c0","7d4c60c77a7d74cc3d9af4dabbecdbb8","c53397dc47ddc38a8c6daa3a02116518","8a978017496adb02eb368f3b28bc4ccd","bb5e9faa666e6d96eb95e358524213b6","8ad3f40fd8fcf2c7ee04d1219017cfe3","bd24f43084b33f13a835f661bf48b5e2","bd4a12d4de4e42c4d9246aa92ddb86b8","920534d235204ced7ad2c76c1af7b3f8","9dfba3b92850a74135925e524e7b4748","963354b60552af16408cf4d82a827832","b1a32a442cdb34901f1f7ffbe47749f0","9752ac893640a027bea5a6df48ceb396","b5ad7f7e10f5d0401a2ad6b737724ff6")
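    The three queries above encode the IOCs as field-by-field like/IN tests. Two points to check before deploying them: the lumi/*.php entries are URL paths, so the domainname clauses for them can never fire, and if like is evaluated as a substring test, short names such as lups.cc or utcp.cc will also match unrelated hostnames that merely contain them. The Python script below is an added example, not part of this advisory or of Gurucul's product. It runs the same IOC logic over constructed log records with boundary-aware domain matching (a subdomain of an IOC fires, a hostname that only contains the string does not), path matching restricted to the URL path, and case-normalised IP and MD5 comparison, and it reports which IOC fired so a hit is auditable. The IOC sets are a subset of those listed above, the record field names mirror the query fields, and the sample records are made up.

```python
"""Match log records against the AVrecon IOCs (added example, not from the advisory).

Demonstrates boundary-aware domain matching, URL-path matching and exact IP/MD5
matching over constructed records. IOC sets are a subset of the page's lists.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Subset of the page's IOCs; extend with the full lists for production use.
IOC_DOMAINS = {"advstat.cc", "meterstrack.cc", "startsun.cc", "lups.cc",
               "zeroback.cc", "evrc.space", "r0ck.online"}
IOC_PATHS = {"lumi/config.php", "lumi/test.php", "lumi/ping.php",
             "lumi/track.php", "lumi/pride.php"}
IOC_IPS = {"188.138.125.163", "176.120.22.67", "185.163.204.198", "62.138.0.10"}
IOC_MD5 = {"007fe05132e429ff57393163354f4c90", "5f6f52fd4ece5918ee7979036a49bca3",
           "8fc84a03b66ceccd394c6a754bb513a6"}
MD5_RE = re.compile(r"^[0-9a-f]{32}$")


def split_host_path(value):
    """Lowercase hostname and path from a full URL or a bare 'host/path' value."""
    v = value.strip().lower()
    if "://" in v:
        parts = urlsplit(v)
        return (parts.hostname or "").rstrip("."), parts.path
    host, _, rest = v.partition("/")
    return host.rstrip("."), ("/" + rest if rest else "")


def domain_hit(value):
    """Exact-or-subdomain match: cdn.advstat.cc fires, tulips.cc does not."""
    host, _ = split_host_path(value)
    labels = host.split(".")
    for i in range(len(labels)):          # walk the suffixes on label boundaries
        suffix = ".".join(labels[i:])
        if suffix in IOC_DOMAINS:
            return suffix
    return None


def path_hit(value):
    """Match the lumi/*.php paths against the URL path only, never the host."""
    _, path = split_host_path(value)
    for p in IOC_PATHS:
        if path == "/" + p or path.endswith("/" + p):
            return p
    return None


def ip_hit(value):
    """Canonicalise the address before comparing (rejects malformed values)."""
    try:
        ip = str(ipaddress.ip_address(value.strip()))
    except ValueError:
        return None
    return ip if ip in IOC_IPS else None


def hash_hit(value):
    """MD5 comparison is case-insensitive; reject non-MD5 strings outright."""
    h = value.strip().lower()
    return h if MD5_RE.match(h) and h in IOC_MD5 else None


# Which record fields feed which matcher; names mirror the query fields above.
FIELD_MATCHERS = {
    "domainname": (domain_hit,),
    "siteurl": (domain_hit, path_hit),
    "url": (domain_hit, path_hit),
    "dstipaddress": (ip_hit,),
    "srcipaddress": (ip_hit,),
    "md5hash": (hash_hit,),
}


def match_record(record):
    """Return (field, matcher, ioc) for every IOC that fires on this record."""
    hits = []
    for field, matchers in FIELD_MATCHERS.items():
        value = record.get(field)
        if not value:
            continue
        for m in matchers:
            ioc = m(value)
            if ioc:
                hits.append((field, m.__name__, ioc))
    return hits


# Constructed sample records (not real telemetry).
SAMPLE_RECORDS = [
    {"domainname": "cdn.advstat.cc", "dstipaddress": "1.2.3.4"},   # subdomain of an IOC
    {"domainname": "tulips.cc"},                                   # substring near-miss
    {"url": "http://example.org/lumi/ping.php?id=7"},              # IOC path on another host
    {"srcipaddress": "176.120.22.67",
     "md5hash": "8FC84A03B66CECCD394C6A754BB513A6"},               # upper-case hash
    {"url": "https://evrc.space.attacker.example/"},               # IOC as a label, not suffix
]


def scan(records=SAMPLE_RECORDS):
    """Evaluate every record; returns one hit list per record."""
    return [match_record(r) for r in records]


if __name__ == "__main__":
    for rec, hits in zip(SAMPLE_RECORDS, scan()):
        print(rec, "->", hits or "no match")
```

    Records 2 and 5 show why label-boundary matching matters: tulips.cc and evrc.space.attacker.example contain IOC strings but are not the IOC domains, and a substring like would alert on both.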

    Reference:

    https://www.ic3.gov/CSA/2026/260312.pdf


    Tags

    MalwareRouterExploit
