There is a big incentive for both espionage-motivated and financially motivated actors to set up proxy botnets. These can serve as an anonymization layer that provides plausibly geolocated IP addresses for scraping website content, accessing stolen or compromised online assets, and launching cyber-attacks.
Examples of proxy botnets set up by advanced persistent threat (APT) actors are the VPNFilter botnet and Cyclops Blink, both deployed by Sandworm and disrupted by the Federal Bureau of Investigation (FBI) in 2018 and 2022, respectively. Another example is the SOHO botnet alleged to be operated by a Chinese company called the Beijing Integrity Technology Group; this botnet was disrupted in September 2024 by the FBI.
Source: Trend Micro
