Thu Nov 21 2024

Dismantling a Dangerous Global Botnet Feeding Residential Proxies.

Lumen and its partners suspend the operations of the NSOCKS proxy.

Security researchers from Black Lotus, a division of Lumen, have conducted an investigation into the ngioweb botnet for over a year, resulting in a significant disruption of this malicious infrastructure. After identifying both the infrastructure and the related traffic, the company began blocking the data flow associated with the botnet.

First detected in mid-2023, the ngioweb botnet made use of over 35,000 compromised devices daily, spread across 180 countries. These devices were primarily used to operate the NSOCKS proxy service. According to Black Lotus, this proxy service, which it describes as a "notorious" criminal service, is linked to a threat actor known as Muddled Libra. There are also indications that it has been used by state actors, such as APT28 (also known as FancyBear), a recognized threat group from Russia.

According to the researchers, approximately 80% of the NSOCKS bots in their telemetry come from the ngioweb botnet, which often exploits small office routers and IoT devices. Two-thirds of these proxies are located in the United States.

A proxy service lets malicious actors carry out various campaigns while concealing their true identity and location, using the “proxy” as an intermediary. Beyond this function, the ngioweb botnet also had the capability to perform Distributed Denial of Service (DDoS) attacks.

Lumen dedicated a year to analyzing the botnet and its operations. While there was no precise determination of how the hardware was compromised, it is speculated that it may have occurred through various known vulnerabilities.

As a result, at the time of publication, both the NSOCKS proxy service and the ngioweb botnet are being seriously impacted by the actions of Lumen and its allies, who have uncovered both the architecture and the traffic of the botnet.