A stealthy Linux malware called AVrecon has been infecting over 70,000 small office/home office (SOHO) routers, creating a botnet primarily aimed at stealing bandwidth and operating as a hidden residential proxy service.
This malicious activity enables various criminal actions, including digital advertising fraud and password spraying. Despite its large scale, AVrecon has managed to evade detection since May 2021, making it one of the most significant botnets targeting SOHO routers to date.
AVrecon, identified as a remote access trojan (RAT), has compromised over 70,000 Linux-based SOHO routers, and the malware bypassed security detection for more than two years. At that time, it had enrolled only 40,000 devices into the botnet.
According to The Hacker News, the threat actors behind AVrecon likely focused on exploiting known vulnerabilities (tracked as CVEs) in SOHO devices that users were unlikely to patch. This approach allowed the botnet to operate stealthily without causing noticeable disruptions or bandwidth loss for the owners of infected devices.