Thousands of Linux routers fortified against AVrecon malware, thwarting botnet formation

In a disconcerting revelation, cybersecurity researchers at Lumen Black Lotus Labs have uncovered a Linux-based Remote Access Trojan known as AVrecon. This insidious malware has surreptitiously infected a multitude of small-office/home-office (SOHO) routers over a span of more than two years, successfully building a botnet with significant potential for malicious activities. AVrecon operates by establishing residential proxy services through the compromised routers, concealing its nefarious operations, including password spraying, web-traffic proxying, and ad fraud. This article delves into the intricate details of this concerning malware and its implications for cybersecurity.

Unveiling AVrecon: The Linux Router Malware Establishing a Stealthy Botnet

The ominous presence of the AVrecon malware has cast a shadow over the realm of small-office/home-office (SOHO) routers. Over the course of more than two years, this malicious software has insidiously infected thousands of Linux-based routers, evading detection and amassing a formidable botnet. The scale and persistence of this multi-year campaign underscore the severe cybersecurity threat it poses.

The Scope of the AVrecon Malware Campaign

The AVrecon malware has primarily targeted SOHO routers, capitalizing on their compromised state to construct a substantial botnet. The aim is to create a network of compromised devices capable of executing malicious activities without raising alarm bells. The magnitude and longevity of this campaign are clear indicators of the significant danger it poses to cybersecurity.

Characteristics of Infected Routers

AVrecon is designed to target the ARM-embedded devices commonly found in SOHO routers. It is written in C, a portable programming language, which gives it the versatility to function across various devices. Upon infection, the malware executes a self-preservation mechanism: it scans the host machine for existing instances of itself and terminates them, thereby avoiding detection and removal.

AVrecon’s Functionality and Objectives

The primary objective of AVrecon is to exploit the infected routers for fraudulent activities, such as clicking on Facebook and Google ads and engaging with Microsoft Outlook. These actions likely serve a broader advertising fraud campaign. By leveraging the compromised machines, the perpetrators establish a residential proxy service that capitalizes on the victims’ bandwidth. Residential proxies, less conspicuous than commercially available VPN services, provide an ideal cover for executing malicious activities.

Secondary Activities: Password Spraying and Data Exfiltration

While AVrecon’s primary focus revolves around advertising fraud, evidence suggests the presence of secondary activities, including password spraying and data exfiltration. Password spraying involves systematic attempts to gain unauthorized access to user accounts by trying commonly used passwords. Data exfiltration refers to the extraction of sensitive information from compromised devices. These secondary activities highlight the extensive potential harm inflicted by AVrecon.

Laundering Malicious Activity Through Residential Proxy Services

The utilization of infected routers to establish residential proxy services allows the perpetrators to skillfully mask their malicious operations. By redirecting internet traffic through compromised devices, residential proxies make it exceedingly challenging to trace the origin of the traffic. This strategy enables the malefactors to launder their illicit actions, effectively evading detection and attribution.
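As an added illustration of the two preceding sections (not code from Lumen Black Lotus Labs or from the original article): a password spray routed through residential proxies arrives from many source addresses, so a per-IP failure count misses it, while counting distinct failing accounts per time window still catches it. The log events, thresholds and function names below are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def build_sample():
    """Constructed auth events: (timestamp, source IP, account, outcome)."""
    t0 = datetime(2023, 7, 1, 9, 0, 0)
    events = []
    # Spray pattern: 12 accounts, one attempt each, every attempt from a
    # different address (documentation range standing in for proxy exits).
    for i in range(12):
        events.append((t0 + timedelta(seconds=20 * i),
                       f"198.51.100.{10 + i}", f"user{i:02d}", "FAIL"))
    # Benign noise: one user mistypes a password three times, then logs in.
    for j in range(3):
        events.append((t0 + timedelta(minutes=30, seconds=10 * j),
                       "203.0.113.5", "alice", "FAIL"))
    events.append((t0 + timedelta(minutes=31), "203.0.113.5", "alice", "OK"))
    return events

def per_ip_alerts(events, max_accounts=5):
    """Classic rule: a single source failing against many accounts."""
    seen = defaultdict(set)
    for _, ip, acct, outcome in events:
        if outcome == "FAIL":
            seen[ip].add(acct)
    return sorted(ip for ip, accts in seen.items() if len(accts) > max_accounts)

def window_alerts(events, window=timedelta(minutes=10), max_accounts=8):
    """Source-agnostic rule: distinct failing accounts in a sliding window.

    Returns (timestamp, distinct accounts, distinct source IPs) for every
    event at which the window exceeds max_accounts (assumed threshold).
    """
    fails = sorted((ts, ip, acct) for ts, ip, acct, out in events if out == "FAIL")
    alerts, start = [], 0
    for end in range(len(fails)):
        # Drop events that have aged out of the window.
        while fails[end][0] - fails[start][0] > window:
            start += 1
        in_window = fails[start:end + 1]
        accounts = {acct for _, _, acct in in_window}
        sources = {ip for _, ip, _ in in_window}
        if len(accounts) > max_accounts:
            alerts.append((fails[end][0], len(accounts), len(sources)))
    return alerts

if __name__ == "__main__":
    sample = build_sample()
    print("per-IP rule:", per_ip_alerts(sample))
    print("window rule:", window_alerts(sample))
```

A high ratio of distinct sources to distinct accounts in the window output is the signature of proxied spraying; the repeated failures for a single account never trip either rule.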

Minimal Impact on End Users

Unlike resource-intensive activities such as crypto-mining, AVrecon’s operations have minimal impact on end users. By primarily utilizing victims’ bandwidth, the malware ensures that the daily internet usage of affected individuals remains largely unaffected. The inconspicuous nature of this low impact reduces the likelihood of users reporting abuse complaints commonly associated with brute-forcing and DDoS-based botnets.

Practicing Good Internet Hygiene for Prevention

Preventing AVrecon infections and similar threats necessitates the adoption of good internet hygiene practices. Regularly rebooting routers and promptly applying firmware updates are critical steps in maintaining the security of these devices. Additionally, users should adhere to recommended security measures, such as using strong, unique passwords and implementing network segmentation.



Q: How long has AVrecon been infecting routers?

A: AVrecon has been infecting routers for over two years, as revealed by security researchers at Lumen Black Lotus Labs.

Q: What are the primary activities performed by AVrecon-infected routers?

A: AVrecon-infected routers primarily engage in fraudulent activities, such as clicking on Facebook and Google ads and interacting with Microsoft Outlook, likely for advertising fraud purposes.

Q: Can AVrecon be detected by antivirus software?

A: AVrecon has managed to remain virtually undetected for an extended period. Its sophisticated design and functionality make it challenging to identify using traditional antivirus solutions.

Q: How can users protect their routers from AVrecon infections?

A: To prevent AVrecon infections, users should prioritize good internet hygiene practices. These include regular router reboots, timely firmware updates, and the use of strong, unique passwords.

Q: What is the purpose of creating a residential proxy service with infected routers?

A: The creators of AVrecon aim to obfuscate their malicious activities by utilizing the victims’ bandwidth to establish a residential proxy service. Residential proxies are less likely to attract attention compared to commercially available VPN services, making them an ideal cover for illicit actions.

Q: Are end users directly affected by AVrecon’s activities?

A: AVrecon’s activities have minimal impact on end users. By primarily utilizing their bandwidth, the malware ensures that their internet experience remains largely unaffected.


The discovery of AVrecon sheds light on the severe threat posed to small-office/home-office (SOHO) routers. With thousands of routers infected and the potential for large-scale malicious activities, it is paramount for users to prioritize internet hygiene. Regular router reboots, firmware updates, and the implementation of robust security measures are essential for safeguarding against AVrecon and similar threats. By staying vigilant and taking proactive measures, users can mitigate the risk posed by this stealthy Linux router malware.

