Security firms are dismantling the Ngioweb botnet, a major supplier to the NSOCKS proxy service that has provided more than 35,000 proxies used by cybercriminals and nation-state actors. The takedown follows more than a year of investigation into the botnet's architecture and operations.
First identified in 2017, Ngioweb has since late 2022 been supplying residential proxies to both financially motivated groups and advanced persistent threats (APTs). Notable users of the service include Muddled Libra, tied to the Scattered Spider cybercrime gang, and Pawn Storm (APT28), a group linked to Russia's GRU. A Chinese-affiliated group, Water Barghest, was also observed using the botnet's proxies.
According to Lumen's Black Lotus Labs, Ngioweb powers at least 80% of the proxies on NSOCKS[.]net, spanning 180 countries. The botnet relies on a 'loader' network that redirects newly infected devices to command-and-control (C2) servers, from which the devices fetch and execute the Ngioweb malware.
In the initial infection stage, the threat actor uses approximately 15 exploits for publicly known (n-day) vulnerabilities; beyond that, the researchers could not determine exactly how each device is first reached.
Compromised devices use a domain generation algorithm (DGA) to locate the management C2 domains. These servers assess each device's capabilities and then connect it to NSOCKS' backconnect infrastructure.
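The mechanism described above, as an added illustration that is not part of the original report and is not Ngioweb's own code: a bot and its operator derive the same list of rendezvous domains from a shared seed and the current date, the bot walks the list until one resolves, and a defender flags queries for such names in resolver logs. The seed, alphabet, hashing scheme, log format and the thresholds in `is_dga_like` are all hypothetical; the page does not describe Ngioweb's actual DGA.

```python
import hashlib
import math
from collections import Counter
from typing import List, Optional, Set

# Constructed example. The seed, alphabet and hashing scheme are hypothetical;
# this is a generic date-seeded DGA, not the one Ngioweb uses.
SEED = b"example-campaign-seed"          # hypothetical secret shared by bot and operator
ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"
TLDS = ("com", "net", "org")


def dga_domains(day_iso: str, count: int = 5, seed: bytes = SEED) -> List[str]:
    """Derive the candidate C2 domains for a day given as 'YYYY-MM-DD'.
    Bot and operator compute the same list from the same seed and date,
    so no C2 hostname has to be hard-coded in the malware."""
    domains = []
    for i in range(count):
        digest = hashlib.sha256(seed + day_iso.encode() + bytes([i])).digest()
        label = "".join(ALPHABET[b % len(ALPHABET)] for b in digest[:12])
        domains.append(f"{label}.{TLDS[digest[12] % len(TLDS)]}")
    return domains


def first_live(candidates: List[str], registered: Set[str]) -> Optional[str]:
    """Bot-side rendezvous: try the day's candidates in order and stop at the
    first one the operator actually registered. `registered` stands in for a
    DNS lookup so the example runs offline."""
    for name in candidates:
        if name in registered:
            return name
    return None


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character of `text`."""
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def is_dga_like(fqdn: str, min_len: int = 10, entropy_threshold: float = 3.3,
                max_vowel_ratio: float = 0.35) -> bool:
    """Detection heuristic on the registrable label: long, high-entropy, few vowels.
    Thresholds are illustrative; tune them against your own traffic."""
    labels = fqdn.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return False
    sld = labels[-2]
    if len(sld) < min_len:
        return False
    vowels = sum(ch in "aeiou" for ch in sld)
    return shannon_entropy(sld) >= entropy_threshold and vowels / len(sld) < max_vowel_ratio


def flag_dga_queries(log_lines: List[str]) -> List[str]:
    """Return the distinct queried names that look algorithmically generated.
    Constructed line format: '<timestamp> <client-ip> query <qtype> <qname>'."""
    flagged: List[str] = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 5 or parts[2] != "query":
            continue
        qname = parts[4]
        if is_dga_like(qname) and qname not in flagged:
            flagged.append(qname)
    return flagged


# Constructed resolver log; 192.0.2.0/24 is a documentation range.
SAMPLE_LOG = [
    "2024-11-19T10:01:02Z 192.0.2.10 query A www.example.com",
    "2024-11-19T10:01:03Z 192.0.2.10 query A x4q9zk2wvm7tp3rb.net",
    "2024-11-19T10:01:04Z 192.0.2.11 query AAAA mail.example.org",
    "2024-11-19T10:01:05Z 192.0.2.12 query A ky7m2qzw9vxt4pnr.com",
    "2024-11-19T10:01:06Z 192.0.2.12 query A x4q9zk2wvm7tp3rb.net",
]

if __name__ == "__main__":
    candidates = dga_domains("2024-11-19")
    operator_registered = {candidates[2]}          # operator only pays for one of them
    print("candidates:", candidates)
    print("bot rendezvous:", first_live(candidates, operator_registered))
    print("flagged in log:", flag_dga_queries(SAMPLE_LOG))
```

The entropy and vowel heuristic is a first-pass filter, not a verdict: short or dictionary-based DGAs slip under it and long CDN or tracking hostnames can trip it, so in practice it is combined with NXDOMAIN-rate counting per client and newly-registered-domain lookups. Because the seed is all the bot needs, recovering it from a sample lets a defender or registrar pre-compute and sinkhole the upcoming domains, which is the usual path to disrupting a DGA-based botnet.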
Ngioweb targets outdated or vulnerable web application libraries running on devices from vendors such as Zyxel, Reolink, and Alpha Technologies.
The researchers noted that Ngioweb's operators failed to secure their own botnet effectively. Black Lotus Labs found that the NSOCKS[.]net service's proxies lack authentication, so actors who never paid for access can route traffic through them as well.