
FBI Warns AVrecon Malware is Hijacking Home Routers and Turning them into Spy Networks

By: Jordan Vector Cybersecurity Expert

Last updated: April 1, 2026

  • The FBI has issued a FLASH alert warning that AVrecon malware is silently compromising small office and home routers across the globe, turning infected devices into residential proxy infrastructure for cybercriminals.

  • The SocksEscort network deploys AVrecon to target approximately 1,200 device models from major brands including Cisco, D-Link, Hikvision, Netgear, TP-Link, and Zyxel.

  • Many of the targeted devices are end-of-life, meaning manufacturers no longer push security updates, leaving millions of users dangerously exposed with no automatic fix coming.

Your home router may already be working against you. The FBI has released an urgent FLASH alert revealing that AVrecon malware is actively hijacking small office and home office routers and IoT devices at scale.

The SocksEscort operation drives the campaign, using infected devices to build a sprawling residential proxy network that cybercriminals use to mask their activity and launch further attacks.

AVrecon Hits Nearly 1,200 Device Models Across Major Brands

SocksEscort uses AVrecon to target roughly 1,200 device models made by some of the most prominent names in networking: D-Link, Cisco, MikroTik, Hikvision, TP-Link, Zyxel, and Netgear.

The malware, written in the C programming language, primarily targets MIPS and ARM-based devices, which cover the vast majority of consumer-grade routers and IP cameras in use today.

The FBI’s document highlights specific models appearing most frequently among infected devices. D-Link’s DIR-818LW, DIR-850L, and DIR-860L wireless routers made the list.

So did Hikvision’s DS-2CD2020F-I and DS-2CD2420F-IW IP cameras, the kind commonly used in homes and small businesses for security monitoring.

Netgear’s DGN2200v4 and AC1900 R7000 featured heavily, alongside several TP-Link models including the Archer C20, TL-WR840N, TL-WR849N, and WR841N. Zyxel carried the longest list of affected devices, with models spanning its EMG6726-B10A, PMG5617GA Home Gateway Unit, and multiple VMG-series routers.

AVrecon exploits critical vulnerabilities to break in, primarily Remote Code Execution flaws and command injection weaknesses. Once inside, it does far more than just recruit the device into a proxy network.

The malware can update its own stored configuration, open a remote shell directly to an attacker-controlled server, and function as a loader, downloading and executing additional malicious payloads on command. Attackers essentially gain full remote control of the device without the owner ever knowing.

End-of-Life Devices Leave Millions With No Defense

A significant portion of the targeted devices carry end-of-life status, meaning their manufacturers have stopped releasing security patches entirely.

These devices will never receive a fix, no matter how critical the vulnerability. Owners who still rely on these routers have no manufacturer-backed path to protection.

The situation for non-EOL devices is only marginally better. Manufacturers may have released patches for some of the vulnerabilities AVrecon exploits, but those patches rarely apply automatically.

Users must manually install them, and most never do. Worse still, even a fully patched device remains compromised if AVrecon has already taken hold. Patching closes the door, but it does not evict an intruder already inside the house.

This gap between available fixes and actual application is exactly what SocksEscort exploits. The operation banks on the reality that most home and small office users never update their router firmware, never check for compromise indicators, and often keep the same device running for years past its supported lifespan.

What Affected Users and Organizations Must Do Now

The FBI’s alert carries an urgent call to action for both individuals and organizations. Anyone using a router or IP camera from the listed brands should immediately check whether their specific model appears on the affected list and verify its support status with the manufacturer. For devices still receiving updates, users should apply all available firmware patches without delay.

For end-of-life devices, the safest move is full replacement: no patch is coming, and continued use carries real risk. Organizations should audit their networks for exposed devices, monitor for unusual outbound traffic, and watch specifically for signs of command injection or remote code execution attempts.
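The audit-and-monitor advice above can be turned into a small triage script. The following is an added example, not code from the article, the FBI alert, or any vendor: it takes a constructed device inventory (IP to model) and constructed flow records, checks each inventoried device against the models the article names, and flags devices that themselves originate many outbound connections to distinct internet hosts on ports a router or camera has no business using on its own. That second check matters because, as the article notes, patching does not evict malware already on the device; only its behaviour gives it away. The LAN prefix, the baseline port set, the threshold, and all addresses are assumptions for the example (external hosts use documentation IP ranges).

```python
# Added example (not from the article or the FBI alert): triage SOHO devices
# for (a) a model named in the alert and (b) proxy-like outbound behaviour.
from collections import defaultdict
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Models the article names as appearing most often among infected devices.
# Not the full ~1,200-model list; extend from the alert itself.
LISTED_MODELS = {
    "DIR-818LW", "DIR-850L", "DIR-860L",          # D-Link
    "DS-2CD2020F-I", "DS-2CD2420F-IW",            # Hikvision
    "DGN2200v4", "R7000",                         # Netgear
    "Archer C20", "TL-WR840N", "TL-WR849N", "WR841N",  # TP-Link
    "EMG6726-B10A", "PMG5617GA",                  # Zyxel
}

LAN = ip_network("192.168.1.0/24")   # assumed local network
BASELINE_PORTS = {53, 123}           # DNS and NTP: what a device itself should originate
MIN_DISTINCT_DSTS = 5                # assumed threshold for "proxy-like" fan-out


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    nbytes: int


@dataclass
class Finding:
    ip: str
    model: str
    on_listed_models: bool
    distinct_external_dsts: int
    unexpected_ports: set = field(default_factory=set)

    @property
    def risk(self) -> str:
        proxy_like = self.distinct_external_dsts >= MIN_DISTINCT_DSTS
        if proxy_like and self.on_listed_models:
            return "high"
        if proxy_like or self.on_listed_models:
            return "medium"
        return "low"


def parse_flows(text: str) -> list[Flow]:
    """Parse 'src,dst,dport,bytes' lines; blank lines and '#' comments are skipped."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, dport, nbytes = (part.strip() for part in line.split(","))
        flows.append(Flow(src, dst, int(dport), int(nbytes)))
    return flows


def triage(inventory: dict[str, str], flows: list[Flow]) -> dict[str, Finding]:
    """inventory maps device IP -> model. Only flows *originated by* an
    inventoried device count; traffic it forwards for LAN clients has the
    client as source and is ignored, as is anything staying inside the LAN."""
    dsts: dict[str, set] = defaultdict(set)
    ports: dict[str, set] = defaultdict(set)
    for f in flows:
        if f.src not in inventory or ip_address(f.dst) in LAN:
            continue
        dsts[f.src].add(f.dst)
        if f.dport not in BASELINE_PORTS:
            ports[f.src].add(f.dport)
    return {
        ip: Finding(ip, model, model in LISTED_MODELS, len(dsts[ip]), ports[ip])
        for ip, model in inventory.items()
    }


# Constructed sample inventory and flow log (not real data).
INVENTORY = {
    "192.168.1.1": "R7000",            # router, named in the article
    "192.168.1.20": "DS-2CD2020F-I",   # IP camera, named in the article
    "192.168.1.30": "MODEL-NOT-LISTED",  # placeholder model, not on the list
}

FLOW_LOG = """\
# src,dst,dport,bytes  (constructed; external IPs are documentation ranges)
192.168.1.1,192.0.2.53,53,120
192.168.1.1,203.0.113.10,443,48210
192.168.1.1,203.0.113.11,443,37760
192.168.1.1,203.0.113.12,80,9011
192.168.1.1,203.0.113.13,443,51200
192.168.1.1,203.0.113.14,25,2200
192.168.1.1,203.0.113.15,443,41000
192.168.1.1,203.0.113.16,443,30500
192.168.1.1,203.0.113.17,80,12000
192.168.1.1,192.168.1.105,53,80
192.168.1.20,192.0.2.123,123,76
192.168.1.20,198.51.100.10,443,5400
192.168.1.30,192.0.2.53,53,90
192.168.1.105,203.0.113.20,443,70000
192.168.1.105,203.0.113.21,443,65000
"""

if __name__ == "__main__":
    for ip, finding in triage(INVENTORY, parse_flows(FLOW_LOG)).items():
        print(f"{ip:14} {finding.model:16} listed={finding.on_listed_models!s:5} "
              f"ext_dsts={finding.distinct_external_dsts:2} "
              f"ports={sorted(finding.unexpected_ports)} risk={finding.risk}")
```

In the sample, the router is on the named-model list and fans out to nine external hosts on 443, 80 and 25, so it is rated high; the camera is on the list but only talks to NTP and one vendor host, so it is medium and worth a support-status check rather than an incident; the LAN client at .105 is not inventoried and is ignored even though it has heavy outbound traffic. Feed real flow or firewall logs through `parse_flows` and adjust `BASELINE_PORTS` to include the vendor cloud endpoints your devices legitimately use.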

When replacing these devices, consumers should be aware of the FCC’s recent ruling banning foreign-made routers, a measure designed to limit the entry of potentially compromised hardware into the US market and ensure that new devices meet stricter security standards.

AVrecon is not a distant threat. It is already inside hundreds of thousands of devices worldwide, running quietly in the background, feeding criminal infrastructure, and most of its victims have no idea.


About the Author

Jordan Vector

Cybersecurity Expert

Jordan is a security researcher and advocate who focuses on making privacy practical. Whether he's explaining how to harden a browser or reporting on the latest surveillance disclosures, his goal is to equip readers with knowledge they can use immediately. Jordan believes that true security begins with understanding the digital landscape.
