FBI Warns of AVrecon Malware Compromising Routers for Criminal Proxy Networks (March 12, 2026)

In a FLASH notice issued on March 12, 2026, the FBI detailed an ongoing investigation into cybercriminals exploiting vulnerable routers and IoT devices with AVrecon malware. This malware turns infected devices into residential proxies sold through the SocksEscort service, allowing hackers to mask their identities and locations while conducting crimes such as ad fraud, password spraying, banking fraud, and other malicious activities.

The compromised routers act as unwitting entry points, routing criminal traffic through victims’ home or small business IP addresses. This exposes the owner’s network to potential spying, data interception, or further attacks, as hackers gain indirect access via the backdoored device. The FBI and partners have observed SocksEscort used in thousands of incidents, with over 369,000 proxy instances sold. Threat actors targeted roughly 1,200 device models (primarily from Cisco, D-Link, Hikvision, MikroTik, Netgear, TP-Link, and Zyxel), but focused on those with unpatched vulnerabilities like remote code execution and command injection flaws.

Most Frequently Compromised Models (Top 20)

The FBI highlighted these as the most represented in their findings (18 routers plus 2 Hikvision IP cameras):

  • D-Link: DIR-818LW, DIR-850L, DIR-860L

  • Netgear: DGN2200v4, AC1900 R7000

  • TP-Link: Archer C20, TL-WR840N, TL-WR849N, WR841N

  • Zyxel: EMG6726-B10A, PMG5617GA, VMG1312-B10D, VMG1312-T20B, VMG3925-B10A, VMG3925-B10C, VMG4825-B10A, VMG4927-B50A, VMG8825-T50K

  • Hikvision (cameras): DS-2CD2020F-I, DS-2CD2420F-IW

Note: This builds on a prior May 2025 FBI alert about TheMoon malware targeting even older end-of-life (EOL) routers, such as various Linksys E-series and Cisco models that no longer receive security updates.

Replace any affected router or device immediately with a newer model from a reputable manufacturer that still receives regular firmware updates. Do not attempt to “clean” or factory-reset these devices, as AVrecon can persist via custom firmware.

In addition:

  • Check your router’s model number on the device or admin login page (usually 192.168.1.1 or similar).

  • Disable remote management/admin access.

  • Keep all firmware and IoT devices updated.

  • Use strong, unique passwords and enable automatic updates where available.

  • Monitor network traffic for unusual activity.
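The "monitor network traffic for unusual activity" step is the least concrete of the five, so here is one way to make it measurable. A router rented out as a residential proxy relays other people's sessions, which means one LAN address opens connections to far more distinct external hosts and ports than a normal device does. The script below is an added example written for this summary, not code from the FBI notice or from any vendor: it reads simple flow records (a constructed `ts src dst dport bytes` format, as a firewall or flow exporter between the ISP router and the LAN might produce), counts distinct external destinations per source within fixed time windows, and flags sources that exceed a threshold. The addresses, the 60-destination sample and the threshold of 30 are assumptions chosen for illustration; the heuristic that a router's own address should originate almost no outbound sessions is likewise an assumption to tune per network.

```python
"""Flag LAN hosts whose outbound traffic fans out like a residential proxy relay.

Added example for this write-up; it is not code from the FBI notice. A router
rented out as a proxy relays other people's connections, so a flow collector on
the LAN side of the edge (or the router's own flow export) sees one address
opening sessions to an unusually large number of distinct external destinations
and ports. The record format, addresses and thresholds below are assumptions
constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class Flow:
    ts: int        # epoch seconds
    src: str       # originating address (LAN side)
    dst: str       # destination address
    dport: int     # destination port
    nbytes: int    # bytes sent


# RFC 1918 ranges; anything else is treated as an external destination.
LAN_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_lan(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in LAN_NETS)


def parse_flow_line(line: str) -> Flow:
    """Parse one constructed 'ts src dst dport bytes' record (assumed format)."""
    ts, src, dst, dport, nbytes = line.split()
    return Flow(int(ts), src, dst, int(dport), int(nbytes))


def fanout_by_window(flows: Iterable[Flow], window: int) -> Dict[str, Dict[int, Dict[str, set]]]:
    """Per source and per fixed time bucket, the distinct external destinations and ports."""
    buckets = defaultdict(lambda: defaultdict(lambda: {"dsts": set(), "ports": set()}))
    for f in flows:
        if is_lan(f.dst):
            continue  # LAN-to-LAN traffic is not relayed proxy traffic
        b = buckets[f.src][f.ts // window]
        b["dsts"].add(f.dst)
        b["ports"].add(f.dport)
    return buckets


def flag_sources(flows: Iterable[Flow], window: int = 600, min_dsts: int = 30) -> Dict[str, Dict[str, int]]:
    """Return sources whose peak distinct-destination count in any window meets min_dsts.

    The value reports the peak destination count and the distinct port count in
    that same window. A router's own LAN address appearing here is the strongest
    signal: a router should originate almost no outbound sessions of its own
    (assumed heuristic; tune the threshold for the network being watched).
    """
    flagged = {}
    for src, per_bucket in fanout_by_window(flows, window).items():
        peak_bucket = max(per_bucket.values(), key=lambda b: len(b["dsts"]))
        if len(peak_bucket["dsts"]) >= min_dsts:
            flagged[src] = {"distinct_dsts": len(peak_bucket["dsts"]),
                            "distinct_ports": len(peak_bucket["ports"])}
    return flagged


def constructed_sample() -> List[Flow]:
    """Constructed flow records: one ordinary workstation and one relaying router."""
    lines = []
    # 192.168.1.20: a workstation talking HTTPS to four hosts over ten minutes.
    for i in range(8):
        lines.append(f"{1200 + i * 30} 192.168.1.20 203.0.113.{10 + i % 4} 443 {2000 + i}")
    # 192.168.1.1: the router's own address opening sessions to 60 different
    # external hosts on mixed ports inside the same ten-minute bucket.
    for i in range(60):
        port = (80, 443, 25, 8080)[i % 4]
        lines.append(f"{1200 + i * 5} 192.168.1.1 198.51.100.{1 + i} {port} 900")
    return [parse_flow_line(line) for line in lines]


if __name__ == "__main__":
    for src, stats in flag_sources(constructed_sample()).items():
        print(f"{src}: {stats['distinct_dsts']} external destinations, "
              f"{stats['distinct_ports']} ports in one 600s window")
```

On the constructed sample the workstation peaks at four destinations and is ignored, while the router's own address peaks at 60 destinations across four ports and is flagged. In practice the thresholds depend on what the network normally does; the useful part is the per-source, per-window fan-out, and the fact that the router itself shows up as an originator at all.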

Home and small business users are urged to treat outdated routers as high-risk liabilities. Upgrading protects not only your network but also prevents your device from being weaponized in broader cybercrime operations. For full technical details, refer to the FBI’s official FLASH notice.
