
911 S5

911 S5 is a residential proxy botnet/service that distributed deceptive or malicious free VPN services to victims and hijacked their IP addresses through a backdoor. It provided criminals with access to compromised IP addresses and the associated devices of both individuals and companies, enabling abuse of those systems as residential proxies. The botnet was shut down in May 2024. The source reporting states that thousands of hijacked devices with IP addresses located in Finland were part of the botnet, and that infections occurred through malicious VPN services. It has been described as a botnet that sold or provided access to compromised residential IP space for criminal use. The source reporting also notes that on May 29, 2024, OFAC sanctioned individuals and entities involved with the 911 S5 residential proxy botnet, and the U.S. Department of Justice announced the arrest of Chinese national Yunhe Wang, who allegedly controlled the botnet. The high-confidence behavioral details available in the source reporting are limited to distribution via deceptive free VPN services, backdoor-enabled hijacking of victim IP addresses, and use of compromised devices as part of a residential proxy network.


MITRE ATT&CK

Techniques & procedures

4 distinct techniques documented for this family, organized by ATT&CK tactic.

Resource Development

2 techniques
T1584.005 Botnet (evidence: 1)

The botnet named 911 S5, which began operating in May 2014, comprised more than 19 million compromised IP addresses in over 190 countries...

T1587.001 Malware (evidence: 1)

Devices were hijacked into the 911 S5 botnet by distributing malicious proxy backdoors built into VPN applications. The free, illegitimate VPN services were bundled with pirated video games and software that victims downloaded onto their devices.

Execution

1 technique
T1204 User Execution (evidence: 1)

The free, illegitimate VPN services were bundled with pirated video games and software that victims downloaded onto their devices. Once the download completed, the VPN application and the proxy backdoor were installed on the victims' devices without their knowledge...

Command and Control

1 technique
T1090 Proxy (evidence: 2)

The 911 S5 botnet, shut down in May 2024, provided criminals with access to compromised IP addresses and the associated devices owned by private individuals and companies.
