Malware

SocksEscort

SocksEscort is a residential proxy service associated with the compromise of hundreds of thousands of routers worldwide. Reporting cited in the source material states that the FBI, together with law enforcement partners from eight other countries, disrupted the service in a global takedown. The service was used to facilitate digital fraud and reportedly caused businesses and consumers millions of dollars in losses. Supporting content describes SocksEscort as having impacted hundreds of thousands of residential routers and places it among malicious networks disrupted during broader law-enforcement actions against cybercrime infrastructure. No additional high-confidence technical details on malware family behavior, specific infection vectors, or indicators of compromise are provided in the supplied content.

For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial

MITRE ATT&CK

Techniques & procedures

3 distinct techniques documented for this family, organized by ATT&CK tactic.

Resource Development

1 technique

T1584.005BotnetEvidence1

For example, China's Integrity Technology Group controlled and managed the so-called Raptor Train network, which in 2024 infected more than 200,000 devices worldwide, including small office home office (SOHO) routers, internet-connected web cameras and video recorders, plus firewalls and network-attached storage (NAS) devices.

Command and Control

2 techniques

T1090ProxyEvidence1

A majority of China-linked threat actors are using compromised routers and IoT devices worldwide, turning this gear into proxy networks to carry out further intrusions, steal sensitive data, and disrupt victim organizations’ operations.

T1090.003Multi-hop ProxyEvidence2

Such a development follows the successful global takedown of the SocksEscort proxy service, which had impacted hundreds of thousands of residential routers.

ACTIVITY FEED

Recent activity

3 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

3 SOURCESView more in app

scworldNews

Apr 24, 2026

US, allies warn of industrialized Chinese botnets | brief | SC Media

A proxy service leveraging compromised residential routers at scale.

Apr 23, 2026

China-linked crews turn routers into covert attack proxies • The Register

A residential proxy service leveraging compromised routers worldwide to mask criminal activity and facilitate digital fraud.

cyberscoopNews

Mar 20, 2026

Justice Department disrupts botnet networks that hijacked 3 million devices | CyberScoop

Mentioned as a named malicious network or cybercrime tool disrupted during recent law enforcement operations, with no additional detail in the content.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.

Start free trial

IOC matching

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping3

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.