
Ngioweb and NSOCKS: The Dark Web Alliance Exploiting IoT Vulnerabilities

Proxy services have become a powerful tool in the cybercriminal arsenal—profitable, elusive, and deeply destructive. These services enable everything from concealing the origins of espionage campaigns to executing financially driven schemes such as malware distribution and DDoS attacks. The business model is straightforward yet insidious: cybercriminals create proxy networks through botnets and sell access as a subscription service on the dark web. This fuels a shadow economy of anonymity and exploitation.

Despite their sophistication, these networks are not impervious to disruption. Recently, Lumen Technologies’ Black Lotus Labs, Spur, and the ShadowServer Foundation struck a significant blow against cybercrime by dismantling the long-standing “ngioweb” botnet.

“Through Lumen’s global internet visibility, we have traced the active and historical command-and-control (C2) nodes used by these networks, some of which were previously undiscovered and operational since mid-2022. NSOCKS users route their traffic through over 180 ‘backconnect’ C2 nodes that serve as entry and exit points to obscure or proxy their true identities. The actors behind this service not only enable their customers to proxy malicious traffic but also provide infrastructure that allows various threat actors to build their own services. Among other disruptive activities, NSOCKS has facilitated the launch of powerful DDoS attacks.”

A cornerstone of malicious proxy services, ngioweb had evolved into a hub for obfuscating traffic and enabling cybercrime at scale. Its takedown represents a significant victory in the fight against proxy-driven attacks.

Since its emergence in 2017, the ngioweb botnet has exploited vulnerabilities in small office/home office (SOHO) routers and Internet of Things (IoT) devices, amassing a network of over 35,000 compromised machines spanning 180 countries. The botnet’s reach was vast, but its strategy was even more concerning. Black Lotus Labs researchers discovered that 80% of the bots fueling the NSOCKS proxy service originated from ngioweb.

NSOCKS is alarmingly accessible. A simple online search and a cryptocurrency payment grant attackers access, enabling them to mask activities and target high-value domains, including government (.gov) and educational (.edu) websites. Its infrastructure is also tailored for orchestrating coordinated DDoS attacks, amplifying its potential for widespread disruption.

Ngioweb’s influence extends beyond individual cybercriminals: it has become a shared resource for both financially motivated attackers and nation-state actors. Researchers have linked NSOCKS usage to Muddled Libra, a group associated with Scattered Spider, as well as Pawn Storm (APT28), a cyber-espionage operation tied to Russia’s GRU.

Proxy botnets like ngioweb highlight the evolving nature of cybercrime—a convergence of advanced technology, strategic planning, and massive scale. Yet they also underscore an essential point: defenders are equally innovative.

While the takedown of ngioweb is a milestone, it’s far from the end of the fight. Botnets are designed to be resilient, capable of adapting and reemerging to exploit new vulnerabilities. Maintaining vigilance is critical.

The silver lining? Both corporate security teams and individuals can take proactive steps to defend against these threats. By staying informed and implementing robust security measures, the fight against cybercrime can continue—and victories like this one can serve as a foundation for more progress.
