
Water Barghest Sells Hijacked IoT Devices for Proxy Botnet Misuse


A cybercriminal group known as “Water Barghest” has been compromising Internet of Things (IoT) devices and selling them on a residential proxy marketplace, where state-sponsored advanced persistent threats (APTs) and other malicious actors buy them to build proxy botnets. According to research from Trend Micro, the group has already compromised more than 20,000 IoT devices, including small office and home office (SOHO) routers used by businesses.

The operators behind Water Barghest have been active for more than five years, staying largely under the radar thanks to a heavily automated workflow. Automated scripts identify and compromise vulnerable IoT devices, which the group locates through public Internet-scanning databases such as Shodan. Once a device is compromised, the group deploys its proprietary Ngioweb malware, which registers the device as a proxy, and then lists it for sale on the residential proxy marketplace.

The entire pipeline, from initial compromise to a listing on the marketplace, takes as little as 10 minutes, which illustrates how efficient and automated Water Barghest’s operation is. The group profits by selling access to compromised IoT devices to other threat actors, who then use them for their own malicious purposes.

Selling compromised devices as proxy botnets is a lucrative business model, because it gives both espionage-motivated and financially motivated actors a way to hide the origin of their activity behind ordinary residential IP addresses. Proxy botnets are used to scrape website content, access stolen online assets, and launch cyberattacks. For example, Russia’s Sandworm group used the VPNFilter botnet in operations against Ukraine before it was disrupted by law enforcement.

Threat actors like Water Barghest target IoT devices that accept incoming connections directly from the open Internet, which makes them easy to compromise through known vulnerabilities or, where the actor has one, a zero-day. The group automates every step of its operation, from finding vulnerable devices to listing them for sale on a Dark Web marketplace, and runs its scanning and malware-upload infrastructure under multiple identities on virtual private servers so that the search for new victims never stops.

To protect against the growing threat of proxy botnets, organizations need to address the security of their IoT devices, which are notoriously poorly secured. The most effective single step is to stop exposing these devices to unsolicited incoming connections from the open Internet unless a specific inbound service is business-essential; a device that Shodan cannot see is one that Water Barghest’s scanners will not find either. Law enforcement takedowns have disrupted individual proxy botnets, but addressing IoT security at the source is what removes the supply of devices.
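The following ruleset is an added example of the exposure limit described above, not a configuration from the Trend Micro research or from this article: a default-deny inbound policy for a Linux-based SOHO gateway using nftables. The interface names (wan0, lan0), the LAN prefix 192.168.1.0/24 and the single allowed inbound service (a WireGuard VPN on udp/51820) are assumptions and must be adjusted to the device in question.

```nftables
#!/usr/sbin/nft -f
# Added example (not from the article): default-deny inbound on a SOHO gateway.
# Assumptions: WAN interface wan0, LAN interface lan0, LAN prefix 192.168.1.0/24,
# and one business-essential inbound service, WireGuard on udp/51820.

flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # Replies to sessions that the gateway or LAN hosts initiated are allowed;
        # anything the connection tracker cannot classify is dropped.
        ct state established,related accept
        ct state invalid drop

        iif lo accept

        # Management (SSH and the admin web UI) is reachable from the LAN side only.
        iifname "lan0" ip saddr 192.168.1.0/24 tcp dport { 22, 80, 443 } accept

        # Minimal ICMP so path MTU discovery and basic diagnostics keep working.
        icmp type { echo-request, destination-unreachable, time-exceeded } limit rate 10/second accept
        icmpv6 type { echo-request, destination-unreachable, packet-too-big, time-exceeded, nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } accept

        # The one inbound service the business actually needs, named explicitly.
        iifname "wan0" udp dport 51820 accept

        # Everything else arriving from the Internet falls through to "policy drop".
        # The weak configuration this replaces would contain a line such as
        #   iifname "wan0" tcp dport { 23, 80, 443, 7547 } accept
        # exposing telnet, the admin UI and TR-069 to exactly the Internet-wide
        # scanning the article describes.
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop

        # LAN hosts may reach the Internet; nothing unsolicited is forwarded inbound.
        iifname "lan0" oifname "wan0" accept
    }
}
```

Load it with `nft -f` and confirm the live state with `nft list ruleset`. The check that matters is external: scan the WAN address from outside the network, or search for it in Shodan, and confirm that only udp/51820 (or whatever service you chose) answers.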
