HomeCII/OTWater Barghest Sells Hijacked IoT Devices for Proxy Botnet Misuse

Water Barghest Sells Hijacked IoT Devices for Proxy Botnet Misuse

Published on

spot_img

A cybercriminal group known as “Water Barghest” has been targeting Internet of Things (IoT) devices and then selling them on a residential proxy marketplace, where they can be used by state-sponsored advance persistent threats (APTs) and other malicious actors to create proxy botnets. According to research from Trend Micro, the group has already compromised over 20,000 IoT devices, including small office and home office (SOHO) routers used by businesses.

The cybercriminals behind Water Barghest have been operating for more than five years, largely under the radar due to their sophisticated automation strategy. They use automated scripts to identify and compromise vulnerable IoT devices, which they find from public Internet-scanning databases like Shodan. Once they compromise a device, they deploy proprietary malware called Ngioweb to register the device as a proxy and then list it for sale on a residential proxy marketplace.

The entire process of enslaving a target takes as little as 10 minutes, highlighting the high efficiency and automation of Water Barghest’s operation. The group’s activities allow them to profit from selling compromised IoT devices to other threat actors who can then use them for malicious purposes.

Selling compromised devices as proxy botnets is a lucrative business model for cybercriminals, as it provides both espionage-motivated and financially motivated actors with a way to hide the origin of their malicious activities. Proxy botnets can be used to scrape website content, access stolen online assets, and launch cyberattacks. For example, Russia’s Sandworm group recently used the VPNFilter botnet in activities against Ukraine before being disrupted by law enforcement.

Threat actors like Water Barghest exploit IoT devices that accept incoming connections on the open Internet, making it easy to compromise devices with known vulnerabilities or zero-days. The cybercriminal group automates each step of their operation, from finding vulnerable devices to listing them for sale on a Dark Web marketplace. They have multiple identities on virtual private servers to continuously scan for vulnerabilities and upload malware to compromised devices.

To protect against the growing threat of proxy botnets, organizations need to address the security of IoT devices, which are notoriously hackable. Limiting the exposure of these devices to incoming connections from the open Internet when not business-essential can help mitigate the risk of them being used in malicious activities. While law enforcement has been effective in disrupting proxy botnets, addressing the security of IoT devices at the source is essential.

Source link

Latest articles

AWS Billing Bug Shows Trillion-Dollar Cost Estimates to Cloud Customers

Amazon Web Services Faces Major Billing Anomaly in Cost Explorer Tool Amazon Web Services (AWS)...

Scammers Exploit FaceTime for Social Engineering Tactics

Apple Warns Users About Social Engineering Scams Targeting FaceTime Apple Inc. has made a significant...

Hackers Compromise IIS Server and Launch Ransomware Attack Within 24 Hours

--- In June 2026, cybersecurity experts uncovered a coordinated and sophisticated cyber intrusion that began...

Women’s Care and Pulmonary Sleep Breaches

In a concerning trend for healthcare security, two healthcare providers have publicly revealed data...

More like this

AWS Billing Bug Shows Trillion-Dollar Cost Estimates to Cloud Customers

Amazon Web Services Faces Major Billing Anomaly in Cost Explorer Tool Amazon Web Services (AWS)...

Scammers Exploit FaceTime for Social Engineering Tactics

Apple Warns Users About Social Engineering Scams Targeting FaceTime Apple Inc. has made a significant...

Hackers Compromise IIS Server and Launch Ransomware Attack Within 24 Hours

--- In June 2026, cybersecurity experts uncovered a coordinated and sophisticated cyber intrusion that began...