{
	"id": "46dffdb1-cad6-4186-bfd0-c7db7194faa4",
	"created_at": "2026-04-06T00:06:40.991034Z",
	"updated_at": "2026-04-10T13:12:13.941361Z",
	"deleted_at": null,
	"sha1_hash": "045ea59cb7421ecca85659347ae9d0b33aef75c9",
	"title": "One sock fits all: The use and abuse of the NSOCKS botnet",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 78562,
	"plain_text": "One sock fits all: The use and abuse of the NSOCKS botnet\r\nBy By Black Lotus Labs\r\nArchived: 2026-04-05 16:41:19 UTC\r\nPublished on Nov 19, 2024 | 7 minute read\r\nExecutive summary\r\nThe Black Lotus Labs team at Lumen has expanded the known architecture of the “ngioweb” botnet, its use as a\r\ncornerstone of the notorious criminal proxy service known as NSOCKS, and appropriation by others such as\r\nVN5Socks and Shopsocks5. One of the most widely used criminal proxies, NSOCKS maintains a daily average of\r\nover 35,000 bots in 180 countries, and has been tied to notorious groups such as Muddled Libra. At least 80% of\r\nNSOCKS bots in our telemetry originate from the ngioweb botnet, mainly utilizing small office/home office\r\n(SOHO) routers and IoT devices. Two-thirds of these proxies are based in the U.S.\r\nThrough Lumen’s global internet visibility, we have traced the active and historical command–and–control (C2)\r\nnodes used by these networks, some of which were previously undiscovered and have been in use since mid-2022.\r\nNSOCKS users route their traffic through over 180 “backconnect” C2 nodes that serve as entry/exit points used to\r\nobscure, or proxy, their true identity. The actors behind this service have not only provided a means for their\r\ncustomers to proxy malicious traffic, but the infrastructure has also been engineered to enable various threat actors\r\nto create their own services. Among the disruptive activities these networks are used for, NSOCKS has also\r\nprovided an avenue for various actors to launch powerful DDoS attacks.\r\nLumen has blocked all traffic across our global network, to or from the dedicated infrastructure associated with\r\nthe ngioweb botnet. 
We are releasing indicators of compromise (IoCs) to help others identify and take defensive\r\nmeasures, disrupt this operation, and impact the larger cybercrime ecosystem.\r\nLumen Technologies would like to thank our partners at Shadowserver, Spur, and throughout the industry for their\r\ncontribution to our efforts to track and mitigate this threat.\r\nIntroduction\r\nMaintaining anonymity and disguising online activity is a critical part of the criminal business model. Although\r\nthe concept of proxy botnets is not new, we have observed an increase in their prevalence and reach, such as with\r\nSocks5Systemz and Cloudrouter.\r\nThe tracking and inventory of this global network is the culmination of over a year’s research, though the ngioweb\r\nbotnet has been well-documented in the past, dating back to 2018 and 2019 as well as more recent publications by\r\nLevelBlue Labs. Black Lotus Labs has connected the critical elements of this intricate web with previous research\r\nto illustrate its use as the engine driving the NSOCKS service and a random assortment of villainous interests.\r\nThough this enterprise was built to offer criminals an avenue to proxy their traffic, users have abused and altered\r\nhttps://blog.lumen.com/one-sock-fits-all-the-use-and-abuse-of-the-nsocks-botnet/\r\nPage 1 of 6\n\nthe network into its present state – one which directly supports many other forms of malicious activity such as\r\nobfuscating malware traffic, credential stuffing, and phishing. Botnets such as these present a concerning and\r\npersistent threat to legitimate organizations across the internet.\r\nngioweb infrastructure\r\nThe ngioweb botnet is composed of two distinct elements. The first is the “loader” network, which directs the bot\r\nto a loader-C2 node for retrieval and execution of the ngioweb malware. 
Black Lotus Labs was not able to see the\r\ninitial access vector; however, it likely stems from a variety of exploits the operators have access to (as noted by\r\nNetlab360). These exploits will download a shell script that directs an infected user to an IP address holding the\r\nlatest version:\r\nThe hosted files have four-letter names that seem to change over time; in this case the “AIDY” name was used.\r\nRenaming provides some obfuscation in the event that a researcher tries to gather a file from an older sample, as it\r\nmay no longer exist. This shell script provides a second defensive measure by quickly removing the file after it\r\nbegins running on the victim machine.\r\nBlack Lotus Labs generally tracks between 15 and 20 loader nodes at any given time, several of which do not appear\r\nin public databases or reporting. Given the recent research by LevelBlue Labs showing that each of these loader\r\nC2s is likely searching for at least one specific exploit, we suspect that the ngioweb actor likely has access to at\r\nleast 10-15 exploits at present. These loader C2s are primarily characterized by their traffic with bots, over port 80\r\nand port 21 (FTP). This entire arm of the botnet is likely monitored and controlled by a node at 103.172.92[.]148,\r\nwhich on average communicates solely with about half of the loaders we track.\r\nOnce infected, a victim will reach out to a second stage of C2 domains for management; addresses for these are\r\ncreated by a domain generation algorithm (DGA). This group of C2s appears to determine if a bot is worth adding\r\nto the proxy network. 
We generally see close to 15 domains active at any one time; these gatekeepers form a nexus\r\nof control by not only monitoring and checking in on the bots’ capacity for traffic, but also connecting useful\r\nbots with a “backconnect” C2, which will make them available in the NSOCKS proxy service for anyone to use.\r\nBelow is an overview of a victim’s interaction with this botnet:\r\nMalware analysis\r\nWe analyzed a recent sample of ngioweb’s malware and there did not appear to be much change in the malware\r\nsince Netlab360 analyzed it in 2019. The new sample did not contain any hardcoded C2 URLs in the configuration;\r\nwe surmise the malware will only use the DGA-created domains.\r\nThe C2 communications between the ngioweb sample and the DGA-generated C2 did not seem to be any different\r\nfrom initial reporting; however, we did see some additional traffic between the bot and the backconnect C2s.\r\nAs a defensive measure, the malware uses DNS TXT records as a method to prevent the sinkholing or takeover of\r\nthe DGA domains. The malware expects two TXT records with keys “p” and “v”; these values are concatenated\r\nand Base64 decoded. The result is an Md5WithRSA encrypted blob that is decrypted using the 0x100-byte array\r\nstored in the encrypted config (colored blue in the configuration image). Once the blob is decrypted it contains the\r\nMD5 hash for the string “DOMAINNAME\\xAA\\xBB\\xCC\\xDD,” where “\\xAA\\xBB\\xCC\\xDD” is the IP\r\naddress that the domain resolves to. So “remalaxation[.]name\\x2e\\xf6\\x60\\x28” is hashed with MD5, resulting in\r\n9998be16901e7f80aad8d931305e057e.\r\nAfter receiving the CONNECT command, the bot will reach out to the backconnect C2 supplied in the command\r\n(66.29.128[.]243:443 in this case). The bot will then check in with the C2, which will direct it to “start proxy”\r\n(0x1011). 
The bot will act on the instruction and send command 0x14 (TCP server started), to which the C2 will\r\nrespond with a GET request to proxy through the bot to a random-looking URL – in this case, the same C2. The\r\nbot then requests the URL, and the response contains “It works!” along with the infected machine’s external IP.\r\nAfter proxying the “random” URL, the C2 will then send a request for the bot to proxy a connection to another\r\narbitrary-looking subdomain of nslookups[.]com. Below is a decrypted payload and the request from the bot to\r\nresolve the nslookups domain:\r\nAfter the initial proxy request, the bot will stay connected to the C2 while waiting for additional commands and\r\nmay receive additional proxy commands during this time. Below is a decrypted request to a proxy checking\r\nservice:\r\nOccasionally, after a command 0x14 is sent to a C2, it will respond with a request to download a “test.zip” file.\r\nThis is likely to evaluate the speed of the proxied connection for suitability and later, to possibly factor into the\r\ncost per daily use.\r\nGlobal telemetry analysis\r\nThe ngioweb botnet employs a variety of exploits, with 15% of observed devices running vulnerable or\r\ndiscontinued web application libraries such as YUI. Zyxel devices, Alpha Technology devices, and Reolink\r\nsecurity cameras each contribute to another 5% of the botnet.\r\nBased on available telemetry, it appears that the ngioweb botnet is not leveraging zero-day exploits. Instead, it is\r\nexploiting a significant number of n-day vulnerabilities across various router models. Though many of the victim\r\ndevices are older, they prove to be valuable for malicious activities as they often evade detection by common\r\nnetwork security solutions.\r\n80% of the bots communicating with ngioweb are also NSOCKS bots, indicating ngioweb is the only provider of\r\nproxies to NSOCKS. 
The network maintains a daily average of roughly 35,000 working bots, with 40% remaining\r\nactive for a month or longer.\r\nOne concerning aspect is that serious criminal groups, such as the APT group Pawn Storm, have been found co-habiting the same devices as ngioweb. This means that many devices infected with ngioweb malware are likely\r\nbeing abused by multiple groups simultaneously.\r\nThe ngioweb botnet reaches beyond just NSOCKS, however. There are indicators that multiple other services are\r\ndependent on the NSOCKS ecosystem, which also implies they are dependent on the ngioweb botnet. About 45%\r\nof bots that are part of the ngioweb botnet are also a part of Shopsocks5, with some C2s having as much as a 65%\r\noverlap.\r\nAll bots that Black Lotus Labs could discover in the Shopsocks5 network are also in use by NSOCKS. We will\r\ndiscuss this connection further below.\r\nThe NSOCKS proxy network first appeared in the fall of 2022, although according to Spur, it likely operated under\r\nthe name of LuxSocks prior to that. Based on old ngioweb domains and files dating back several years, we suspect\r\nthat LuxSocks was mostly powered by the ngioweb botnet as well. NSOCKS is notoriously advertised and highly\r\nrecommended by users on criminal forums such as Blackhatworld. It has seen extensive use by Muddled Libra\r\nalong with the now defunct Truesocks proxy service. Entities based in the US are especially targeted, as\r\n60% of the proxies available through NSOCKS are based in this country. End users can purchase available IPs with\r\ncryptocurrency for 24 hours to use however they would like, which, based on our analysis, is generally for fraud,\r\nreconnaissance, spam and phishing-related activity. 
NSOCKS has two interesting features in the UI: it allows\r\nusers to see how many others are currently using a proxy, and it lets users filter by domain, such as .gov and .edu,\r\nwhich can allow for very targeted use cases, as shown in the image below:\r\nNSOCKS infrastructure\r\nOur analysis reveals that NSOCKS employs a large layer of backconnect C2s, which serve a dual purpose. Not\r\nonly do these C2s signal to the bots that they are available within the NSOCKS proxy service, but they also act as\r\nthe point of connection for users who have purchased a proxy. Essentially, whenever a user buys a proxy in this\r\nservice, they connect to these backconnect C2s.\r\nWe assess with high confidence that there exists a group of over 180 backconnect C2s dedicated to the NSOCKS\r\nproxy service. These C2s are specifically used to route and proxy traffic, playing a critical role in the operational\r\ninfrastructure of NSOCKS.\r\nBlack Lotus Labs assesses that user interactions with the NSOCKS proxy service are as follows:\r\nThere are 3 IPs that share an SSH key with this backconnect C2 layer, but do not share the same characteristics.\r\nThey resolve to the respective names dnslookips[.]com, ipscoredns[.]com and nslookups[.]com. We believe, based\r\non our malware analysis and understanding of how the UI works, that they are gathering all relevant information on\r\nthe bot’s DNS server so prospective buyers can see what an infected victim is using.\r\nNSOCKS – The multi-armed bandit\r\nWhen Black Lotus Labs began to focus on the backconnect C2s, we discovered that they were more than just\r\nalternate communication routes. According to public reporting, most of these IPs appear on free proxy lists. These\r\nlists are routinely abused by threat actors, and the proxies therein are often used in various malware samples, such\r\nas Agent Tesla, to proxy traffic.\r\nWhen users purchase a proxy, they receive an IP and port combination for connection. 
Unfortunately, beyond this\r\naddress and port, these proxies often lack any additional authentication once activated. This inadequate security\r\nmeasure allows not only “normal” NSOCKS users access to the network, but also permits any other malicious\r\nactors who discover the same IP and port combinations to exploit them for nefarious purposes.\r\nOur telemetry has revealed that DDoS actors have been leveraging these open proxies to amplify their attack\r\ncapabilities. Specifically, we have observed backconnect C2s, as well as numerous NSOCKS proxies, being used\r\nin several large-scale DDoS attacks recently. The proxies are notably robust, with around 40% remaining active\r\nfor over 30 days on average. This prolonged availability provides a significant window for malicious actors to\r\ncontinually exploit the proxies and discover additional ones within the service. Our data indicates there are nearly\r\n15,000 IPs contacting these backconnect C2s each week.\r\nFurthermore, our study of the backconnect layer unveiled a multi-layer architecture that led us directly to a\r\nbackend database connected to the Shopsocks5 and VN5Socks proxy services. Due to the open access policies of\r\nthe NSOCKS botnet operators, it appears this architecture is used either to siphon proxies from the NSOCKS\r\nproxy service, or as part of a partnership where NSOCKS willingly permits other proxy services to utilize some of\r\nits proxies.\r\nConclusion\r\nProxy botnets are becoming increasingly popular and, consequently, more dangerous. These networks are often\r\nleveraged by criminals who find exploits or steal credentials, providing them with a seamless method to deploy\r\nmalicious tools without revealing their location or identities. What is particularly alarming is the way a service\r\nlike NSOCKS can be used. 
With NSOCKS, users have the option to choose from 180 different countries for their\r\nendpoint. This capability not only allows malicious actors to spread their activities across the globe but also\r\nenables them to target specific entities by domain, such as .gov or .edu, which could lead to more focused and\r\npotentially more damaging attacks.\r\nMoreover, the architecture of NSOCKS is facilitating further malicious activities, such as distributed denial\r\nof service (DDoS) attacks. This setup makes it easier for attackers to coordinate and execute these attacks,\r\nincreasing the threat level significantly.\r\nAs part of a coordinated effort to limit the danger of NSOCKS and increase awareness, the Shadowserver\r\nFoundation is sinkholing some of the known ngioweb botnet DGA domains. Statistics about the daily\r\ndistribution of those victims are available on their public Dashboard. Detailed remediation data about\r\ncompromised devices infected with ngioweb are available via Shadowserver’s Sinkhole HTTP Reports.\r\nWe encourage the community to monitor for and alert on these and any similar IoCs. We also advise the\r\nfollowing:\r\nCorporate Network Defenders:\r\nContinue to look for attacks on weak credentials and suspicious login attempts, even when they originate\r\nfrom residential IP addresses which bypass geofencing and ASN-based blocking.\r\nProtect cloud assets from communicating with bots that are attempting to perform password spraying\r\nattacks and begin blocking IoCs with web application firewalls.\r\nMaintain updated lists of IP addresses belonging to known open proxies and block them.\r\nConsumers with SOHO routers:\r\nUsers should follow best practices of regularly rebooting routers and installing security updates and\r\npatches. 
For guidance on how to perform these actions, please see the “best practices” document prepared\r\nby the Canadian Centre for Cybersecurity.\r\nFor organizations that manage SOHO routers: make sure devices do not rely upon common default\r\npasswords. They should also ensure that the management interfaces are properly secured and not accessible\r\nvia the internet. For more information on securing management interfaces, please see DHS’ CISA BoD 23-02\r\non securing networking equipment.\r\nWe also recommend replacing devices once they reach their manufacturer end of life and are no longer\r\nsupported.\r\nAnalysis of NSOCKS and the ngioweb malware was performed by Chris Formosa and Steve Rudd. Technical\r\nediting by Ryan English.\r\nFor additional IoCs associated with this campaign, please visit our GitHub page.\r\nIf you would like to collaborate on similar research, please contact us on Twitter @BlackLotusLabs.\r\nThis information is provided “as is” without any warranty or condition of any kind, either express or implied. Use\r\nof this information is at the end user’s own risk.\r\nAuthor\r\nBlack Lotus Labs\r\nThe mission of Black Lotus Labs is to leverage our network visibility to help protect customers and keep the\r\ninternet clean.\r\nSource: https://blog.lumen.com/one-sock-fits-all-the-use-and-abuse-of-the-nsocks-botnet/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.lumen.com/one-sock-fits-all-the-use-and-abuse-of-the-nsocks-botnet/"
	],
	"report_names": [
		"one-sock-fits-all-the-use-and-abuse-of-the-nsocks-botnet"
	],
	"threat_actors": [
		{
			"id": "9ddc7baf-2ea7-4294-af2c-5fce1021e8e8",
			"created_at": "2023-06-23T02:04:34.386651Z",
			"updated_at": "2026-04-10T02:00:04.772256Z",
			"deleted_at": null,
			"main_name": "Muddled Libra",
			"aliases": [
				"0ktapus",
				"Scatter Swine",
				"Scattered Spider"
			],
			"source_name": "ETDA:Muddled Libra",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c3b908de-3dd1-4e5d-ba24-5af8217371f0",
			"created_at": "2023-10-03T02:00:08.510742Z",
			"updated_at": "2026-04-10T02:00:03.374705Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"UNC3944",
				"Scattered Swine",
				"Octo Tempest",
				"DEV-0971",
				"Starfraud",
				"Muddled Libra",
				"Oktapus",
				"Scatter Swine",
				"0ktapus",
				"Storm-0971"
			],
			"source_name": "MISPGALAXY:Scattered Spider",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d093e8d9-b093-47b8-a988-2a5cbf3ccec9",
			"created_at": "2023-10-14T02:03:13.99057Z",
			"updated_at": "2026-04-10T02:00:04.531987Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"0ktapus",
				"LUCR-3",
				"Muddled Libra",
				"Octo Tempest",
				"Scatter Swine",
				"Scattered Spider",
				"Star Fraud",
				"Storm-0875",
				"UNC3944"
			],
			"source_name": "ETDA:Scattered Spider",
			"tools": [
				"ADRecon",
				"AnyDesk",
				"ConnectWise",
				"DCSync",
				"FiveTran",
				"FleetDeck",
				"Govmomi",
				"Hekatomb",
				"Impacket",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"Lumma Stealer",
				"LummaC2",
				"Mimikatz",
				"Ngrok",
				"PingCastle",
				"ProcDump",
				"PsExec",
				"Pulseway",
				"Pure Storage FlashArray",
				"Pure Storage FlashArray PowerShell SDK",
				"RedLine Stealer",
				"Rsocx",
				"RustDesk",
				"ScreenConnect",
				"SharpHound",
				"Socat",
				"Spidey Bot",
				"Splashtop",
				"Stealc",
				"TacticalRMM",
				"Tailscale",
				"TightVNC",
				"VIDAR",
				"Vidar Stealer",
				"WinRAR",
				"WsTunnel",
				"gosecretsdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab",
			"created_at": "2022-10-25T16:07:24.212584Z",
			"updated_at": "2026-04-10T02:00:04.900038Z",
			"deleted_at": null,
			"main_name": "Sofacy",
			"aliases": [
				"APT 28",
				"ATK 5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"G0007",
				"Grey-Cloud",
				"Grizzly Steppe",
				"Group 74",
				"GruesomeLarch",
				"ITG05",
				"Iron Twilight",
				"Operation DealersChoice",
				"Operation Dear Joohn",
				"Operation Komplex",
				"Operation Pawn Storm",
				"Operation RoundPress",
				"Operation Russian Doll",
				"Operation Steal-It",
				"Pawn Storm",
				"SIG40",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"Strontium",
				"T-APT-12",
				"TA422",
				"TAG-0700",
				"TAG-110",
				"TG-4127",
				"Tsar Team",
				"UAC-0028",
				"UAC-0063"
			],
			"source_name": "ETDA:Sofacy",
			"tools": [
				"ADVSTORESHELL",
				"AZZY",
				"Backdoor.SofacyX",
				"CHERRYSPY",
				"CORESHELL",
				"Carberp",
				"Computrace",
				"DealersChoice",
				"Delphacy",
				"Downdelph",
				"Downrage",
				"Drovorub",
				"EVILTOSS",
				"Foozer",
				"GAMEFISH",
				"GooseEgg",
				"Graphite",
				"HATVIBE",
				"HIDEDRV",
				"Headlace",
				"Impacket",
				"JHUHUGIT",
				"JKEYSKW",
				"Koadic",
				"Komplex",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LoJack",
				"LoJax",
				"MASEPIE",
				"Mimikatz",
				"NETUI",
				"Nimcy",
				"OCEANMAP",
				"OLDBAIT",
				"PocoDown",
				"PocoDownloader",
				"Popr-d30",
				"ProcDump",
				"PythocyDbg",
				"SMBExec",
				"SOURFACE",
				"SPLM",
				"STEELHOOK",
				"Sasfis",
				"Sedkit",
				"Sednit",
				"Sedreco",
				"Seduploader",
				"Shunnael",
				"SkinnyBoy",
				"Sofacy",
				"SofacyCarberp",
				"SpiderLabs Responder",
				"Trojan.Shunnael",
				"Trojan.Sofacy",
				"USB Stealer",
				"USBStealer",
				"VPNFilter",
				"Win32/USBStealer",
				"WinIDS",
				"Winexe",
				"X-Agent",
				"X-Tunnel",
				"XAPS",
				"XTunnel",
				"Xagent",
				"Zebrocy",
				"Zekapab",
				"carberplike",
				"certutil",
				"certutil.exe",
				"fysbis",
				"webhp"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434000,
	"ts_updated_at": 1775826733,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/045ea59cb7421ecca85659347ae9d0b33aef75c9.pdf",
		"text": "https://archive.orkl.eu/045ea59cb7421ecca85659347ae9d0b33aef75c9.txt",
		"img": "https://archive.orkl.eu/045ea59cb7421ecca85659347ae9d0b33aef75c9.jpg"
	}
}