{
	"id": "4bd46e23-e467-41d9-bc75-608c2cb0dcf1",
	"created_at": "2026-04-06T00:22:34.351417Z",
	"updated_at": "2026-04-10T13:12:16.010532Z",
	"deleted_at": null,
	"sha1_hash": "10714e198e804bd31daeb1af3f8c6e388d4ef654",
	"title": "Ngioweb Remains Active 7 Years Later",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1050443,
	"plain_text": "Ngioweb Remains Active 7 Years Later\r\nBy Fernando Martinez\r\nPublished: 2024-11-01 · Archived: 2026-04-05 21:09:39 UTC\r\nNovember 01, 2024 10 Minute Read by Fernando Martinez\r\nExecutive Summary\r\nSeven years after its first appearance, the proxy server botnet Ngioweb continues its impactful presence on the internet with barely any relevant changes to its original code. Threat actors continue to use Ngioweb extensively to scan for vulnerable devices (now with a new arsenal of exploits) which can be turned into new proxies. All infected systems are then sold on the black market for pennies as residential proxies via Nsocks.\r\nKey Takeaways:\r\nNsocks offers 30,000 IPs globally and sells them for prices under $1.50 for 24 hours of access.\r\nThe main targets are residential ISP users, representing more than 75% of the infected users.\r\nThe threat actors behind Ngioweb are using dedicated scanners per vulnerability/device to avoid exposing their whole arsenal.\r\nLinear eMerge, Zyxel routers, and Neato vacuums are some of the most targeted devices, but there are many other routers, cameras, and access control systems being targeted.\r\nNgioweb Background\r\nIn August 2018, Check Point published a report and deep analysis on a new multifunctional proxy server botnet named Ngioweb. The proxy service was being loaded by the banking malware family Ramnit. In their report, Check Point reported that the first sample was observed in the second half of 2017.\r\nAfter the publication of that initial report, additional articles were released. Netlab wrote two blogs that took a deep dive into the available Ngioweb samples, describing the domain generation algorithm (DGA), communication protocols, command and control (C\u0026C) infrastructure, exploited CVEs for D-Link and Netgear devices, its updated features, and more. For details on the nature of Ngioweb, read Netlab’s blog, which includes coverage that remains valid today.\r\nMost recently, in 2024 TrendMicro reported how cybercriminals and nation states are leveraging residential proxy providers to perform malicious actions. For example, one of these nation-state actors, Pawn Storm, had been using a network of hundreds of small office and home office (SOHO) routers through January 2024, when the FBI neutralized part of the botnet. During TrendMicro’s investigation of several infected EdgeOS systems, they identified that in addition to Pawn Storm, the Canadian Pharmacy gang and a threat actor using Ngioweb malware were also abusing the infected devices.\r\nhttps://levelblue.com/blogs/labs-research/ngioweb-remains-active-7-years-later\r\nPage 1 of 12\r\n
Malware Analysis\r\nIn spring 2024, LevelBlue Labs identified scanning activity against vulnerable devices in which Ngioweb was the delivered payload. Depending on the targeted system, the exploit used a downloader for several CPU architectures or directly contained the specific payload for the targeted system.\r\nOne of the samples obtained during 2024 (be285b77211d1a33b7ae1665623a9526f58219e20a685b6548bc2d8e857b6b44) allowed LevelBlue Labs to determine that the Ngioweb trojan our researchers identified works very similarly to how Ngioweb worked in 2019, with only a few slight modifications to Ngioweb’s original code, added to elude detections or nosy security researchers.\r\nDGA domains\r\nDomain generation algorithms (DGA) aren’t new to Ngioweb (they have been identified in previous reports, specifically when Netlab sinkholed several domains). The Ngioweb sample LevelBlue Labs analyzed uses a very similar algorithm to those that have been identified in the past. The DGA selects domains from a pool of thousands, depending on the malware configuration, and the malware then tries to connect to all of them until it finds a resolving domain. However, in an attempt to avoid the first-stage C\u0026C being sinkholed by researchers, the threat actors using the sample LevelBlue Labs analyzed have included a sanity check: all active C\u0026C domains carry a unique, encrypted TXT response that acts as a signature of their authenticity. This response carries two TXT results, a ‘p’ and a ‘v’ parameter, followed by 173 characters encoded in base64, which correspond to 127 bytes of encoded data (shown in figure 1). The responses have not been deciphered; however, that does not matter, as this peculiar characteristic serves to identify malicious domains associated with Ngioweb.\r\nFigure 1. TXT results of C\u0026C domain.\r\nC\u0026C Responses\r\nAfter the malware identifies an active C\u0026C and checks the TXT response, it reports the successful infection and the characteristics of the machine. This communication remains unchanged and reports the data encoded with base64 as the value of parameter h (shown in figure 2 below).\r\nFigure 2: C\u0026C Beacon\r\nThe exfiltrated data in the example decodes to:\r\nid=a39eb3ed78b7401f (corresponding to the first 15 characters of the machine-id)\r\n\u0026v=x86_64 (architecture)\r\n\u0026sv=271a (the malware version number)\r\n\u0026lodmhafqlgzmlmrk (16 random values)\r\nIn the past, threat actors have relied on ‘metric’ and ‘min.js’ as the destination paths for this request. However, in the samples LevelBlue Labs analyzed, they have added additional variations to the filename, such as ‘request.js’, ‘piwik.js’, or ‘pendo.js’. This is potentially added to elude detections that only look for previously known filenames. However, this slight change in the communication isn’t enough to deter the Suricata signature created by LevelBlue Labs in 2021 (available in USM Anywhere Detection Methods).\r\nAfter the above communications take place, the C\u0026C typically responds with a WAIT command until it has a connection to establish. When a connection is established, the system begins working as a residential proxy without the victim’s awareness.\r\n
Black Market\r\nLevelBlue Labs has identified systems infected with the Ngioweb trojan being sold as residential proxy servers on the Nsocks webpage. We are unaware if this is the only page selling Ngioweb-infected systems. Nsocks was created in July of 2022, shortly after other main competitors in the black market residential proxy business were taken down (e.g. 911, vip72, and LuxSocks).\r\nNsocks sells access to SOCKS5 proxies all over the world, allowing buyers to choose them by location (state, city, or zip code), ISP, speed, type of infected device and newness. The prices vary between $0.20 and $1.50 for 24-hour access and depend on the device type and time since infection. Nsocks offers discounts if the IP can be found in public blacklists. As an anonymity measure for the threat actors behind this service and their users, it only allows payments in Bitcoin or Litecoin.\r\nFigure 3: Nsocks portal\r\nNgioweb’s size has grown exponentially over the years. According to the same Netlab 2020 blog mentioned earlier in this article, the Ngioweb botnet that year had a size of around 3,000 daily IPs. Two years later (2022), Nsocks published its first advertisement in black hat forums, in which they advertised the size of their botnet as 14,000 systems. Since 2022, the number has more than doubled, with the current pool size of almost 30,000 different IPs. This means Ngioweb has grown 10 times its size in just four years.\r\nSome of the most popular countries for proxies include:\r\nU.S.: 13,056 available proxies\r\nU.K.: 4,236 available proxies\r\nCanada: 2,286 available proxies\r\nJapan: 605 available proxies\r\nFigure 4: Nsocks heat map in August 2024\r\nAmong the infected systems, Nsocks categorizes its victims based on the type of organization or the purpose of the infected IP:\r\nOrganization (ORG)\r\nGovernment (GOV)\r\nContent Delivery Network (CDN)\r\nEducational (EDU)\r\nCommercial (COM)\r\nData Center/Web Hosting/Transit (DCH)\r\nFixed Line ISP (ISP): Individual users with an Internet connection in their houses.\r\nMobile ISP (MOB): A mobile phone acting as a proxy or a SIM card acting as a router and providing Internet to other systems.\r\nISP/MOB: This category combines ISPs and MOBs when the developers behind Nsocks can’t differentiate between either of them.\r\nTable 1 below shows the distribution of proxies by their category. Despite the variety of types, over 75% of the infected systems correspond to ISPs or ISP/MOB. Following ISP and ISP/MOB, DCH is the third most common proxy type found among infected devices. The number of DCH in Europe, Australia/Oceania, and Asia is significantly higher compared to other proxy types. There is a small number of ORG, GOV, CDN and EDU servers, but they don’t seem to be a priority target for the threat actors based on the numbers below. Rather, they are likely an accidental encounter.\r\nThe large difference in the percentages between the ISP and ISP/MOB categories versus the others is potentially due to the combination of two things: 1) the threat actors are finding it easier to infect individuals in their houses en masse and/or 2) there is a higher interest by their customers in acquiring those residential proxy IPs.\r\nProxy Type USA America Europe AU, Oceania Asia Africa\r\nORG 0,12% 0,04% 0% 0% 0,03% 0,27%\r\nGOV 0,02% 0,04% 0% 0% 0,03% 0%\r\nCDN 0,33% 0% 0,06% 0% 0,03% 0%\r\nEDU 0,13% 0,25% 0,10% 0% 0,54% 0,27%\r\nCOM 2,63% 1,07% 1,78% 0,79% 1,78% 5,22%\r\nDCH 8,42% 7,01% 13,31% 14,62% 12,66% 0,82%\r\nISP 75,55% 74,13% 27,81% 25,30% 44,16% 39,29%\r\nMOB 2,65% 1,11% 2,21% 3,16% 6,78% 19,78%\r\nISP/MOB 7,60% 15,67% 53,43% 50,20% 33,06% 33,52%\r\nTable 1. Distribution of proxies by category.\r\n
Infection Process\r\nUnsurprisingly, the biggest upgrade in the Ngioweb malware during the last few years has been the arsenal of vulnerabilities and zero days it uses to infect victims. The main targets continue to be routers and household IoT devices like cameras, vacuums, access controls, etc.\r\nLinear (also referred to as Nice/Linear)\r\nLinear is a US-based company that sells access control and surveillance systems for doors, garages, gates, and more. The company’s eMerge E3-Series product line is strongly targeted by the threat actors behind Ngioweb. They have been observed having two dedicated IPs scanning only for exploitable devices and hosting the subsequent payloads: 154.7.253[.]113 and 216.107.139[.]52. The fact that these two IPs are exclusively dedicated to exploiting Linear eMerge devices reflects a scanning infrastructure where each scanner has its own dedicated vulnerability, in order to avoid exposing the whole arsenal of exploits at once.\r\nThe identified scanning activity from these two IPs attempts to exploit CVE-2019-7256 on ports 3306, 5172, 5984, 9306 and 50000. This exploit allows OS command injection of any content between the grave accents (%60). In the example shown in figure 5, the attackers use curl to download a payload from one of the mentioned IPs.\r\nFigure 5: Exploit attempt for CVE-2019-7256\r\nThe file path used by the attackers may look like a random set of characters, but it conceals two messages. The first message is used to identify which command and shell worked with the vulnerable system, in order to return and execute the payload. The scans include a wide range of commands to attempt to download the Ngioweb payload from the default Linux shell or a BusyBox one. The first two characters in the file path correspond to the shell and command used to download the payload (in order to return to the vulnerable device and execute the payload). For example, the scan shown in the previous figure 5 uses the default Linux shell together with a curl command. Therefore, the file path starts with SC. LevelBlue Labs observed additional shells and commands, as shown in figure 6.\r\nShell Command Second letter\r\nLinux Curl C\r\nLinux Wget W\r\nBusyBox Ftp F\r\nBusyBox Tftp T\r\nFigure 6: Additional shell and commands identified by LevelBlue Labs\r\nThe second message in the file path shown in figure 5 blocks security researchers from accessing their payloads. The first half indicates the time when the scan occurred, while the second half is a unique identifier for the system that was scanned. If the download attempt is not coming from the expected system, the server responds by closing the connection.\r\nThe scanners are executed periodically, sampling several commands per device and delivering new payloads periodically; this includes systems that are already infected. The scanning activity observed by LevelBlue Labs through honeypots is considerably large, considering that it comes from just two source IPs.\r\nFigure 6: scanning activity histogram for the past 2 months (EU date format)\r\nLinear is one of the most targeted systems; however, it is not the most exposed software observed by LevelBlue Labs. The Labs research team has identified around 1,500 Linear systems exposed to the Internet. Neato, a company that made robotic vacuums and shut down in 2023, has approximately 35,000 devices exposed in the US.\r\nZyxel Routers\r\nZyxel routers, in particular the vmg8623-t50b model, seem to be commonly targeted by Ngioweb to obtain IPs located in the UK. Released in October 2019 and mainly dedicated to ISP purposes, Zyxel routers have historically been impacted by severe vulnerabilities leveraged by other botnets which allowed command injection (CVE-2023-28769, CVE-2023-28770, CVE-2022-45440; see https://www.zyxel.com/service-provider/emea/en/zyxel-security-advisory-multiple-vulnerabilities).\r\nLevelBlue Labs has observed that infected systems are vulnerable to the known proof-of-concept (PoC) exploits for vulnerabilities published to date. This means either the attacker is leveraging unpublished PoCs for the same vulnerabilities or they have identified a zero day. Either way, LevelBlue has not identified scanning activity carrying Ngioweb.\r\nIdentifying the total number of vulnerable Zyxel routers is challenging, since many of the Zyxel versions have very similar characteristics. However, many are also vulnerable to the same vulnerabilities. LevelBlue Labs estimates there could be 10,000 vulnerable Zyxel devices open to the Internet, mostly located in the U.K. For that reason, it is commonly seen as an Nsocks resource in this region.\r\nNeato Vacuum Cleaners\r\nNeato vacuums ceased selling operations in May 2023, but despite being close to the end of life support, there are still 128,000 Neato devices connected to the internet. Approximately 35,000 are in the U.S. and 15,000 are in India. However, the Ngioweb-infected devices that have been observed are mainly among the IPs in India.\r\nIn 2020, security researchers Fabian Ullrich and Jiska Classen presented research at DEF CON 27 that showed Neato vacuums leading to remote code execution on the robots. LevelBlue Labs has not yet identified the exploit being used to infect these devices.\r\nOther\r\nLevelBlue Labs and other researchers have identified additional devices that are being infected with Ngioweb (Reolink, Comtrend routers, NUUO Network Video Recorder, and Hikvision). Additionally, a seller of CCTV hardware with presence in dozens of countries, operating under different company names, is reselling their products and services. However, these devices seem to be far less impacted than the devices mentioned earlier in this article.\r\nConclusion\r\nTwenty-four-hour proxy access to the infected systems is being sold for pennies today, making it very affordable for attackers and threat actors to anonymize their malicious activities. NSOCKS is yet another reseller of residential proxy services, adding to the proliferation of a threat in which individuals or families with internet service at home are being used as victims, completely unaware of this activity.\r\n
Detection Methods\r\nThe following associated detection methods are in use by LevelBlue Labs. They can be used by readers to tune or deploy detections in their own environments or for aiding additional research.\r\nSURICATA IDS SIGNATURES\r\nalert dns $HOME_NET any -\u003e any 53 (msg:\"AV TROJAN NSOCKS Query TXT\"; flowbits:noalert; flowbits:set,nsocks; content:\"|01 00 00 01 00 00 00 00 00|\"; depth:10; offset:2; content:\"|00 00 10 00 01|\"; classtype:trojan-activity; sid:4002778; rev:1; metadata:created_at 2024_08_20, updated_at 2024_08_20;)\r\nalert dns any 53 -\u003e $HOME_NET any (msg:\"AV TROJAN NSOCKS Malicious Domain DNS response\"; flowbits:isset,nsocks; content:\"p=\"; content:\"v=\"; pcre:/(p|v)=[a-zA-Z0-9\\/\\+]{100,}=?=?\\xc0\\x0c/; pcre:/(p|v)=[a-zA-Z0-9\\/\\+]{100,}=?=?\\x00\\x00/R; isdataat:!10,relative; classtype:trojan-activity; sid:4002779; rev:1; metadata:created_at 2024_08_20, updated_at 2024_08_20;)\r\nalert http $HOME_NET any -\u003e $EXTERNAL_NET any (msg:\"AV TROJAN Linux.Ngioweb Stage CnC Activity (set)\"; flow:established,to_server; flowbits:set,g; flowbits:noalert; content:\"GET\"; http_method; content:\".js?h=aWQ9\"; http_uri; depth:30; fast_pattern; pcre:/\\.js\\?h=aWQ9[a-zA-Z0-9%\\/+]+={0,2}$/U; content:\"Mozilla/5.0|20 28|Windows NT 10.0|3b 20|Win64|3b 20|x64|3b 20|rv:59.0|29| Gecko/20100101 Firefox/59.0\"; http_user_agent; endswith; threshold:type both, count 1, seconds 3600, track by_src; reference:md5,53009eb13c9beacd2d3437d61a4ab262; classtype:trojan-activity; sid:4002457; rev:1; metadata:created_at 2021_01_12, updated_at 2021_01_12;)\r\nalert http $EXTERNAL_NET any -\u003e $HOME_NET any (msg:\"ET EXPLOIT Linear eMerge E3 Unauthenticated Command Injection Inbound (CVE-2019-7256)\"; flow:established,to_server; http.uri; content:\"/card_scan_decoder.php?No=\"; depth:26; reference:cve,2019-7256; reference:url,packetstormsecurity.com/files/155256/Linear-eMerge-E3-1.00-06-card_scan_decoder.php-Command-Injection.html; classtype:attempted-admin; sid:2029207; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_12_30, cve CVE_2019_7256, deployment Perimeter, signature_severity Minor, updated_at 2020_10_27, mitre_tactic_id TA0008, mitre_tactic_name Lateral_Movement, mitre_technique_id T1210, mitre_technique_name Exploitation_Of_Remote_Services;)\r\nalert http $HOME_NET any -\u003e $EXTERNAL_NET any (msg:\"ET EXPLOIT Linear eMerge E3 Unauthenticated Command Injection Outbound (CVE-2019-7256)\"; flow:established,to_server; http.uri; content:\"/card_scan_decoder.php?No=\"; depth:26; reference:cve,2019-7256; reference:url,packetstormsecurity.com/files/155256/Linear-eMerge-E3-1.00-06-card_scan_decoder.php-Command-Injection.html; classtype:attempted-admin; sid:2029213; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_12_31, cve CVE_2019_7256, deployment Perimeter, signature_severity Major, updated_at 2020_10_27, mitre_tactic_id TA0008, mitre_tactic_name Lateral_Movement, mitre_technique_id T1210, mitre_technique_name Exploitation_Of_Remote_Services;)\r\n
Associated Indicators (IOCs)\r\nThe following technical indicators are associated with the reported intelligence. A list of indicators is also available in the OTX Pulse. Please note, the pulse may include other related activities that are out of the scope of this report.\r\nTYPE INDICATOR DESCRIPTION\r\nSHA256 be285b77211d1a33b7ae1665623a9526f58219e20a685b6548bc2d8e857b6b44 Ngioweb sample\r\nDOMAIN misukumotist[.]info C\u0026C domain\r\nDOMAIN exagenafy[.]com C\u0026C domain\r\nDOMAIN prenurevaty[.]info C\u0026C domain\r\nDOMAIN monobimefist[.]com C\u0026C domain\r\nDOMAIN Remalexation[.]name C\u0026C domain\r\nIP 141.98.82[.]229 C\u0026C IP\r\nIP 91.227.77[.]217 C\u0026C IP\r\nIP 154.7.253[.]113 Linear eMerge dedicated scanner\r\nIP 216.107.139[.]52 Linear eMerge dedicated scanner\r\nMapped to MITRE ATT\u0026CK\r\nThe findings of this report are mapped to the following MITRE ATT\u0026CK Matrix techniques:\r\nTA0001: Initial Access\r\nT1189: Drive-by Compromise\r\nT1190: Exploit Public-Facing Application\r\nTA0003: Persistence\r\nT1543: Create or Modify System Process\r\nT1543.001: Launch Agent\r\nTA0005: Defense Evasion\r\nT1140: Deobfuscate/Decode Files or Information\r\nT1497: Virtualization/Sandbox Evasion\r\nT1497.001: System Checks\r\nT1222: File and Directory Permissions Modification\r\nT1222.002: Linux and Mac File and Directory Permissions Modification\r\nT1562: Impair Defenses\r\nT1562.001: Disable or Modify Tools\r\nTA0007: Discovery\r\nT1082: System Information Discovery\r\nTA0011: Command and Control\r\nT1090: Proxy\r\nTA0040: Impact\r\nT1496: Resource Hijacking\r\nReferences\r\n2018 Check Point report: https://research.checkpoint.com/2018/ramnits-network-proxy-servers\r\n2019 Netlab report: https://blog.netlab.360.com/an-analysis-of-linux-ngioweb-botnet-en\r\n2020 Netlab report: https://blog.netlab.360.com/linux-ngioweb-v2-going-after-iot-devices-en\r\n2024 Pawn Storm FBI disruption: https://www.justice.gov/opa/pr/justice-department-conducts-court-authorized-disruption-botnet-controlled-russian\r\n2024 TrendMicro report: https://www.trendmicro.com/en_us/research/24/e/router-roulette.html\r\nSource: https://levelblue.com/blogs/labs-research/ngioweb-remains-active-7-years-later",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://levelblue.com/blogs/labs-research/ngioweb-remains-active-7-years-later"
	],
	"report_names": [
		"ngioweb-remains-active-7-years-later"
	],
	"threat_actors": [
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab",
			"created_at": "2022-10-25T16:07:24.212584Z",
			"updated_at": "2026-04-10T02:00:04.900038Z",
			"deleted_at": null,
			"main_name": "Sofacy",
			"aliases": [
				"APT 28",
				"ATK 5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"G0007",
				"Grey-Cloud",
				"Grizzly Steppe",
				"Group 74",
				"GruesomeLarch",
				"ITG05",
				"Iron Twilight",
				"Operation DealersChoice",
				"Operation Dear Joohn",
				"Operation Komplex",
				"Operation Pawn Storm",
				"Operation RoundPress",
				"Operation Russian Doll",
				"Operation Steal-It",
				"Pawn Storm",
				"SIG40",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"Strontium",
				"T-APT-12",
				"TA422",
				"TAG-0700",
				"TAG-110",
				"TG-4127",
				"Tsar Team",
				"UAC-0028",
				"UAC-0063"
			],
			"source_name": "ETDA:Sofacy",
			"tools": [
				"ADVSTORESHELL",
				"AZZY",
				"Backdoor.SofacyX",
				"CHERRYSPY",
				"CORESHELL",
				"Carberp",
				"Computrace",
				"DealersChoice",
				"Delphacy",
				"Downdelph",
				"Downrage",
				"Drovorub",
				"EVILTOSS",
				"Foozer",
				"GAMEFISH",
				"GooseEgg",
				"Graphite",
				"HATVIBE",
				"HIDEDRV",
				"Headlace",
				"Impacket",
				"JHUHUGIT",
				"JKEYSKW",
				"Koadic",
				"Komplex",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LoJack",
				"LoJax",
				"MASEPIE",
				"Mimikatz",
				"NETUI",
				"Nimcy",
				"OCEANMAP",
				"OLDBAIT",
				"PocoDown",
				"PocoDownloader",
				"Popr-d30",
				"ProcDump",
				"PythocyDbg",
				"SMBExec",
				"SOURFACE",
				"SPLM",
				"STEELHOOK",
				"Sasfis",
				"Sedkit",
				"Sednit",
				"Sedreco",
				"Seduploader",
				"Shunnael",
				"SkinnyBoy",
				"Sofacy",
				"SofacyCarberp",
				"SpiderLabs Responder",
				"Trojan.Shunnael",
				"Trojan.Sofacy",
				"USB Stealer",
				"USBStealer",
				"VPNFilter",
				"Win32/USBStealer",
				"WinIDS",
				"Winexe",
				"X-Agent",
				"X-Tunnel",
				"XAPS",
				"XTunnel",
				"Xagent",
				"Zebrocy",
				"Zekapab",
				"carberplike",
				"certutil",
				"certutil.exe",
				"fysbis",
				"webhp"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434954,
	"ts_updated_at": 1775826736,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/10714e198e804bd31daeb1af3f8c6e388d4ef654.pdf",
		"text": "https://archive.orkl.eu/10714e198e804bd31daeb1af3f8c6e388d4ef654.txt",
		"img": "https://archive.orkl.eu/10714e198e804bd31daeb1af3f8c6e388d4ef654.jpg"
	}
}