{
	"id": "4dffd0a7-dba3-4488-87d4-f47768de1ee6",
	"created_at": "2026-04-06T00:11:12.668569Z",
	"updated_at": "2026-04-10T03:20:04.193941Z",
	"deleted_at": null,
	"sha1_hash": "2dba37f9891ab392d0b77b39ecf1c70051a1761f",
	"title": "Internet Crime Complaint Center (IC3)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 41353,
	"plain_text": "Internet Crime Complaint Center (IC3)\r\nPublished: 2025-05-07 · Archived: 2026-04-05 13:40:31 UTC\r\nThe Federal Bureau of Investigation (FBI) is issuing this announcement to inform individuals and businesses\r\nabout proxy services taking advantage of end of life routers that are susceptible to vulnerabilities. When a\r\nhardware device is end of life, the manufacturer no longer sells the product and is not actively supporting the\r\nhardware, which also means they are no longer releasing software updates or security patches for the device.\r\nRouters dated 2010 or earlier likely no longer receive software updates issued by the manufacturer and could be\r\ncompromised by cyber actors exploiting known vulnerabilities.\r\nEnd of life routers were breached by cyber actors using variants of TheMoon malware botnet. Recently, some\r\nrouters at end of life, with remote administration turned on, were identified as compromised by a new variant of\r\nTheMoon malware. This malware allows cyber actors to install proxies on unsuspecting victim routers and\r\nconduct cyber crimes anonymously.\r\nProxies and Router Vulnerabilities\r\nA proxy server is a system or router that provides a gateway between users and the Internet. It is an intermediary\r\nbetween end-users and the web pages they visit online. A proxy is a service that relays users' Internet traffic while\r\nhiding the link between users and their activity.\r\nCyber actors use proxy services to hide their identities and location. When actors use a proxy service to visit a\r\nwebsite to conduct criminal activity, like stealing cryptocurrency or contracting illegal services, the website does\r\nnot register their real IP address and instead registers the proxy IP.\r\nTheMoon Malware\r\nTheMoon malware was first discovered on compromised routers in 2014 and has since gone through several\r\ncampaigns. 
TheMoon does not require a password to infect routers; it scans for open ports and sends a command\r\nto a vulnerable script. The malware contacts the command and control (C2) server and the C2 server responds\r\nwith instructions, which may include instructing the infected machine to scan for other vulnerable routers to\r\nspread the infection and expand the network.\r\nTips to Protect Yourself\r\nCommonly identified signs of malware infections on routers include overheating devices, problems with\r\nconnectivity, and changes to settings the administrator does not recognize.\r\nThe FBI recommends individuals and companies take the following precautions:\r\nIf the router is at end of life, replace the device with an updated model if possible.\r\nImmediately apply any available security patches and/or firmware updates for your devices.\r\nLog in online to the router settings and disable remote management/remote administration, save the change,\r\nand reboot the router.\r\nUse strong passwords that are unique and random and contain at least 16 but no more than 64 characters.\r\nAvoid reusing passwords and disable password hints.\r\nIf you believe there is suspicious activity on any device, apply any necessary security and firmware\r\nupdates, change your password, and reboot the router.\r\nVictim Reporting and Additional Information\r\nIf you suspect you are a victim of a proxy service or your personal information has been compromised:\r\nFile a complaint with the FBI Internet Crime Complaint Center (IC3), www.ic3.gov. 
When available,\r\nplease include the following information regarding the incident: date, time, and location of the incident;\r\ntype of activity; number of people affected; type of equipment used for the activity; the name of the\r\nsubmitting organization; designated point of contact.\r\nContact your account provider immediately to regain control of your accounts, change passwords, and\r\nplace alerts on your accounts for suspicious login attempts and/or transactions.\r\nSource: https://www.ic3.gov/PSA/2025/PSA250507",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.ic3.gov/PSA/2025/PSA250507"
	],
	"report_names": [
		"PSA250507"
	],
	"threat_actors": [],
	"ts_created_at": 1775434272,
	"ts_updated_at": 1775791204,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2dba37f9891ab392d0b77b39ecf1c70051a1761f.pdf",
		"text": "https://archive.orkl.eu/2dba37f9891ab392d0b77b39ecf1c70051a1761f.txt",
		"img": "https://archive.orkl.eu/2dba37f9891ab392d0b77b39ecf1c70051a1761f.jpg"
	}
}