{
	"id": "d6c1f124-ce14-409c-b0f6-b78c265f5bdd",
	"created_at": "2026-04-06T00:09:45.701023Z",
	"updated_at": "2026-04-10T13:12:38.951385Z",
	"deleted_at": null,
	"sha1_hash": "566fe054c976bdfbf7531c30e6bb82b1ec95a7c4",
	"title": "Moose - the router worm with an appetite for social networks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 136569,
	"plain_text": "Moose - the router worm with an appetite for social networks\r\nBy Graham Cluley\r\nArchived: 2026-04-05 19:49:26 UTC\r\nCybercrime\r\nA new worm is infecting routers in order to commit social networking fraud, hijacking victims' internet\r\nconnections in order to \"like\" posts and pages, \"view\" videos and \"follow\" other accounts.\r\n26 May 2015 • 2 min. read\r\nESET researchers have issued a technical paper today, analyzing a new worm that is infecting routers in order to\r\ncommit social networking fraud, hijacking victims' internet connections in order to \"like\" posts and pages, \"view\"\r\nvideos and \"follow\" other accounts.\r\nThe malware, dubbed Linux/Moose by researchers Olivier Bilodeau and Thomas Dupuy, infects Linux-based\r\nrouters and other Linux-based devices, eradicating existing malware infections it might find competing for the\r\nrouter's limited resources, and automatically finding other routers to infect.\r\nHowever, the Moose worm does not rely upon any underlying vulnerability in the routers - it is simply taking\r\nadvantage of devices that have been weakly configured with poorly chosen login credentials.\r\nUnfortunately, this means that devices other than routers can be impacted by the worm in the form of accidental\r\ncollateral damage. ESET's team believes that even medical devices, such as the Hospira drug infusion pump,\r\ncould be infected by the Linux/Moose worm.\r\nBut the principal victims are likely to be routers - with devices from Actiontec, Hik Vision, Netgear, Synology,\r\nTP-Link, ZyXEL, and Zhone already identified as vulnerable.\r\nESET's detailed technical report provides an in-depth analysis of the Moose worm, methods by which users can\r\ndetermine if they might have had their routers compromised, and cleaning instructions. 
Importantly, the technical\r\nreport provides prevention advice to avoid reinfection.\r\nPerhaps most interesting of all, however, is to try to understand the purpose of the Moose worm.\r\nIn their investigation, ESET's team observed the worm creating bogus accounts on sites such as Instagram, and\r\nautomatically following users. In many cases the rise in followers was carefully staggered over some days,\r\nseemingly to avoid raising alarms in automated systems built by the social networks to identify suspicious\r\nbehavior.\r\nThe sad truth is that there are many individuals and companies out there who are keen to manipulate their social\r\nmedia standing, and have no qualms about hiring third-parties who claim to have methods to bump up the number\r\nof views of a corporate video, boost the followers on a Twitter feed or get you more Facebook fans.\r\nOften these third-parties will themselves contract the work out to other companies, and the danger is that one of\r\nthese might - perhaps unwittingly - hire criminals with access to the botnet of Moose-compromised routers to\r\nconduct the social media fraud on their behalf.\r\nThe fact that these aren't *real* fans, or *real* views of the video is likely to go unnoticed or be swept under the\r\ncarpet by marketing teams keen to impress their bosses.\r\nAs well as social networking fraud, ESET's paper considers that the malware could potentially be used for other\r\nactivities - such as distributed denial-of-service attacks, targeted network exploration (where it works hard to dig\r\ndeep past firewalls) and eavesdropping and DNS hijacking (which could lend itself to phishing and further\r\nmalware attacks).\r\nOnce again, consumers are advised to be on their guard, ensure that they install the latest security patches and\r\nnever use default or easy-to-crack passwords on their internet-connected devices.\r\nFor much more information 
about the threat, and how to protect yourself against it, read the technical paper from\r\nESET's team of experts: \"Dissecting Linux/Moose\".\r\nSource: http://www.welivesecurity.com/2015/05/26/moose-router-worm/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"http://www.welivesecurity.com/2015/05/26/moose-router-worm/"
	],
	"report_names": [
		"moose-router-worm"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434185,
	"ts_updated_at": 1775826758,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/566fe054c976bdfbf7531c30e6bb82b1ec95a7c4.pdf",
		"text": "https://archive.orkl.eu/566fe054c976bdfbf7531c30e6bb82b1ec95a7c4.txt",
		"img": "https://archive.orkl.eu/566fe054c976bdfbf7531c30e6bb82b1ec95a7c4.jpg"
	}
}