{
	"id": "3ba70399-3889-4775-8054-f04dd301c028",
	"created_at": "2026-04-06T00:20:14.511579Z",
	"updated_at": "2026-04-10T13:12:43.69416Z",
	"deleted_at": null,
	"sha1_hash": "86916ab651034a36053ad454a0f1c04213bc4aa7",
	"title": "“Christmas in July”: Inside a Wrapped Proxy Service | Spur Labs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1288376,
	"plain_text": "“Christmas in July”: Inside a Wrapped Proxy Service | Spur Labs\r\nArchived: 2026-04-05 18:10:30 UTC\r\nIt is not often that Spur has the opportunity to glean full insight into a malware proxy service. Because we track hundreds of proxy and VPN services, our focus is generally on the proxies from a network standpoint rather than any related malware or its provenance. Rarer still do we gain insight into the actor(s) operating the malware network that feeds the proxy service.\r\nBut thanks to a recent article from Black Lotus Labs, and with the help of Brian Krebs's investigative reporting, Christmas has come early this year at Spur.\r\nThe Disappearance\r\nA few weeks ago, we noticed a few key metrics and details associated with SocksEscort — one of the oldest malware proxy services we track — suddenly change. The number of proxies we had insight into plummeted, and the communicating infrastructure seemingly moved.\r\nAround July 11, we started noticing a significant downward trend in the number of available endpoints. The count of available endpoints for a given service tends to ebb and flow, but this halving of the online proxy count merited a closer look.\r\nThe proxy control servers appeared to still be online based on the indicators we use to track them. The screenshot below, from driftnet.io (an infrastructure profiling service we find excellent for this kind of work), shows a seemingly still-active SocksEscort control server after the decrease in proxy counts.\r\nHowever, around the same time, we also saw the count of victims per server (shown for June in the table below) drop to 0.\r\nServer          Victim Count\r\n155.254.23.254  7506\r\n139.59.231.113  6792\r\n188.138.41.157  167\r\n85.25.214.74    129\r\n85.25.217.95    129\r\n148.72.155.187  107\r\n148.72.155.189  107\r\n148.72.155.112  96\r\n50.30.36.132    96\r\n148.72.155.174  95\r\n50.30.36.27     93\r\n69.64.55.106    69\r\nIt is not uncommon for the actors operating a malware proxy service to push a code update or rotate their infrastructure, but up until this point, SocksEscort had always been stable. We were mostly blind; nothing about the service itself appeared to have changed. A frustrating consequence of tracking the proxy service at the network level, rather than the malware itself at the broader threat-intelligence level, is that we are frequently left to guess at the explanations for events like this.\r\nThe Takedown\r\nPurely by coincidence, while perusing LinkedIn, I came across interesting research by Danny Adamitis and Steve Rudd of Black Lotus Labs, the threat intelligence arm of Lumen (formerly known as CenturyLink). The article, posted just a few weeks ago on July 12, dives deep into a piece of SOHO router malware they are calling AVrecon. Instead of rehashing the article, I highly recommend reading it; summarizing it here would do it an injustice.\r\nWhenever I read similar research posts by other organizations, I am curious to figure out what call-back proxy service (if any) is tied to the malware, as residential proxies tend to be a popular monetization vector for malware operators. A brief review of the full IoCs published by Black Lotus Labs was enough to identify SocksEscort as the malware proxy service tied to this particular botnet, based on the C2 infrastructure they listed.\r\nThe smoking gun was in Lumen's remediation, mentioned in the conclusion of the above article: black-holing the IP addresses belonging to the stage 2 C2 infrastructure for AVrecon. Assuming Lumen null-routed the control servers shortly before their research team published on July 12, we finally had a clear picture of the reason behind the plummeting proxy numbers for SocksEscort. It also squares with the control servers still looking alive to an outside scanner: the hosts themselves stayed up, but traffic from infected devices toward them was being dropped in transit.\r\nThe Other Side\r\nAs previously mentioned, Spur focuses on tracking a massive breadth of proxy and tunnel services at the network level. We tend to stop short of identifying any related malware and its particulars, as that falls outside our bailiwick. Likewise, we also tend not to track the actors operating these botnets and associated services, deferring that tall order to the likes of Brian Krebs and other investigative journalists and threat intelligence specialists in the security space.\r\nIndeed, Krebs wrote about SocksEscort shortly after the 911.re takedown took place (SocksEscort was a front-runner for a 911 replacement). He has recently published another article examining the potential actors ultimately behind the malware proxy service, linking it to an individual as well as a commercial VPN service. Again, rather than attempt to summarize the findings, I will say the article merits its own read.\r\nThe Village\r\nBlack Lotus Labs and Krebs have been simultaneously investigating the same malware, just from different angles. Our insight into malware proxy networks was the missing link connecting their separate research.\r\nA full picture of SocksEscort can now be painted, tying the malware itself to the service profiting from the infections (perhaps one of many) and on to the proxy operators.\r\nThe security community is filled with experts like Krebs and the smart people at Lumen's research wing. Sometimes it takes a few organizations to piece together the puzzle. Spur greatly appreciates the work done by groups like Black Lotus Labs that can better identify and track the malware associated with these services. Additionally, their remediation efforts have put a serious strain on SocksEscort and vastly reduced its available proxy inventory.\r\nIf you or your organization have interesting research to share that may concern malware proxies, we'd love to hear from you!\r\nSource: https://spur.us/2023/07/christmas-in-july-a-finely-wrapped-proxy-service/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://spur.us/2023/07/christmas-in-july-a-finely-wrapped-proxy-service/"
	],
	"report_names": [
		"christmas-in-july-a-finely-wrapped-proxy-service"
	],
	"threat_actors": [],
	"ts_created_at": 1775434814,
	"ts_updated_at": 1775826763,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/86916ab651034a36053ad454a0f1c04213bc4aa7.pdf",
		"text": "https://archive.orkl.eu/86916ab651034a36053ad454a0f1c04213bc4aa7.txt",
		"img": "https://archive.orkl.eu/86916ab651034a36053ad454a0f1c04213bc4aa7.jpg"
	}
}