botnet
10 min read
FreeWhen Your Router Becomes Someone Else's Weapon: Uncovering a 800+ Proxy Network via KeeneticOS Router
Through infrastructure clustering analysis, we identified a proxy network of 832 compromised KeeneticOS routers operating across Russian ISPs. The investigation shows how consumer routers get turned into weaponized infrastructure for threat actors.
By Chawkr Reports
26/11/2025
When Your Router Becomes Someone Else's Weapon: Uncovering a 800+ Proxy Network via KeeneticOS Router
Last week, while analyzing malicious infrastructure patterns, we discovered something that demanded immediate attention: a possible coordinated botnet of 832 compromised KeeneticOS routers operating as a sophisticated proxy network across Russian ISPs. Each device bore identical fingerprints, maintained the same SSH configurations, and appeared designed for a singular purpose: providing threat actors with clean residential IP addresses to mask criminal activity. What started as routine threat hunting revealed a textbook example of how consumer devices become weaponized infrastructure in today's threat environment.
Modern threat actors increasingly use compromised consumer devices and dedicated server infrastructure to conduct multi-stage attacks. This article focuses on infrastructure patterns observed through infrastructure clustering analysis. It reveals usual malicious patterns for botnets, centered around Russian hosting providers and compromised SOHO (Small Office/Home Office) routers.
Background
In March 2023, a misconfigured server exposed the credentials and network configurations of over one million Keenetic router users, predominantly in Russia. The breach, which remained largely undetected for nearly two years, revealed a troubling reality: WiFi passwords stored in plain text, administrative credentials hashed with the deprecated MD5 algorithm, and detailed service logs that painted intimate portraits of user behavior, including flags marking users as pirates. (CyberNews)
While Keenetic quickly patched the vulnerability and assured users that the risk of fraudulent activity remained low, the incident opened a window into a broader security ecosystem that warrants closer examination. The compromised data included everything an attacker would need to gain complete network access: SSIDs, WPA pre-shared keys, VPN credentials, device serial numbers, and administrative passwords. No sophisticated cracking techniques required: just direct access to home and business networks.
Keenetic originated as a consumer-focused product line within Taiwan-based Zyxel, but in 2017 it spun off into an independent company to pursue its own hardware and cloud-centric firmware roadmap. After the separation, Keenetic continued relying heavily on software developed by Moscow-based NDM Systems, which maintained much of the KeeneticOS codebase and cloud-management infrastructure. This legacy relationship kept significant development resources in Russia even as the brand marketed itself globally.
The geopolitical shift following Russia's invasion of Ukraine in 2022 accelerated Keenetic's push to distance itself from Russian ties: Germany's BSI issued warnings about products dependent on Russian software, prompting Keenetic to publicly oppose the war and relocate its software operations to a new German entity. Despite the formal split from Zyxel and efforts to restructure its development pipeline, traces of its Russian origin persisted through NDM Systems and Netcraze, which created a complex supply-chain backdrop for today's security concerns.
Scope
This analysis covers a large-scale proxy network identified through concurrent appearance in our threat hunting procedures and subsequent pivot analysis. The investigation period spans infrastructure active as of November 2025, with profiles built from confirmed malicious hosts operating within Russian ISP infrastructure.
Methodology
-
Source: Threat hunting and cross-referenced threat intelligence feeds
-
Approach: Our threat hunting surfaced a subset of suspicious IP addresses, which we then clustered using ClusterHawk. One cluster stood out due to its distinct characteristics; ClusterHawk generated a profile for this cluster, which we used to pivot and expand our view of the underlying malicious infrastructure, leading to the findings presented in this report.
-
Validation: Cross-reference with multiple threat intelligence sources
Our threat profiling methodology began with a critical observation: multiple malicious hosts appearing simultaneously in our threat hunting dataset, exhibiting nearly identical technical characteristics. Rather than treating these as isolated incidents, we used them as seeds for cluster-based profiling, a technique where confirmed malicious infrastructure becomes the foundation for discovering related threat actor assets.
Starting with known malicious hosts, we extracted distinctive fingerprints including HTTP header hashes, favicon signatures, DOM structures, and SSH configuration fingerprints (HASSH values). ClusterHawk, our infrastructure analysis tool, then employed machine learning-driven behavioral clustering to pivot across these fingerprints and identify related infrastructure. Unlike traditional IP reputation services that rely solely on historical data, ClusterHawk analyzes patterns and relationships in IP metadata to detect threats proactively, even when specific addresses have no prior reputation indicators.
Threat Cluster Analysis
Through infrastructure clustering analysis, we identified a massive proxy network containing 832 unique possible compromised KeeneticOS routers, all exhibiting identical fingerprints. The attack surface spans multiple Russian ISPs including Net By Net Holding LLC, VladLink, and GorodSamara regional networks, with each compromised device exposing the telltale KeeneticOS web panel on port 80 alongside SSH access on port 22. The uniformity of the fingerprints (matching robots hash, title hash, DOM structure, headers, and favicon) reveals a coordinated compromise campaign rather than opportunistic exploitation.
What makes this network particularly dangerous is its versatility in supporting multiple criminal activities simultaneously. The compromised SOHO routers function as residential proxy nodes, providing threat actors with legitimate-appearing IP addresses that blend into normal internet traffic. In practice, this means a credential-stuffing attack against a major financial institution appears to originate from a home user in Samara rather than a known malicious hosting provider, bypassing rate limits, reputation filters, and geographic restrictions that would immediately flag datacenter traffic.
This infrastructure strongly aligns with known patterns of IoT botnet operations, residential proxy abuse networks, and traffic obfuscation techniques used by malware operators. The infrastructure also exhibits protocol-level indicators consistent with established IoT botnet tooling, including the use of Telnet option negotiation such as NAWS (Negotiate About Window Size) and SGA (Suppress Go Ahead), a characteristic handshake pattern frequently observed in automated scanning and exploitation frameworks targeting embedded devices.
Cybercriminals using this network can conduct credential-stuffing campaigns, account takeover attacks, web scraping operations, and various fraud schemes while hiding behind the clean reputation of residential IP addresses. The victims are exploited on two fronts: their devices are covertly weaponized, and their IP addresses are used as laundered exit points for unauthorized criminal activity. Meanwhile, the device owners may experience degraded network performance, increased bandwidth costs, and potential legal exposure if their IP address appears in abuse reports or law enforcement investigations.
The stealthy nature of compromised SOHO routers makes them particularly valuable as proxy nodes: unlike datacenter IPs or addresses from known hosting providers, these residential endpoints operate below the radar of most security vendor reputation lists and threat intelligence feeds. Their legitimate residential classification and clean IP reputation allow malicious traffic to masquerade as ordinary consumer activity, evading detection mechanisms that would immediately flag requests originating from suspicious hosting infrastructure or known proxy services.
Attack Vector Analysis
The hypothetical compromise method likely involves multiple attack vectors working in concert. While the March 2023 credential breach is one plausible entry point (particularly given the timing correlation and the availability of administrative credentials with weak MD5 hashing), the uniformity of deployment suggests additional factors may be at play. Alternative scenarios include supply-chain compromise during the manufacturing or firmware distribution process, exploitation of unpatched vulnerabilities in KeeneticOS itself, or a combination of these vectors.
The consistent SSH fingerprints and identical configurations across all 832 devices point toward automated mass exploitation, whether leveraging stolen credentials, embedded backdoors, or known security flaws in the router firmware. Given the complex relationships between Keenetic, NDM Systems, and Netcraze, supply-chain interference remains a particularly concerning possibility that warrants deeper investigation.
Each compromised router maintains both HTTP (port 80) and SSH (port 22) access, with approximately 25% also
exposing FTP services on port 21, a configuration that facilitates both remote management and potential lateral
movement. The consistent SSH fingerprint (HASSH: 12ae3bde05e041d683e7712cd144261f) across all nodes suggests a
standardized deployment toolkit, likely automating the configuration of proxy services post-compromise.
The threat actor's operational security demonstrates sophistication: by distributing the botnet across multiple regional ISPs and maintaining residential IP classifications, they've created infrastructure that appears legitimate to automated security controls. The use of standard SSH ciphers (aes128-ctr) and RSA key authentication suggests the operators prioritized compatibility and reliability over stealth at the encryption layer, a pragmatic choice when the residential IP reputation provides sufficient cover.
Infrastructure Profile
Our cluster-based profiling revealed the following technical characteristics shared across all 832 compromised devices:
| Characteristic | Details |
|---|---|
| Scale | 832 unique compromised routers |
| Active ports | HTTP/80 (100%), SSH/22 (100%), FTP/21 (25%) |
| Primary ASNs | Net By Net Holding LLC (50%), VladLink (25%), GorodSamara (25%) — entire cluster at time of analysis |
| SSH configuration | Cipher: aes128-ctr, HASSH: 12ae3bde05e041d683e7712cd144261f, Key: ssh-rsa |
| Web interface | KeeneticOS Web Panel (Title Hash: -1670795305) |
| Favicon hash | 547282364 |
| HTTP fingerprint | Robots: -1022729730, DOM: -1753752179, Headers: -1031597325 |
| Infrastructure type | 100% residential/business ISPs (consumer infrastructure) |
Threat Attribution and Public IOC Feed
We are actively tracking this infrastructure under the designation Nightfall. We have published and are maintaining a public list of IOCs related to this KeeneticOS-based proxy network.
IOC List: https://github.com/chawkr/iocs/blob/main/nightfall.txt
This list is continuously updated and includes verified IP addresses associated with the compromised routers. Security professionals and network defenders are encouraged to consult this repository for detection, blocking, and further analysis.
Recommendations for Keenetic Router Owners
- Immediately change administrative credentials: Use strong, unique passwords of at least 16 characters
- Disable external access: If remote access is necessary, implement additional security controls: restrict access to specific IP addresses or ranges; utilize VPN connections for remote administration
- Update firmware: Ensure you're running the latest official KeeneticOS firmware version
- Review connected devices: Check for unauthorized devices or unusual network activity
- Monitor router logs: Look for failed login attempts or suspicious access patterns
- Consider factory reset: If compromise is suspected, perform a factory reset and reconfigure from scratch
- Enable automatic updates: If available, enable automatic security updates
- Restrict administrative access: Only allow admin panel access from trusted local network segments
Conclusion
The discovery of this 832-node KeeneticOS proxy network is a stark reminder that the devices we trust to connect us to the internet can just as easily be turned against us. The uniformity of the compromise, the sophistication of the operational security, and the choice of residential infrastructure all point to experienced threat actors who understand both the technical and economic dimensions of botnet operations.
Security teams and threat researchers can identify potentially compromised KeeneticOS routers using the following search query across internet-facing infrastructure:
http.status:200
http.robots_hash:-1022729730
http.title_hash:-1670795305
http.title:"KeeneticOS Web Panel"
http.dom_hash:-1753752179
http.headers_hash:-1031597325
org:"Net By Net Holding LLC","VladLink nets","net GorodSamara /29"
port:80,22
ssh.hassh:12ae3bde05e041d683e7712cd144261f
ssh.type:ssh-rsa
http.favicon.hash:547282364
The original profile may no longer be effective so try to remove and change some values, since infrastructure changes. For example:
http.status:200
http.robots_hash:-1022729730
http.title_hash:-1670795305
http.title:"KeeneticOS Web Panel"
http.dom_hash:-1753752179
http.headers_hash:-1031597325
org:"Net By Net Holding LLC","VladLink nets","net GorodSamara /29"
port:80
http.favicon.hash:547282364
For Keenetic owners, the immediate action is clear: change your credentials, update your firmware, and disable unnecessary remote access features. For the broader security community, this incident shows the ongoing challenge of IoT security and the creative ways threat actors monetize compromised consumer devices.
As IoT adoption accelerates and our homes become increasingly connected, the stakes of device security grow higher. Today it's 832 routers serving as proxy nodes. Tomorrow it could be smart cameras, thermostats, or door locks, all weaponized without their owners' knowledge or consent.
The internet of things should make life easier, not endanger it. Users can do their part by patching; the deeper fix is manufacturers owning their update pipelines. Until then, defenders should keep watching for fingerprints like the ones above.
Sources
- CyberNews: Keenetic router data leak puts users at risk (2025) https://cybernews.com/security/keenetic-router-data-leak-puts-users-at-risk/
