Severity
High
Analysis Summary
Researchers have detected a sharp rise in malicious HTTP scanning operations traced back to roughly 2,200 compromised small business routers spanning multiple vendors, including Cisco Small Business RV series, Linksys LRT series, and Araknis Networks AN-300-RT-4L2W. The campaign, which began intensifying on July 30th, 2025, is attributed to a coordinated botnet operation exploiting known vulnerabilities in these devices. Compromised routers are being weaponized to carry out reconnaissance activities, scanning TCP ports 80, 443, 8080, and 8443 in search of vulnerable web services. Analysis reveals that this infrastructure demonstrates advanced command-and-control (C2) functionality, highlighting the sophistication of the threat actors behind it.
Telemetry and honeypot data from the Shadowserver Foundation confirm that the botnet conducts HTTP GET requests and port scanning against global targets, with the United States showing the highest concentration of infected devices, followed by Canada, Brazil, India, and several European countries. The geographic distribution mirrors the global adoption of the targeted router models, particularly among small and medium-sized businesses. Attack patterns indicate the use of automated scanning tools, evidenced by unique User-Agent strings and consistent HTTP header signatures, pointing to organized vulnerability discovery operations rather than opportunistic attacks.
The behavior of the compromised devices suggests that the threat actors are not only conducting reconnaissance but also preparing for potential follow-on activities such as lateral movement within corporate networks or data exfiltration. Outbound scanning patterns from Cisco RV models (RV042, RV082, RV320, RV325), Linksys LRT appliances, and Araknis devices have been flagged as highly anomalous, underscoring the risk of these routers being repurposed as attack launchpads. This activity illustrates the critical challenge posed by insecure IoT and edge devices, which often remain unpatched and under-monitored despite being directly exposed to the internet.
To mitigate the risks posed by this campaign, organizations are strongly urged to update firmware on affected routers, change default administrative credentials, and implement strict network segmentation to limit the blast radius of compromised devices. Security teams should use Shadowserver’s IP reputation feeds, enhance intrusion detection rules to alert on suspicious outbound scanning traffic, and monitor closely for anomalies in HTTP activity patterns. The incident highlights the urgent need for proactive vulnerability management and IoT security hygiene, as neglected network appliances continue to provide attackers with a powerful foothold for large-scale, automated campaigns.
Impact
- Gain Access
- Data Exfiltration
Remediation
- Update firmware on Cisco RV, Linksys LRT, and Araknis router models to the latest available versions.
- Change default administrative credentials immediately and enforce strong, unique passwords.
- Segment networks to restrict the ability of compromised devices to access sensitive systems or move laterally.
- Monitor outbound traffic for unusual HTTP requests or scanning behavior targeting ports 80, 443, 8080, and 8443.
- Correlate internal logs with Shadowserver’s IP reputation feeds to identify potentially compromised devices.
- Deploy intrusion detection/prevention systems (IDS/IPS) with signatures tuned to detect anomalous HTTP scanning and suspicious User-Agent patterns.
- Disable unnecessary remote management services on routers to reduce the external attack surface.
- Implement continuous vulnerability management for all IoT and network infrastructure components to ensure timely patching.
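The two monitoring steps above (flagging outbound scanning toward ports 80, 443, 8080 and 8443, and correlating with a reputation feed) as an added example, not code from the advisory or from Shadowserver. The flow records and the feed contents are constructed, the feed format is a plain set of addresses rather than Shadowserver's real schema, and the window/threshold values are assumed tuning parameters.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Destination ports the advisory reports the botnet probing.
SCAN_PORTS = {80, 443, 8080, 8443}

# Constructed perimeter flow records: (timestamp, src_ip, dst_ip, dst_port).
# 198.51.100.7 stands in for a compromised router's WAN address that sweeps
# twelve external hosts in under a minute; 198.51.100.8 is normal traffic.
FLOWS = [
    (f"2025-07-30T10:00:{i * 5:02d}", "198.51.100.7", f"203.0.113.{i + 1}", port)
    for i, port in enumerate([80, 443, 8080, 8443] * 3)
] + [
    ("2025-07-30T10:01:00", "198.51.100.8", "203.0.113.50", 443),
    ("2025-07-30T10:02:00", "198.51.100.8", "203.0.113.50", 443),
    ("2025-07-30T10:03:00", "198.51.100.8", "203.0.113.51", 80),
]

# Constructed stand-in for an IP reputation feed (assumed shape: a set of addresses).
REPUTATION_FEED = {"198.51.100.7", "192.0.2.99"}


def detect_outbound_scanning(flows, window=timedelta(minutes=5), threshold=10):
    """Return {src_ip: destinations} for every source that reaches at least
    `threshold` distinct destinations on SCAN_PORTS within one sliding window."""
    by_src = defaultdict(list)
    for ts, src, dst, port in flows:
        if port in SCAN_PORTS:
            by_src[src].append((datetime.fromisoformat(ts), dst))
    alerts = {}
    for src, events in by_src.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            # Distinct destinations contacted inside the window starting at t0.
            dsts = {d for t, d in events[i:] if t - t0 <= window}
            if len(dsts) >= threshold:
                alerts[src] = dsts
                break
    return alerts


def correlate_with_feed(flows, feed):
    """Source addresses in our own logs that the reputation feed also lists."""
    return {src for _, src, _, _ in flows if src in feed}


if __name__ == "__main__":
    for src, dsts in detect_outbound_scanning(FLOWS).items():
        print(f"scanning: {src} -> {len(dsts)} hosts on {sorted(SCAN_PORTS)}")
    print("listed in feed:", correlate_with_feed(FLOWS, REPUTATION_FEED))
```

In production the flow records would come from NetFlow/IPFIX or firewall logs and the feed from Shadowserver's own reports; the threshold should be tuned against the site's baseline.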