Escorted Out! Major Cybersecurity Takedown
Black Lotus Labs is proud to have partnered with the Department of Justice in taking down the proxy network known as SocksEscort, which was powered by the malware known as AVRecon, first unveiled by Black Lotus Labs in 2023. Since early 2025, we have observed SocksEscort victimize 280,000 distinct IP addresses. Botnets such as these are integral to the ransomware ecosystem.
This botnet posed a significant threat, as it was marketed exclusively to criminals and composed solely of compromised edge devices. Over the past several years, SocksEscort maintained an average size of approximately 20,000 distinct victims weekly, with communications routed through an average of 15 command-and-control nodes (C2s).
Notably, over half of its victims were located in the United States or the United Kingdom, enabling attackers to conduct highly targeted operations, as detailed in the original AVRecon analysis. The concentration of victims in specific regions heightened the severity of threats posed by SocksEscort, reinforcing the need for ongoing collaboration between cybersecurity organizations and law enforcement.
As we began to track this network, the IOCs were added to Lumen Defender to protect our customers while we worked with law enforcement toward the disruption. At the time of publication, Lumen is blocking all traffic to or from SocksEscort’s infrastructure throughout its network.