
Scans From Hacked Cisco Small Business Routers, Linksys and Araknis Are on the Rise


Researchers have identified a significant surge in malicious HTTP scanning activities originating from approximately 2,200 compromised small business routers across multiple vendors. 

The campaign, which began escalating on July 30th, 2025, primarily targets Cisco Small Business RV series, Linksys LRT series, and Araknis Networks AN-300-RT-4L2W devices, indicating a coordinated botnet operation exploiting known vulnerabilities in these network appliances.

The attack infrastructure demonstrates sophisticated command and control (C2) capabilities, with compromised devices being weaponized to conduct reconnaissance activities against potential targets. 

Key Takeaways
1. 2,200 Cisco RV/Linksys LRT/Araknis routers compromised since July 30th. 
2. HTTP scanning on ports 80/443/8080/8443 for target reconnaissance.
3. Update firmware, change credentials, monitor outbound traffic.

Network telemetry data reveals that the United States leads in affected devices, though the campaign has achieved global reach with significant infections reported across multiple countries, including Canada, Brazil, India, and various European nations.

Affected devices

Botnet Attack Analysis

Analysis of the attack patterns shows the botnet operators are leveraging compromised routers to perform HTTP GET requests and port scanning activities against honeypot infrastructure. 

The geographic distribution follows a pattern consistent with the market penetration of targeted device models, with the highest concentration of malicious traffic originating from IP address ranges associated with small and medium businesses.

The scanning behavior exhibits characteristics of vulnerability discovery operations, suggesting the compromised devices are being used to identify potential targets for lateral movement or data exfiltration. 

Security researchers have observed specific User-Agent strings and HTTP header patterns that indicate automated scanning tools are being deployed across the botnet infrastructure.

Network defenders should monitor for anomalous outbound traffic patterns from Cisco RV series routers (models including RV042, RV082, RV320, RV325), Linksys LRT series devices, and Araknis Networks equipment. 

Traffic patterns from Cisco 

The Shadowserver Foundation’s honeypot data indicates scanning activities targeting TCP ports 80, 443, 8080, and 8443, with particular focus on web application endpoints vulnerable to exploitation.

Organizations operating affected device models should immediately implement firmware updates, change default administrative credentials, and deploy network segmentation to limit potential lateral movement. 

Security teams are advised to correlate internal network logs with Shadowserver’s IP reputation feeds and configure intrusion detection systems (IDS) to alert on suspicious outbound scanning activities originating from network infrastructure devices.
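To make the monitoring advice above concrete, here is an added example (not code from the original article or from Shadowserver) of the kind of check a defender can run over outbound firewall logs: it flags inventoried routers of the affected models that initiate connections to many distinct external hosts on the scan ports the article names (TCP 80, 443, 8080, 8443). The asset inventory, log format and log lines are constructed for the example; it assumes the logging point sees the router's own management address as the connection source rather than NATed client traffic.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Ports the article reports as the targets of the botnet's HTTP scanning.
SCAN_PORTS = {80, 443, 8080, 8443}

# Hypothetical asset inventory (constructed): management IPs of edge routers
# belonging to the affected model families.
ROUTER_ASSETS = {
    "10.0.0.1": "Cisco RV320",
    "10.0.0.2": "Linksys LRT224",
    "10.0.0.3": "Araknis AN-300-RT-4L2W",
}

# Address space treated as internal; anything else counts as an external target.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed firewall log lines in a simple key=value format.
SAMPLE_LOGS = """\
ts=2025-07-31T02:00:01Z action=allow src=10.0.0.1 dst=203.0.113.10 dport=80 proto=tcp
ts=2025-07-31T02:00:02Z action=allow src=10.0.0.1 dst=203.0.113.11 dport=8080 proto=tcp
ts=2025-07-31T02:00:03Z action=allow src=10.0.0.1 dst=203.0.113.12 dport=443 proto=tcp
ts=2025-07-31T02:00:04Z action=allow src=10.0.0.1 dst=203.0.113.13 dport=8443 proto=tcp
ts=2025-07-31T02:00:06Z action=allow src=10.0.0.2 dst=198.51.100.5 dport=443 proto=tcp
ts=2025-07-31T02:00:07Z action=allow src=10.0.0.2 dst=198.51.100.5 dport=443 proto=tcp
ts=2025-07-31T02:00:08Z action=allow src=10.0.0.50 dst=203.0.113.20 dport=80 proto=tcp
ts=2025-07-31T02:00:09Z action=allow src=10.0.0.3 dst=192.0.2.7 dport=22 proto=tcp
"""

LOG_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=tcp")


def is_external(ip: str) -> bool:
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def find_scanning_routers(log_text: str, threshold: int = 3) -> dict:
    """Map router IP -> (model, sorted distinct external hosts) for inventoried
    routers that contacted at least `threshold` distinct external hosts on the
    scan ports. Many distinct hosts in a short window is the scan signature;
    repeated hits on one host (e.g. a legitimate update server) is not."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m or m["src"] not in ROUTER_ASSETS:
            continue  # not a router we track
        if int(m["dport"]) not in SCAN_PORTS or not is_external(m["dst"]):
            continue  # not a scan port, or an internal destination
        targets[m["src"]].add(m["dst"])
    return {ip: (ROUTER_ASSETS[ip], sorted(hosts))
            for ip, hosts in targets.items() if len(hosts) >= threshold}


if __name__ == "__main__":
    for ip, (model, hosts) in find_scanning_routers(SAMPLE_LOGS).items():
        print(f"ALERT {ip} ({model}) scanned {len(hosts)} external hosts: {hosts}")
```

In the sample, only the Cisco RV320 trips the rule; the Linksys device hits a single host repeatedly, the Araknis device uses a non-scan port, and 10.0.0.50 is not an inventoried router.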

The ongoing campaign underscores the critical importance of IoT security hygiene and proactive vulnerability management for network infrastructure components that often remain unpatched and poorly monitored in enterprise environments.

The post Scans From Hacked Cisco Small Business Routers, Linksys and Araknis Are on the Rise appeared first on Cyber Security News.

Source: cybersecuritynews.com
