A threat actor is monetizing vulnerable Internet-of-Things (IoT) devices by infecting them with malware and listing them as residential proxies within minutes after exploitation, Trend Micro reports.

Tracked as Water Barghest, the adversary has compromised over 20,000 IoT devices to date, renting them to threat actors looking to anonymize their activities.

Active for at least five years, Water Barghest has remained under the radar by extensively relying on automation, erasing log files to cover its tracks, and only accepting cryptocurrency payments.

The threat actor acquires IoT device vulnerabilities (including zero-days), uses publicly available online scanners to identify vulnerable devices, and then attempts to exploit them from a set of data center IP addresses. Compromised devices are quickly monetized on specialized marketplaces.

“In the case of Water Barghest, we have seen that the time between exploiting an IoT device and putting them for sale on a residential proxy marketplace can be as little as 10 minutes,” Trend Micro says.

As of October 2024, the threat actor had created a botnet of over 20,000 devices from Cisco, DrayTek, Fritz!Box, Linksys, Netgear, Synology, Tenda, Western Digital, and Zyxel, all of which were infected with the Ngioweb malware.

“At the time of writing, Water Barghest deploys about 17 workers on virtual private servers (VPS) that continuously scan routers and IoT devices for known vulnerabilities. The same workers are also used to upload Ngioweb malware to freshly compromised IoT devices,” Trend Micro notes.

Initially observed in 2018, when it was targeting Windows systems, Ngioweb started targeting Linux computers in 2019, and switched focus to IoT devices in 2020. A new variant of Ngioweb was seen this year.

According to Trend Micro, Water Barghest’s activity was uncovered after the threat actor started targeting a zero-day in Cisco IOS XE devices in October last year from the same infrastructure it had been using for years in previous attacks.

The cybersecurity firm also points out that mid-sized proxy botnets such as Water Barghest’s typically remain active for years due to automation and refinements that help them evade detection.

As both APTs and financially motivated groups will continue using third-party IoT botnets and commercially available residential proxy services for anonymization and espionage, the demand for these botnets will likely increase.

Related: Discontinued GeoVision Products Targeted in Botnet Attacks via Zero-Day

Related: Organizations Warned of Critical Vulnerabilities in NetModule Routers

Related: C&C Panels of 10 IoT Botnets Compromised by Researchers

Related: Critical Vulnerabilities Expose ​​Weintek HMIs to Attacks