Cyber Threats Move Deeper into Networks via Edge Infrastructure Hubs
Cybercriminals Expand Tactics, Hiding in Edge Infrastructure
As cybersecurity efforts focus on protecting endpoints, attackers are shifting their attention to edge infrastructure, exploiting vulnerabilities in routers, VPN gateways, firewalls, and other exposed systems. This tactic allows them to operate undetected, leveraging compromised devices to launch attacks and evade detection.
The Trend Continues
- 80% of breaches against web applications and internet-exposed services involved brute force or stolen credentials in 2022.
- Microsoft reported a global peak of 11,000 password-based attacks per second in April 2023.
- Endpoint detection and response (EDR) tools covered only 72% of in-scope devices on average.
“Attackers lurked in devices outside of the reach of standard security controls, often remaining dormant for days, weeks, or even months before striking.”
Examples of Malicious Activity
- J-magic began its malicious activities in 2023, staying active until at least mid-2024, with telemetry identifying 36 unique IP addresses matching its signature conditions.
- Fifty percent of targeted devices appeared to function as VPN gateways.
- Secret Blizzard operated from December 2022 to November 2024, infiltrating 33 separate Storm-0156 C2 nodes.
- Proxy networks and botnets expanded their roles in 2025, with Aisuru recording 2,948,616 IPs, Vo1d following with 2,519,125, and AWM reaching 2,356,202.
- Average daily bot counts revealed Aisuru Proxies ranking first at 129,487, followed by Mysterium at 45,097 and Aisuru at 31,549.
- Rhadamanthys emerged in late 2022, passing 12,000 victims globally by October 2025, with over 60% of its C2 servers hosted in the US, Germany, the UK, and the Netherlands.
- SystemBC surfaced in September 2025 with 80+ C2 servers and a daily average of 1,500 victims.
- DanaBot, first seen in 2018, remained highly active until May 2025 and resurfaced in November 2025 with “Version 669”, leveraging complex multi-stage attacks to target financial institutions, cryptocurrency wallets, and individual victims.
- Nearly 150 active C2 servers per day and 1,000 daily victims in 40+ countries.
Accelerated Growth
- Aisuru’s bot count tripled in one week in September.
- Its 1.8 million bots were generated through exploitation of proxy services.
- Kimwolf emerged from this shift, launching attacks approaching 30 Tbps.
- Following disruption pressure, Kimwolf’s operators rebuilt their control plane, introducing new C2 domains, retooled malware, and shifted traffic patterns, scaling to hundreds of thousands of bots within weeks.
Modern Campaigns
- Raptor Train demonstrates the importance of network intelligence in spotting and stopping attacks.
- This botnet was over four years in the making, peaking in June 2023 with over 60,000 actively compromised devices.
- Its C2 estate grew from approximately 1 to 5 nodes between 2020 and 2022, to 11 in mid-2023, 30 in February to March 2024, and over 60 in June to August 2024.
- Tier 1 bots lasted an average of 17 days, while Tier 2 and Tier 3 nodes averaged 77 days.
Defenders need proactive measures to address these evolving threats, focusing on network intelligence to identify and mitigate attacks before they spread.
