The FBI Just Named 18 Popular Routers Targeted By A Massive Malware Operation
Wi-Fi routers play a key role in your home's internet connection, as they act as the bridge between your devices and the rest of the internet while helping regulate your network's traffic. If a router is compromised, it can put the rest of the devices in your network at risk. A malicious actor gaining access to your router could spy on your communications and even steal your data. That's the reason the FBI is always keen to let Americans know when it discovers certain routers have been compromised. For example, in May 2025, the FBI issued a FLASH notice listing various routers Americans should avoid.
More recently, in a FLASH notice dated March 12, 2026, the FBI named 18 more popular router models that have been targeted in a malware operation. These routers were exploited by bad actors and added to a network of hacked devices used for malicious purposes. Access to the devices involved was sold as residential proxies, which criminals use to hide their identities and locations while perpetrating cybercrime. According to the notice, roughly 1,200 device models, including routers and Internet of Things (IoT) devices from various manufacturers, were targeted. However, 18 routers and two security cameras were mentioned as the most frequently compromised models.
The shortlist includes three routers from D-Link (the DIR-818LW, DIR-850L, and DIR-860L), two Netgear models (the DGN2200v4 and AC1900 R7000), four from TP-Link (the Archer C20, TL-WR840N, TL-WR849N, and WR841N), and nine from Zyxel with the following model numbers: EMG6726-B10A, PMG5617GA, VMG1312-B10D, VMG1312-T20B, VMG3925-B10A, VMG3925-B10C, VMG4825-B10A, VMG4927-B50A, and VMG8825-T50K.
How attackers took advantage of these routers and IoT devices
The FBI's FLASH notice highlights that the key method attackers used to infect these devices was exploiting existing vulnerabilities. Threat actors targeted routers and IoT devices with known vulnerabilities, such as remote code execution and command injection flaws, and were able to install malware the FBI refers to as AVrecon. Interestingly, the FLASH notice reports that some of the affected devices may already have patches available for some of the vulnerabilities exploited by the malware, which illustrates exactly why it's essential not to ignore software updates on critical devices like your router. Once the malware was installed, the actors used it to gain control of the devices and sell access to them as proxies through the SocksEscort residential proxy service. Furthermore, the malware can also be used to establish a remote shell, allowing an attacker to download and execute malicious code remotely without your knowledge.
The agency says the malware was used to target devices in the U.S. and over 160 other countries. Thousands of devices have been affected by the malware, with the FBI estimating that access to around 369,000 devices has been sold since 2020. Though this issue was not as widespread as the 60 malware-infested apps that impacted over 100 million Android users, thousands of households and businesses could still have been affected in the past few years. Thankfully, the SocksEscort service was taken down by the combined efforts of the FBI and teams from Europol, Austria, the Netherlands, and France.