{"id":55961,"date":"2024-05-01T00:00:00","date_gmt":"2024-05-01T00:00:00","guid":{"rendered":"urn:uuid:c7f2bf0b-3afe-a5b1-b715-589ac5b1446e"},"modified":"2024-05-01T00:00:00","modified_gmt":"2024-05-01T00:00:00","slug":"router-roulette-cybercriminals-and-nation-states-sharing-compromised-networks","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/router-roulette-cybercriminals-and-nation-states-sharing-compromised-networks\/","title":{"rendered":"Router Roulette: Cybercriminals and Nation-States Sharing Compromised Networks"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/Pawn Storm:Large?qlt=80\"><\/p>\n<div><img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/thumbnails\/24\/Pawn%20Storm.jpg\" class=\"ff-og-image-inserted\"><\/div>\n<p>This shows that securing internet-facing routers remains highly important. The last section of this entry provides a guide for network defenders.<\/p>\n<h2><span class=\"body-subhead-title\">Ngioweb malware found on EdgeOS<\/span><\/h2>\n<p>While investigating the Linux botnet that was partially taken down by the FBI and international partners in January 2024, we found another Linux botnet with malware running on some of the same EdgeRouters that were abused by Pawn Storm. This botnet is more discreet and has better operational security: as far as we could tell, the associated malware runs in memory only, with no malicious files left on disk. By investigating memory dumps and the C&amp;C connections the bots made, we found them to be a version of the Ngioweb malware that was described in three separate <a href=\"https:\/\/blog.netlab.360.com\/linux-ngioweb-v2-going-after-iot-devices-en\/\">blog<\/a> posts from 2018 to 2020. We have evidence that the bots in this botnet are being utilized in a residential botnet that is commercially available to paying subscribers. 
We will share the indicators of this botnet for network defenders, and we plan on releasing a full analysis of the botnet in the future.<\/p>\n<p>The fact that we found at least three significant threat actors on some of the EdgeRouters shows that they have a sizeable interest in compromising internet-facing routers.<\/p>\n<h2><span class=\"body-subhead-title\">Outlook and conclusion<\/span><\/h2>\n<p>Cybercriminals and APT groups use anonymization tools to blend their malicious activity in with benign normal traffic. Commercial VPN services and commercially available residential proxy networks are popular options for these types of activities.<\/p>\n<p>Internet-facing devices like SOHO routers are also a popular asset for criminal purposes and espionage. While some of the networks of compromised SOHO routers may look like a zoo that anybody can abuse, especially when default credentials remain valid, malicious actors can capitalize on this noisy environment for their own benefit and make use of them discreetly.<\/p>\n<p>In the specific case of the compromised Ubiquiti EdgeRouters, we observed that a botnet operator has been installing backdoored SSH servers and a suite of scripts on the compromised devices for years without much attention from the security industry, allowing persistent access. Another threat actor installed the Ngioweb malware that runs only in memory to add the bots to a commercially available residential proxy botnet. Pawn Storm most likely easily brute-forced the credentials of the backdoored SSH servers and thus gained access to a pool of EdgeRouter devices they could abuse for various purposes.<\/p>\n<h2><span class=\"body-subhead-title\">Recommendations<\/span><\/h2>\n<p>SOHO owners and operators must be aware of the risks presented by a backdoored version of OpenSSH. 
These implants are difficult to detect \u2014 legitimate credentials remain valid, but when remotely authenticating clients the server also accepts an additional root password that is known only to the attackers. Disabling root access via <i>sshd_config<\/i> doesn\u2019t help since the backdoored code is ready to bypass it. To check for the presence of the backdoor, here are our recommendations for EdgeRouter device owners:<\/p>\n<p>Use the verbose option of your SSH command-line client to see the banner your device (acting as a server) gives you. The following example shows a banner from an EdgeRouter model ER-X-SFP whose IP address is <i>192.168.50.85<\/i>:<\/p>\n<p><span class=\"blockquote\">$ ssh -v 192.168.50.85<br \/>--snip--<br \/>debug1: Remote protocol version 2.0, remote software version OpenSSH_7.4p1 Debian-10+deb9u7<br \/>--snip--<\/span><\/p>\n<p>You can then press Ctrl+C without needing to log in to the device.<\/p>\n<p>Since EdgeOS is based on Debian GNU\/Linux, you should see a banner that includes the \u201cDebian\u201d string. Also, the OpenSSH version must match <a href=\"https:\/\/www.openssh.com\/releasenotes.html\">an existing<\/a> release number. The previous example shows that the server is running OpenSSH version 7.4p1, which is an official one.<\/p>\n<p>Users who are comfortable with the command line interface can also perform the following additional steps:<\/p>\n<p>1. Log in to your device using the web administration page (to avoid credential theft in case your device has already been backdoored) and temporarily enable telnet.<\/p>\n<p>2. Log in via telnet.<\/p>\n<p>3. 
Search for <i>sshd_config<\/i> files and check if they have a <i>GatewayPorts<\/i> configuration option set to \u201cyes\u201d:<\/p>\n<p><span class=\"blockquote\">$ (find \/ -type f -name sshd_config -exec grep Gate {} +;) 2&gt;\/dev\/null<\/span><\/p>\n<p>If the output contains the string \u201cGatewayPorts yes\u201d and you don\u2019t recognize this setting, it might be a sign the device is compromised.<\/p>\n<p>4.&nbsp;<a href=\"https:\/\/github.com\/trendmicro\/research\/blob\/main\/sshdoor\/sshdoor_local_scan.sh\">Check the hashes<\/a> of all sshd binaries on your device. If any of them is listed in the IOC section, the device might be compromised:<\/p>\n<p><span class=\"blockquote\">$ (find \/ -type f -name sshd -exec shasum {} +;) 2&gt;\/dev\/null<\/span><\/p>\n<p>5. Log in using the web UI again and disable telnet.<\/p>\n<p>If you suspect the device is backdoored, you may want to perform a <a href=\"https:\/\/help.ui.com\/hc\/en-us\/articles\/205202620-EdgeRouter-Reset-to-Factory-Defaults\">factory reset<\/a> and choose a strong password. Also, consider not allowing connections to the router\u2019s administrative interface from the internet. For system administrators and SOHO owners, we have written a script that can be found here &lt;&lt;insert link&gt;&gt;. 
This script can be run locally on routers and will assist in finding compromises related to Water Zmeu.<\/p>\n<h2><span class=\"body-subhead-title\">Indicators of Compromise<\/span><\/h2>\n<p>For the indicators of compromise for this entry, please refer to <a href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/d\/cybercriminals-and-nation-states-sharing-compromised-networks\/ioc-router-roulette-cybercriminals-and-nation-states-sharing-compromised-networks.txt\">this document<\/a>.<\/p>\n<p> Read More <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/24\/e\/router-roulette.html\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>This blog entry aims to highlight the dangers of internet-facing routers and elaborate on Pawn Storm&#8217;s exploitation of EdgeRouters, complementing the FBI&#8217;s advisory from February 27, 2024. Read More HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":55962,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[61],"tags":[9546,9510,9511,9516,9509],"class_list":["post-55961","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-trendmicro","tag-trend-micro-research-apttargeted-attacks","tag-trend-micro-research-articles-news-reports","tag-trend-micro-research-cyber-threats","tag-trend-micro-research-reports","tag-trend-micro-research-research"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v26.8 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Router Roulette: Cybercriminals and Nation-States Sharing Compromised Networks 2026 | ThreatsHub Cybersecurity News<\/title>\n<meta name=\"description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.threatshub.org\/blog\/router-roulette-cybercriminals-and-nation-states-sharing-compromised-networks\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Router Roulette: Cybercriminals and Nation-States Sharing Compromised Networks 2026 | ThreatsHub Cybersecurity News\" \/>\n<meta property=\"og:description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.threatshub.org\/blog\/router-roulette-cybercriminals-and-nation-states-sharing-compromised-networks\/\" \/>\n<meta property=\"og:site_name\" content=\"ThreatsHub Cybersecurity News\" \/>\n<meta property=\"article:published_time\" content=\"2024-05-01T00:00:00+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/thumbnails\/24\/Pawn%20Storm.jpg\" \/>\n<meta name=\"author\" content=\"TH Author\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@threatshub\" \/>\n<meta name=\"twitter:site\" content=\"@threatshub\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"TH Author\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"4 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.threatshub.org\/blog\/router-roulette-cybercriminals-and-nation-states-sharing-compromised-networks\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/router-roulette-cybercriminals-and-nation-states-sharing-compromised-networks\/\"},\"author\":{\"name\":\"TH Author\",\"@id\":\"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476\"},\"headline\":\"Router Roulette: Cybercriminals and Nation-States Sharing Compromised Networks\",\"datePublished\":\"2024-05-01T00:00:00+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/router-roulette-cybercriminals-and-nation-states-sharing-compromised-networks\/\"},\"wordCount\":828,\"publisher\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/router-roulette-cybercriminals-and-nation-states-sharing-compromised-networks\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2024\/05\/router-roulette-cybercriminals-and-nation-states-sharing-compromised-networks.jpg\",\"keywords\":[\"Trend Micro Research : APT&amp;Targeted Attacks\",\"Trend Micro Research : Articles, News, Reports\",\"Trend Micro Research : Cyber Threats\",\"Trend Micro Research : Reports\",\"Trend Micro Research : Research\"],\"articleSection\":[\"TrendMicro\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.threatshub.org\/blog\/router-roulette-cybercriminals-and-nation-states-sharing-compromised-networks\/\",\"url\":\"https:\/\/www.threatshub.org\/blog\/router-roulette-cybercriminals-and-nation-states-sharing-compromised-networks\/\",\"name\":\"Router Roulette: Cybercriminals and Nation-States Sharing Compromised 
Networks 2026 | ThreatsHub Cybersecurity News\",\"isPartOf\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/router-roulette-cybercriminals-and-nation-states-sharing-compromised-networks\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/router-roulette-cybercriminals-and-nation-states-sharing-compromised-networks\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2024\/05\/router-roulette-cybercriminals-and-nation-states-sharing-compromised-networks.jpg\",\"datePublished\":\"2024-05-01T00:00:00+00:00\",\"description\":\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\",\"breadcrumb\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/router-roulette-cybercriminals-and-nation-states-sharing-compromised-networks\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.threatshub.org\/blog\/router-roulette-cybercriminals-and-nation-states-sharing-compromised-networks\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.threatshub.org\/blog\/router-roulette-cybercriminals-and-nation-states-sharing-compromised-networks\/#primaryimage\",\"url\":\"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2024\/05\/router-roulette-cybercriminals-and-nation-states-sharing-compromised-networks.jpg\",\"contentUrl\":\"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2024\/05\/router-roulette-cybercriminals-and-nation-states-sharing-compromised-networks.jpg\",\"width\":1200,\"height\":800},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.threatshub.org\/blog\/router-roulette-cybercriminals-and-nation-states-sharing-compromised-networks\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"h
ttps:\/\/www.threatshub.org\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Trend Micro Research : APT&amp;Targeted Attacks\",\"item\":\"https:\/\/www.threatshub.org\/blog\/tag\/trend-micro-research-apttargeted-attacks\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Router Roulette: Cybercriminals and Nation-States Sharing Compromised Networks\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.threatshub.org\/blog\/#website\",\"url\":\"https:\/\/www.threatshub.org\/blog\/\",\"name\":\"ThreatsHub Cybersecurity News\",\"description\":\"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence 
Platform\",\"publisher\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/#organization\"},\"alternateName\":\"Threatshub.org\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.threatshub.org\/blog\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.threatshub.org\/blog\/#organization\",\"name\":\"ThreatsHub.org\",\"alternateName\":\"Threatshub.org\",\"url\":\"https:\/\/www.threatshub.org\/blog\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg\",\"contentUrl\":\"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg\",\"width\":432,\"height\":435,\"caption\":\"ThreatsHub.org\"},\"image\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/x.com\/threatshub\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476\",\"name\":\"TH Author\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"caption\":\"TH Author\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/55961","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=55961"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/55961\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media\/55962"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=55961"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=55961"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=55961"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}