A serious cybersecurity warning has been issued regarding commonly used Wi-Fi routers that many people still have in their homes. These devices, which quietly power everyday internet use, are now being seen as weak points that hackers can easily exploit using malware. The concern is especially high for older models that no longer receive regular updates to fix security issues and protect against malware threats.
The warning explains that once these routers are targeted, users may not notice anything unusual at first. However, behind the scenes, attackers can take control through malware and misuse the connection for illegal purposes. This makes it important for users to understand which devices are affected and how the threat actually works.
Specific Router Models Identified as High Risk
The warning clearly points out several older router models that are more vulnerable due to outdated software and lack of security updates. Among the affected devices are models from D-Link such as DIR-818LW, DIR-850L, and DIR-860L, which were once popular for home use but are now considered outdated.
From Netgear, models like DGN2200v4 and the widely used AC1900 R700 have also been listed. These devices were known for their strong performance in the past, but their aging firmware has made them easier targets for malware-based cyberattacks.
TP-Link routers have also been included in the list, with models such as Archer C20, TL-WR840N, TL-WR849N, and WR841N being highlighted. Similarly, Zyxel devices including EMG6726-B10A, VMG1312-B10D, VMG1312-T20B, VMG3925-B10A, VMG3925-B10C, VMG4825-B10A, VMG4927-B50A, and VMG8825-T50K are considered at risk.
These routers are especially vulnerable because they no longer receive important firmware updates. Hackers are aware of this and actively scan for such devices to exploit their weaknesses and install malware.
How AVrecon Malware and SocksEscort Are Being Used
The main threat linked to these routers is a type of malware called AVrecon. Once it infects a device, this malware allows attackers to gain remote access and quietly control the router. This control is then used to turn the router into part of a larger network of compromised devices.
These infected routers are then connected to a service known as SocksEscort. This service works as a residential proxy network, meaning it lets cybercriminals use someone else’s internet connection to carry out online activities.
This misuse includes actions such as ad fraud, where fake clicks generate revenue, and attempts to break into websites by exploiting weaknesses. It also involves password spraying attacks, online marketplace fraud, banking scams, and even romance-related fraud.
Because all of these actions appear to come from the victim’s internet connection, it becomes extremely difficult to identify the real source of the activity. Reports indicate that access to compromised devices has already been sold more than 369,000 times, showing how widespread the issue has become.
Warning Signs and Safety Measures for Users
Detecting whether a router has been infected is not always easy. Unlike phones or computers, routers do not show clear signs of malware infections. However, users can watch for unusual behavior such as slower internet speeds, unknown connected devices, or unexpected network activity.
One of the first steps is to check if your router is one of the listed models or another outdated device that no longer receives updates. If so, replacing it with a newer and supported model is strongly recommended.
Users should also ensure that their router’s firmware is updated regularly. In many cases, this requires manually checking the manufacturer’s website or router settings. Changing default usernames and passwords, as well as enabling advanced security settings, can further reduce risk.
Restarting the router may temporarily disrupt some malware activity, but it does not fully remove the threat. Performing a factory reset and installing the latest firmware can help, although some advanced variants of AVrecon malware may resist these measures.
The warning also highlights the growing misuse of residential proxy networks, where attackers rely on compromised devices to hide their identity while conducting illegal operations online.
