SANS Stormcast Friday, January 30th, 2026: Residential Proxy Networks; Clawdbot/Moltbot Themed Malware; eScan Malicious Updates

Direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9788.mp3

No Place Like Home Network: Disrupting the World's Largest Residential Proxy Network
Google dismantled the IPIDEA network that used residential proxies to route malicious traffic.
https://cloud.google.com/blog/topics/threat-intelligence/disrupting-largest-residential-proxy-network

Fake Clawdbot VS Code Extension Installs ScreenConnect RAT
Attackers are using the news about Clawdbot (now Moltbot) to distribute malware, in particular malicious VS Code extensions.
https://www.aikido.dev/blog/fake-clawdbot-vscode-extension-malware

Threat Bulletin: Critical eScan Supply Chain Compromise
Anti-virus vendor eScan was compromised, and its update servers were used to install malware on some customer systems.
https://www.morphisec.com/blog/critical-escan-threat-bulletin/

Podcast Transcript

Hello and welcome to the Friday, January 30th, 2026 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Jacksonville, Florida. And this episode is brought to you by the SANS.edu Graduate Certificate Program in Cloud Security.

Google announced today that it did take down the world's largest residential proxy network. At least that's what Google is claiming here. And residential proxy networks have been in the news quite a few times over the last year. Now in the past, and I'm talking about sort of 10 years or so ago, when we talked about these types of proxy networks, what we usually talked about was compromised IoT devices. Routers in particular were often used. There was a big sort of proxy network that was set up by a large, more advanced attacker with MikroTik devices. But in this case, in addition to these compromised devices, we also now have criminal organizations that are essentially offering money for volunteers who will install their proxy. It's not always clear to these volunteers that what they're doing is actually contributing to attacks and to illegal activity. In part, you could also talk about Tor here. Someone setting up a Tor exit node is a little bit similar in this sense. But of course, Tor exit nodes are usually publicly known and people can block them. What really differentiates these residential proxy networks is that they are taking advantage of average residential IP addresses that are very difficult, if not impossible, to distinguish from normal traffic. What Google actually took down here were some domains that this group used in order to advertise and manage their proxy network. The individual users that set up these proxies probably still have these proxies running. And that's something, if you know of anybody or if you have yourself installed some of this software, you may want to take a look at and consider uninstalling this software. There are still others out there, and I assume Google is sort of making it a bit of a focus currently. We have seen this over the last few months, going after some of these residential proxy networks because they are causing quite a bit of pain for defenders.

Well, whenever there is a big breaking news story, there tends to also be malware associated with it. This time it's all the news about Clawdbot, or as it has rebranded itself now, Moltbot. There are a couple of different sightings of malware that either attempts to claim to be a Clawdbot replacement or some kind of add-on. Aikido Security has, for example, discovered some Visual Studio Code extensions that are being used to impersonate the Clawdbot or Moltbot brand and then trick developers into installing their malicious extension, which in turn will install the ScreenConnect remote access tool. So, as always, be careful. Don't sort of go after every hype. Not sure you actually should install Moltbot, Clawdbot or whatever it's called now, just because, well, that's why it's sort of in the news: it itself opens some fairly big security holes.

And what's worse than having your anti-malware software turn against you and install malware? That is what happened, according to the Morphisec blog, to some of their customers that had eScan installed. eScan is sort of your standard anti-malware product. And it was actually in the news like two years ago for its insecure update mechanism being exploited to install malware. This time the attacker actually compromised the eScan update infrastructure and was able to push what looked like a legitimate update to eScan customers. This update will not just disable eScan, it will also install additional malware like a downloader that can then be used to, well, download whatever additional software the attacker would like to install. Apparently only a subset of eScan customers was affected. But if you are running eScan, you definitely have to pay attention. Double check if your install has been compromised, because the auto update feature of course has been disabled if you are compromised. And as a result, you must manually remove any malware and then reset or reinstall eScan. So contact eScan there for additional advice. I'll link to the Morphisec blog, which also has some indicators of compromise you can use.

Then we have another pickle-related vulnerability in PyTorch. In this case, even if you enabled the weights_only feature, which should not load any Python code. Well, while it doesn't load Python code, if there is a malicious .pth file, this could actually then lead to arbitrary code execution via memory corruption. So update PyTorch and make sure, as usual, whenever you download any models that you know where they come from. After all, you are loading some form of Python code when you're doing that.

Well, and that's it for today. Thanks for listening. Thanks for liking and subscribing to this podcast. And talk to you again on Monday. Bye.