{ "type": "Domain", "indicator": "meterstrack.cc", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/meterstrack.cc", "alexa": "http://www.alexa.com/siteinfo/meterstrack.cc", "indicator": "meterstrack.cc", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 4272788208, "indicator": "meterstrack.cc", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 2, "pulses": [ { "id": "69d12848319a0b693dfbd1cd", "name": "AVrecon Malware-Infected Routers Exploited as Residential Proxies by SocksEscort", "description": "AVrecon malware has been identified as a significant threat targeting routers and Internet of Things (IoT) devices worldwide, with operations affecting approximately 163 countries, including the United States. This malware allows threat actors, particularly associated with the SocksEscort service, to compromise routers, install AVrecon, and subsequently sell access to these devices as residential proxies. The service is reported to have compromised around 369,000 devices since its inception in 2020. The FBI, in collaboration with various global law enforcement agencies, has recently initiated actions against SocksEscort, leading to its takedown.", "modified": "2026-05-04T15:01:49.491000", "created": "2026-04-04T15:03:36.128000", "tags": [ "avrecon malware", "md5 hash", "c2 domains", "c2 uri" ], "references": [ "https://fbi.gov/file-repository/cyber-alerts/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "AVrecon", "display_name": "AVrecon", "target": null } ], "attack_ids": [ { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1490", "name": "Inhibit System Recovery", "display_name": "T1490 - Inhibit System Recovery" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1595.002", "name": "Vulnerability Scanning", "display_name": "T1595.002 - Vulnerability Scanning" }, { "id": "T1601.001", "name": "Patch System Image", "display_name": "T1601.001 - Patch System Image" } ], "industries": [ "Finance", "E-commerce", "IoT" ], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 34, "domain": 23 }, "indicator_count": 57, "is_author": false, "is_subscribing": null, "subscriber_count": 542, "modified_text": "26 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69bb3bb2bc2687dfec2ea41c", "name": "AVrecon Malware-Infected Routers Exploited as Residential Proxies by SocksEscort", "description": "AVrecon Malware MD5 Hashes are described as \"probable\" and \"unreal\" by some of the people involved in developing the software for the use of malware.", "modified": "2026-04-17T23:31:23.722000", "created": "2026-03-18T23:56:28.895000", "tags": [ "md5 hash", "avrecon loader", "avrecon malware", "additional md5", "hashes", "c2 ips", "c2 domains" ], "references": [ "avrecon_iocs.txt" ], "public": 1, "adversary": "SocksEscort", "targeted_countries": [], "malware_families": [ { "id": "AVrecon", "display_name": "AVrecon", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1542.001", "name": "System Firmware", "display_name": "T1542.001 - System Firmware" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1090.003", "name": "Multi-hop Proxy", "display_name": "T1090.003 - Multi-hop Proxy" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" } ], "industries": [ "Telecommunications", "iot devices", "small office", "home office", "Enterprises indirectly abused through proxy-enabled fraud" ], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Rokalien77", "id": "207164", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 33, "domain": 23 }, "indicator_count": 56, "is_author": false, "is_subscribing": null, "subscriber_count": 22, "modified_text": "43 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "avrecon_iocs.txt", "https://fbi.gov/file-repository/cyber-alerts/" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [ "SocksEscort" ], "malware_families": [ "Avrecon" ], "industries": [ "Small office", "E-commerce", "Enterprises indirectly abused through proxy-enabled fraud", "Iot", "Finance", "Telecommunications", "Iot devices", "Home office" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 2, "pulses": [ { "id": "69d12848319a0b693dfbd1cd", "name": "AVrecon Malware-Infected Routers Exploited as Residential Proxies by SocksEscort", "description": "AVrecon malware has been identified as a significant threat targeting routers and Internet of Things (IoT) devices worldwide, with operations affecting approximately 163 countries, including the United States. This malware allows threat actors, particularly associated with the SocksEscort service, to compromise routers, install AVrecon, and subsequently sell access to these devices as residential proxies. The service is reported to have compromised around 369,000 devices since its inception in 2020. The FBI, in collaboration with various global law enforcement agencies, has recently initiated actions against SocksEscort, leading to its takedown.", "modified": "2026-05-04T15:01:49.491000", "created": "2026-04-04T15:03:36.128000", "tags": [ "avrecon malware", "md5 hash", "c2 domains", "c2 uri" ], "references": [ "https://fbi.gov/file-repository/cyber-alerts/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "AVrecon", "display_name": "AVrecon", "target": null } ], "attack_ids": [ { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1490", "name": "Inhibit System Recovery", "display_name": "T1490 - Inhibit System Recovery" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1595.002", "name": "Vulnerability Scanning", "display_name": "T1595.002 - Vulnerability Scanning" }, { "id": "T1601.001", "name": "Patch System Image", "display_name": "T1601.001 - Patch System Image" } ], "industries": [ "Finance", "E-commerce", "IoT" ], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 34, "domain": 23 }, "indicator_count": 57, "is_author": false, "is_subscribing": null, "subscriber_count": 542, "modified_text": "26 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69bb3bb2bc2687dfec2ea41c", "name": "AVrecon Malware-Infected Routers Exploited as Residential Proxies by SocksEscort", "description": "AVrecon Malware MD5 Hashes are described as \"probable\" and \"unreal\" by some of the people involved in developing the software for the use of malware.", "modified": "2026-04-17T23:31:23.722000", "created": "2026-03-18T23:56:28.895000", "tags": [ "md5 hash", "avrecon loader", "avrecon malware", "additional md5", "hashes", "c2 ips", "c2 domains" ], "references": [ "avrecon_iocs.txt" ], "public": 1, "adversary": "SocksEscort", "targeted_countries": [], "malware_families": [ { "id": "AVrecon", "display_name": "AVrecon", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1542.001", "name": "System Firmware", "display_name": "T1542.001 - System Firmware" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1090.003", "name": "Multi-hop Proxy", "display_name": "T1090.003 - Multi-hop Proxy" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" } ], "industries": [ "Telecommunications", "iot devices", "small office", "home office", "Enterprises indirectly abused through proxy-enabled fraud" ], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Rokalien77", "id": "207164", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 33, "domain": 23 }, "indicator_count": 56, "is_author": false, "is_subscribing": null, "subscriber_count": 22, "modified_text": "43 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "meterstrack.cc", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "meterstrack.cc", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780236835.4530728 }