TheMoon is malware targeting network edge and IoT devices, especially legacy Linksys and Cisco routers, and has also been associated with ASUS router targeting. It has been used to compromise vulnerable devices and enroll them into botnet and residential proxy infrastructure. In May 2025, U.S. and Dutch law enforcement dismantled the 5socks/Anyproxy criminal proxy services, which had turned years-old Linksys and Cisco routers infected with TheMoon into residential proxies sold commercially. The malware has historically exploited Linksys router vulnerabilities, including the /tmUnblock.cgi command-injection issue referenced as CVE-2025-34037, which the content states had been documented since 2013 and historically exploited by TheMoon. Multiple sources in the content cite prior real-world exploitation of Linksys flaws by TheMoon and note that unsupported consumer networking devices remain at risk. TheMoon is also referenced as part of the broader pattern of router-based proxy botnets alongside campaigns such as AVrecon and SocksEscort. Infrastructure and services linked to Faceless and its apparent successor Doppelganger were described as previously associated with TheMoon malware, indicating its use in proxy-for-rent ecosystems. High-confidence behavior directly stated in the content is that TheMoon compromises vulnerable IoT/network devices and converts them into proxy nodes; the content also states that recent updates have improved its effectiveness and evasion capabilities. Associated indicators and artifacts mentioned in the content include exploitation of Linksys /tmUnblock.cgi and use of infected devices in the 5socks and Anyproxy residential proxy networks.
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
1 CVE Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
the next request hits /tmUnblock.cgi, a CGI endpoint in Linksys E-series routers carrying a critical command injection vulnerability (CVE-2025-34037). While documented since 2013 and historically exploited by "TheMoon" worm, this vulnerability continues to be actively weaponized by modern botnets. | .../tmUnblock.cgi, a CGI endpoint in Linksys E-series routers carrying a critical command injection vulnerability (CVE-2025-34037). While documented since 2013 and historically exploited by "TheMoon" worm, this vulnerability continues to be actively weaponized by modern botnets...
5 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
14 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A worm historically known for exploiting the Linksys /tmUnblock.cgi vulnerability on E-series routers.
Malware infecting older Linksys and Cisco routers and used to turn them into residential proxy infrastructure.
AryStinger follows the same pattern seen in campaigns such as AVrecon, SocksEscort, and TheMoon.
Referenced historically as malware used to turn routers into residential proxies.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.