Massive 'Asocks' Botnet of 17 Million Infected Devices Taken Down in Dutch Law Enforcement Operation

Dutch Authorities Dismantle 'Asocks' Botnet Enslaving 17 Million Devices

HIGH
June 1, 2026
5m read
Security OperationsMalwareThreat Intelligence

Impact Scope

People Affected

17,000,000+

Industries Affected

TechnologyTelecommunications

Related Entities

Organizations

Dutch PolitieNational Cyber Security Center (NCSC)

Other

AsocksPROXYLIB

MITRE ATT&CK Techniques

T1090

Proxy

T1573.001

Symmetric Cryptography

T1475

Install Insecure or Malicious Application

T1071.001

Web Protocols

Full Report

Executive Summary

Dutch law enforcement, including the Dutch Politie (Police) and the National Cyber Security Center (NCSC), has successfully dismantled a massive botnet infrastructure comprising at least 17 million infected devices worldwide. The operation targeted a criminal enterprise operating a residential proxy service known as "Asocks." Authorities seized over 200 servers located in the Netherlands, effectively decapitating the botnet's command and control (C2) network. The infected devices, which included a mix of computers, mobile phones, and IoT hardware, were unknowingly routing traffic for cybercriminals, facilitating a wide range of illicit activities.

Threat Overview

The Asocks service operated as a 'proxyware' platform. It offered paying customers access to a vast pool of IP addresses belonging to residential, corporate, and mobile devices. While marketed for legitimate uses like web scraping and ad verification, its foundation was a botnet of malware-infected devices. Users of the infected devices were unaware that their bandwidth and IP address were being sold and used by third parties.

Cybercriminals leverage such services for numerous malicious purposes:

  • Anonymity: To hide the true origin of their attacks.
  • Credential Stuffing: To launch attacks from thousands of different IP addresses, bypassing rate-limiting and IP-based blocking.
  • Phishing and Fraud: To make malicious traffic appear as if it's coming from a legitimate residential user.
  • Content Distribution: To distribute malware or other illegal content.

The takedown operation involved identifying the C2 servers hosted with a provider in the Netherlands and executing a legal seizure, forcing the provider to take the infrastructure offline.

Technical Analysis

The Asocks botnet was built by distributing malware that turned victim devices into proxy nodes. This type of malware is often bundled with free software, cracked applications, or delivered via phishing. Once installed, the malware establishes a connection to the C2 server, registers the device, and awaits instructions. This technique is a form of Proxying (T1090).

The scale of the operation—17 million devices and over 200 servers—indicates a sophisticated and well-managed infrastructure. The business model of selling proxy access provides a continuous revenue stream for the botnet operators. The PROXYLIB campaign mentioned in previous research highlights that Android devices were a key target, likely infected via malicious apps sideloaded outside of official app stores (T1475).

Impact Assessment

The immediate impact of the takedown is the disruption of the Asocks service and the neutralization of the botnet, preventing its 17 million nodes from being used for further criminal activity. This is a significant blow to the cybercrime ecosystem that relies on such large-scale proxy networks for anonymity. However, the underlying malware likely remains on the millions of infected devices. Without a coordinated effort to notify victims and provide removal tools, these devices remain vulnerable to being co-opted by other botnets in the future.

IOCs — Directly from Articles

No specific technical Indicators of Compromise (IOCs) such as IP addresses, domains, or file hashes were provided in the source articles.

Cyber Observables — Hunting Hints

Security teams can hunt for signs of proxyware infection on their networks.

Type
network_traffic_pattern
Value
Unusual outbound connections
Description
Monitor for persistent outbound connections from endpoints to unknown C2 servers over non-standard ports.
Type
process_name
Value
Unsigned or suspicious processes
Description
Look for running processes that are not signed by a trusted publisher and are consuming significant network bandwidth.
Type
log_source
Value
DNS Query Logs
Description
Hunt for endpoints making frequent DNS requests for domains associated with known proxyware or dynamic DNS services.
Type
network_traffic_pattern
Value
High volume of outbound traffic
Description
An endpoint generating an unusually high volume of outbound network traffic to diverse IP addresses may be acting as a proxy node.

Detection & Response

  1. Network Behavior Analysis: Use network traffic analysis tools to identify endpoints exhibiting behavior consistent with a proxy node, such as accepting inbound connections from the internet and forwarding them to other external sites. This is a core use case for D3FEND's Network Traffic Analysis.
  2. Endpoint Security: A modern EDR or antivirus solution should be able to detect and block known proxyware malware. Ensure signatures and behavioral detection engines are up to date. D3FEND's Process Analysis can help spot the malicious processes.
  3. Egress Filtering: Block outbound traffic on non-essential ports from user workstations to prevent malware from establishing C2 connections.

Mitigation

  1. Application Control (M1033): Prevent users from installing unauthorized software, especially from untrusted sources. Use application allowlisting to ensure only approved software can run.
  2. User Training (M1017): Educate users about the dangers of downloading software from unofficial sites, torrents, or clicking on suspicious links.
  3. Patch Management (M1051): Keep all operating systems and applications up to date to prevent malware from exploiting vulnerabilities for initial installation.
  4. Network Security: Secure Wi-Fi networks with strong WPA2/WPA3 encryption and change default router passwords.

Timeline of Events

1
June 1, 2026
This article was published

MITRE ATT&CK Mitigations

Filter Network Traffic

M1037enterprise

Use egress filtering to block outbound connections on non-standard ports and to known malicious or suspicious domains associated with botnet C2.

Limit Software Installation

M1033enterprise

Use application control or allowlisting to prevent users from installing unauthorized or untrusted software, which is a primary vector for proxyware.

Antivirus/Antimalware

M1049enterprise

Deploy and maintain updated endpoint security solutions to detect and remove known proxyware malware.

D3FEND Defensive Countermeasures

Outbound Traffic Filtering

D3-OTFMaps to MITREM1037
D3FEND

Implement a policy of default-deny for outbound network traffic from user endpoints. Create explicit allow rules for necessary business traffic (e.g., HTTP/S to the internet via a proxy, specific application ports). This strategy is highly effective against botnet malware like Asocks, which relies on establishing a connection back to its C2 server, often over a non-standard port. By blocking these unauthorized outbound connections, the infected device cannot register with the botnet or receive commands, rendering it inert. Monitoring blocked connection attempts provides valuable intelligence on potentially infected hosts within the network.

Executable Denylisting

D3-EDLMaps to MITREM1038
D3FEND

Deploy application control policies that prevent the execution of unauthorized software. Since proxyware like Asocks is often bundled with pirated software or freeware from untrusted sources, a strong application control policy can prevent the initial infection. In a less mature environment, a denylisting approach using an EDR solution can be used to block known malicious executables. For a more robust defense, an allowlisting approach should be adopted, where only explicitly approved and signed applications are permitted to run. This effectively closes the door on the primary infection vector for this class of malware.

Sources & References

Dutch Authorities Dismantle Botnet Linked to 17 Million Infected Devices
The Hacker NewsMay 31, 2026

Article Author

Jason Gomes

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & AnalysisSecurity Orchestration (SOAR/XSOAR)Incident Response & Digital ForensicsSecurity Operations Center (SOC)SIEM & Security AnalyticsCyber Fusion & Threat SharingSecurity Automation & IntegrationManaged Detection & Response (MDR)
LinkedIn

Tags

BotnetAsocksTakedownProxywareDutch PoliceCybercrime

📢 Share This Article

Help others stay informed about cybersecurity threats

🎯 MITRE ATT&CK Mapped

Every tactic, technique, and sub-technique used in this threat has been identified and mapped to the MITRE ATT&CK framework for consistent, actionable threat language.

🧠 Enriched & Analyzed

Observables and indicators of compromise (IOCs) have been extracted and cataloged. Risk has been assessed and correlated with known threat actors and historical campaigns.

🛡️ Actionable Guidance

Detection rules, incident response steps, and D3FEND-aligned mitigation strategies are included so your team can act on this intelligence immediately.

🔗 STIX Visualizer

Structured threat data is packaged as a STIX 2.1 bundle and can be visualized as an interactive graph — relationships between actors, malware, techniques, and indicators.

Sigma Generator

Sigma detection rules are derived from the threat techniques in this article and can be converted for deployment across any major SIEM or EDR platform.