The Ngioweb malware has been linked to powering the NSOCKS residential proxy service, targeting IoT devices and small office/home office (SOHO) routers, with two-thirds of the proxies based in the U.S., according to Lumen Technologies. First identified in 2018, Ngioweb infects devices running Windows and Linux, registering them as proxies on marketplaces within minutes of infection. Operated by a threat actor known as Water Barghest, the botnet employs automated scripts to exploit vulnerabilities in devices from vendors like NETGEAR, Hikvision, and Zyxel. NSOCKS enables users to route traffic through over 180 C2 nodes, facilitating credential-stuffing attacks, DDoS campaigns, and other malicious activities. This proxy service allows location-specific targeting and supports advanced threat operations, posing significant risks to governments, enterprises, and individuals