Hello and welcome to the Friday, January 30th, 2026 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Jacksonville, Florida. This episode is brought to you by the SANS.edu Graduate Certificate Program in Cloud Security.

Google announced today that it did take down the world's largest residential proxy network. At least that's what Google is claiming here. Residential proxy networks have been in the news quite a few times over the last year. Now in the past, and I'm talking about sort of 10 years or so ago, when we talked about these types of proxy networks, what we usually talked about was compromised IoT devices. Routers in particular were often used. There was a big proxy network that was set up by a large, more advanced attacker with MikroTik devices. But in this case, in addition to these compromised devices, we also now have criminal organizations that are essentially offering money to volunteers who will install their proxy. It's not always clear to these volunteers that what they're doing is actually contributing to attacks and to illegal activity. In part, you could also talk about Tor here; someone setting up a Tor exit node is a little bit similar in this sense. But of course, Tor exit nodes are usually publicly known and people can block them. What really differentiates these residential proxy networks is that they are taking advantage of average residential IP addresses that are very difficult, if not impossible, to distinguish from normal traffic. What Google actually took down here were some domains that this group used in order to advertise and manage their proxy network. The individual users that set up these proxies probably still have these proxies running. So if you know of anybody who has installed some of this software, or if you have installed it yourself, you may want to take a look at it and consider uninstalling this software. There are still others out there, and I assume Google is currently making this a bit of a focus. We have seen this over the last few months: going after some of these residential proxy networks because they are causing quite a bit of pain for their defense.

Well, whenever there is a big breaking news story, there tends to also be malware associated with it. This time it's all the news about Clawdbot, or as it has rebranded itself now, Moltbot. There are a couple of different sightings of malware that either claims to be a Clawdbot replacement or some kind of add-on. Aikido Security has, for example, discovered some Visual Studio Code extensions that are being used to impersonate the Clawdbot or Moltbot brand and then trick developers into installing their malicious extension, which in turn will install the ScreenConnect remote access tool. So, as always, be careful. Don't sort of go after everything that's hyped. Not sure you actually should install Moltbot, Clawdbot, or whatever it's called now. Just because, well, that's why it's sort of in the news: it itself opens some fairly big security holes.

And what's worse than having your anti-malware software turn against you and install malware? That is what happened, according to a Morphisec blog, to some of their customers that had eScan installed. eScan is sort of your standard anti-malware product. It was actually in the news like two years ago for its insecure update mechanism being exploited to install malware. This time the attacker actually compromised the eScan update infrastructure and was able to push what looked like a legitimate update to eScan customers. This update will not just disable eScan, it will also install additional malware like a downloader that can then be used to, well, download whatever additional software the attacker would like to install. Apparently only a subset of eScan customers was affected. But if you are running eScan, you definitely have to pay attention. Double check whether your install has been compromised, because the auto-update feature of course has been disabled if you are compromised. As a result, you must manually remove any malware and then reset or reinstall eScan. So contact eScan for additional advice. I'll link to the Morphisec blog, which also has some indicators of compromise you can use.

Then we have another pickle-related vulnerability in PyTorch. In this case, even if you enabled the weights_only feature, which should not load any Python code. Well, while it doesn't load Python code, if there is a malicious .pth file, this could then lead to arbitrary code execution via memory corruption. So update PyTorch, and as usual, make sure that whenever you download any models, you know where they come from. After all, you are loading some form of Python code when you're doing that.

Well, and that's it for today. Thanks for listening. Thanks for liking and subscribing to this podcast. And talk to you again on Monday. Bye.