Security researchers with CenturyLink have released a report documenting the recent evolution of TheMoon, an internet of things (IoT) botnet that was first detected in 2014. While TheMoon was originally used by cybercriminals to carry out DDoS attacks, it is now being used for other malicious purposes, such as brute-force attacks and credential stuffing attacks on websites, as well as advertising fraud.
Recently, the threat actors operating the botnet have added a new, unique module that allows them to use the devices infected by the botnet malware as proxies, i.e. intermediaries for web traffic. The operators rent these proxies out to other criminals, who use them to commit various cybcercrimes. One of the campaigns involving TheMoon was a YouTube ad fraud scheme.
Read more: IoT botnet used in YouTube ad fraud scheme