A multinational law enforcement operation (Operation Lightning) dismantled SocksEscort, a criminal proxy-as-a-service network built on approximately 369,000 hijacked residential and SOHO routers across 163 countries. The AVrecon malware underpinning this botnet achieves firmware-level persistence by flashing custom firmware through the device’s own update mechanism and disabling future over-the-air patching, making standard patch management and factory resets ineffective for remediation. Organizations with branch-office or remote-site edge devices from Cisco, D-Link, Hikvision, MikroTik, NETGEAR, TP-Link, or Zyxel face potential device compromise that may require physical replacement or vendor-assisted firmware reimaging to resolve.