Cybercriminals move deeper into networks, hiding in edge infrastructure
Attack activity is moving toward infrastructure outside endpoint visibility. Proxy networks support a wide range of operations, edge devices serve as initial access points, and GenAI speeds up how attackers assemble and rebuild their tooling. Lumen’s 2026 Threatscape Report describes this pattern in criminal and nation-state activity.
“Threat intelligence is needed to find the adversary as early as possible and as close to the point of origination as possible,” said Chris Kissel, IDC VP, Security & Trust.
Early pressure built at the edge
The movement had been building for several years. In 2022, over 80% of breaches against web applications and internet-exposed services involved brute force or stolen credentials. Microsoft then reported a global peak of 11,000 password-based attacks per second in April 2023.
By 2025, endpoint tools were widely deployed, with 91% of organizations running EDR and those tools covering 72% of in-scope devices on average. That left routers, VPN gateways, firewalls, and other exposed systems as attractive entry points.
“By lurking in devices outside of the reach of standard security controls and reaching back out days, weeks, or even months after the initial access, attackers can better evade detection and prevent defenders from connecting the dots,” researchers said.
Some of the strongest signs appeared in infrastructure that rarely gets the same scrutiny as laptops or servers. J-magic began in mid-2023 and stayed active into at least mid-2024. Telemetry from March through September 2024 identified 36 unique IP addresses that matched its signature conditions, a fraction below 0.01% of the analyzed NetFlow.
Of the targeted devices, 50% appeared to function as VPN gateways. Secret Blizzard followed a different path. Beginning in December 2022 and running into November 2024, that campaign infiltrated 33 separate Storm-0156 C2 nodes. Investigators later documented 37 Secret Blizzard and Storm-0156 C2 nodes tied to the operation.
Botnets grew into working infrastructure
Proxy and botnet operations also moved into a larger role. Aisuru recorded 2,948,616 IPs, the highest total among threat families in 2025. Vo1d followed with 2,519,125, and AWM reached 2,356,202.

By average daily bot count, Aisuru Proxies ranked first at 129,487, followed by Mysterium at 45,097 and Aisuru at 31,549. NSOCKS appeared in both rankings.
Rhadamanthys, which emerged in late 2022, passed 12,000 victims globally by October 2025. It ran a daily average of 300 active servers and hit a peak of 535 servers that month.
More than 60% of its C2 servers were hosted in the US, Germany, the UK and the Netherlands. More than 60% of its C2s showed zero detection on VirusTotal at the time of original reporting. Black Lotus Labs said the wider industry tracked about 20% of the roughly 200 daily Rhadamanthys C2 servers it followed.
SystemBC surfaced in September 2025 with 80+ C2 servers and a daily average of 1,500 victims. Each victim showed an average of 20 unpatched CVEs and at least one critical CVE. One observed server had 160+ unpatched vulnerabilities. Investigators also saw a single proxy IP generate 16+ GB of proxy traffic in a 24-hour period. Nearly 100% of bots eventually landed on block list sites.
DanaBot, first seen in 2018, stayed highly active until May 2025. “Following Operation Endgame II, DanaBot resurfaced in November 2025 with ‘Version 669’—leveraging complex multi-stage attacks to target financial institutions, cryptocurrency wallets, and individual victims,” researchers noted.
During its 2025 run, it maintained nearly 150 active C2 servers per day and 1,000 daily victims in 40+ countries. Only 25% of its C2 infrastructure had a VirusTotal detection score greater than zero. Half of victims contacted a DanaBot C2 for a single day, and 75% of infections lasted less than three days.
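The DanaBot dwell-time figures above (half of victims in contact for a single day, 75% of infections under three days) are distribution statistics over per-victim C2 contact windows. As an added example, not code from the report or from Black Lotus Labs, the Python below computes that kind of summary from constructed C2-contact telemetry. The record format, the RFC 5737 placeholder C2 addresses, and the definition of an infection's duration as the inclusive span between first and last observed contact are all assumptions made here, not details taken from the report.

```python
"""Dwell-time summary over C2-contact telemetry (added example).

Input: one record per observed (victim, day, c2) contact. Output: how long
each infection stayed in contact with a C2, and how the durations are
distributed. All input below is constructed sample data.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample telemetry: "victim_id,YYYY-MM-DD,c2_ip".
# C2 addresses are RFC 5737 documentation-range placeholders, not indicators.
SAMPLE_TELEMETRY = """\
v1,2025-03-01,203.0.113.10
v1,2025-03-01,203.0.113.11
v2,2025-03-02,203.0.113.10
v2,2025-03-03,203.0.113.10
v2,2025-03-05,203.0.113.12
v3,2025-03-02,203.0.113.10
v4,2025-03-04,203.0.113.11
v4,2025-03-05,203.0.113.11
v5,2025-03-01,203.0.113.12
v5,2025-03-08,203.0.113.12
v6,2025-03-06,203.0.113.10
"""


def parse_telemetry(text):
    """Return {victim_id: set of dates on which a C2 contact was observed}."""
    seen = defaultdict(set)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        victim, day, _c2 = line.split(",")
        seen[victim].add(datetime.strptime(day, "%Y-%m-%d").date())
    return seen


def infection_durations(seen):
    """Days from first to last observed C2 contact, inclusive, per victim.

    Assumption: a victim seen on only one day has a duration of 1 day. Gaps
    between contacts inside the window are not subtracted.
    """
    return {v: (max(days) - min(days)).days + 1 for v, days in seen.items()}


def summarise(durations, short_threshold_days=3):
    """Median duration plus the fraction of infections shorter than the threshold."""
    values = sorted(durations.values())
    if not values:
        return {"victims": 0, "median_days": None,
                "single_day_fraction": None, "under_threshold_fraction": None}
    n = len(values)
    return {
        "victims": n,
        "median_days": median(values),
        "single_day_fraction": sum(1 for d in values if d == 1) / n,
        "under_threshold_fraction": sum(1 for d in values if d < short_threshold_days) / n,
    }


def analyse(text=SAMPLE_TELEMETRY, short_threshold_days=3):
    """End-to-end: parse records, compute durations, summarise the distribution."""
    return summarise(infection_durations(parse_telemetry(text)), short_threshold_days)


if __name__ == "__main__":
    print(analyse())
```

Fed with the victim/day pairs a SOC already has from NetFlow or proxy logs, the short-dwell fraction tells you how quickly a detection pipeline has to act to see an infection at all: if three quarters of infections are gone within three days, a weekly review of C2 hits will miss most of them.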
Late 2025 brought faster turnover
The sharpest acceleration came near the end of the year. Aisuru’s bot count tripled in one week in September 2025. Investigators later found that its 1.8 million bots were generated through exploitation of proxy services.
Kimwolf emerged from that shift in mid-October 2025 and launched attacks approaching 30 Tbps.
“Following disruption pressure on Aisuru, Kimwolf’s operators quickly rebuilt their control plane. New C2 domains appeared, malware was retooled, and traffic patterns shifted rapidly. Within weeks, the botnet scaled to hundreds of thousands of bots, sustaining massive DDoS capacity while actively evading suppression,” they said.
Raptor Train shows the longer arc behind that late-year surge. The botnet was more than four years in the making at takedown. It peaked in June 2023 with over 60,000 actively compromised devices, and more than 200,000 devices were pulled into the botnet over its run.
Its C2 estate grew from approximately 1 to 5 nodes between 2020 and 2022, to 11 in mid-2023, 30 in February and March 2024, and over 60 from June to August 2024. Tier 1 bots lasted an average of 17 days. Tier 2 and Tier 3 nodes averaged 77 days.
“Raptor Train demonstrates what modern campaigns look like when the infrastructure layer becomes the operation, and why defenders need network intelligence to proactively spot, and stop, attacks,” researchers concluded.