The Digital Legacy of the 911 S5 Botnet

U.S. and international law enforcement dismantled the 911S5 botnet—the largest of its kind—and arrested operator YunHe Wang. The operation uncovered a long-running residential proxy service built from infected devices via bundled free VPN software, which later rebranded as CloudRouter before its takedown. #911S5 #CloudRouter

Key points

  • Law enforcement announced the takedown of 911S5 and arrested its administrator YunHe Wang, highlighting a multinational operation.
  • Victims were infected when they downloaded free VPN software bundled with malicious code, creating a backdoor and proxy network for customers.
  • 911S5 operated from 2014 until 2022 and reappeared in 2023 as CloudRouter before its 2024 dismantling.
  • Free VPN programs associated with the operation included ProxyGate, MaskVPN, DewVPN, and ShineVPN, with ProxyGate being the earliest active sample (2016–2020).
  • Shared infrastructure links 911S5 to its VPN programs, via common email hosts and a server at 173.244.211.96, suggesting a single operator.
  • Research shows similar code, process chains, and evolution across 911S5 and its successors (PaladinVPN, ShieldVPN, CloudRouter), indicating a cohesive operation.

MITRE Techniques

  • [T1090] Proxy – The malware builds a proxy network from infected devices to provide access for customers. “providing access to a proxy network built from infected devices”
  • [T1543.003] Create or Modify System Process – It creates persistent services functioning as backdoors on compromised machines. “will create a persistent service as a backdoor”
  • [T1105] Ingress Tool Transfer – Victims download free VPN programs and other software that is bundled with malicious code. “bundled with malicious code software, free VPN programs”
  • [T1027.001] Obfuscated/Compressed Files and Information – The families show similar encoding methods and process chains across variants. “similar encoding methods and process chains”
  • [T1583] Acquire Infrastructure – The operation used shared infrastructure across 911S5 and VPN-related families (domains, IPs), indicating centralized infrastructure. “shared infrastructure”

Indicators of Compromise

  • [Domain] Shared infrastructure domains – 911.re, 911s5.com, and other related domains
  • [IP] Common infrastructure IPs – 173.244.211.96, 209.126.108.53
  • [Hash] PaladinVPN sample hashes – 1875e43e224862cbf60bffc51c96cf1a, 25e627a9a583f08ffbbd60cbc276f87e
  • [Hash] ShieldVPN sample hashes – 6db6b7b99a0e87f142a56e256a62ef82, fd72d909e280110cd6ccbae8e86d29e4
  • [URL] Download URLs – https://d1f64skmkl5mzn.cloudfront.net/paladinvpn.exe, https://d3d5qtzjda7oy3.cloudfront.net/paladinvpn-setup.exe
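As an added defender-side example (not code from the original report), the following Python matches the indicators listed above against constructed sample log lines; the DNS, firewall, EDR and proxy record formats are assumptions, and subdomains of the listed domains and uppercase hashes are handled:

```python
import re
# Indicators from the report above: domains, IPs, MD5 hashes and download URLs.
IOC_DOMAINS = {"911.re", "911s5.com"}
IOC_IPS = {"173.244.211.96", "209.126.108.53"}
IOC_MD5 = {"1875e43e224862cbf60bffc51c96cf1a", "25e627a9a583f08ffbbd60cbc276f87e",  # PaladinVPN
           "6db6b7b99a0e87f142a56e256a62ef82", "fd72d909e280110cd6ccbae8e86d29e4"}  # ShieldVPN
IOC_URLS = {"https://d1f64skmkl5mzn.cloudfront.net/paladinvpn.exe",
            "https://d3d5qtzjda7oy3.cloudfront.net/paladinvpn-setup.exe"}

URL_RE = re.compile(r"https?://\S+")
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
MD5_RE = re.compile(r"\b[0-9a-f]{32}\b", re.I)

def match_domain(host):
    # Exact IOC domain or a subdomain of it; "not911.re" must not match "911.re".
    host = host.lower().rstrip(".")
    for d in IOC_DOMAINS:
        if host == d or host.endswith("." + d):
            return d
    return None

def scan_logs(lines):
    # Format-agnostic: pull URLs, hostnames, IPs and MD5s out of each line and
    # return (line_no, kind, indicator) for every value found in the IOC sets.
    hits = []
    for n, line in enumerate(lines, 1):
        for url in URL_RE.findall(line):
            url = url.rstrip('",;)')  # drop trailing log punctuation
            if url in IOC_URLS:
                hits.append((n, "url", url))
        for host in HOST_RE.findall(line):
            if (d := match_domain(host)):
                hits.append((n, "domain", d))
        for ip in IP_RE.findall(line):
            if ip in IOC_IPS:
                hits.append((n, "ip", ip))
        for h in MD5_RE.findall(line):
            if h.lower() in IOC_MD5:  # EDR tools often log uppercase hashes
                hits.append((n, "md5", h.lower()))
    return hits

# Constructed sample telemetry (assumed DNS, firewall, EDR and proxy formats), not real logs.
SAMPLE_LOGS = [
    "2024-05-01T10:00:01 dns client=10.0.0.5 qname=api.911s5.com type=A",
    "2024-05-01T10:00:02 fw allow 10.0.0.5:51234 -> 173.244.211.96:443 proto=tcp",
    "2024-05-01T10:00:03 edr file_create path=C:\\Users\\u\\Downloads\\paladinvpn.exe md5=1875E43E224862CBF60BFFC51C96CF1A",
    "2024-05-01T10:00:04 proxy GET https://d1f64skmkl5mzn.cloudfront.net/paladinvpn.exe status=200",
    "2024-05-01T10:00:05 dns client=10.0.0.7 qname=www.example.com type=A",
]
```

Running `scan_logs(SAMPLE_LOGS)` flags lines 1 to 4 (domain, IP, hash and URL respectively) and leaves the benign DNS line alone.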

Read more: https://blog.netlab.360.com/911s5/