Overview
On March 12, 2026, the Federal Bureau of Investigation (FBI) released FLASH 20260312-001, titled “AVrecon Malware-Infected Routers Exploited as Residential Proxies by SocksEscort.” In that FLASH, the FBI identified certain D-Link legacy router models among the top 20 most represented device models observed in the campaign.
The D-Link models referenced by the FBI are legacy products that have already reached End of Life (EOL) / End of Service (EOS) status. As a general policy, once products reach EOL/EOS, they no longer receive ongoing support, maintenance, or firmware development. D-Link recommends that affected legacy devices be retired and replaced.
Please read the information and recommendations below.
3rd Party / Government Report Information
Report #1
Date: 03/12/2026
Source: Federal Bureau of Investigation (FBI)
Reference: FLASH 20260312-001
Title: AVrecon Malware-Infected Routers Exploited as Residential Proxies by SocksEscort
Summary
The FBI reported that AVrecon malware has been used by threat actors to compromise routers and IoT devices, maintain remote access, and monetize those devices as residential proxies through SocksEscort.
The FBI’s list of the top 20 most represented device models includes the following D-Link models:
- DIR-818LW
- DIR-850L
- DIR-860L
Affected Models
| Model | Region | Hardware Revision | End of Service / End of Life | Legacy Website | Related D-Link Publication |
|---|---|---|---|---|---|
| DIR-818L | All Regions | All H/W Revisions | 05/01/2017 | | |
| DIR-818LW | All Regions | All H/W Revisions | 05/01/2017 | | |
| DIR-850L | All Regions | All H/W Revisions | 03/01/2020 | | |
| DIR-860L | All Regions | All H/W Revisions | 05/01/2018 | | |
Source basis for the lifecycle dates above: D-Link support-announcement publications SAP10453, SAP10277, and SAP10397.
Recommendation for End-of-Support / End-of-Life Products
From time to time, D-Link determines that certain products have reached End of Support (EOS) / End of Life (EOL). D-Link may designate products as EOS/EOL due to technology evolution, market requirements, product maturity, component availability, or replacement by functionally superior technologies.
For US Consumers
If a product has reached End of Support (EOS) / End of Life (EOL), there is typically no further extended support or ongoing firmware development for that product. In most cases, D-Link is unable to resolve device or firmware issues on such products because development and support activity have ceased.
D-Link provides a legacy product site for affected products that are no longer supported or under development:
D-Link strongly recommends that the products listed above be retired and replaced.
For customers who continue using any affected legacy product pending replacement, D-Link recommends taking the following actions immediately:
- Replace the device as soon as possible with a currently supported networking product that receives security updates.
- Ensure the device is running the latest available firmware for its hardware revision, if firmware remains available.
- Change the administrator password immediately and use a strong, unique password.
- Ensure Wi-Fi encryption is enabled and protected with a strong, unique wireless password.
- Disable remote management unless it is strictly required.
- Review the network for unusual activity and consider replacing the device immediately if compromise is suspected.
- Rebooting alone may not be sufficient to remediate a compromised device, as the FBI noted that some infections may persist through modified firmware and disabled update functionality.
Additional Information
Customers may consult the FBI FLASH for additional technical details regarding AVrecon malware, attacker behavior, and indicators associated with the SocksEscort operation.
Customers who believe a device or network may have been compromised should follow their internal incident response procedures and contact qualified cybersecurity professionals or law enforcement as appropriate.