14,000 Routers Hijacked Into a Mysterious New Botnet That’s Been Hiding in Plain Sight

Researchers at Infoblox uncovered a 14,000-device botnet dubbed Mikro Typo, hijacking MikroTik routers as email proxies. Exploiting misconfigured SPF DNS records, the botnet relays spam and phishing campaigns that bypass authentication checks — a stealthy, service-oriented operation that went undetected for months.
14,000 Routers Hijacked Into a Mysterious New Botnet That’s Been Hiding in Plain Sight
Written by Emma Rogers

Somewhere around 14,000 routers — mostly older MikroTik devices — have been quietly conscripted into a botnet unlike anything researchers have documented before. The network doesn’t launch DDoS attacks. It doesn’t scan for new victims. Instead, it does something far more insidious: it turns compromised routers into proxy servers that funnel malicious email through what appear to be legitimate IP addresses, bypassing spam filters and domain authentication checks with disturbing efficiency.

The discovery, reported by Slashdot and detailed by researchers at Infoblox, reveals a botnet that has been operating under the radar by exploiting misconfigured DNS records — specifically, SPF (Sender Policy Framework) records that use an overly permissive “+all” option. That single configuration error essentially tells receiving mail servers to accept email from any IP address claiming to send on behalf of a given domain. It’s a gift to spammers. And this botnet has been exploiting it at scale.

Here’s what makes this operation distinct. Traditional botnets amass infected machines to generate brute-force traffic or steal credentials. This one, which Infoblox has dubbed “Mikro Typo” (a nod to the MikroTik hardware it targets), is built around deception and trust manipulation. The compromised routers act as SOCKS proxies, relaying spam and phishing emails so they appear to originate from trusted networks. Because the SPF records of the spoofed domains are misconfigured to allow all senders, the emails pass authentication checks that would normally flag or reject them.

A clever trick. And not a new concept in isolation — SPF misconfigurations have been a known problem for years. But weaponizing thousands of routers to operationalize that weakness at this scale? That’s new.

The MikroTik routers being exploited run various firmware versions, some dating back years. Many are known to have unpatched vulnerabilities. But Infoblox researchers noted that the exact initial compromise vector isn’t fully confirmed — it could be a mix of known CVEs, default credentials, and brute-force attacks. What’s clear is that once a router is compromised, a script reconfigures it to function as a SOCKS4 or SOCKS5 proxy, routing traffic for the botnet’s operators without the device owner ever noticing.

MikroTik routers are popular with small businesses and ISPs, particularly in emerging markets. They’re powerful, affordable, and notoriously left unmanaged after initial setup. That makes them perfect targets.

The spam campaigns facilitated by Mikro Typo aren’t garden-variety junk mail. According to Infoblox’s analysis, many of the emails impersonate well-known brands and carry payloads designed to harvest credentials or deliver malware. The botnet’s operators appear to rent out proxy access to other threat actors as well, making it a service infrastructure — a malicious relay network available to the highest bidder. This fits a growing trend in cybercrime: specialization. One group compromises devices, another handles distribution, another crafts the phishing lures.

So why has this gone undetected for so long? Partly because the traffic looks normal. Routers sending email isn’t inherently suspicious if the volume per device stays low. Spread across 14,000 nodes, even a large spam campaign generates modest traffic from any single IP. And because the spoofed domains have misconfigured SPF records that technically authorize the traffic, automated filters don’t raise alarms.

“The use of SPF records with ‘+all’ is essentially the same as having no SPF record at all,” Infoblox researchers wrote in their report, as covered by Ars Technica. It’s a blunt assessment, but accurate. Organizations that configure their DNS this way are unknowingly providing cover for operations like Mikro Typo.

The implications for network defenders are immediate and practical. First: audit your SPF records. If you see “+all” in any TXT record associated with your domain, fix it. The correct posture for most organizations is “-all” (hard fail) or “~all” (soft fail), which instruct receiving servers to reject or flag unauthorized senders. Second: if you’re running MikroTik hardware, update the firmware. Check for unauthorized proxy configurations. Look for SOCKS services running on unexpected ports. MikroTik’s own documentation provides guidance on hardening RouterOS, but many administrators simply never revisit configurations after deployment.

Third — and this one is harder — organizations need to treat outbound traffic anomalies from network edge devices as seriously as they treat inbound threats. A router quietly proxying email traffic may not trigger traditional intrusion detection signatures. But flow analysis, DNS monitoring, and behavioral baselines can catch it. Infoblox specifically flagged DNS-layer visibility as a critical detection mechanism for this type of threat.

The broader pattern here is worth paying attention to. Botnets have been evolving away from noisy, volumetric attacks toward stealthier, service-oriented models. The Mēris botnet in 2021 also targeted MikroTik routers but focused on DDoS. Mikro Typo represents a different philosophy — persistence over power, stealth over spectacle. Its operators don’t want to be noticed. They want to blend into the background noise of normal internet traffic and sell that invisibility as a product.

This isn’t the first time researchers have warned about the soft underbelly of small office and home office networking equipment. The FBI’s 2024 takedown of the Volt Typhoon-linked KV Botnet, which also targeted end-of-life routers, underscored how state-sponsored actors exploit the same class of neglected devices. The difference here appears to be financially motivated cybercrime rather than espionage, but the attack surface is identical.

And that’s the uncomfortable truth. The internet’s infrastructure relies heavily on millions of devices that nobody actively manages. Routers, NAS boxes, IoT gateways — they sit in closets and server rooms running firmware from 2019, with default credentials and no monitoring. Each one is a potential node in the next botnet.

Infoblox has published indicators of compromise and detection guidance. CERT teams and ISPs in affected regions have been notified. But the structural problem — masses of unmanaged network devices with known vulnerabilities — isn’t going away. It’s getting worse as more connected hardware ships, gets installed, and gets forgotten.

For security teams, the takeaway is concrete. Check your DNS. Patch your routers. Monitor your egress traffic. And assume that if a device is internet-facing and unmanaged, someone else is probably already managing it for you.

Subscribe for Updates

NetSecPro Newsletter

Your essential briefing on the evolving world of cybersecurity. The latest threat intelligence, security research, best practices and actionable insights for IT leaders and security professionals.

By signing up for our newsletter you agree to receive content related to ientry.com / webpronews.com and our affiliate partners. For additional information refer to our terms of service.

Notice an error?

Help us improve our content by reporting any issues you find.

Get the WebProNews newsletter delivered to your inbox

Get the free daily newsletter read by decision makers

Subscribe
Advertise with Us

Ready to get started?

Get our media kit

Advertise with Us