Belarus-Linked DSLRoot Proxy Network Deploys Hardware in U.S. Residences, Including Military Homes
DSLRoot, a residential proxy provider, operates a network of hardware devices deployed in U.S. homes across at least 20 states. The network is managed by a Belarusian national with ties to both Minsk and Moscow. Unlike typical proxy services, DSLRoot uses dedicated hardware in American residences, creating persistent access to U.S. home networks. The company's custom software enables remote management of consumer modems and Android devices, allowing for IP address rotation and connectivity control. The network operates without authentication, permitting anonymous traffic routing through U.S. residential IPs. The operator also runs related services, including virtual credit card issuance and company formation, targeting both English and Russian-speaking markets. The discovery raises concerns about foreign-controlled infrastructure in sensitive locations, including military homes.
AI Analysis
Technical Summary
DSLRoot is a residential proxy network operated by a Belarusian individual with connections to Minsk and Moscow. This network uniquely deploys dedicated hardware devices inside U.S. residences across at least 20 states, including homes linked to military personnel. Unlike conventional proxy services that rely on virtualized or cloud-based IP addresses, DSLRoot's approach involves physically embedding hardware in consumer environments, granting persistent and direct access to these home networks. The custom software developed by DSLRoot enables remote management of consumer modems and Android devices, facilitating IP address rotation and control over connectivity. Notably, the network operates without authentication, allowing anonymous routing of traffic through U.S. residential IP addresses. This lack of authentication significantly lowers the barrier for misuse, enabling potentially malicious actors to route traffic through these devices without detection or consent. Additionally, the operator manages ancillary services such as virtual credit card issuance and company formation, targeting both English and Russian-speaking markets, which may be leveraged for financial fraud or obfuscation of illicit activities. The presence of foreign-controlled infrastructure embedded within sensitive U.S. locations, including military homes, raises serious concerns about espionage, data exfiltration, and the potential for covert surveillance or cyber operations. The campaign is tagged with multiple MITRE ATT&CK techniques (e.g., T1583, T1133, T1090), indicating tactics involving proxy use, credential access, and network reconnaissance. Although no known exploits in the wild have been reported, the persistent and unauthenticated nature of this proxy network represents a significant operational security risk.
Potential Impact
For European organizations, the direct technical impact of DSLRoot is limited given the network's physical deployment in U.S. residences. However, the threat has indirect implications for Europe. European entities with transatlantic ties or dependencies on U.S.-based infrastructure could face risks if threat actors leverage DSLRoot's proxies to anonymize malicious activities targeting European networks. The ability to route traffic through U.S. residential IPs complicates attribution and may facilitate advanced persistent threat (APT) operations against European targets. Furthermore, the operator's involvement in virtual credit card issuance and company formation services could enable financially motivated cybercrime affecting European financial institutions and businesses. The geopolitical context, involving Belarusian-linked actors with ties to Moscow, aligns with broader concerns about state-sponsored cyber operations targeting Western interests, including Europe. Thus, European organizations, especially those in critical infrastructure, defense, finance, and government sectors, should be vigilant about potential indirect exploitation of this proxy network for reconnaissance, lateral movement, or anonymized attack staging.
Mitigation Recommendations
European organizations should implement advanced network monitoring to detect anomalous traffic patterns indicative of proxy-based anonymization, particularly traffic originating from or routed through suspicious U.S. residential IP ranges associated with DSLRoot. Deploying threat intelligence feeds that include DSLRoot-related IPs, domains, and hashes can enhance detection capabilities. Network segmentation and strict egress filtering can limit unauthorized outbound connections that might leverage such proxy networks. For organizations with U.S. operations or partnerships, conducting security assessments of residential network devices and ensuring firmware integrity is critical to prevent unauthorized hardware deployment. Collaboration with U.S. cybersecurity agencies and information sharing through European CERTs can facilitate timely awareness and coordinated response. Additionally, financial institutions should scrutinize transactions involving virtual credit cards and newly formed companies linked to the identified domains to detect potential fraud. Employing behavioral analytics and anomaly detection on user and network activity can help identify exploitation attempts that use residential proxies for obfuscation. Finally, raising awareness among employees about the risks of unauthorized hardware and software installations in home environments, especially for remote workers, can reduce the risk of inadvertent participation in such proxy networks.
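As an added illustration of the monitoring and threat-feed matching recommended above (example code, not from the advisory or any vendor), the following Python matches constructed key=value egress log lines against a small indicator set: the two domains and two IPs are taken from this advisory's indicator list, while the CIDR range and the log lines are constructed placeholders.

```python
import ipaddress
import re
# Indicator feed: the domains and IPs are taken from this advisory's indicator list;
# the CIDR is a constructed placeholder (TEST-NET-2) for a range a feed might publish.
IOC_DOMAINS = {"dslroot.com", "residential-ip.com"}
IOC_IPS = {"185.251.38.102", "93.174.90.64"}
IOC_NETS = [ipaddress.ip_network("198.51.100.0/24")]
# Constructed firewall/proxy egress records (key=value style), not real telemetry.
SAMPLE_LOGS = [
    "ts=2025-08-27T19:17:50Z src=10.0.4.21 dst=185.251.38.102 dport=443 action=allow",
    "ts=2025-08-27T19:18:02Z src=10.0.4.21 dst=203.0.113.7 dport=443 action=allow host=www.example.org",
    "ts=2025-08-27T19:18:15Z src=10.0.7.9 dst=203.0.113.8 dport=8080 action=allow host=api.dslroot.com",
    "ts=2025-08-27T19:18:40Z src=10.0.7.9 dst=198.51.100.77 dport=1080 action=allow",
    "ts=2025-08-27T19:19:01Z src=10.0.2.5 dst=203.0.113.9 dport=443 action=allow host=notdslroot.com",
]
KV = re.compile(r"(\w+)=(\S+)")

def parse(line: str) -> dict:
    """Turn a key=value log line into a dict of fields."""
    return dict(KV.findall(line))

def domain_hit(host: str) -> bool:
    """True when host equals an IOC domain or is a subdomain of one (matched on
    label boundaries, so 'notdslroot.com' does not match 'dslroot.com')."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)

def ip_hit(addr: str) -> bool:
    """True when the destination is a listed IP or falls inside a listed range."""
    if addr in IOC_IPS:
        return True
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:  # missing or malformed field
        return False
    return any(ip in net for net in IOC_NETS)

def match_egress(lines: list) -> list:
    """Return one hit record per log line whose destination matches the feed."""
    hits = []
    for line in lines:
        rec = parse(line)
        reasons = []
        if ip_hit(rec.get("dst", "")):
            reasons.append("ioc-ip:" + rec["dst"])
        if domain_hit(rec.get("host", "")):
            reasons.append("ioc-domain:" + rec["host"])
        if reasons:
            hits.append({"ts": rec.get("ts"), "src": rec.get("src"), "reasons": ",".join(reasons)})
    return hits
```

In practice the feed sets would be loaded from a threat-intelligence source and the records streamed from the firewall or proxy; the matching logic stays the same.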
Affected Countries
United Kingdom, Germany, France, Netherlands, Poland, Belgium, Italy
Indicators of Compromise
Technical Details
- Author: AlienVault
- TLP: white
- References: https://infrawatch.app/blog/dslroot-us-proxy-investigation
- Adversary: DSLRoot
- Pulse Id: 68af30b52ebb20fed2ec85f7
- Threat Score: null
Threat ID: 68af59dead5a09ad0065762f
Added to database: 8/27/2025, 7:17:50 PM
Last enriched: 8/27/2025, 7:33:12 PM
Last updated: 10/17/2025, 5:27:38 PM