
Experts at Solar 4RAYS, the research center of Solar Group, have identified a previously unknown hacking group, dubbed Proxy Trickster, that makes its money from cryptocurrency mining and proxyjacking (taking over servers, turning them into proxies and selling access to them). Over roughly a year the attackers hit nearly 900 servers in 58 countries, including Russia.
In March 2025, while investigating an incident at an unnamed Russian IT company, the specialists found traces of a group nobody had described before and named it Proxy Trickster.
The hackers' main income comes from cryptocurrency mining and proxyjacking: they take control of legitimate servers through known vulnerabilities, turn them into proxy servers and sell access on the darknet to other criminals, who route their traffic through the hijacked machines to hide their activity and their real IP addresses.
The earliest traces of Proxy Trickster activity date back to May 2024, and the group has not paused since.
In the incident the experts investigated, the initial entry point could not be reconstructed. Analysts at Cado Security, however, have reported that the group exploits already known vulnerabilities in Selenium Grid. Selenium Grid was not present in the case examined by Solar 4RAYS, which suggests that the group goes after a range of publicly exposed services with known vulnerabilities rather than one particular product.
In just over a year the group has infected at least 874 devices in 58 countries. The largest shares of infected servers were in the USA (16% of the total), Germany (6%), Russia (4%), Ukraine (4%) and France (4%), with the rest spread across other countries. The researchers conclude that the attackers do not care where their targets are located: they compromise any reachable server that can be turned into profit.
The researchers consider the group fairly amateurish, yet it borrows tools and techniques from professional groups that conduct espionage and destructive attacks.
For example, Proxy Trickster replaces the system utilities ps, pstree and pkill with custom scripts that hide the malicious processes, which masquerade under kernel-thread names such as [kworker/u8:1-events_unbound], from system administrators. The group also automates its attacks in several stages.
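The two tricks above (trojaned process-listing tools and processes named like kernel threads) leave traces that a trojaned ps cannot remove, because the kernel still exposes every task under /proc. The script below is an added example written for this article, not Solar 4RAYS or Cado Security tooling; the tool paths, the list of kernel-thread name prefixes and the assumption that the impostor keeps a kworker-style argv[0] are my own choices, not details from the report.

```python
"""Triage checks for process-hiding on a Linux host (added example, not vendor tooling).

Three independent checks:
  1. ps/pstree/pkill should be ELF binaries; a file starting with "#!" is a wrapper script.
  2. Every PID under /proc must also appear in ps output; anything missing is being hidden.
  3. A real kernel thread has an empty cmdline, no readable /proc/PID/exe link and
     kthreadd (PID 2) as its parent. A user process that merely calls itself
     "[kworker/u8:1-events_unbound]" fails at least one of those tests.
Assumed paths and name prefixes below are mine, not from the report.
"""
import os
import re
import subprocess

PROCPS_TOOLS = ("/bin/ps", "/usr/bin/pstree", "/usr/bin/pkill")  # assumed install paths
KTHREAD_NAME = re.compile(r"^\[?(kworker|ksoftirqd|kthreadd|migration|rcu_|kswapd|cpuhp)")


def is_script_wrapper(path):
    """True when a file that should be an ELF executable starts with '#!' instead."""
    try:
        with open(path, "rb") as f:
            return f.read(2) == b"#!"
    except OSError:
        return False


def list_proc_pids(proc="/proc"):
    """PIDs the kernel exposes, read directly rather than via ps."""
    return [int(d) for d in os.listdir(proc) if d.isdigit()]


def hidden_pids(proc_pids, ps_pids):
    """PIDs present in /proc that the (possibly trojaned) ps did not report."""
    return sorted(set(proc_pids) - set(ps_pids))


def fake_kernel_threads(proc="/proc"):
    """Return (pid, name, exe, ppid) for processes that look like kernel threads but are not."""
    findings = []
    for pid in list_proc_pids(proc):
        base = os.path.join(proc, str(pid))
        try:
            with open(os.path.join(base, "cmdline"), "rb") as f:
                cmdline = f.read()
            with open(os.path.join(base, "comm")) as f:
                comm = f.read().strip()
            with open(os.path.join(base, "status")) as f:
                ppid = int(next(l for l in f if l.startswith("PPid:")).split()[1])
        except (OSError, StopIteration):
            continue  # process exited or is unreadable; not a finding
        argv0 = cmdline.split(b"\0", 1)[0].decode(errors="replace")
        if not (KTHREAD_NAME.match(argv0) or KTHREAD_NAME.match(comm)):
            continue  # ordinary user process, not pretending to be a kernel thread
        try:
            exe = os.readlink(os.path.join(base, "exe"))
        except OSError:
            exe = None  # genuine kernel threads have no exe link at all
        # kthreadd itself (PID 2) has PPid 0; every other real kernel thread has PPid 2.
        if cmdline or exe is not None or ppid not in (0, 2):
            findings.append((pid, argv0 or comm, exe, ppid))
    return findings


if __name__ == "__main__":
    for tool in PROCPS_TOOLS:
        if is_script_wrapper(tool):
            print(f"[!] {tool} is a script, not an ELF binary")
    ps_out = subprocess.run(["ps", "-eo", "pid="], capture_output=True, text=True).stdout
    ps_pids = [int(x) for x in ps_out.split()]
    for pid in hidden_pids(list_proc_pids(), ps_pids):
        print(f"[!] PID {pid} exists in /proc but ps did not list it")
    for pid, name, exe, ppid in fake_kernel_threads():
        print(f"[!] PID {pid} claims to be {name!r} but has exe={exe} ppid={ppid}")
```

Run it as root so every /proc/PID/exe link is readable. Short-lived processes that start between the ps call and the /proc scan will show up in the second check, so treat a hit there as a reason to look at /proc/PID/exe and /proc/PID/cmdline by hand rather than as proof by itself; the first and third checks have no such race. On a package-managed host, `rpm -V procps-ng` or `dpkg -V procps` gives an independent confirmation that the utilities were swapped.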

The group also keeps persistent access to the compromised servers, which in theory makes more complex attacks possible. It could therefore pose a threat to hundreds, if not thousands, of companies, including Russian ones.
“At Solar 4RAYS, we have not yet found confirmation that these hackers have executed more complex attacks, but that does not mean it cannot happen in the future. For example, access to compromised servers could be sold to other malicious actors who might use it to carry out more serious attacks. Security teams within organizations should pay attention to this threat and take measures to protect against it,” comments Ivan Syukhin, head of the incident investigation group at Solar 4RAYS Research Center, Solar Group.
