Lumen warns of malware-backed proxy networks in APAC
Fri, 10th Apr 2026
Lumen Technologies has published its 2026 Lumen Defender Threatscape Report, which finds that cyber attackers are increasingly hiding their activity through malware-backed proxy networks.
The report centres on what Lumen describes as a shift away from endpoint-led attacks toward activity staged further upstream in internet infrastructure. Black Lotus Labs, its threat research and operations unit, says attackers are using compromised small office and home office routers, internet-connected devices, and virtual infrastructure to hide malicious traffic within ordinary network flows.
Lumen argues this shift is particularly relevant in Asia Pacific, where large digital estates, widespread use of connected devices, and growing adoption of artificial intelligence have expanded the number of potential entry points. Organisations in the region often run distributed environments across branch networks, regional data centres, industrial sites, and partner systems, leaving more edge infrastructure exposed.
One of the main findings is that attackers are using generative AI to rebuild and rotate malicious infrastructure more quickly. According to the report, this shortens the time between a system being exposed and an attack taking effect.
Another focus is the use of internet-facing devices such as routers, virtual private network gateways, and firewalls. Attackers are targeting these systems because they can provide privileged access, often sit outside standard endpoint security tools, and offer limited forensic visibility.
Lumen also highlighted what it called the rise of residentially disguised proxies. In this model, criminal groups and state-backed operators use compromised home and small business devices as relay points, making malicious traffic appear to come from ordinary residential internet users and helping it evade controls based on geography or trust assumptions.
The report also points to increasingly blurred attribution in advanced campaigns. It says some espionage actors are hijacking criminal infrastructure to conceal their role, blending state-directed activity into noisier criminal operations.
For Asia Pacific businesses, the analysis links these methods to a broader threat environment shaped by rapid digitisation and close ties to manufacturing, energy, telecommunications, logistics, and technology supply chains. In sectors with extensive operational networks and partner links, edge systems can present a larger attack surface than centrally managed corporate devices.
Separate IDC research, sponsored by Lumen, found that the top three AI-driven threats affecting businesses in Asia Pacific are AI-enhanced phishing and impersonation, large language model prompt attacks, and AI-powered ransomware with real-time negotiation.
Wai Kit Cheah, APAC CISO & Connected Ecosystem Leader at Lumen, said the regional picture reflects a broader change in attacker behaviour. "Asia Pacific organisations are navigating a threat landscape that is growing in both scale and sophistication, with attackers operating well upstream of traditional defences," Cheah said. "The 2026 Defender Threatscape Report reinforces that effective defence now begins before the attacker reaches the enterprise. Network-layer visibility upstream gives security teams the ability to detect and disrupt adversaries earlier and at scale."
Heist Crews
The report describes what it calls a "heist crew" model of cybercrime, in which attackers run operations with a high degree of coordination. Rather than relying on a single piece of malware, groups combine proxy networks, automated infrastructure changes, and service-based business models.
Lumen says the model is especially effective in Asia Pacific because of the scale and variety of connected devices in use. That creates larger pools of hardware and addresses that can be taken over and repurposed, while making it less reliable to assume that residential or otherwise clean-looking IP space is low risk.
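The residential-proxy model described above, and the point that residential or otherwise clean-looking IP space can no longer be assumed low risk, can be turned into a concrete detection check. The following Python script is an added illustration, not code from Lumen, Black Lotus Labs, or the report: it contrasts a reputation-only policy (trust the ASN label) with a behavioural policy that flags an account whose logins arrive from several distinct ASNs in several countries inside a short window, even when every one of those ASNs is labelled residential. The authentication events, ASN numbers, countries, and the thresholds (three ASNs, two countries, one hour) are all constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of authentication events (not real data). Each event is
# (user, UTC timestamp, source IP, ASN number, ASN type label, country).
EVENTS = [
    ("alice", "2026-04-10T08:00:00", "203.0.113.10",  64500, "residential", "AU"),
    ("alice", "2026-04-10T08:05:00", "203.0.113.11",  64500, "residential", "AU"),
    ("bob",   "2026-04-10T09:00:00", "198.51.100.7",  64501, "residential", "SG"),
    ("bob",   "2026-04-10T09:04:00", "192.0.2.44",    64502, "residential", "JP"),
    ("bob",   "2026-04-10T09:09:00", "198.51.100.90", 64503, "residential", "AU"),
    ("bob",   "2026-04-10T09:15:00", "192.0.2.200",   64504, "residential", "KR"),
    ("carol", "2026-04-10T10:00:00", "198.51.100.5",  64505, "hosting",     "US"),
]

# Assumed detection window; tune to the environment.
WINDOW = timedelta(hours=1)


def parse(events):
    """Convert the ISO timestamps into datetime objects, keeping the other fields."""
    return [(u, datetime.fromisoformat(ts), ip, asn, kind, cc)
            for u, ts, ip, asn, kind, cc in events]


def reputation_only_risk(events):
    """Naive policy: trust the ASN label. Residential space scores low (1),
    hosting space scores high (3). A proxy relay on a home router passes."""
    risk = {}
    for u, _, _, _, kind, _ in parse(events):
        risk[u] = max(risk.get(u, 0), 1 if kind == "residential" else 3)
    return risk


def proxy_churn_alerts(events, min_asns=3, min_countries=2, window=WINDOW):
    """Behavioural policy: for each user, slide a window over their events and
    flag when logins come from >= min_asns distinct ASNs spanning
    >= min_countries countries, ignoring whether the ASNs are residential.
    Returns {user: {"asns": count, "countries": sorted list}} for flagged users."""
    by_user = defaultdict(list)
    for u, t, _ip, asn, _kind, cc in parse(events):
        by_user[u].append((t, asn, cc))

    alerts = {}
    for u, evs in by_user.items():
        evs.sort()  # chronological order so the window can start at each event
        for i, (t0, _, _) in enumerate(evs):
            in_window = [e for e in evs[i:] if e[0] - t0 <= window]
            asns = {a for _, a, _ in in_window}
            ccs = {c for _, _, c in in_window}
            if len(asns) >= min_asns and len(ccs) >= min_countries:
                alerts[u] = {"asns": len(asns), "countries": sorted(ccs)}
                break
    return alerts


if __name__ == "__main__":
    # bob is "low risk" under the reputation-only view but is flagged by churn.
    print(reputation_only_risk(EVENTS))
    print(proxy_churn_alerts(EVENTS))
```

Under the reputation-only policy every one of bob's logins scores as low-risk residential traffic; the churn check flags the same account because four different residential ASNs in four countries within fifteen minutes is the signature of a rotating relay pool, not of a single home user.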
Black Lotus Labs monitors more than 200 billion NetFlow sessions and 46,000 command-and-control servers each day, while maintaining visibility into 99% of public IPv4 addresses, according to Lumen. Based on that network view, the company says it took part in eight multi-partner disruption efforts in 2025 and disrupted 5,000 IP addresses.
The document cites several examples to illustrate these changes. They include Raptor Train, described as a nation-state botnet that used a centralised control structure to manage more than 200,000 compromised Internet of Things (IoT) devices, and Kimwolf, a distributed denial-of-service botnet that expanded to hundreds of thousands of bots within weeks through residential proxy ecosystems, according to the company.
Lumen says it observed Kimwolf triple its bot count in one week and launch attacks reaching 30 terabits per second. It also cited Rhadamanthys, which it described as a malware-as-a-service platform that, at the time of its takedown, had more than 12,000 victims and operated with subscription tiers and customer support.
Chris Kissel, IDC Vice-President, Security & Trust, said early detection depends on infrastructure-level intelligence. "Threat intelligence is needed to find the adversary as early as possible and as close to the point of origination as possible," Kissel said. "Lumen's massive infrastructure and the quality of Black Lotus Labs provide optimal visibility of the IP backbone, greatly reducing the odds of successful cyber-attack campaigns."