
Firewalls Under Fire: China's Ongoing Campaign to Compromise Network Protection Devices

DEFCONConference · 105,689 views · 35:12 · 6 months ago

This talk details a multi-year, sophisticated campaign by threat actors targeting edge network devices, specifically firewalls, to gain unauthorized access to customer networks. The research highlights the use of various exploits, including SQL injection and buffer overflows, to deploy custom rootkits and backdoors like 'Snoopy' and '2own' for data exfiltration and persistence. The presentation emphasizes the importance of radical transparency in the security industry, demonstrating how shared threat intelligence can help defenders identify and mitigate complex, multi-platform attacks.

How Threat Actors Weaponized Edge Devices to Build a Global Botnet

TLDR: This research details a multi-year campaign where threat actors exploited vulnerabilities in firewalls and edge devices to deploy custom rootkits like Snoopy and 2own. By chaining SQL injection and buffer overflows, attackers gained persistence and exfiltrated data while masquerading as legitimate traffic. Security teams must prioritize patching edge devices and monitoring for anomalous outbound connections that bypass standard inspection.

Firewalls are the last line of defense, which makes them the first target for anyone looking to maintain long-term access to a network. The recent research presented at DEF CON 2025 regarding the Pacific Rim campaign proves that threat actors are not just looking for a quick entry point. They are systematically compromising edge devices to turn them into persistent, stealthy command-and-control nodes. If you are still treating your edge appliances as "set and forget" infrastructure, you are already behind the curve.

The Mechanics of the Breach

The campaign, which spanned from 2018 to 2024, relied on a mix of known vulnerabilities and custom-built tooling. Attackers targeted Sophos XG Firewalls and Cyberoam devices, using SQL injection to gain initial access. Once inside, they deployed a rootkit named Snoopy.

Snoopy is a masterclass in stealth. It functions as a deep packet inspection engine that monitors all inbound traffic. Instead of using a standard C2 channel that would trigger alerts, it watches for packets with specific source port numbers. These source ports act as the command instructions for the rootkit. When a correctly crafted packet arrives, the rootkit executes the instruction, steals data, and retransmits the stolen information through the same TCP connection. The firewall never logs the difference because the traffic appears to be part of an established, legitimate session.
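One way to hunt for the channel described above in ordinary connection records, as an added example and not code from the talk or from Sophos: the flow records are constructed, the firewall address and the thresholds are assumptions, and the particular source-port values the real rootkit watched for are not on this page and are not used here. The two signals are the ones a network-level view exposes and the device's own log would not: a few bytes in and a large volume out over the same inbound TCP connection, and the same "random" client source port turning up from several different hosts.

```python
"""Hunt for a source-port-keyed covert channel in connection records.

Added example, not code from the talk or the Sophos research. Flow records
are constructed; the thresholds are assumptions to tune per environment.
"""
from collections import defaultdict

FIREWALL_IP = "192.0.2.1"  # constructed address of the monitored edge device

# Constructed records in a Zeek conn.log-like shape:
# (src_ip, src_port, dst_ip, dst_port, bytes_to_firewall, bytes_from_firewall)
FLOWS = [
    ("198.51.100.7", 51000, FIREWALL_IP, 443, 900, 4200),       # ordinary portal page
    ("198.51.100.8", 52114, FIREWALL_IP, 443, 1200, 6000),
    ("198.51.100.10", 50233, FIREWALL_IP, 443, 600, 30000),     # larger but normal download
    ("203.0.113.5", 40001, FIREWALL_IP, 443, 120, 1_500_000),   # tiny request, huge reply
    ("203.0.113.9", 40001, FIREWALL_IP, 443, 130, 900_000),     # same odd source port, other host
    ("203.0.113.9", 40002, FIREWALL_IP, 443, 110, 2_000_000),
    ("198.51.100.9", 43321, FIREWALL_IP, 443, 800, 3000),
]


def suspicious_sessions(flows, firewall_ip=FIREWALL_IP, ratio_threshold=100, reuse_threshold=2):
    """Return inbound sessions to the firewall that look like a command channel.

    Two indicators are combined, both visible only in network-level data:
      * reply/request byte asymmetry: a handful of bytes in, a large volume out
        over the same TCP connection (data leaving inside the inbound session);
      * the same client source port chosen by several different hosts, which
        is unexpected for randomly assigned ephemeral ports and hints that the
        port carries meaning for the receiver.
    """
    port_sources = defaultdict(set)
    for src, sport, dst, _dport, _b_in, _b_out in flows:
        if dst == firewall_ip:
            port_sources[sport].add(src)

    hits = []
    for src, sport, dst, dport, b_in, b_out in flows:
        if dst != firewall_ip or b_in == 0:
            continue
        ratio = b_out / b_in
        if ratio < ratio_threshold:
            continue  # reply volume is in line with the request; treat as normal
        reasons = [f"reply/request byte ratio {ratio:.0f}"]
        hosts = len(port_sources[sport])
        if hosts >= reuse_threshold:
            reasons.append(f"source port {sport} used by {hosts} distinct hosts")
        hits.append({"src": src, "sport": sport, "dport": dport, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in suspicious_sessions(FLOWS):
        print(f"{hit['src']}:{hit['sport']} -> {FIREWALL_IP}:{hit['dport']}: "
              + "; ".join(hit["reasons"]))
```

The byte-ratio threshold alone will trip on legitimate large downloads from a portal, so the port-reuse indicator is what separates the constructed 40001 sessions from ordinary traffic; in practice both should be baselined against a week of normal connection records before alerting on them.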

Persistence Through Hooking

Persistence is where this campaign gets particularly nasty. The attackers utilized a tool called plthook to manipulate the Procedure Linkage Table (PLT) of running processes. By hooking these functions, they could redirect execution flow to their own malicious code without modifying the binary on disk.

For example, when a legitimate process calls a function to log network activity, the hook intercepts that call, executes the attacker's logic—such as deleting specific log entries—and then returns control to the original function. This makes the malicious activity invisible to standard log analysis tools. If you are relying on the device's own logs to detect an intrusion, you are looking at a curated version of reality.

Real-World Implications for Pentesters

During a penetration test or a red team engagement, you should treat edge devices as high-value targets for lateral movement. If you find an edge device with an outdated firmware version, do not just report it as a finding. Attempt to identify if the device is already compromised. Look for:

  • Unexplained outbound traffic to non-standard IP ranges.
  • Discrepancies between the device's internal logs and external network traffic captures.
  • Unexpected processes running in memory that do not appear in the standard process list.
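The "curated version of reality" problem above and the second bullet in this list are the same check seen from two sides: if a hook on the appliance deletes log entries, the only way to notice is to compare what the device admits to against what an out-of-band tap saw. The script below is an added example, not code from the talk; both the device log lines (a generic key=value syslog shape) and the tap flows are constructed.

```python
"""Cross-check a firewall's own connection log against an out-of-band capture.

Added example, not code from the talk. Both the log lines and the capture
records are constructed; the log format is a generic key=value syslog shape.
"""
import re

DEVICE_LOG = """\
2025-08-10T10:00:01Z fw1 conn src=198.51.100.7:51000 dst=192.0.2.1:443 action=accept
2025-08-10T10:00:05Z fw1 conn src=198.51.100.8:52114 dst=192.0.2.1:443 action=accept
2025-08-10T10:01:00Z fw1 conn src=10.0.0.5:40231 dst=198.51.100.200:443 action=accept
2025-08-10T10:01:30Z fw1 conn src=10.0.0.6:40500 dst=198.51.100.201:443 action=accept
"""

# Flows seen by a tap/SPAN outside the device: (src_ip, src_port, dst_ip, dst_port)
TAP_FLOWS = [
    ("198.51.100.7", 51000, "192.0.2.1", 443),
    ("198.51.100.8", 52114, "192.0.2.1", 443),
    ("203.0.113.5", 40001, "192.0.2.1", 443),      # inbound to the firewall, absent from its log
    ("10.0.0.5", 40231, "198.51.100.200", 443),
    ("192.0.2.1", 55120, "203.0.113.5", 8443),     # firewall-originated, absent from its log
]

LOG_RE = re.compile(
    r"src=(?P<src>[\d.]+):(?P<sport>\d+)\s+dst=(?P<dst>[\d.]+):(?P<dport>\d+)"
)


def parse_device_log(text):
    """Return the set of 4-tuples the device admits to having seen."""
    seen = set()
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            seen.add((m["src"], int(m["sport"]), m["dst"], int(m["dport"])))
    return seen


def reconcile(log_text, tap_flows):
    """Compare both views and return what each side has that the other lacks.

    'unlogged' is the interesting set: connections that crossed the wire but
    never made it into the device's log, which is exactly what a log-deleting
    hook on the appliance would produce. 'uncaptured' usually means a tap
    coverage gap rather than tampering, but it is worth listing too.
    """
    logged = parse_device_log(log_text)
    captured = set(tap_flows)
    return {
        "unlogged": sorted(captured - logged),
        "uncaptured": sorted(logged - captured),
    }


if __name__ == "__main__":
    result = reconcile(DEVICE_LOG, TAP_FLOWS)
    for flow in result["unlogged"]:
        print("on the wire but not in the device log:", flow)
    for flow in result["uncaptured"]:
        print("in the device log but never captured:", flow)
```

Real logs need timestamp windows and NAT awareness before the two views line up exactly; the point is that the comparison runs against data the appliance could not have edited.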

The use of Sliver and other adversary emulation frameworks on these devices is becoming common. Attackers are no longer just using off-the-shelf exploits; they are tailoring their payloads to the specific architecture of the firewall. When you encounter a device that seems to be "acting weird," it is likely because it is being used as a relay for someone else's traffic.

Defensive Strategies

Defending against this level of sophistication requires moving beyond signature-based detection. Implement strict egress filtering for the appliance itself: if your firewall does not need to communicate with a specific external IP, block it. Furthermore, monitor for broken access control patterns, such as requests that reach privileged functions on the appliance without proper authorization, since these may indicate an attacker attempting to escalate privileges on the device itself.
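A concrete shape for the egress filtering just described, as an added example that is not from the talk: a constructed allowlist of the destinations the appliance itself is permitted to reach, rendered as an nftables ruleset (assuming a Linux-based device or host) together with a dry-run evaluator for reviewing the policy before anything is applied.

```python
"""Default-deny egress policy for the appliance itself, with a dry-run checker.

Added example, not from the talk. The allowlist entries are constructed and
use documentation address ranges; the nftables rendering assumes a
Linux-based device and is meant to be reviewed, not applied blindly.
"""
import ipaddress

# (destination network, protocol, port, reason) - constructed allowlist
ALLOW = [
    ("203.0.113.10/32", "tcp", 443, "vendor update server (assumed address)"),
    ("203.0.113.20/32", "udp", 123, "NTP"),
    ("192.0.2.0/24", "tcp", 514, "syslog collector"),
]


def render_nft(rules, table="egress"):
    """Render an nftables ruleset: drop everything the device sends unless allowed."""
    lines = [
        f"table inet {table} {{",
        "  chain output {",
        "    type filter hook output priority 0; policy drop;",
        "    oif lo accept",
        "    ct state established,related accept",
    ]
    for cidr, proto, port, reason in rules:
        net = ipaddress.ip_network(cidr, strict=True)
        family = "ip" if net.version == 4 else "ip6"
        # single hosts render as a plain address, subnets keep their prefix
        dest = (str(net.network_address) if net.prefixlen == net.max_prefixlen
                else net.with_prefixlen)
        lines.append(f"    {family} daddr {dest} {proto} dport {port} accept  # {reason}")
    lines += [
        '    log prefix "egress-denied " drop',  # every denial leaves a log line to hunt on
        "  }",
        "}",
    ]
    return "\n".join(lines)


def evaluate(flow, rules=ALLOW):
    """Dry-run a (dst_ip, proto, dport) flow the device would initiate."""
    dst, proto, port = flow
    addr = ipaddress.ip_address(dst)
    for cidr, p, dp, reason in rules:
        if proto == p and port == dp and addr in ipaddress.ip_network(cidr):
            return ("accept", reason)
    return ("drop", "no allowlist entry")


if __name__ == "__main__":
    print(render_nft(ALLOW))
    for f in [("203.0.113.10", "tcp", 443), ("198.51.100.77", "tcp", 443)]:
        print(f, "->", evaluate(f))
```

Note what this policy does and does not cover: it governs connections the device initiates, but replies inside a session that an outside client opened still pass as established traffic, so a channel that tunnels stolen data back through the inbound connection is not stopped here and has to be caught by network-level monitoring instead. The `log prefix` on the final drop is deliberate; denied egress from a firewall is a high-value signal, not noise.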

The most critical takeaway is that no device is exempt from targeting. The sheer volume of CVEs affecting these devices is staggering. If you are responsible for managing these assets, you must assume that any device exposed to the public internet is under constant, automated reconnaissance.

The era of the "set and forget" firewall is over. Attackers are using our own security tools against us, turning our perimeter defenses into their private infrastructure. If you are not actively hunting for these indicators of compromise, you are leaving the front door wide open. Start by auditing your edge device configurations and ensuring that your monitoring tools are capturing traffic at the network level, not just relying on the logs generated by the potentially compromised device itself. The next time you see a suspicious connection, do not assume it is a false positive. It might be the only sign you get before the network is fully compromised.

Talk Type: research presentation
Difficulty: advanced
Category: threat intel
Tags: Has Demo, Has Code, Tool Released


DEF CON 33 Main Stage Talks · 98 talks · 2025