Proxy Trickster Group Attacks Nearly 900 Servers Across 58 Countries

Security experts at Solar 4RAYS, a division of the Solar Group, have identified a previously unknown hacker collective named Proxy Trickster. This group has been quietly compromising servers across the globe—targeting 874 systems in 58 countries over the span of a year, including several in Russia.

Discovery and Attack Overview

The group first surfaced in March 2025 during a cybersecurity investigation at an unnamed Russian IT company. Analysts noticed behavior inconsistent with known threat actors and began tracking the activity under the newly coined moniker "Proxy Trickster."

The hackers primarily profit from two tactics:

  • Cryptocurrency mining
  • Proxyjacking—the hijacking of vulnerable servers to convert them into proxy nodes for resale on darknet markets

By exploiting known vulnerabilities, they take control of legitimate servers and then resell proxy access to other criminals. This allows buyers to conceal their digital footprints and bypass geo-blocking or blacklists.

Timeline and Geographic Reach

The first signs of Proxy Trickster’s operations trace back to May 2024, and the group has remained active ever since. According to the researchers, the attackers are indiscriminate in their targeting—opting for any exposed server they can monetize.

The infection map spans 58 countries, with the largest concentrations in:

  • United States – 16% of all infections
  • Germany – 6%
  • Russia – 4%
  • Ukraine – 4%
  • France – 4%
  • Others – remaining 66%

This wide reach reflects a strategy focused more on opportunity than geography.

Attack Vectors and Techniques

In the incident analyzed by Solar 4RAYS, the initial access method was not identified. However, experts from Cado Security observed the group exploiting older vulnerabilities in Selenium Grid—a browser automation tool commonly used in testing environments.

While Selenium Grid was not deployed on the compromised Russian system, its absence suggests Proxy Trickster is actively scanning for—and targeting—other exposed services as well.

Once inside a system, the attackers use tools and techniques that belie their amateur appearance. For example:

  • Custom Rootkits: They replace system binaries like ps, pstree, and pkill with malicious versions to hide processes. One disguised process, [kworker/u8:1-events_unbound], was designed to evade casual detection by sysadmins.
  • Automation Layers: Their operation is highly automated—scripts coordinate scanning, exploitation, payload deployment, and persistence.
  • Persistence: The attackers maintain access even after deployment, leaving systems vulnerable to follow-up attacks by other actors.
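A defender-side check for the first tactic above, added here as an example and not taken from the Solar 4RAYS report: it enumerates /proc directly and compares that view with what the local ps prints, and it flags user-space processes that borrow a kernel-thread name like the one quoted. It assumes Linux with procps ps and root privileges; the name list and the output format are the example's own.

```python
import os
import re
import subprocess

PID_DIR = re.compile(r"^\d+$")
# Prefixes real kernel threads use; a user process wearing one is suspect.
KTHREAD_NAME = re.compile(r"^\[?(kworker|ksoftirqd|kthreadd|migration|rcu_)")

def pids_from_proc(proc_root="/proc"):
    """Enumerate PIDs by listing /proc directly, bypassing the ps binary."""
    return {int(d) for d in os.listdir(proc_root) if PID_DIR.match(d)}

def pids_from_ps():
    """PIDs as printed by the system's ps, the view a trojanised ps can filter."""
    out = subprocess.run(["ps", "-eo", "pid="], capture_output=True,
                         text=True, check=True).stdout
    return {int(tok) for tok in out.split()}

def hidden_pids(proc_pids, ps_pids):
    """PIDs present in /proc but absent from ps output.
    Short-lived processes (the ps child included) can race the two snapshots,
    so a single hit is a lead to confirm by hand, not proof on its own."""
    return sorted(proc_pids - ps_pids)

def is_kernel_thread_name(name):
    """True if a process name imitates a kernel thread such as kworker/u8:1."""
    return bool(KTHREAD_NAME.match(name))

def masquerading_pids(proc_root="/proc"):
    """User processes named like kernel threads. Real kernel threads have no
    executable image, so readlink on /proc/PID/exe fails with ENOENT; a fake
    one resolves to a file on disk. Run as root: for foreign processes the
    kernel otherwise refuses the readlink (EACCES) and exe is reported unknown."""
    found = []
    for pid in pids_from_proc(proc_root):
        try:
            with open(f"{proc_root}/{pid}/comm") as f:
                name = f.read().strip()
            if not is_kernel_thread_name(name):
                continue
            exe = os.readlink(f"{proc_root}/{pid}/exe")
        except (FileNotFoundError, ProcessLookupError):
            continue  # genuine kernel thread (no exe) or process already gone
        except PermissionError:
            exe = "(unreadable: rerun as root)"
        found.append((pid, name, exe))
    return found

if __name__ == "__main__":  # run as root on the suspect host
    print(hidden_pids(pids_from_proc(), pids_from_ps()), masquerading_pids())
```

The comparison only helps against the binary-replacement tactic the report describes; a rootkit that also hooks libc or the kernel filters the /proc listing too, so an inconclusive result should be followed by checking the binaries against package-manager checksums or inspecting the disk from a clean system.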

Risk of Escalation

Though the group appears focused on profit through resource hijacking, the retained access to compromised servers poses a latent risk.

“So far, we have not found evidence that these hackers have carried out more complex attacks,” said Ivan Syukhin, Head of Incident Investigation at Solar 4RAYS. “But that could change. Access to compromised servers could be sold to others with more destructive goals. Cybersecurity teams should take this threat seriously and implement protective measures.”

Key Takeaways

  • Proxyjacking is an emerging revenue stream for cybercriminals, and it’s flying under the radar compared to ransomware.
  • Automation-first threats like Proxy Trickster can compromise hundreds of devices with minimal human intervention.
  • Ongoing access to infected servers remains a threat vector—even if the initial intent is not espionage or sabotage.

Definitions

  • Proxyjacking: Hijacking public-facing servers and converting them into proxy endpoints to sell access.
  • Selenium Grid: A testing infrastructure for running automated browser tests on remote machines—previously exploited due to known vulnerabilities.
  • Multi-layered attack automation: A coordinated, script-driven approach to scanning, exploiting, masking, and monetizing server access.
