APT / THREAT GROUP

AVrecon

2 aliases
Last seen: Mar 17, 2026

Intelligence Profile

AVrecon is a Linux-based Remote Access Trojan (RAT) targeting small-office/home-office (SOHO) routers and other ARM-embedded devices. The malware is distributed via exploitation of unpatched vulnerabilities or common misconfigurations of the targeted devices. Once deployed, AVrecon collects some information about the infected device, opens a session to a pre-configured C&C server, and spawns a remote shell for command execution. It might also download additional arbitrary files and run them. The malware has recently been used in campaigns aimed at ad fraud, password spraying and data exfiltration.

Threat Analysis

AVrecon is a known-sophistication threat actor of undetermined national origin, engaged in cyber operations with a primary motivation of unknown activity patterns.

Quick Facts

Type: APT / Threat Group
Aliases: 2

Also Known As

elf.avrecon, AVrecon

External Intelligence

Malpedia: elf.avrecon

Data sourced from Malpedia, Ransomware.live, RansomLook, and CTIWATCH OSINT collection. Actor attribution is based on available intelligence and may be incomplete.