The New Cyber Crime Trend No One is Talking About

While security teams are concerned mostly with AI-assisted phishing and ransomware threats, a more subtle danger has infiltrated networks silently. Cybercriminals have identified very quietly a stealthy weapon banked on such devices as your smart thermostat, your office printer, and networked storage devices. Besides these daily use gadgets, cybercriminals are also hijacking those devices for what researchers in cybersecurity refer to as Operational Relay Boxes (ORBs), thus turning the ordinary edge devices into invisible command-and-control infrastructure that is able to circumvent almost all traditional security controls.

This is not something notional. In 2024, some prominent botnet cases revealed the exact exploitation of edge devices through this method, however, the security community has not yet made this issue go so loud. The technique has introduced a new way for the attackers to keep their presence and dodge detection, and it is indeed spreading fast.

Why ORBs Are the Perfect Stealth Weapon

The brilliance of ORB attacks comes from the trust they exploited. The firewall you have set in place allows the connection to the security cameras. The SIEM you have does not highlight as abnormal the connections from the smart TV. These gadgets are in a vulnerability area from the security point of view, and the hackers are aware of it.

Here's how the attack chain typically unfolds:

1. Initial compromise through weak default passwords or unpatched vulnerabilities in IoT devices

2. Silent persistence by embedding malicious code in device firmware or memory

3. Traffic relay using the device's legitimate network permissions to tunnel commands to other compromised systems

4. Evasion of detection by blending malicious traffic with normal device communications

In contrast to conventional command-and-control servers that are easily noticeable in network logs, ORBs use trusted channels for their communication. A compromised smart speaker calling a cloud server at 2 AM, for instance, appears exactly like a normal firmware check.​

The Numbers Tell a Disturbing Story

The scope of the issue is still concealed as organizations are not searching for it. A shocking 48% of cybersecurity leaders confessed that they had not communicated significant breaches to their boards during the previous year, while 22% had kept five or more incidents hidden. Such a climate of underreporting keeps the real number of ORB-based attacks in the dark.​

What we do know is troubling:

• 30% of attacks now exploit public-facing applications, giving attackers the foothold needed to pivot toward edge devices​

• 68% of security leaders lack confidence in defending against AI-powered attacks, which increasingly include automated ORB exploitation​

• Healthcare and technology sectors-both saturated with connected devices-remain the most persistently targeted industries​

The tech industry is exposed to specific risks, as almost 50% of the total breaches in 2025 will be related to technology products and services used by vendor ecosystems. Any and every connected device used in these supply chains is equivalent to a potential ORB just waiting to be activated.

The Technical Evolution Making This Possible

The necessary tools and support for their malicious activities. The potential earnings from such exploits justify the investment, as there is a growing number of unprotected and vulnerable IoT devices in use.

The cyber threat landscape is still dominated by the use of ransomware as the primary attack vector, with the percentage of such incidents steadily increasing, as according to various reports. Furthermore, the number of targeted attacks has not decreased either, and rather, they have diversified in sophistication via the incorporation of new tools and techniques.

One example of a high-profile organization that fell victim to a disastrous ransomware attack is the Colonial Pipeline Company. The hackers not only encrypted the files of their victims but also threatened to release sensitive data if the ransom was not paid. This effectively made their demands much stronger and difficult to ignore. Ransomware attackers have been reported to be using more sophisticated methods for attacking organizations, resulting in bigger payouts. It is therefore not surprising that the trend of ransom demand escalation in inquiries has been on the rise.

To sum up, the present days have witnessed a significant and drastic change in the development and distribution of malware, and consequently, a reset in the battle of cat and mouse between the cybercriminals and security services.

• Automated vulnerability scanners for common IoT devices

• Pre-built payloads optimized for ARM and MIPS architectures

• Dashboards to manage thousands of compromised devices

• Integration modules for popular cloud platforms

This democratization means the threat isn't limited to nation-state actors. Ransomware gangs and data theft operations increasingly use ORBs as disposable infrastructure, burning through compromised devices to avoid attribution.​

Real-World Impact: Beyond the Technical Jargon

The implications go way beyond devices being compromised. When hackers establish ORBs inside your network, they are able to:

Lateral movement capabilities that bypass segmentation controls: A smart lightbulb becomes a bridge from your guest Wi-Fi to your financial systems.

Data exfiltration channels hiding in normal traffic patterns: Your network-attached storage device can be commanded to slowly siphon customer data without triggering Data Loss Prevention tools.

Persistent access that survives remediation of endpoints. It persists even after cleaning infected laptops, ready to reinfect.

Potential for massive disruption: State-aligned actors might activate millions of ORBs simultaneously during geopolitical tensions to overwhelm critical infrastructure.

While other financial institutions have witnessed a 47% increase in attacks, many of these incidents likely involved ORB infrastructure that granted persistent access to harvest credentials. The finance sector is particularly at risk in this regard because of the high interconnectedness of systems.​​

Why Traditional Defenses Fail

Current security stacks are designed for a world where threats come from outside the perimeter. ORBs turn this model on its head:

Zero Trust architectures help but do not solve the problem completely, mainly because while they require verification for every connection, quite often they exclude or improperly classify IoT devices due to their inability to run standard agents.

Most network monitoring tools whitelist device traffic. Your video conference system is whitelisted to freely communicate with outside servers without inspection, creating a perfect tunnel for attackers.

Managing patches for IoT devices is exceptionally challenging. Many manufacturers abandon support after 2-3 years, leaving devices with known vulnerabilities that never get fixed.

Asset inventories are incomplete. Most organizations cannot identify every connected device on their network, let alone monitor them for compromise.

Particularly exposed are the 76% of leaders who cited reduced federal cybersecurity programs as heightening their risk, as they've lost access to the threat intelligence that might identify ORB infrastructure before it becomes active.​

Detection Strategies That Actually Work

Identifying ORBs requires a change from signature-based detection to behavioral analysis. Following is what security teams should implement:

1. Baseline normal device behavior

• How often does your smart thermostat usually communicate?

• Which ports does your printer typically use?

• Establish these patterns then alert on deviations

2. Aggressively segment IoT devices

• Create a separate VLAN for all non-managed devices.

• Limit east-west traffic between IoT and production networks

• Treat each device as untrusted until proven otherwise

3. Monitor DNS requests from IoT devices

• DNS tunneling or Domain Generation Algorithms are commonly used by ORBs.

• Search for devices querying unusual hostnames

• Block IoT devices from using external DNS resolvers

4. Passive network scanning implementation

• Use tools that identify devices without active probing

• Track firmware versions and flag end-of-life devices

• Correlate device types with known vulnerabilities

5. Employ Deception Technology

• Honeypots emulating IoT devices can attract ORB operators.

• Early detection of reconnaissance activities

• Intelligence gathering on attack methodologies

In fact, organizations using managed security service providers have doubled to 66% today. This shift reflects the reality that specialized threat hunting capabilities-especially those focused on emerging techniques like ORB exploitation-are increasingly hard to maintain in-house.

The Path Forward: From Awareness to Action

It is time for the cybersecurity community to break its silence regarding ORB threats. The 48% rate of underreporting isn't just a transparency issue-it's creating a dangerous information gap where defenders can't see the full scope of the problem.​

Security leaders should:

Audit your edge device footprint comprehensively. You can't protect what you can't see. This includes not just IoT devices, but also network equipment, security systems, and building automation.

Pressure manufacturers for security transparency: demand documented support lifecycles, vulnerability disclosure programs, and the ability to monitor device behavior.

Invest in AI-powered detection that spots anomalous patterns across device communications. Although 68% of leaders aren't confident in AI defenses, the technology gap will continue to grow if defenders don't use the same tools as attackers.​

Update incident response plans for ORB scenarios. Can you isolate a compromised smart device without disrupting business operations? Do you have forensic capabilities for embedded systems?

Share threat intelligence about ORB indicators: The community has to break down the silos that enable this threat to stay under the radar. Each and every organization that uncovers ORB activity should contribute IoCs to the shared repositories.

Conclusion: The Conversation We Need to Have

The weaponization of edge devices isn't science fiction-it's happening now in networks worldwide. While security vendors chase AI-powered malware headlines, ORBs represent a more practical and immediate threat that exploits the trust relationships we've built into our connected environments.

The solution is not to tear out all of the IoT devices, but rather to extend the same security discipline we apply to servers and endpoints. This means ongoing monitoring, aggressive segmentation, and treating every connected device as a potential threat vector.

The ORB trend will only continue to accelerate as cybercriminals professionalize through Malware-as-a-Service platforms, and further automate their attacks with AI. The question isn't whether your devices will be targeted, but whether you'll detect it when they are.

Now is the time to have this conversation, before the ORBs in your network become the foothold for a breach that could have been prevented.