This malware botnet bricked over 600,000 routers in coordinated attack — but no one is really sure why

cables going into the back of a broadband router on white background
(Image credit: Shutterstock)

A malicious botnet bricked 600,000 office and home office (SOHO) routers in what seems to be a coordinated attack against a specific internet service provider (ISP).

Cybersecurity researchers from Lumen’s Black Lotus Labs recently released a report on a botnet they dubbed “Pumpkin Eclipse”. 

In the report, the researchers said that a piece of commodity remote access trojan (RAT) called Chalubo compromised hundreds of thousands of SOHO routers, consisting of three specific models: ActionTec T3200s, ActionTec T3260s, and Sagemcom F5380, all belonging to the same ISP. Chalubo pulled these routers into the botnet which, among other things, was capable of running distributed denial of service (DDoS) attacks.

Replacing the devices

Then, between October 25 and 27, 2023, the routers started dying. While Black Lotus did not name the ISP being attacked, BleepingComputer said that the attack “bears a striking resemblance” to the Windstream outage, since its users started reporting dead routers on October 25. 

"So I've had a T3200 modem for a while now, but today, something happened that I've never experienced before. The internet light is showing solid red. What does it mean, and how do I fix it?," one out of many Redditors said at the time.

Soon after, Windstream reached out saying the users need to replace their devices with new ones. 

What remains a mystery is how the routers got infected with Chalubo to begin with. Apparently, the researchers weren’t able to find the initial access point, so either the attackers found a zero-day vulnerability, or simply exploited routers with weak credentials. In any case, almost half (49%) of the ISP’s routers were forced out of use in mere days. 

Ironically enough, Chalubo does not have a persistence mechanism, so all it took to disrupt the botnet was to physically restart the router (a simple power outage would have sufficed). However, if the credentials on the router were weak, the attackers could re-establish the connection. In conclusion, having a strong password on a router is a must. 

More from TechRadar Pro

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

Read more
Insecure network with several red platforms connected through glowing data lines and a black hat hacker symbol
Cisco, ASUS, QNAP, and Synology devices hijacked to major botnet
Insecure network with several red platforms connected through glowing data lines and a black hat hacker symbol
Dangerous new botnet targets webcams, routers across the world
Insecure network with several red platforms connected through glowing data lines and a black hat hacker symbol
Industrial routers are being hit by zero-days from new Mirai botnets
Abstract image of robots working in an office environment including creating blueprint of robot arm, making a phone call, and typing on a keyboard
This worrying botnet targets unsecure TP-Link routers - thousands of devices already hacked
A stylized depiction of a padlocked WiFi symbol sitting in the centre of an interlocking vault.
IoT’s botnet problem is up 500% – three things admins must do now
Insecure network with several red platforms connected through glowing data lines and a black hat hacker symbol
Another huge new botnet is infecting thousands of webcams and video recorders for DDoS attacks
Latest in Security
Isometric demonstrating multi-factor authentication using a mobile device.
NCSC gets influencers to sing the praises of 2FA
Sam Altman and OpenAI
OpenAI is upping its bug bounty rewards as security worries rise
A stylized depiction of a padlocked WiFi symbol sitting in the centre of an interlocking vault.
Dangerous new CoffeeLoader malware executes on your GPU to get past security tools
China
Notorious Chinese hackers FamousSparrow allegedly target US financial firms
A digital representation of a lock
NYU website defaced as hacker leaks info on a million students
NHS
NHS IT supplier hit with major fine following ransomware attack
Latest in News
Nintendo Switch 2 Joy-Con up-close from app store
Nintendo's new app gave us another look at the Switch 2, and there's something different with the Joy-Con
cheap Nintendo Switch game deals sales
Nintendo didn't anticipate that Mario Kart 8 Deluxe was 'going to be the juggernaut' for the Nintendo Switch when it was ported to the console, according to former employees
Three angles of the Apple MacBook Air 15-inch M4 laptop above a desk
Apple MacBook Air 15-inch (M4) review roundup – should you buy Apple's new lightweight laptop?
Witchbrook
Witchbrook, the life-sim I've been waiting years for, finally has a release window and it's sooner than you think
Amazon Echo Smart Speaker
Amazon is experimenting with renaming Echo speakers to Alexa speakers, and it's about time
Shigeru Miyamoto presents Nintendo Today app
Nintendo Today smartphone app is out now on iOS and Android devices – and here's what it does