This malware botnet bricked over 600,000 routers in coordinated attack — but no one is really sure why

cables going into the back of a broadband router on white background

(Image credit: Shutterstock)

A malicious botnet bricked 600,000 office and home office (SOHO) routers in what seems to be a coordinated attack against a specific internet service provider (ISP).

Cybersecurity researchers from Lumen’s Black Lotus Labs recently released a report on a botnet they dubbed “Pumpkin Eclipse”.

In the report, the researchers said that a piece of commodity remote access trojan (RAT) called Chalubo compromised hundreds of thousands of SOHO routers, consisting of three specific models: ActionTec T3200s, ActionTec T3260s, and Sagemcom F5380, all belonging to the same ISP. Chalubo pulled these routers into the botnet which, among other things, was capable of running distributed denial of service (DDoS) attacks.

Replacing the devices

Then, between October 25 and 27, 2023, the routers started dying. While Black Lotus did not name the ISP being attacked, BleepingComputer said that the attack “bears a striking resemblance” to the Windstream outage, since its users started reporting dead routers on October 25.

"So I've had a T3200 modem for a while now, but today, something happened that I've never experienced before. The internet light is showing solid red. What does it mean, and how do I fix it?," one out of many Redditors said at the time.

Soon after, Windstream reached out saying the users need to replace their devices with new ones.

What remains a mystery is how the routers got infected with Chalubo to begin with. Apparently, the researchers weren’t able to find the initial access point, so either the attackers found a zero-day vulnerability, or simply exploited routers with weak credentials. In any case, almost half (49%) of the ISP’s routers were forced out of use in mere days.

Ironically enough, Chalubo does not have a persistence mechanism, so all it took to disrupt the botnet was to physically restart the router (a simple power outage would have sufficed). However, if the credentials on the router were weak, the attackers could re-establish the connection. In conclusion, having a strong password on a router is a must.

More from TechRadar Pro

The Internet Archive is fighting a major battle against DDoS attacks
Here's a list of the best firewalls today
These are the best endpoint protection tools right now

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.