Malware botnet bricked 600,000 routers in mysterious 2023 attack (2025)


A malware botnet named 'Pumpkin Eclipse' carried out a mysterious destructive event in 2023 that knocked more than 600,000 small office/home office (SOHO) internet routers offline, cutting off customers' internet access.

According to researchers at Lumen's Black Lotus Labs, who observed the incident, it disrupted internet access across numerous Midwest states between October 25 and October 27, 2023. This left owners of the infected devices with no option but to replace the routers.

Although large-scale, the incident had a focused impact, affecting a single internet service provider (ISP) and three models of routers used by the firm: the ActionTec T3200s, ActionTec T3260s, and Sagemcom F5380.

Black Lotus Labs says the particular ISP serves vulnerable communities in the United States and suffered a 49% reduction in operating modems due to the 'Pumpkin Eclipse' incident.


While Black Lotus did not name the ISP, the incident bears a striking resemblance to a Windstream outage that occurred during the same timeframe.

Starting on October 25, 2023, Windstream customers began reporting on Reddit that their routers were no longer working.

"So I've had a T3200 modem for a while now, but today, something happened that I've never experienced before. The internet light is showing solid red. What does it mean, and how do I fix it?" reported a user in the Windstream subreddit.

"Mine went down about 9PM last night, ignored until I had time to troubleshoot this afternoon. After going through the chatbot (and the T3200 not responding to the factory reset), it was pretty clear the router was the problem," said another user.

Subscribers impacted by the Windstream outage were told they needed to replace their routers with new ones to restore their internet access.

When contacted about the incident, Windstream told BleepingComputer that it had no comment.

Pumpkin Eclipse attack

Fast forward seven months and a new report by Black Lotus may finally shed some light on the incident, explaining that a botnet was responsible for bricking 600,000 routers across Midwest states at a single ISP in October 2023.

"Lumen Technologies' Black Lotus Labs identified a destructive event, as over 600,000 small office/home office (SOHO) routers were taken offline belonging to a single internet service provider (ISP). The incident took place over a 72-hour period between October 25-27, rendered the infected devices permanently inoperable, and required a hardware-based replacement. Public scan data confirmed the sudden and precipitous removal of 49% of all modems from the impacted ISP's autonomous system number (ASN) during this time period."

- Black Lotus Labs
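The "public scan data" signal the researchers describe can be reproduced from any internet-wide scan feed. The script below is an added example written for this page, not Black Lotus Labs' tooling: it counts the routers that answer a scan on two dates for one autonomous system, reports what fraction of the population vanished, and lists which device models the loss concentrated in (the clue that ruled out a single vendor's bad firmware update). The ASNs (64496/64497 from the documentation range), the 198.51.100.0/24 and 203.0.113.0/24 addresses, the dates and the model names are constructed placeholders.

```python
from collections import defaultdict
from datetime import date

# Documentation-only ASNs and IP ranges (RFC 5398 / RFC 5737); constructed.
ASN_HIT, ASN_CONTROL = 64496, 64497
BEFORE, AFTER = date(2023, 10, 24), date(2023, 10, 28)


def build_sample():
    """Constructed scan records shaped as (date, asn, model, ip).

    Before the event ASN 64496 has 100 responding routers; afterwards only
    59 still answer, and the loss is concentrated in two of three models.
    ASN 64497 is an unaffected control network."""
    recs = []
    plan = {  # model -> (hosts responding before, hosts responding after)
        "modelA": (40, 20),
        "modelB": (40, 20),
        "modelC": (20, 19),
    }
    host = 0
    for model, (n_before, n_after) in plan.items():
        for i in range(n_before):
            ip = f"198.51.100.{host + i}"
            recs.append((BEFORE, ASN_HIT, model, ip))
            if i < n_after:  # the first n_after of each model survive
                recs.append((AFTER, ASN_HIT, model, ip))
        host += n_before
    for i in range(30):
        ip = f"203.0.113.{i}"
        recs.append((BEFORE, ASN_CONTROL, "modelA", ip))
        recs.append((AFTER, ASN_CONTROL, "modelA", ip))
    return recs


def hosts_per_day(records, asn):
    """Distinct responding IPs per day, overall and per model, for one ASN."""
    per_day = defaultdict(set)
    per_day_model = defaultdict(lambda: defaultdict(set))
    for day, rec_asn, model, ip in records:
        if rec_asn != asn:
            continue
        per_day[day].add(ip)
        per_day_model[day][model].add(ip)
    return per_day, per_day_model


def detect_mass_loss(records, asn, before, after, threshold=0.25):
    """Compare the ASN's population on `before` and `after`.

    Returns (loss_fraction, models_hit); models_hit lists every model whose
    own population fell by more than `threshold`, so a loss spread across
    several vendors' devices (as in the article) is visible at a glance."""
    per_day, per_model = hosts_per_day(records, asn)
    n_before, n_after = len(per_day[before]), len(per_day[after])
    if n_before == 0:
        return 0.0, []
    loss = 1 - n_after / n_before
    hit = []
    for model, ips in per_model[before].items():
        remaining = len(per_model[after].get(model, set()))
        if 1 - remaining / len(ips) > threshold:
            hit.append(model)
    return loss, sorted(hit)


if __name__ == "__main__":
    for asn in (ASN_HIT, ASN_CONTROL):
        loss, hit = detect_mass_loss(build_sample(), asn, BEFORE, AFTER)
        print(f"AS{asn}: {loss:.0%} of hosts gone; models affected: {hit or 'none'}")
```

Feeding real scanner output in the same (date, asn, model, ip) shape is all that is needed; the model label can come from the scanner's device fingerprint or from the HTTP banner of the router's management page.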

The researchers could not determine the vulnerability used for initial access, so they assess that the attackers either exploited an unknown zero-day flaw or abused weak credentials on an exposed administrative interface.

The first-stage payload is a bash script named "get_scrpc," which fetches a second script called "get_strtriiush," which in turn retrieves and executes the primary bot payload, 'Chalubo' ("mips.elf").

Chalubo runs from memory to evade detection and encrypts its traffic to the command and control (C2) servers with ChaCha20 to protect the communication channel; once running, it removes its files from disk and changes its process name.
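Two of the traits just described leave marks that can be checked on a Linux-based router without any signature for the bot: a binary that keeps running after its file was unlinked shows up in /proc/<pid>/exe as "(deleted)" (or as a memfd), and a renamed process has a comm value that matches neither its executable nor its argv[0]. The triage below is an added example written for this page, not code from the Black Lotus Labs report or from Chalubo; the /proc snapshot it analyses is constructed, and the pids, paths and names in it are placeholders. It also handles the common false positive on routers, BusyBox applets, whose comm (e.g. udhcpc) legitimately differs from the /bin/busybox binary.

```python
import os

# Writable locations a dropper would typically stage a payload in.
SUSPICIOUS_TMP = ("/tmp/", "/var/tmp/", "/dev/shm/")

# Constructed /proc snapshot (not real router data). Each entry mirrors
# readlink(/proc/<pid>/exe), /proc/<pid>/comm and argv[0] from cmdline.
SAMPLE_SNAPSHOT = [
    {"pid": 1,    "exe": "/sbin/init",              "comm": "init",        "argv0": "/sbin/init"},
    {"pid": 9,    "exe": "",                        "comm": "kworker/0:1", "argv0": ""},        # kernel thread, no exe
    {"pid": 412,  "exe": "/usr/sbin/dropbear",      "comm": "dropbear",    "argv0": "/usr/sbin/dropbear"},
    {"pid": 530,  "exe": "/bin/busybox",            "comm": "udhcpc",      "argv0": "udhcpc"},  # BusyBox applet: benign mismatch
    {"pid": 2731, "exe": "/tmp/mips.elf (deleted)", "comm": "dhcpc",       "argv0": "/tmp/mips.elf"},
    {"pid": 2802, "exe": "/memfd:x (deleted)",      "comm": "kworker/0:1", "argv0": "kworker/0:1"},
]


def collect_live(proc_root="/proc"):
    """Build the same snapshot shape from a live Linux /proc (root helps)."""
    snap = []
    for pid in filter(str.isdigit, os.listdir(proc_root)):
        base = f"{proc_root}/{pid}"
        try:
            exe = os.readlink(f"{base}/exe")
        except OSError:
            exe = ""  # kernel threads and processes we may not inspect
        try:
            with open(f"{base}/comm") as fh:
                comm = fh.read().strip()
            with open(f"{base}/cmdline", "rb") as fh:
                argv0 = fh.read().split(b"\0")[0].decode(errors="replace")
        except OSError:
            continue
        snap.append({"pid": int(pid), "exe": exe, "comm": comm, "argv0": argv0})
    return snap


def triage(snapshot):
    """Return {pid: [reasons]} for processes showing the traits above."""
    findings = {}
    for p in snapshot:
        reasons = []
        exe = p["exe"]
        if exe.startswith("/memfd:") or exe.endswith(" (deleted)"):
            reasons.append("executable is memory-only or was unlinked from disk")
        if exe.startswith(SUSPICIOUS_TMP):
            reasons.append("executable was launched from a writable temp path")
        # comm is truncated by the kernel to 15 characters; compare accordingly.
        base_exe = exe.replace(" (deleted)", "").rsplit("/", 1)[-1]
        base_argv = p["argv0"].rsplit("/", 1)[-1]
        comm = p["comm"]
        if base_exe and comm not in (base_exe[:15], base_argv[:15]):
            reasons.append(f"process name {comm!r} matches neither binary {base_exe!r} nor argv[0]")
        if reasons:
            findings[p["pid"]] = reasons
    return findings


if __name__ == "__main__":
    for pid, why in sorted(triage(SAMPLE_SNAPSHOT).items()):
        print(pid, "->", "; ".join(why))
```

On a device with a shell, `triage(collect_live())` runs the same rules against the real process table; because the article notes Chalubo has no persistence, a hit that disappears after a reboot is consistent with the described behaviour, while one that survives a reboot points at something else.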

The attacker can send commands to the bot through Lua scripts, which enable data exfiltration, downloading of additional modules, or introducing new payloads on the infected device.


Upon execution, after a 30-minute delay intended to evade sandboxes, the bot collects host-based information such as the MAC address, device ID, device type, device version, and local IP address.

Chalubo has distributed denial of service (DDoS) functionality, indicating Pumpkin Eclipse's operational goals. However, Black Lotus Labs did not observe any DDoS attacks from the botnet.

The analysts note that Chalubo lacks a persistence mechanism, so rebooting the infected router disrupts the bot's operation.

Black Lotus Labs says its telemetry indicates that Chalubo operated 45 malware panels communicating with over 650,000 unique IP addresses between October 3 and November 3, most of them in the United States.


Only one of these panels was used for the destructive attack and it focused on a specific American ISP, causing Black Lotus researchers to believe that the attacker purchased the Chalubo panel for the specific purpose of deploying the destructive payload on routers.

"The second unique aspect is that this campaign was confined to a particular ASN. Most previous campaigns we’ve seen target a specific router model or common vulnerability and have effects across multiple providers’ networks. In this instance, we observed that both Sagemcom and ActionTec devices were impacted at the same time, both within the same provider’s network. This led us to assess it was not the result of a faulty firmware update by a single manufacturer, which would normally be confined to one device model or models from a given company. Our analysis of the Censys data shows the impact was only for the two in question. This combination of factors led us to conclude the event was likely a deliberate action taken by an unattributed malicious cyber actor, even if we were not able to recover the destructive module." - Black Lotus

Unfortunately, the researchers could not find the payload used to brick the routers, so they were unable to determine how it was done or for what purpose.

Black Lotus Labs notes that this is the first time, apart from the "AcidRain" incident, that a botnet malware was ordered to destroy its hosts and cause large-scale financial damage by imposing hardware replacements.


FAQs


What mysterious hack destroyed 600,000 routers?

Black Lotus Labs researchers say the attacker used off-the-shelf Chalubo malware to gain access to the routers, and that their firmware was eventually overwritten, effectively bricking the devices. The disruption resulted in a flood of complaints on a forum about the damaged routers.

What mystery malware destroyed 600,000 routers?

According to Black Lotus Labs, the routers—conservatively estimated at a minimum of 600,000—were taken out by an unknown threat actor with equally unknown motivations. The actor took deliberate steps to cover their tracks by using commodity malware known as Chalubo, rather than a custom-developed toolkit.

Did unidentified attackers brick 600,000 routers in 72 hours using Chalubo?

More than 600,000 small office/home office (SOHO) routers belonging to a single ISP and infected with the Chalubo trojan were rendered inoperable in a single destructive event, Lumen Technologies reports.

What mystery malware destroys routers?

Mystery malware destroyed 600,000 routers from a single ISP during a 72-hour span: an unknown threat actor with equally unknown motives forced the ISP to replace the routers.

Can I tell if my router has been hacked?

Unusual network activity

Spotting strange outgoing connections or network activity at odd hours when no one is using the internet could indicate that your router has been compromised.

Can someone hack my router remotely?

Yes, attackers can reach your router and Wi-Fi remotely, especially if remote management is enabled in the router's settings or the router uses a weak password that can be easily guessed.

Which malware can spy on you?

Spyware is loosely defined as malicious software designed to enter your computer device, gather data about you, and forward it to a third-party without your consent. Spyware can also refer to legitimate software that monitors your data for commercial purposes like advertising.

What is the hardest malware to detect?

Fileless malware. It operates by residing only in a system's RAM and leveraging legitimate tools and processes already present on the victim's computer, which makes it extremely difficult to detect and remove using traditional antivirus solutions.

How do I know if my router is bricked?

A bricked router powers on but never finishes booting: typically only a single status LED stays lit (often orange) and the device no longer responds to a factory reset or answers on its management address. The router's model is printed on the label on the bottom of the unit, which you will need when arranging a replacement.


How do you fix a bricked router?

Power off the router, hold down the Reset button on the back, power it on while still holding Reset, and release the button once the status LEDs start flashing. Then wait for the router to reboot on its own. This only helps with a soft-bricked device whose configuration is corrupted; routers whose firmware has been overwritten, as in the Pumpkin Eclipse incident, did not respond to a factory reset and had to be replaced.

What is the FBI warning about routers?

The FBI warns that: “The remediated routers remain vulnerable to future exploitation by Volt Typhoon and other hackers, and the FBI strongly encourages router owners to remove and replace any end-of-life SOHO router currently in their networks.”

How do I know if my Wi-Fi has malware?

Common signs your router may be infected by hackers:
  - Your computer programs are randomly crashing.
  - You notice several fake antivirus messages in pop-up windows on your screen.
  - Your web browser has new toolbars with names you don't recognize.
  - Your internet searches are redirected to websites you aren't trying to reach.

How do I scan my router for malware?

Use a dedicated router virus checker:
  1. Open AVG AntiVirus FREE and click Computer under the Basic Protection category.
  2. Select Network Inspector. ...
  3. Choose the type of network you're using: Home or Public.
  4. After you make your selection, AVG AntiVirus FREE will start scanning your wireless network.

Which routers are prone to hijacking?

Most of the routers affected were old or outdated routers produced by Cisco and NetGear, according to the DOJ. Outdated devices are more vulnerable to attacks like this because they're not eligible for software updates and security patches.

Can hackers break your router?

Routers have vulnerabilities that attackers can exploit if they are not patched. Installing firmware updates closes the known vulnerabilities that attackers could use to break into the device and eavesdrop on your activity; it cannot protect against flaws that are not yet public, such as the unknown initial access vector in the Pumpkin Eclipse incident.

What can hackers see if they hack your Wi-Fi?

A Wi-Fi hack can be extremely dangerous. An attacker on your network can intercept any unencrypted traffic sent by the devices on it, which can include login credentials and passwords as well as other personal and financial information, and can use that position to push malware onto your devices.

Article information

Author: Fr. Dewey Fisher