Texas Border Business
Texas Border Business
According to Lumen Technologies’ Black Lotus Labs, a major cyberattack took over 600,000 small office/home office (SOHO) routers offline at a single internet service provider (ISP). The attack happened between October 25-27, 2023, and made the routers permanently unusable, requiring hardware replacements. Public scan data confirmed that 49% of all modems from the affected ISP were suddenly removed during this period.
Black Lotus Labs identified “Chalubo,” a remote access trojan (RAT), as the main malware used in the attack. First identified in 2018, Chalubo hides its tracks by running only in memory, using random process names, and encrypting its communications. These tactics likely explain why one report on Chalubo has been published only now. Chalubo can perform DDoS attacks and execute scripts, which were probably used by the hackers to deliver the destructive payload.
Lumen’s data shows that Chalubo was very active in late 2023 and early 2024. In October, Lumen found over 330,000 unique IP addresses communicating with 75 command servers, confirming infections. The attack was confined to one ISP, likely to hide the hackers’ identity. Lumen is confident that the firmware update causing the outage was deliberate.
This attack is particularly concerning because it affected rural and underserved communities, disrupting emergency services, farming information, and healthcare access. Recovery from such disruptions takes longer in isolated or vulnerable communities.
Black Lotus Labs started investigating in late October 2023 after noticing complaints about specific ActionTec devices. Many users reported their routers, models T3200s and T3260s, displayed a static red light and needed replacing. Data analysis showed a significant drop in the number of exposed devices on the ISP’s network, confirming the attack’s impact.
For more details, visit Pumpkin Eclipse.
