Mystery miscreant remotely bricked 600,000 SOHO routers with malicious firmware update

Source and motive of 'Pumpkin Eclipse' assault unknown

Unknown miscreants broke into more than 600,000 routers belonging to a single ISP late last year and deployed malware on the devices before totally disabling them, according to security researchers.

The cyber attack, which wasn't reported at the time, took place over a 72-hour period between October 25 and 27, 2023. It "rendered the infected devices permanently inoperable, and required a hardware-based replacement," according to US telco Lumen Technologies' Black Lotus Labs, which published details about the destructive event on Thursday and named it "Pumpkin Eclipse."

It seems the mysterious intruders specifically targeted two different routers – ActionTec's T3200 and T3260 – but it's unclear how they gained access.

"When searching for exploits impacting these models in [vulnerability alerting platform] OpenCVE for ActionTec, none were listed for the two models in question, suggesting the threat actor likely either abused weak credentials or exploited an exposed administrative interface," the Black Lotus researchers opined – without naming the impacted ISP.

It's been speculated that Arkansas-based Windstream was the victim, but the ISP declined to comment when approached by The Register.

Black Lotus revealed the unknown attackers broke the 600,000-plus routers using Chalubo – a remote access trojan (RAT).

The malware has been around since 2018 and has built-in features to encrypt communications with the command-and-control server, perform distributed-denial-of-service attacks, and execute Lua scripts on infected devices. Oddly, the criminals didn't use the DDoS functionality, we're told.

"At this time, we do not have an overlap between this activity and any known nation-state activity clusters," the threat hunters wrote.

Specifically, there's no overlap with China's Volt Typhoon, which also has an affinity for infecting routers, or Russia's Sandworm, aka SeaShell Blizzard, another crew known for destructive attacks.

The researchers added that this type of attack has only ever been seen once before: the AcidRain wiper case, which has been attributed to Sandworm and was used to take out KA-SAT modems used in Ukraine as a prelude to Russia's invasion.

Black Lotus asserts a high level of confidence that "the malicious firmware update was a deliberate act intended to cause an outage, and though we expected to see a number of router make and models affected across the internet, this event was confined to the single ASN [autonomous system number]." ®

More about


Send us news

Other stories you might like