Connect with us

Hi, what are you looking for?


Malware & Threats

Mysterious Threat Actor Used Chalubo Malware to Brick 600,000 Routers

Over 600,000 SOHO routers belonging to a single ISP and infected with the Chalubo trojan were rendered inoperable.

More than 600,000 small office/home office (SOHO) routers belonging to the same ISP were rendered inoperable in a single destructive event, Lumen Technologies reports.

The impacted router models, from ActionTec and Sagemcom, were confined to the ISP’s autonomous system number (ASN), and were likely infected with Chalubo, a remote access trojan (RAT) that ensnares devices into a botnet.

The destructive incident occurred over a 72-hour period between October 25 and October 27, 2023, and impacted ActionTec T3200s, ActionTec T3260s, and Sagemcom F5380 router models.

The unique event, Lumen says, resulted in roughly 49% of the impacted ASNs modems being taken offline, with the affected devices having to be physically replaced. Overall, roughly 179,000 ActionTec and 480,000 Sagemcom routers might have been bricked.

“We assess with high confidence that the malicious firmware update was a deliberate act intended to cause an outage, and though we expected to see a number of router make and models affected across the internet, this event was confined to the single ASN,” Lumen notes.

The threat actor responsible for the attack, Lumen says, likely chose Chalubo to deploy malicious firmware on the impacted routers to obfuscate attribution, but no evidence of overlaps between this incident and known nation-state actors, such as Volt Typhoon, has been found.

Initially discovered in 2018, the Chalubo malware ensnares devices in a botnet capable of launching distributed denial-of-service (DDoS) attacks, but also supports the execution of Lua scripts on the infected devices. After infection, the trojan resides in memory, making it difficult to detect.

Lumen discovered hundreds of thousands of Chalubo bots worldwide, each interacting with only one of the tens of malware panels the botnet operator was seen using between September and November 2023. Most of the infections are in the US.

Advertisement. Scroll to continue reading.

Only one panel was used during the disruptive attack and not all Chalubo infections participated in it, suggesting that the panel might have been purchased to hinder attribution.

“This suggests that while the Chalubo malware was used in this destructive attack, it was not written specifically for destructive actions. We suspect the threat actors behind this event chose a commodity malware family to obfuscate attribution, instead of using a custom-developed toolkit,” Lumen says.

Related: US Government Urges Cleanup of Routers Infected by Russia’s APT28

Related: Sierra Wireless Router Flaws Could Expose Critical Infrastructure to Attacks

Related: Hardcoded Accounts Allow Full Takeover of Technicolor Routers

Written By

Ionut Arghire is an international correspondent for SecurityWeek.


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.


The AI Risk Summit brings together security and risk management executives, AI researchers, policy makers, software developers and influential business and government stakeholders.


People on the Move

Gabriel Agboruche has been named Executive Director of OT and Cybersecurity at Jacobs.

Data security startup Reco adds Merritt Baer as CISO

Chris Pashley has been named CISO at Advanced Research Projects Agency for Health (ARPA-H).

More People On The Move

Expert Insights