Massive Chalubo Malware Attack Bricks 600,000 Routers in the U.S.

Over 600,000 Routers Bricked by Chalubo Malware in Major U.S. Outage

In October 2023, customers of the internet provider Windstream reported a widespread outage when their routers suddenly stopped working, becoming unresponsive to reboots and all recovery attempts. Security researchers have now revealed that this large-scale attack, dubbed “Pumpkin Eclipse” (as it occurred right before Halloween), affected more than 600,000 devices and was carried out using the Chalubo malware.

Incident Details and Impact

According to researchers from Black Lotus Labs at Lumen, who monitored the incident from October 25 to 27, 2023, internet access was disrupted for users across several states, including Iowa, Alabama, Arkansas, Georgia, and Kentucky.

One affected user described the situation with their ActionTec T3200 routers, provided by Windstream: “Now our routers just sit there with a solid red light on the front panel. They don’t even respond to the RESET button.”

Another user shared on the same forum: “We have three kids and both work from home. This outage cost us $1,500, considering lost business, no TV, no Wi-Fi, hours spent on the phone, and so on. It’s so sad that a company can treat its customers this way.”

As a result, Windstream was forced to urgently replace the affected routers, providing customers with new devices.

Scope of the Attack

Despite its scale, the incident was limited to a single internet provider and three router models used by Windstream: ActionTec T3200s, ActionTec T3260s, and Sagemcom F5380. Researchers estimate that the “Pumpkin Eclipse” attack reduced the number of operational Windstream devices by 49%, impacting nearly half of the provider’s subscribers.

“Black Lotus Labs identified a destructive incident: over 600,000 SOHO routers belonging to one ISP were rendered inoperable. The incident lasted 72 hours from October 25 to 27 and resulted in the permanent failure of infected devices, requiring their replacement,” analysts wrote in their published report.

Attack Methodology

Researchers were unable to determine the exact vulnerability used to gain initial access to the routers. It is believed that the attackers either exploited an unknown zero-day vulnerability or abused weak credentials on an exposed administrative interface.

The attack unfolded in several stages. First, a bash script called get_scrpc was executed to download a second script, get_strtriiush, which extracted and ran the main payload: the Chalubo malware (mips.elf).

Chalubo runs in memory to avoid detection, uses ChaCha20 encryption to communicate with its command and control servers, wipes all files from disk, and changes its process name after launch. Attackers can send commands to the bot via Lua scripts, enabling data exfiltration, loading additional modules, or deploying new payloads to the infected device.

After execution and a 30-minute pause (to evade sandbox analysis), the malware collects host information, including MAC address, device ID, type and version, and local IP address. Notably, Chalubo does not persist on the system, so rebooting an infected router disrupts the malware’s operation.
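As an added defender-side example (not code from the article or from Black Lotus Labs), the Python below scans syslog-style router log lines for the staging chain just described (get_scrpc, then get_strtriiush, then mips.elf) and measures the pause between payload execution and the first outbound connection, which the article attributes to sandbox evasion. The log lines, host name, IP addresses and the 25-minute quiet-period threshold are constructed assumptions; the file names are the ones quoted in the article.

```python
"""
Added example: flag the Chalubo staging chain and the sleep-then-beacon
pattern in router log lines. Log format, hosts and IPs are constructed.
"""
import re
from datetime import datetime

# Stage indicators are the file names named in the article; order matters.
STAGES = [
    ("stage1_downloader", re.compile(r"\bget_scrpc\b")),
    ("stage2_loader", re.compile(r"\bget_strtriiush\b")),
    ("payload", re.compile(r"\bmips\.elf\b")),
]
# Assumed (constructed) format of an outbound-connection event in the log.
OUTBOUND_RE = re.compile(r"outbound tcp \S+ -> (\S+)")

# Constructed sample lines in BSD syslog format (203.0.113.0/24 is a
# documentation range, not a real C2 address).
SAMPLE_LOG = """\
Oct 25 01:40:02 cpe sh[812]: exec /tmp/get_scrpc
Oct 25 01:40:05 cpe sh[812]: fetch /tmp/get_strtriiush from 203.0.113.10
Oct 25 01:40:09 cpe sh[819]: exec /tmp/get_strtriiush
Oct 25 01:40:11 cpe sh[819]: exec /tmp/mips.elf
Oct 25 02:10:40 cpe kernel: net: outbound tcp 10.0.0.2:51022 -> 203.0.113.10:8443
"""

# Constructed benign activity for comparison: NTP client talking out at once.
BENIGN_LOG = """\
Oct 25 01:40:02 cpe sh[812]: exec /usr/sbin/ntpclient
Oct 25 01:40:03 cpe kernel: net: outbound tcp 10.0.0.2:40001 -> 192.0.2.7:123
"""


def parse_timestamp(line, year):
    """Parse the leading 'Mon DD HH:MM:SS' syslog timestamp (no year in the log)."""
    return datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")


def analyse(log_text, year=2023, min_quiet_minutes=25):
    """Return a verdict describing which stages appeared, in what order, and
    how long the payload stayed silent before its first outbound connection."""
    seen = []            # stage names in order of first appearance
    payload_time = None  # when mips.elf was first executed
    first_beacon = None  # (timestamp, destination) of first outbound after payload
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts = parse_timestamp(line, year)
        for name, pattern in STAGES:
            if name not in seen and pattern.search(line):
                seen.append(name)
                if name == "payload":
                    payload_time = ts
        m = OUTBOUND_RE.search(line)
        if m and payload_time and ts > payload_time and first_beacon is None:
            first_beacon = (ts, m.group(1))

    expected = [name for name, _ in STAGES]
    delay = None
    if payload_time and first_beacon:
        delay = int((first_beacon[0] - payload_time).total_seconds() // 60)
    return {
        "stages": seen,
        "complete_chain": seen == expected,
        "beacon_delay_minutes": delay,
        "beacon_dst": first_beacon[1] if first_beacon else None,
        # A long pause before the first beacon matches the evasion delay the
        # article describes; legitimate daemons normally talk out immediately.
        "sleep_then_beacon": delay is not None and delay >= min_quiet_minutes,
    }


if __name__ == "__main__":
    for label, log in (("suspect", SAMPLE_LOG), ("benign", BENIGN_LOG)):
        print(label, analyse(log))
```

Because the article notes that Chalubo does not persist across reboots, a positive verdict on a still-responsive device is also a cue to power-cycle it and then re-run the scan on fresh logs to confirm the chain does not reappear.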

Chalubo also has built-in DDoS attack capabilities, though researchers did not observe such activity from this botnet during the incident.

Chalubo’s Reach and Unique Aspects of the Attack

Black Lotus Labs telemetry shows that from October 3 to November 3, 2024, Chalubo used 45 malicious panels communicating with 650,000 unique IP addresses, most of which were in the United States. Only one of these panels was used for the destructive attack on the American ISP, leading researchers to believe that an attacker specifically acquired access to Chalubo to deploy destructive malware on Windstream routers.

“Another unique aspect of this incident is that the campaign was limited to a specific ASN,” experts explained. “Most previous campaigns targeted a particular router model or a widespread vulnerability, affecting networks of multiple providers. In this case, we saw Sagemcom and ActionTec devices affected simultaneously, but only within one provider’s network. This suggests the cause was not a firmware update from a specific manufacturer, as that would have impacted only one model or one company’s devices. These factors led us to conclude that this was most likely a deliberate attack by an unknown threat actor, although we were unable to recover the destructive module itself.”

Unanswered Questions and First-of-its-Kind Attack

Since experts could not find or recover the payload used by the attackers, they were unable to determine exactly how the attack was carried out or the hackers’ ultimate goal. Chalubo allowed arbitrary Lua scripts to be executed on infected devices, and researchers believe the malware downloaded and ran code that overwrote the routers’ firmware, intentionally damaging it.

According to Black Lotus Labs, this is the first known case (apart from the AcidRain incident) where a botnet was instructed to destroy devices and inflict financial damage on the victim company.
