nanog mailing list archives

Re: ISP Operators AISURU/Kimwolf botnet


From: Intergalactic Auditor via NANOG <nanog () lists nanog org>
Date: Sat, 17 Jan 2026 15:17:32 +0000

Why use Tor when you can ride the carrier's wave?


This report is an example:
https://github.com/0verdu/Stepped-On_Silicon/blob/main/infrastructure/tmobile_usa.md

Tor isn’t even in the picture. The setup bypasses the MVNO layer entirely and hits the MNO core to tunnel into private 
AWS space (172.31.35.241).

When the C2 is integrated into the IMS core and uses a system-level NEVPN, it’s invisible to the user.

-------- Original Message --------
On Friday, 01/16/26 at 11:35 Tom Beecher via NANOG <nanog () lists nanog org> wrote:

How does this work if the devices use TOR to contact their command and
control server?


The most detailed analysis I have seen makes no mention of C2 comms via
TOR. If you have a reference that it does, can you share?

On Fri, Jan 16, 2026 at 11:18 AM Marco Moock via NANOG <
nanog () lists nanog org> wrote:

On 16.01.2026 at 16:12:43, Mel Beckman via NANOG wrote:

One way to do this is via DDoS filtering services like Lumen’s Lotus
Defender. These have been effective at disrupting the botnet's
infrastructure by filtering the low-volume inbound control channel.
Yes, such services are not free, but the problem on your network is
due to your customers, not anybody else’s.  It is your customers’
Android IoT devices that are compromised.

How does this work if the devices use TOR to contact their command and
control server?

--
Regards
Marco

Send unsolicited bulk mail to 1768576363muell () cartoonies org
_______________________________________________
NANOG mailing list

https://lists.nanog.org/archives/list/nanog () lists nanog org/message/SIUGXVHCN74O2H4PGCVHOBU6TFVMUUF6/