nanog mailing list archives
Re: ISP Operators AISURU/Kimwolf botnet
From: Intergalactic Auditor via NANOG <nanog () lists nanog org>
Date: Sat, 17 Jan 2026 18:36:52 +0000
Thanks Richard. When your daily driver turns into a beacon for bad guys, your world becomes the SOC.

-------- Original Message --------
On Saturday, 01/17/26 at 12:26 rgolodner via NANOG <nanog () lists nanog org> wrote:

Hello, I love seeing these old school descriptions of overflows and device compromise. Reminds me when I was doing SOC work for another company. Thank you and know some of us older guys and gals enjoy this immensely.

Sincerely,
Richard Golodner
Info () infratection com

-------- Original message --------
From: Intergalactic Auditor via NANOG <nanog () lists nanog org>
Date: 1/17/26 10:45 (GMT-06:00)
To: North American Network Operators Group <nanog () lists nanog org>
Cc: Marco Moock <mm () dorfdsl de>, Intergalactic Auditor <fr0mTheCloud () proton me>
Subject: Re: ISP Operators AISURU/Kimwolf botnet

Why use tor when you can ride the carriers wave?

This report is an example:
https://github.com/0verdu/Stepped-On_Silicon/blob/main/infrastructure/tmobile_usa.md

Tor isn’t even in the picture. The setup bypasses the MVNO layer entirely and hits the MNO core to tunnel into private AWS space (172.31.35.241).

When the C2 is integrated into the IMS core and uses a system-level NEVPN, it’s invisible to the user.

-------- Original Message --------
On Friday, 01/16/26 at 11:35 Tom Beecher via NANOG <nanog () lists nanog org> wrote:

>
> How does this work if the devices use TOR to contact their command and
> control server?

The most detailed analysis I have seen makes no mention of C2s comms via
TOR. If you have a reference that it does, can you share?

On Fri, Jan 16, 2026 at 11:18 AM Marco Moock via NANOG <nanog () lists nanog org> wrote:

> On 16.01.2026 at 16:12:43, Mel Beckman via NANOG wrote:
>
> > One way to do this is via DDoS filtering services like Lumen’s Lotus
> > Defender. These have been effective at disrupting the botnet's
> > infrastructure by filtering the low-volume inbound control channel.
> > Yes, such services are not free, but the problem on your network is
> > due to your customers, not anybody else’s. It is your customers’
> > android IoT devices that are compromised.
>
> How does this work if the devices use TOR to contact their command and
> control server?
>
> --
> Regards
> Marco
>
> Send unsolicited bulk mail to 1768576363muell () cartoonies org
> _______________________________________________
> NANOG mailing list
>
> https://lists.nanog.org/archives/list/nanog () lists nanog org/message/SIUGXVHCN74O2H4PGCVHOBU6TFVMUUF6/

_______________________________________________
NANOG mailing list
https://lists.nanog.org/archives/list/nanog () lists nanog org/message/IRQW3AP3OLGENDLI3YZ73UFFV457O26M/
