The Black Lotus Labs team at Lumen Technologies has identified a multi-year campaign targeting end-of-life (EoL) small home/small office (SOHO) routers and IoT devices, associated with an updated version of “TheMoon” malware. TheMoon, which emerged in 2014, has been operating quietly while growing to over 40,000 bots from 88 countries in January and February of 2024.…
On December 13, 2023, Lumen’s Black Lotus Labs reported our findings on the KV-botnet, a covert data transfer network used by state-sponsored actors based in China to conduct espionage and intelligence activities targeting U.S. critical infrastructure. Around the time of the first publication, we identified a spike in activity that we assess aligns with a significant effort by the operators managing this network to combat takedown efforts underway by the U.S.…
The Black Lotus Labs team at Lumen Technologies is tracking a small office/home office (SOHO) router botnet that forms a covert data transfer network for advanced threat actors. We are calling this the KV-botnet, based upon artifacts in the malware left by the authors.…
The Black Lotus Labs team has discovered a highly unique piece of malware designed to compromise the security of the extended Berkeley Packet Filter (eBPF) functionality in the Linux kernel of container-based operating systems, like CoreOS. eBPF is a programmable framework that allows users to run code within the kernel of Linux systems, without having to write a kernel-specific module.…
In March 2023, Lumen Black Lotus Labs reported on a complex campaign called “HiatusRAT” that infected over 100 edge networking devices globally. The campaign leveraged edge routers, or “living on the edge” access, to passively collect traffic and functioned as a covert network of command and control (C2) infrastructure. …
Lumen Black Lotus Labs® identified another multi-year campaign involving compromised routers across the globe. This is a complex operation that infects small-office/home-office (SOHO) routers, deploying a Linux-based Remote Access Trojan (RAT) we’ve dubbed “AVrecon.” Apart from a single reference to AVrecon in May 2021, the malware has been operating undetected for more than two years.…
Qakbot (aka Pinkslipbot, Qbot) has persisted as a banking trojan – then a potent malware/ransomware distribution network – for well over a decade, its origins going back as far as 2007. As a ransomware botnet, Qakbot is usually spread through email hijacking and social engineering, dropping malicious files that infect Windows hosts.…
Just nine months after discovering ZuoRAT – a novel malware targeting small office/home office (SOHO) routers – Lumen Black Lotus Labs® identified another, never-before-seen campaign involving compromised routers. This is a complex campaign we are calling “Hiatus”. It infects business-grade routers and deploys two malicious binaries, including a Remote Access Trojan (RAT) we’re calling HiatusRAT, and a variant of tcpdump that enables packet capture on the target device.…
The sophistication of threat actors’ DDoS strategy and tactics continues to evolve rapidly in response to improved mitigation-side efforts. Actors have complicated filtering and firewalling by bringing a more diverse set of vectors to the attack, attacking at multiple network layers at the same time and automating changes to the mix of vectors at attack time – perhaps even in response to the ongoing mitigation efforts.…
The prevalence of malware written in Go programming language has increased dramatically in recent years due to its flexibility, low antivirus detection rates and difficulty to reverse-engineer. Black Lotus Labs, the threat intelligence arm of Lumen Technologies, recently uncovered a multifunctional Go-based malware that was developed for both Windows and Linux, as well as a wide array of software architectures used in devices ranging from small office/home office (SOHO) routers to enterprise servers.…