Thanks Richard. When your daily driver turns into a beacon for bad guys, your world becomes the SOC.
-------- Original Message -------- On Saturday, 01/17/26 at 12:26 rgolodner via NANOG <[email protected]> wrote: Hello, I love seeing these old school descriptions of overflows and device compromise. Reminds me when I was doing SOC work for another company.Thank you and know some of us older guys and gals enjoy this immensely. Sincerely,Richard Golodner [email protected] -------- Original message --------From: Intergalactic Auditor via NANOG <[email protected]> Date: 1/17/26 10:45 (GMT-06:00) To: North American Network Operators Group <[email protected]> Cc: Marco Moock <[email protected]>, Intergalactic Auditor <[email protected]> Subject: Re: ISP Operators AISURU/Kimwolf botnet Why use tor when you can ride the carriers wave?This report is an example:https://github.com/0verdu/Stepped-On_Silicon/blob/main/infrastructure/tmobile_usa.mdTor isn’t even in the picture. The setup bypasses the MVNO layer entirely and hits the MNO core to tunnel into private AWS space (172.31.35.241).When the C2 is integrated into the IMS core and uses a system-level NEVPN, it’s invisible to the user.-------- Original Message --------On Friday, 01/16/26 at 11:35 Tom Beecher via NANOG <[email protected]> wrote:>> How does this work if the devices use TOR to contact their command and> control server?The most detailed analysis I have seen makes no mention of C2s comms viaTOR. If you have a reference that it does, can you share?On Fri, Jan 16, 2026 at 11:18 AM Marco Moock via NANOG <[email protected]> wrote:> Am 16.01.2026 um 16:12:43 Uhr schrieb Mel Beckman via NANOG:>> > One way to do this is via DDoS filtering services like Lumen’s Lotus> > Defender. These have been effective at disrupting the botnet's> > infrastructure by filtering the low-volume inbound control channel.> > Yes, such services are not free, but the problem on your network is> > due to your customers, not anybody else’s. It is your customers’> > android IoT devices that are compromised.>> How does this work if the devices use TOR to contact their command and> control server?>> --> Gruß> Marco>> Send unsolicited bulk mail to [email protected]> _______________________________________________> NANOG mailing list>> https://lists.nanog.org/archives/list/[email protected]/message/SIUGXVHCN74O2H4PGCVHOBU6TFVMUUF6/_______________________________________________NANOG mailing listhttps://lists.nanog.org/archives/list/[email protected]/message/TKCEPDNYOH6A6XI45AHWVW5S676NBIXN/_______________________________________________NANOG mailing list https://lists.nanog.org/archives/list/[email protected]/message/AJEL3YS3DZCRIWPGXDNCIEEJX2TY2I45/ _______________________________________________ NANOG mailing list https://lists.nanog.org/archives/list/[email protected]/message/3P3IEZLN4BHJZCEAJTB5LNU23H4ZMXSG/ _______________________________________________ NANOG mailing list https://lists.nanog.org/archives/list/[email protected]/message/IRQW3AP3OLGENDLI3YZ73UFFV457O26M/
