Why use tor when you can ride the carriers wave? This report is an example: https://github.com/0verdu/Stepped-On_Silicon/blob/main/infrastructure/tmobil... Tor isn’t even in the picture. The setup bypasses the MVNO layer entirely and hits the MNO core to tunnel into private AWS space (172.31.35.241). When the C2 is integrated into the IMS core and uses a system-level NEVPN, it’s invisible to the user. -------- Original Message -------- On Friday, 01/16/26 at 11:35 Tom Beecher via NANOG <nanog@lists.nanog.org> wrote:
How does this work if the devices use TOR to contact their command and control server?
The most detailed analysis I have seen makes no mention of C2s comms via TOR. If you have a reference that it does, can you share? On Fri, Jan 16, 2026 at 11:18 AM Marco Moock via NANOG < nanog@lists.nanog.org> wrote:
Am 16.01.2026 um 16:12:43 Uhr schrieb Mel Beckman via NANOG:
One way to do this is via DDoS filtering services like Lumen’s Lotus Defender. These have been effective at disrupting the botnet's infrastructure by filtering the low-volume inbound control channel. Yes, such services are not free, but the problem on your network is due to your customers, not anybody else’s. It is your customers’ android IoT devices that are compromised.
How does this work if the devices use TOR to contact their command and control server?
-- Gruß Marco
Send unsolicited bulk mail to 1768576363muell@cartoonies.org _______________________________________________ NANOG mailing list
https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/SIUGXVHC...
NANOG mailing list https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/TKCEPDNY...