Thanks Richard. When your daily driver turns into a beacon for bad guys, your world becomes the SOC. -------- Original Message -------- On Saturday, 01/17/26 at 12:26 rgolodner via NANOG <nanog@lists.nanog.org> wrote: Hello, I love seeing these old school descriptions of overflows and device compromise. Reminds me when I was doing SOC work for another company.Thank you and know some of us older guys and gals enjoy this immensely. Sincerely,Richard Golodner Info@infratection.com -------- Original message --------From: Intergalactic Auditor via NANOG <nanog@lists.nanog.org> Date: 1/17/26 10:45 (GMT-06:00) To: North American Network Operators Group <nanog@lists.nanog.org> Cc: Marco Moock <mm@dorfdsl.de>, Intergalactic Auditor <fr0mTheCloud@proton.me> Subject: Re: ISP Operators AISURU/Kimwolf botnet Why use tor when you can ride the carriers wave?This report is an example:https://github.com/0verdu/Stepped-On_Silicon/blob/main/infrastructure/tmobil... isn’t even in the picture. The setup bypasses the MVNO layer entirely and hits the MNO core to tunnel into private AWS space (172.31.35.241).When the C2 is integrated into the IMS core and uses a system-level NEVPN, it’s invisible to the user.-------- Original Message --------On Friday, 01/16/26 at 11:35 Tom Beecher via NANOG <nanog@lists.nanog.org> wrote:>> How does this work if the devices use TOR to contact their command and> control server?The most detailed analysis I have seen makes no mention of C2s comms viaTOR. If you have a reference that it does, can you share?On Fri, Jan 16, 2026 at 11:18 AM Marco Moock via NANOG <nanog@lists.nanog.org> wrote:> Am 16.01.2026 um 16:12:43 Uhr schrieb Mel Beckman via NANOG:>> > One way to do this is via DDoS filtering services like Lumen’s Lotus> > Defender. These have been effective at disrupting the botnet's> > infrastructure by filtering the low-volume inbound control channel.> > Yes, such services are not free, but the problem on your network is> > due to your customers, not anybody else’s. It is your customers’> > android IoT devices that are compromised.>> How does this work if the devices use TOR to contact their command and> control server?>> --> Gruß> Marco>> Send unsolicited bulk mail to 1768576363muell@cartoonies.org> _______________________________________________> NANOG mailing list>> https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/SIUGXVHC... mailing listhttps://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/TKCEPDNY... mailing list https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/AJEL3YS3... _______________________________________________ NANOG mailing list https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/3P3IEZLN...