Home / News

Mystery Malware Takes Down 600,000 Windstream Routers in Coordinated Attack

In late October, subscribers of Windstream’s Kinetic broadband service reported widespread router failures, affecting approximately 600,000 devices across 18 states. Users flooded online forums with complaints, noting their ActionTec T3200 routers displayed a persistent red light and were unresponsive to resets. The outages significantly disrupted daily life, with one subscriber citing over $1,500 in losses due to the service interruption.

Windstream, serving 1.6 million subscribers, initially provided little explanation. The company replaced the bricked routers, but the incident remained shrouded in mystery until a recent report by security firm Lumen Technologies’ Black Lotus Labs. Their investigation revealed that the outage was the result of a deliberate cyberattack involving malware known as Chalubo. This malware infected the routers, executing custom Lua scripts that permanently overwrote the firmware, rendering the devices unusable.

The attack targeted a single autonomous system number (ASN), and Black Lotus Labs discovered a significant drop in the affected router models during the outage period. The attack’s scale and precision are unprecedented, with the only comparable incident being the 2022 AcidRain malware attack on Viasat modems amid the Ukraine conflict.

Researchers suspect a sophisticated threat actor, potentially a nation-state, orchestrated the attack, though they have not identified any specific group. The malware’s use of commodity tools rather than custom-developed ones complicates attribution. Despite thorough analysis, the initial infection vector remains unknown, with possibilities ranging from exploiting vulnerabilities to leveraging weak credentials or exposed administrative panels.

Windstream has not responded to inquiries about the incident, leaving affected customers and security experts seeking more answers about this significant and unusual cyberattack.

By CircleID Reporter

CircleID’s internal staff reporting on news tips and developing stories. Do you have information the professional Internet community should be aware of? Contact us.

Visit Page

Filed Under


Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Co-designer of the TCP/IP Protocols & the Architecture of the Internet



Domain Names

Sponsored byVerisign

New TLDs

Sponsored byRadix


Sponsored byVerisign

IPv4 Markets

Sponsored byIPv4.Global

Brand Protection

Sponsored byCSC

Threat Intelligence

Sponsored byWhoisXML API


Sponsored byDNIB.com