You will begin to see emails regarding tickets to create for the Badbox 2 Malware issue.
If you are the one to take this task, post in the Chat and go into Other status while you create the tickets.
The emails will contain a spreadsheet with details of the customer who will receive an email to follow with details about the infection. Please take the following steps to open tickets for all affected customers:
- Sort rows by IP and remove the duplicates from the spreadsheet (Data > Remove Duplicates > Select All > Choose the Column that contains the IP address).
2. Find customers by IP listed in the spreadsheet using the MX480. Example: Type in “show subscribers address IPAddressHere”
3. Take the username from the MX480 and search for it in iVue (All tab > Search Type: Internet ID).
4. Open a ticket on customer’s Internet Agreement using the details from the spreadsheet. Subscriber Report will be “PQC Compromised Device / Website”.
Example TT 126686
2025-07-27 00:17:48Z 163.182.240.78 395261 AS-HCCL-7, CA suspected compromise malware infection android.badbox2 android.badbox2 This host is most likely infected with malware. https://www.shadowserver.org/what-we-do/network-reporting/sinkhole-events-report/ 178.162.217.107 443 60270 tcp a20facb6-604e-44ff-9dc5-f29cdcf514a9 An Autonomous System Number, 395261, defined in your asset configuration matched the ASN in this observation. Shadowserver high
5. After all tickets are created, create a Maintenance Ticket using the same subscriber report and merge all the tickets you just created into the maintenance ticket.
6. On the maintenance ticket, click on the Affected Service Points tab, then Send to > On Demand Messaging.
7. If there are any customers that do not have email addresses listed in iVue, you will get an error message. From there remove (Split) those tickets set to My Support to be called.
8. Send a Slack message to Marcel when the Maintenance ticket has been sent to On Demand Messaging and he will send out the email.