0x446172696F

8 Followers
98 Following
8 Posts
Freelance IT consultant
CTI analyst - GCTI
@0xThiebaut @vict0ni
+1 for deepdarkCTI
Another source I like to use is Josh Highet's "Ransomwatch" project on GitHub: https://github.com/joshhighet/ransomwatch/blob/main/groups.json
The JSON contains the URLs.
Or just directly from the website: https://ransomwatch.telemetry.ltd/#/profiles?id=lockbit3
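As an added example that is not part of the original post or of the ransomwatch project, the snippet below shows how a CTI analyst might consume a groups.json-style file: parse it, keep only the leak-site locations that are both enabled and currently available, and group the hostnames by actor. The JSON embedded here is constructed, and its shape (a list of groups, each with a "name" and a "locations" list carrying "fqdn", "available" and "enabled") is an assumption about the real file's schema; the linked groups.json on GitHub is the authoritative source for both the schema and the actual values.

```python
import json
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample in the shape assumed for ransomwatch's groups.json.
# The hostnames are placeholders, not real leak-site addresses.
SAMPLE_GROUPS_JSON = """
[
  {
    "name": "examplegroup",
    "locations": [
      {"fqdn": "exampleaaaa.onion", "available": true,  "enabled": true},
      {"fqdn": "examplebbbb.onion", "available": false, "enabled": true},
      {"fqdn": "examplecccc.onion", "available": true,  "enabled": false}
    ]
  },
  {
    "name": "othergroup",
    "locations": [
      {"fqdn": "otherdddd.onion", "available": true, "enabled": true}
    ]
  }
]
"""


@dataclass(frozen=True)
class LeakSite:
    """One tracked leak-site location belonging to a named group."""
    group: str
    fqdn: str
    available: bool
    enabled: bool


def parse_groups(text: str) -> List[LeakSite]:
    """Flatten a groups.json-style document into LeakSite records.

    Missing keys are tolerated so a schema change in the upstream file
    degrades gracefully instead of raising on every record.
    """
    data = json.loads(text)
    if not isinstance(data, list):
        raise ValueError("expected a JSON array of group objects")
    sites: List[LeakSite] = []
    for group in data:
        name = str(group.get("name", "")).strip()
        for loc in group.get("locations", []):
            sites.append(LeakSite(
                group=name,
                fqdn=str(loc.get("fqdn", "")).strip(),
                available=bool(loc.get("available", False)),
                enabled=bool(loc.get("enabled", True)),
            ))
    return sites


def active_sites(sites: List[LeakSite]) -> List[LeakSite]:
    """Locations worth monitoring right now: enabled in the tracker and reachable at last scrape."""
    return [s for s in sites if s.enabled and s.available and s.fqdn]


def sites_by_group(sites: List[LeakSite]) -> Dict[str, List[str]]:
    """Map each group name to the hostnames of its tracked locations."""
    out: Dict[str, List[str]] = {}
    for s in sites:
        out.setdefault(s.group, []).append(s.fqdn)
    return out


def find_group(sites: List[LeakSite], name: str) -> List[LeakSite]:
    """Case-insensitive lookup by group name, the same key the web UI uses in ?id=<group>."""
    wanted = name.strip().lower()
    return [s for s in sites if s.group.lower() == wanted]


if __name__ == "__main__":
    records = parse_groups(SAMPLE_GROUPS_JSON)
    for site in active_sites(records):
        print(f"{site.group:<14} {site.fqdn}")
```

To run it against the real tracker data, read the contents of the groups.json file linked above into a string and pass that to `parse_groups` in place of the constructed sample; the filter in `active_sites` is where you would tighten or relax what "worth monitoring" means for your own collection.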
@drizzy @GossiTheDog
It doesn't really matter, once a website is on the target list it is already being attacked.
It might buy them a couple of minutes but in practice that won't do much.
NN only mentions successful attacks on their Telegram.
Not to burst any bubble but Kevin isn't predicting anything, he extracts the active target list from their DDoS client and publishes it in full, whereas NN only publishes sites that went down.
@signalblur Awesome writeup, thanks for sharing!
@WatchingTVnFilm @nasa One of the links on the page has the complete legend.
2020 was SolarWinds
2021 was Log4j
Tomorrow is December 2022.
Are you prepared?
#HappyHolidays #Cybersecurity #CTI #ThreatIntel #infosec
@verovaleros While I agree the Enterprise matrix is "enterprise centric", it looks like most techniques would work. I haven't really thought of a use case to map home infections to the ATT&CK framework but I think it's possible.
Since you compare internal lateral movement to scanning/attacking the internet, you could also go for "T1584.005 Compromise Infrastructure: Botnet". Maybe a small botnet, but it might be less of a stretch, since the compromise was likely not targeted (so there might be more infected devices under the actor's control) and the infected device is used as a proxy.