The cybercriminals behind the Kimwolf botnet – a disruptive force infecting over 2 million devices – have reportedly compromised the control panel for Badbox 2.0, a vast, China-based botnet pre-installed on many Android TV streaming boxes. This development, first reported by KrebsOnSecurity, suggests a significant escalation in the ongoing battle against these malicious networks, and has prompted investigations by both the FBI and Google.
Badbox 2.0 has a long history, predating the rise of Kimwolf in . Google filed a lawsuit in against 25 unidentified defendants accusing them of operating the botnet, which the company estimates has infected over ten million devices. The core issue is the pre-installation of malware on these inexpensive streaming devices, often marketed as providing access to unlimited pirated content for a one-time fee. The FBI issued a similar warning in , detailing how these devices are compromised either before purchase or during app downloads from unofficial marketplaces.
Kimwolf, as detailed in a KrebsOnSecurity report from , employs unique and invasive methods to spread. The botnet primarily targets Android TV boxes, set-top boxes, and tablets, leveraging vulnerabilities to turn them into tools for distributed denial-of-service (DDoS) attacks, proxy forwarding, and even remote shell access. Recent analysis indicates Kimwolf issued 1.7 billion DDoS attack commands within a three-day period in , briefly surpassing even Google in terms of network traffic.
The individuals currently administering Kimwolf are known as “Dort” and “Snow.” A screenshot shared by a former associate of Dort and Snow appears to show their access to the Badbox 2.0 control panel. The screenshot reveals seven authorized users, including an account labeled “ABCD” which, according to the source, belongs to Dort. This suggests Dort successfully added their email address (34557257@qq.com) as a valid user within the Badbox 2.0 system.
Further investigation by KrebsOnSecurity uncovered connections between the email addresses listed in the Badbox 2.0 control panel and several China-based technology companies, including Beijing Hong Dake Wang Science & Technology Co Ltd., Beijing Hengchuang Vision Mobile Media Technology Co. Ltd., and Moxin Beijing Science and Technology Co. Ltd. The domain asmeisvip[.]net, associated with Beijing Hong Dake Wang Science, was flagged in a HUMAN Security report in as being tied to the distribution and management of Badbox 2.0.
The investigation also revealed connections between other users listed in the Badbox 2.0 panel – including “Mr.Zhu” (xavierzhu@qq.com) and “Chen” (34557257@qq.com) – and individuals associated with Beijing Astrolink Wireless Digital Technology Co. Ltd. Specifically, the email address xavierzhu@gmail.com was used to register the domain astrolink[.]cn, which has also been linked to Badbox 2.0 infrastructure.
The significance of Kimwolf’s potential access to Badbox 2.0 lies in the way Kimwolf spreads. The botnet exploits vulnerabilities in residential proxy services to probe and compromise devices on local networks. Previously, security patches implemented by these proxy providers were effective in limiting Kimwolf’s reach. However, direct access to the Badbox 2.0 control panel circumvents these protections. As the source explained, Badbox 2.0 doesn’t rely on proxy services for distribution, meaning it remains unpatched and vulnerable to direct malware loading by Dort and the Kimwolf operation.
The implications are concerning. Badbox 2.0 represents a massive, pre-existing network of compromised devices. By leveraging this network, Kimwolf can bypass recent security improvements and continue to expand its reach, potentially impacting millions more homes and networks. The FBI and Google are actively investigating the individuals behind Badbox 2.0, and the recent revelations regarding Kimwolf’s access may provide crucial leads in their efforts. The incident underscores the risks associated with purchasing inexpensive, unofficial Android TV boxes and highlights the importance of securing home networks against these types of threats.
