
Badbox 2.0 Botnet Operators Identified: Key Players Behind China-Linked Cyber Threat

Source: Krebs on Security

[Figure: Badbox 2.0 botnet control panel showing authorized user emails and their connections to Chinese operators]

Investigation reveals Chen Daihai and Zhu Zhiyu as likely operators of the Badbox 2.0 botnet, linked to 10M+ compromised Android TV devices. FBI and Google pursue legal action.

Botnet Operators Exposed Through Cybercriminal Bragging

Cybersecurity researchers have identified the individuals most likely operating the Badbox 2.0 botnet, a China-based threat that has infected more than 10 million Android TV streaming devices. The breakthrough came after operators of the Kimwolf botnet, a separate but equally disruptive malware network, shared a screenshot of the Badbox 2.0 control panel. The screenshot showed that Kimwolf had gained unauthorized access to the panel, and it exposed the e-mail addresses of the panel's authorized users, which investigators then traced to the administrators.

Both the FBI and Google are actively investigating Badbox 2.0, which pre-installs malicious software on Android TV boxes before they reach consumers. The botnet also spreads via unofficial app marketplaces, enabling advertising fraud and backdoor access to home networks.

Technical Deep Dive: How Badbox 2.0 Operates

Badbox 2.0 is a successor to the original Badbox campaign, disrupted in 2024. Unlike its predecessor, which primarily targeted Android TV boxes, Badbox 2.0 expands its reach by:

  • Pre-infecting devices before purchase: Malware is embedded in firmware, ensuring persistence even after factory resets.
  • Exploiting unofficial app stores: Users unknowingly download malicious apps during setup.
  • Enabling large-scale ad fraud: Compromised devices generate fraudulent ad impressions, costing advertisers millions.

The Kimwolf botnet, which has infected over 2 million devices, recently demonstrated that it can hijack Badbox 2.0's infrastructure. Kimwolf's operators, known by the aliases "Dort" and "Snow", added an account of their own ("ABCD") to the Badbox 2.0 control panel's list of authorized users, suggesting an attempted takeover of the botnet's command-and-control (C2) systems rather than a cooperative merger.

Key Individuals Linked to Badbox 2.0

Forensic analysis of the Badbox 2.0 control panel screenshot revealed seven authorized users, including:

  1. Chen Daihai (陈代海)

    • Email: 34557257@qq.com (alias: Chen)
    • Linked to Beijing Hong Dake Wang Science & Technology Co Ltd and Moxin Beijing Science and Technology Co. Ltd.
    • Domains tied to Badbox 2.0: asmeisvip[.]net, moyix[.]com, vmud[.]net.
    • Password reuse (cdh76111) connected to cathead@gmail.com and daihaic@gmail.com.
  2. Zhu Zhiyu (朱志宇)

    • Email: xavierzhu@qq.com (alias: Mr.Zhu)
    • Co-founder of Beijing Astrolink Wireless Digital Technology Co. Ltd.
    • Domain registrations include astrolink[.]cn, another Badbox 2.0-linked domain.
  3. Huang Guilin (桂林 黄)

    • Email: 189308024@qq.com (alias: admin)
    • Linked to guilincloud[.]cn and phone number 18681627767.
    • Active on Chinese social media under the username h_guilin.

The remaining four users, all tied to qq.com email addresses, lacked clear corporate affiliations and did not respond to investigative inquiries.

Impact and Legal Ramifications

Badbox 2.0’s scale and sophistication pose significant risks:

  • Consumer Privacy: Compromised devices can exfiltrate personal data, including Wi-Fi credentials and browsing history.
  • Network Security: Infected devices act as gateways for further attacks on home or corporate networks.
  • Financial Fraud: Ad fraud schemes siphon revenue from legitimate advertisers.

In July 2025, Google filed a "John Doe" lawsuit against 25 unidentified defendants, alleging they operated Badbox 2.0 for profit. The FBI’s June 2025 advisory warned of pre-infected devices, urging consumers to avoid unofficial Android TV boxes.

Kimwolf’s Unauthorized Access: A Game-Changer

Kimwolf's operators turned to Badbox 2.0's infrastructure after the residential proxy providers Kimwolf had been abusing patched the weaknesses in their own systems. According to a source close to the investigation:

"Dort gained unauthorized access to Badbox’s control panel. Since Badbox doesn’t sell proxies, it remained unpatched—allowing Kimwolf to load malware directly onto Badbox-infected devices."

How Dort obtained access to the panel remains unclear. The ABCD account is unlikely to survive, however, because investigators have notified every authorized Badbox 2.0 panel user of the breach.

Recommendations for Security Teams

  1. Device Audits: Identify and remove unofficial Android TV boxes from networks.
  2. Firmware Verification: Ensure devices run vendor-signed firmware to prevent pre-installed malware.
  3. Network Segmentation: Isolate IoT devices to limit lateral movement in case of compromise.
  4. Threat Intelligence: Monitor domains and IPs associated with Badbox 2.0 (e.g., asmeisvip[.]net, moyix[.]com).
  5. User Education: Warn employees and consumers about risks of unofficial app stores and pirated streaming services.
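The audit in steps 2 and 4 above can be partly automated. The following is an added example written for this article, not tooling from the original investigation or from Google or the FBI. It does two things: it matches resolver logs against the domains this article associates with Badbox 2.0 (refanging the `[.]` notation used in the text), and it flags Android build properties that contradict a locked, vendor-signed firmware. The DNS lines and the `getprop` excerpt are constructed samples; the property names (`ro.boot.verifiedbootstate`, `ro.build.tags`, `ro.build.type`, `ro.debuggable`, `ro.secure`) are standard Android properties, but the expected values assume a stock, non-debug build. Treat the domain list as a starting point, not a complete IOC set.

```python
"""Added example: IOC matching over resolver logs plus an Android build-property check."""
import re
from collections import defaultdict

# Domains this article ties to Badbox 2.0, kept defanged as in the text.
BADBOX_DOMAINS_DEFANGED = [
    "asmeisvip[.]net",
    "moyix[.]com",
    "vmud[.]net",
    "astrolink[.]cn",
]


def refang(domain: str) -> str:
    """Turn a defanged indicator such as 'moyix[.]com' into 'moyix.com'."""
    return domain.replace("[.]", ".").replace("(.)", ".").lower().rstrip(".")


def domain_matches(query: str, ioc: str) -> bool:
    """True if the queried name is the IOC itself or one of its subdomains."""
    q = query.lower().rstrip(".")
    return q == ioc or q.endswith("." + ioc)


# Constructed sample in dnsmasq's "query[TYPE] name from client" log form.
SAMPLE_DNS_LOG = """\
Jun 12 09:01:14 gw dnsmasq[812]: query[A] time.android.com from 192.168.1.20
Jun 12 09:01:15 gw dnsmasq[812]: query[A] cdn.asmeisvip.net from 192.168.1.57
Jun 12 09:01:19 gw dnsmasq[812]: query[A] www.moyix.com from 192.168.1.57
Jun 12 09:02:02 gw dnsmasq[812]: query[AAAA] example.org from 192.168.1.20
Jun 12 09:02:40 gw dnsmasq[812]: query[A] api.vmud.net from 192.168.1.88
"""

DNS_LINE = re.compile(r"query\[\w+\] (?P<name>\S+) from (?P<client>\S+)")


def find_ioc_hits(log_text: str, defanged_iocs=BADBOX_DOMAINS_DEFANGED) -> dict:
    """Map each client IP to the sorted list of IOC domains it resolved."""
    iocs = [refang(d) for d in defanged_iocs]
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = DNS_LINE.search(line)
        if not m:
            continue  # not a query line; skip cached/forwarded/reply lines
        for ioc in iocs:
            if domain_matches(m["name"], ioc):
                hits[m["client"]].add(ioc)
    return {client: sorted(doms) for client, doms in hits.items()}


# Constructed 'adb shell getprop' excerpt from a hypothetical unofficial box.
SAMPLE_GETPROP = """\
[ro.boot.verifiedbootstate]: [orange]
[ro.build.tags]: [test-keys]
[ro.build.type]: [userdebug]
[ro.debuggable]: [1]
[ro.secure]: [0]
[ro.product.model]: [GENERIC-TVBOX]
"""

PROP_LINE = re.compile(r"^\[(?P<key>[^\]]+)\]: \[(?P<val>[^\]]*)\]$")


def parse_getprop(text: str) -> dict:
    """Parse getprop's '[key]: [value]' lines into a dict."""
    props = {}
    for line in text.splitlines():
        m = PROP_LINE.match(line.strip())
        if m:
            props[m["key"]] = m["val"]
    return props


def firmware_findings(props: dict) -> list:
    """Flag properties that contradict a locked, vendor-signed release build.

    A missing verifiedbootstate is itself a finding: the device is not
    reporting Verified Boot at all, so its firmware cannot be vouched for.
    """
    findings = []
    vbstate = props.get("ro.boot.verifiedbootstate")
    if vbstate != "green":
        findings.append(f"verified boot state is {vbstate!r}, expected 'green'")
    if "test-keys" in props.get("ro.build.tags", ""):
        findings.append("build is signed with test-keys, not release-keys")
    if props.get("ro.build.type") != "user":
        findings.append(f"build type is {props.get('ro.build.type')!r}, expected 'user'")
    if props.get("ro.debuggable") == "1":
        findings.append("ro.debuggable=1: debug build, root shell over adb is possible")
    if props.get("ro.secure") == "0":
        findings.append("ro.secure=0: adbd runs as root")
    return findings


if __name__ == "__main__":
    for client, doms in find_ioc_hits(SAMPLE_DNS_LOG).items():
        print(f"{client} resolved Badbox-linked domains: {', '.join(doms)}")
    for finding in firmware_findings(parse_getprop(SAMPLE_GETPROP)):
        print("firmware:", finding)
```

Run against real data by feeding resolver logs into `find_ioc_hits` and the output of `adb shell getprop` into `parse_getprop`. A device that shows any verified-boot state other than `green`, or a `test-keys` build tag, should be treated as untrusted regardless of whether it has yet contacted a known domain, since the pre-infected firmware described above is present before any network activity.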

Conclusion

The exposure of Chen Daihai and Zhu Zhiyu as likely Badbox 2.0 operators marks a critical step in dismantling one of the largest botnets targeting Android devices. While legal action and technical mitigations are underway, the incident underscores the persistent threat of supply-chain attacks and the need for stricter oversight of IoT device manufacturing and distribution.
