A recent development in the shadowy world of cybercrime has shed new light on the operators behind Badbox 2.0, a vast China-based botnet primarily powered by malicious software pre-installed on numerous Android TV streaming boxes. The individuals controlling Kimwolf, a disruptive botnet that has already infected over two million devices, recently shared a screenshot indicating they had gained unauthorized access to the control panel of Badbox 2.0. This revelation is significant because both the Federal Bureau of Investigation (FBI) and Google have been actively pursuing the masterminds behind Badbox 2.0, and the bragging by the Kimwolf operators may have inadvertently provided crucial clues.

Our earlier reporting on the Kimwolf botnet, detailed in "The Kimwolf Botnet is Stalking Your Local Network" (January 2026), highlighted its unique and highly invasive propagation methods. We warned that the overwhelming majority of Kimwolf-infected systems were unofficial Android TV boxes, often marketed as a one-time purchase solution for unlimited (and pirated) movie and TV streaming. These devices, due to their often unsecured nature and the malware embedded within them, become fertile ground for botnet operations.

Further investigation into the Kimwolf network, as documented in "Who Benefitted from the Aisuru and Kimwolf Botnets?" (January 8, 2026), pointed to individuals operating under the aliases "Dort" and "Snow" as the current administrators. The leaked screenshot of the Badbox 2.0 control panel emerged earlier this month, shared by a former associate of Dort and Snow, who claimed it was captured by the Kimwolf botmasters themselves.

The screenshot displays seven authorized users of the Badbox 2.0 control panel, along with their associated email addresses. Notably, one account, labeled "ABCD" and logged in at the top right, stands out. According to the source, this "ABCD" account belongs to Dort, who managed to add their email address as a legitimate user of the Badbox 2.0 botnet. This unauthorized access, if confirmed, represents a significant breach of security and a powerful connection between two major botnet operations.

The history of Badbox is extensive, predating Kimwolf’s emergence in October 2025. In July 2025, Google initiated a "John Doe" lawsuit against 25 unidentified defendants accused of orchestrating Badbox 2.0. Google described it as a botnet encompassing over ten million unsanctioned Android streaming devices, primarily engaged in advertising fraud. Their complaint detailed how Badbox 2.0 compromised various devices before purchase and could also infect devices through malicious app downloads from unofficial marketplaces.

Who Operates the Badbox 2.0 Botnet?

This legal action by Google followed a June 2025 advisory from the FBI. The federal agency warned of cybercriminals gaining unauthorized access to home networks by either pre-installing malware on devices or infecting them during the download of required applications containing backdoors, often during the initial setup process. The FBI’s discovery of Badbox 2.0 came after the disruption of the original Badbox campaign in 2024. The initial Badbox, identified in 2023, primarily consisted of compromised Android TV boxes infected with backdoor malware before being sold to consumers.

Initially, KrebsOnSecurity expressed skepticism regarding the claim that Kimwolf operators had infiltrated the Badbox 2.0 botnet. However, a deeper dive into the email addresses found in the screenshot, particularly those using the qq.com domain, revealed compelling connections.

CATHEAD

A search for the email address "[email protected]," identified in the screenshot as belonging to a user named "Chen," linked it to several China-based technology companies. These include Beijing Hong Dake Wang Science & Technology Co Ltd., Beijing Hengchuang Vision Mobile Media Technology Co. Ltd., and Moxin Beijing Science and Technology Co. Ltd. The website for Beijing Hong Dake Wang Science, asmeisvip[.]net, was flagged in a March 2025 report by HUMAN Security as one of many sites involved in the distribution and management of the Badbox 2.0 botnet. Similarly, moyix[.]com, associated with Beijing Hengchuang Vision Mobile, was also implicated.

Further investigation using the breach tracking service Constella Intelligence revealed that the email address [email protected] had previously used the password "cdh76111." Pivoting on this password in Constella’s database showed it was also used by two other email accounts: [email protected] and [email protected]. Constella found that [email protected] had registered an account on jd.com (China’s largest online retailer) in 2021 under the name "陈代海," which translates to "Chen Daihai." DomainTools.com records indicated that the name Chen Daihai was present in the original registration details (dating back to 2008) for moyix[.]com, along with the email address cathead@astrolink[.]cn.

It’s worth noting that astrolink[.]cn is also among the domains identified in HUMAN Security’s March 2025 report as being tied to Badbox 2.0. DomainTools data further shows that cathead@astrolink[.]cn was used to register over a dozen domains, including vmud[.]net, another domain flagged by HUMAN Security in relation to Badbox 2.0.

XAVIER

An archived version of astrolink[.]cn from archive.org reveals that the website belonged to a mobile app development company named Beijing Astrolink Wireless Digital Technology Co. Ltd. An archived "Contact Us" page from around 2007 lists Chen Daihai as part of the company’s technology department. The other individual featured on that page is Zhu Zhiyu, whose email address is provided as xavier@astrolink[.]cn.

The Badbox 2.0 control panel also lists a user named "Mr.Zhu" associated with the email address [email protected]. Searches in Constella for this address reveal a jd.com account registered under the name Zhu Zhiyu. A distinctive password used for this account matches the password used by [email protected], which DomainTools identifies as the original registrant of astrolink[.]cn. This correlation strongly suggests a link between Chen Daihai, Zhu Zhiyu, and the Badbox 2.0 operation.

ADMIN

The very first account listed in the Badbox 2.0 panel, "admin," registered in November 2020, used the email address [email protected]. DomainTools records show this email address is associated with the 2022 registration of the domain guilincloud[.]cn, which lists the registrant name as "Huang Guilin."

Constella Intelligence findings connect [email protected] to the China phone number 18681627767. The open-source intelligence platform osint.industries indicates that this phone number is linked to a Microsoft profile created in 2014 under the name "Guilin Huang (桂林 黄)." The cyber intelligence platform SpyCloud reports that this phone number was used in 2017 to create a Weibo account under the username "h_guilin."

The remaining three users and their corresponding qq.com email addresses in the Badbox 2.0 panel were also linked to individuals in China. However, unlike Chen Daihai and Zhu Zhiyu, these individuals, including Mr. Huang, did not exhibit any apparent connections to the entities associated with Badbox 2.0 or any significant corporate structures. Attempts to reach these individuals for comment were unsuccessful.

The interconnectedness of these individuals and domains is further illustrated by a mind map created from search pivots on email addresses, company names, and phone numbers, which strongly suggests a connection between Chen Daihai, Zhu Zhiyu, and the Badbox 2.0 botnet.
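The pivot chain described above (an email to a reused password, to a second address, to a retailer account name, to a WHOIS registrant, to further domains) is what such a mind map is built from. The routine below is an added illustration of that link analysis, not code from the article or from Constella, DomainTools or any other service named; every record, address and password in it is a constructed placeholder. It also shows the one pivot that must be suppressed: the mail-domain hop is skipped for shared webmail providers (qq.com, gmail.com and the like), otherwise every address on the same provider would collapse into one cluster.

```python
from collections import defaultdict, deque
# Webmail providers carry no ownership signal, so no mail-domain pivot for them.
SHARED_MAIL_DOMAINS = {"example-mail.test"}

# Constructed stand-ins for breach, retailer-account and WHOIS hits (placeholders only).
RECORDS = [
    {"source": "breach", "email": "chen@example-mail.test", "password": "pw-A"},
    {"source": "breach", "email": "alt1@example-mail.test", "password": "pw-A"},
    {"source": "retailer", "email": "alt1@example-mail.test", "name": "Person One"},
    {"source": "whois", "domain": "media-co.example", "name": "Person One",
     "email": "cathead@dev-co.example"},
    {"source": "whois", "domain": "dev-co.example", "email": "owner@dev-co.example"},
    {"source": "breach", "email": "owner@dev-co.example", "password": "pw-B"},
    {"source": "breach", "email": "zhu@example-mail.test", "password": "pw-B"},
    {"source": "retailer", "email": "zhu@example-mail.test", "name": "Person Two"},
    {"source": "retailer", "email": "other@example-mail.test", "name": "Person Nine"},
]

def selectors(rec):
    """(attribute, value) nodes of one record, plus a derived mail-domain node."""
    nodes = [(k, v) for k, v in rec.items() if k != "source"]
    for k, v in list(nodes):
        if k == "email" and v.split("@")[1] not in SHARED_MAIL_DOMAINS:
            nodes.append(("domain", v.split("@")[1]))
    return nodes

def build_graph(records):
    """Every record becomes a clique; each edge remembers the source that made it."""
    graph = defaultdict(dict)
    for rec in records:
        nodes = selectors(rec)
        for a in nodes:
            for b in nodes:
                if a != b:
                    graph[a].setdefault(b, rec["source"])
    return graph

def pivot(graph, seed):
    """Breadth-first expansion from a seed selector; returns {node: chain} where
    chain is the list of (node, source) hops from the seed, one mind-map branch."""
    paths = {seed: [(seed, "seed")]}
    queue = deque([seed])
    while queue:
        cur = queue.popleft()
        for nxt, src in graph.get(cur, {}).items():
            if nxt not in paths:
                paths[nxt] = paths[cur] + [(nxt, src)]
                queue.append(nxt)
    return paths
```

Each chain returned by `pivot` lists the source behind every hop, which is what lets a finding like "shared password, then same WHOIS registrant" be audited rather than just asserted.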

The implication of the Kimwolf botmasters having direct access to the Badbox 2.0 botnet is substantial. Kimwolf’s propagation strategy relies on exploiting residential proxy services to relay malicious commands to vulnerable devices on local networks. These vulnerable devices are predominantly Internet of Things (IoT) devices, such as unsanctioned Android TV boxes and digital photo frames, which often lack basic security and authentication. If a device can be communicated with, it can be compromised with a single command.

Research from the proxy-tracking firm Synthient, highlighted in our January 2 story, revealed that 11 different residential proxy providers had endpoints vulnerable to abuse for local network probing and exploitation. Many of these providers have since implemented measures to prevent such upstream access. This suggested that Kimwolf’s rapid spread might be curtailed.
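The "measures to prevent such upstream access" amount to an egress policy on the proxy exit node: a relayed request must never be allowed to reach the exit node itself or the network it sits on. What follows is an added illustration of such a policy in Python, not code from Synthient, from any proxy provider, or from the article; the resolver is a constructed stand-in for DNS so it runs offline. It refuses literal addresses in private, loopback, link-local, carrier-grade NAT and multicast ranges, unwraps IPv4-mapped IPv6 literals, and requires every DNS answer for a hostname to be routable, which is what defeats a name that resolves to both a public and a LAN address.

```python
import ipaddress

# Ranges ipaddress does not flag as private/loopback/link-local but that a
# relay still must not reach on behalf of a remote customer.
EXTRA_BLOCKED = [
    ipaddress.ip_network("100.64.0.0/10"),  # carrier-grade NAT (RFC 6598)
    ipaddress.ip_network("224.0.0.0/4"),    # IPv4 multicast
    ipaddress.ip_network("ff00::/8"),       # IPv6 multicast
]

# Constructed resolver standing in for DNS so the example runs offline.
FAKE_DNS = {
    "cdn.example": ["1.1.1.1"],
    "localhost": ["127.0.0.1", "::1"],
    "rebind.example": ["1.1.1.1", "192.168.1.1"],  # one public, one LAN answer
}

def fake_resolve(name):
    return FAKE_DNS.get(name, [])

def normalise(addr):
    """Parse a literal; unwrap IPv4-mapped IPv6 so ::ffff:10.0.0.5 is judged as 10.0.0.5."""
    ip = ipaddress.ip_address(addr.strip("[]"))
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip

def is_local_destination(ip):
    """True if the address is the exit node itself, its LAN, or a non-routable range."""
    if (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_unspecified or ip.is_reserved):
        return True
    return any(ip in net for net in EXTRA_BLOCKED)

def allowed_upstream(host, resolve=fake_resolve):
    """Decide whether the relay may open a connection to `host`.

    Hostnames are resolved first and every answer must be routable, so a
    name that mixes a public and a LAN address (DNS rebinding) is refused,
    as is a name with no answers at all.
    """
    try:
        targets = [normalise(host)]
    except ValueError:
        targets = [normalise(a) for a in resolve(host)]
    return bool(targets) and not any(is_local_destination(ip) for ip in targets)
```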

However, the source who provided the Badbox 2.0 screenshot revealed that the Kimwolf botmasters possessed a critical advantage: clandestine access to the Badbox 2.0 botnet control panel. "Dort has gotten unauthorized access," the source stated. "So, what happened is normal proxy providers patched this. But Badbox doesn’t sell proxies by itself, so it’s not patched. And as long as Dort has access to Badbox, they would be able to load the Kimwolf malware directly onto TV boxes associated with Badbox 2.0."

The exact method by which Dort gained access to the Badbox botnet panel remains unclear. Nevertheless, it is highly probable that Dort’s unauthorized access will not persist indefinitely. All the qq.com email addresses listed in the control panel screenshot received a copy of the leaked image, along with inquiries about the anomalous "ABCD" account, suggesting that the operators of Badbox 2.0 are now aware of the breach. This situation highlights the fluid and often interconnected nature of the cybercriminal landscape, where the actions of one botnet can inadvertently expose the operations of another.