The operators of the prolific Kimwolf botnet, which has ensnared over two million devices, have inadvertently provided a significant clue in the hunt for the people running Badbox 2.0, a massive China-based botnet. A recently shared screenshot, purportedly taken by the Kimwolf operators, shows them logged into the Badbox 2.0 control panel, and the user accounts visible in it point to individuals who may be orchestrating that criminal enterprise. Both the FBI and Google have been actively investigating Badbox 2.0, and this development, a byproduct of the Kimwolf operators' boasting, may accelerate their efforts considerably.
The Kimwolf botnet, first detailed in a January 2026 report titled "The Kimwolf Botnet is Stalking Your Local Network," is notable for its propagation method. It predominantly targets unofficial Android TV streaming boxes, often marketed as a one-time purchase for access to a seemingly unlimited library of pirated movies and television shows. Kimwolf spreads by reaching into victims' local networks and taking over devices of this kind, which frequently ship without basic security controls or any authentication on their management interfaces.
Further investigation into the Kimwolf operation, specifically in a January 8, 2026 article, "Who Benefitted from the Aisuru and Kimwolf Botnets?", pointed to two key individuals operating under the monikers "Dort" and "Snow." The recent screenshot, allegedly captured by these very individuals while accessing the Badbox 2.0 control panel, lists seven authorized users. Among these, one account stands out: "ABCD," which is shown as actively logged in. According to the source who provided the screenshot, this "ABCD" account belongs to Dort, who appears to have successfully added their own email address as a legitimate user of the Badbox 2.0 botnet. This act of unauthorized access and self-insertion into the Badbox 2.0 infrastructure is a critical piece of evidence.

The history of Badbox 2.0 predates the rise of Kimwolf significantly. In July 2025, Google initiated a "John Doe" lawsuit against 25 unidentified defendants accused of running Badbox 2.0. Google described it as a botnet comprising over ten million unauthorized Android streaming devices, primarily engaged in advertising fraud. Its complaint detailed how Badbox 2.0 compromised devices both before purchase and through the forced download of malicious applications from unofficial marketplaces. This legal action followed a June 2025 advisory from the Federal Bureau of Investigation (FBI), which warned of cybercriminals gaining unauthorized access to home networks by pre-installing malware on devices or by infecting them during setup through malicious app downloads containing backdoors. The FBI's discovery of Badbox 2.0 came after the disruption of the original Badbox campaign in 2024. The original Badbox, identified in 2023, primarily involved Android TV boxes compromised with backdoor malware before being sold to consumers.
Initially, there was skepticism regarding the claim that the Kimwolf botmasters had gained access to the Badbox 2.0 botnet. However, a deep dive into the email addresses present in the screenshot began to paint a compelling picture. One email address, "[email protected]," listed under the username "Chen" in the Badbox 2.0 control panel, is linked to several China-based technology companies: Beijing Hong Dake Wang Science & Technology Co Ltd., Beijing Hengchuang Vision Mobile Media Technology Co. Ltd., and Moxin Beijing Science and Technology Co. Ltd. Notably, the website for Beijing Hong Dake Wang Science, asmeisvip[.]net, was flagged in a March 2025 report by HUMAN Security as a distribution and management site for Badbox 2.0. Similarly, moyix[.]com, associated with Beijing Hengchuang Vision Mobile, is also implicated.
Further analysis through the breach-tracking service Constella Intelligence revealed that the email address [email protected] had previously used the password "cdh76111." A reused password that is this distinctive is a standard attribution pivot (a widely used password would link unrelated accounts and prove nothing). Pivoting on this password in Constella's database showed it was also used by two other email accounts: [email protected] and [email protected]. Constella's findings indicated that [email protected] was used to register an account on jd.com (China's largest online retailer) in 2021 under the name "Chen Daihai." DomainTools.com data corroborates this, showing "Chen Daihai" in the original registration records (dating back to 2008) for moyix[.]com, alongside the email address cathead@astrolink[.]cn. Intriguingly, astrolink[.]cn is another domain identified in HUMAN Security's 2025 report as being associated with Badbox 2.0. DomainTools further links cathead@astrolink[.]cn to the registration of over a dozen domains, including vmud[.]net, which was also tagged by HUMAN Security as a Badbox 2.0 domain.
The name "Chen Daihai" emerges as a significant figure. An archived version of astrolink[.]cn from archive.org reveals it belongs to a mobile app development company named Beijing Astrolink Wireless Digital Technology Co. Ltd. A "Contact Us" page from around 2007 on this archived website lists a Chen Daihai as part of the company’s technology department. The other individual featured on this page is Zhu Zhiyu, whose email address is provided as xavier@astrolink[.]cn.

The connection between these individuals and Badbox 2.0 strengthens when examining another user in the Badbox 2.0 panel: "Mr.Zhu." This user is associated with the email address [email protected]. A search in Constella for this address reveals a jd.com account registered to Zhu Zhiyu. A distinctive password used for this account matches the password used for [email protected]. DomainTools identifies [email protected] as the original registrant of astrolink[.]cn, further solidifying the link between Zhu Zhiyu and the infrastructure associated with Badbox 2.0.
The first account listed in the Badbox 2.0 panel, "admin," registered in November 2020, used the email address [email protected]. DomainTools data places this email address in the 2022 registration records for the domain guilincloud[.]cn, listing the registrant as "Huang Guilin." Constella Intelligence connects [email protected] to the Chinese phone number 18681627767. Open-source intelligence platform osint.industries links this phone number to a Microsoft profile created in 2014 under the name "Guilin Huang." Cybersecurity intelligence platform Spycloud notes that this phone number was used in 2017 to create a Weibo account under the username "h_guilin."
While the remaining three users and their associated QQ.com email addresses in the Badbox 2.0 control panel screenshot were also linked to individuals in China, they did not exhibit any apparent connections to the entities established and operated by Chen Daihai and Zhu Zhiyu, nor to any discernible corporate structures. Attempts to contact these individuals for comment were unsuccessful. However, the mind map created by correlating search pivots on the email addresses, company names, and phone numbers strongly suggests a direct connection between Chen Daihai, Zhu Zhiyu, and the Badbox 2.0 botnet.
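The correlation described above, in which identifiers are linked through shared passwords, names, phone numbers and domain registrations, can be mechanized. The following is an added example, not code from the article or from any of the services it names: it builds a pivot graph from constructed records (hypothetical identifiers, not the real ones above), links identifiers that co-occur in a record, refuses to pivot on passwords too common to be distinctive, and reports how many hops separate each identifier from the seed, which is a rough measure of how much weight a link deserves.

```python
from collections import defaultdict, deque

# Constructed sample records for illustration only; none of these
# identifiers, names or passwords come from the article or any real dataset.
RECORDS = [
    {"source": "panel",    "email": "ops1@example.test", "username": "Chen"},
    {"source": "breach",   "email": "ops1@example.test", "password": "p@ssw0rd-xyz"},
    {"source": "breach",   "email": "side@example.test", "password": "p@ssw0rd-xyz"},
    {"source": "breach",   "email": "side@example.test", "password": "123456"},
    {"source": "breach",   "email": "unrelated@example.test", "password": "123456"},
    {"source": "retailer", "email": "side@example.test", "name": "Person A"},
    {"source": "whois",    "domain": "example-a.test", "name": "Person A",
                           "email": "reg@example-a.test"},
    {"source": "whois",    "domain": "example-b.test", "email": "reg@example-a.test"},
    {"source": "breach",   "email": "other@example.test", "phone": "+10000000000"},
]

# Values too common to be meaningful pivots: a shared "123456" links strangers.
WEAK_VALUES = {("password", "123456"), ("password", "password")}
# Record fields that describe provenance rather than identity.
NON_PIVOT_FIELDS = {"source"}


def build_graph(records, weak_values=WEAK_VALUES):
    """Undirected graph whose nodes are (field, value) identifiers.
    Two identifiers are adjacent when they appear in the same record,
    unless one of them is a weak (too-common) value."""
    graph = defaultdict(set)
    for rec in records:
        nodes = [(k, v) for k, v in rec.items()
                 if k not in NON_PIVOT_FIELDS and (k, v) not in weak_values]
        for a in nodes:
            graph[a]  # make sure even isolated identifiers exist as nodes
            for b in nodes:
                if a != b:
                    graph[a].add(b)
    return graph


def pivot(graph, seed, max_hops=None):
    """Breadth-first expansion from a seed identifier.
    Returns {identifier: hops_from_seed}; fewer hops means a stronger link."""
    hops = {seed: 0}
    queue = deque([seed])
    while queue:
        node = queue.popleft()
        if max_hops is not None and hops[node] >= max_hops:
            continue
        for nxt in graph.get(node, ()):
            if nxt not in hops:
                hops[nxt] = hops[node] + 1
                queue.append(nxt)
    return hops


def linked_values(graph, seed, field, max_hops=None):
    """All values of one field (e.g. "domain") reachable from the seed."""
    return sorted(v for (f, v) in pivot(graph, seed, max_hops) if f == field)


if __name__ == "__main__":
    g = build_graph(RECORDS)
    seed = ("email", "ops1@example.test")
    for node, h in sorted(pivot(g, seed).items(), key=lambda item: item[1]):
        print(h, node)
```

Run with the constructed records, the seed email reaches two registered domains in five hops through a reused password, a retailer account and a WHOIS name, while the account that shares only the password "123456" is never reached. Passing an empty weak-value set shows how much noise a common password pulls in.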
The implication of the Kimwolf operators having direct access to the Badbox 2.0 botnet is profound. Kimwolf's propagation method relies on residential proxy services: by routing traffic through a proxy endpoint, the operators can reach the endpoint's local network and send commands to devices on it that are never exposed to the internet directly. Those targets are primarily Internet of Things (IoT) devices, such as unsanctioned Android TV boxes and digital photo frames, which often lack basic security and authentication. If such a device is reachable, it can be compromised with a single command.

Research from proxy-tracking firm Synthient had previously alerted 11 residential proxy providers that their endpoints let customers reach the endpoints' local networks, enabling exactly this kind of probing and exploitation. Many of these providers have since patched their software so that proxy customers can no longer connect to private address space behind an endpoint. This measure appeared to hinder Kimwolf's ability to rapidly infect millions of devices.
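The article does not say how the providers patched their software. As an added illustration (not the providers' code, nor Synthient's), the following Python sketches the check a proxy-side CONNECT handler has to make before relaying a customer's request: reject destinations in private, loopback, link-local and CGNAT space, unwrap IPv4-mapped IPv6 so `::ffff:192.168.1.1` does not bypass an IPv4-only rule, and resolve hostnames once, failing closed if any record is internal and pinning the checked addresses for the actual connection. The hostnames and addresses used in the test data are constructed.

```python
import ipaddress
import socket

# Shared address space (RFC 6598), used by many ISPs and CPE on the endpoint's
# WAN side; Python's is_private does not consistently cover it, so check it explicitly.
_CGNAT = ipaddress.ip_network("100.64.0.0/10")


def is_internal(addr: str) -> bool:
    """True if addr is private, loopback, link-local, multicast, reserved,
    unspecified or CGNAT. IPv4-mapped IPv6 (::ffff:10.0.0.1) is unwrapped
    first so it cannot slip past an IPv4-only rule."""
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    if isinstance(ip, ipaddress.IPv4Address) and ip in _CGNAT:
        return True
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def default_resolver(host: str):
    """Every address a name maps to (A and AAAA), so none is left unchecked."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def check_destination(host: str, resolver=default_resolver):
    """Decide whether the proxy may open a connection to `host` for a customer.

    Returns (allowed, addresses, reason). On allow, `addresses` is the list the
    caller must connect to as-is: resolving the name a second time would let an
    attacker repoint it at a LAN address between check and connect (DNS rebinding).
    """
    host = host.strip("[]")  # bracketed IPv6 literal as seen in CONNECT targets
    try:
        literal = ipaddress.ip_address(host)
    except ValueError:
        literal = None

    if literal is not None:
        if is_internal(str(literal)):
            return False, [], f"literal address {literal} is internal"
        return True, [str(literal)], "public literal"

    try:
        addrs = resolver(host)
    except OSError as exc:  # socket.gaierror is a subclass of OSError
        return False, [], f"resolution failed: {exc}"
    if not addrs:
        return False, [], "name resolved to nothing"
    bad = [a for a in addrs if is_internal(a)]
    if bad:
        # Fail closed on a partial match: a name mixing public and private
        # records is exactly what a rebinding or split-horizon trick looks like.
        return False, [], f"{host} resolves to internal address(es) {bad}"
    return True, addrs, "all resolved addresses public"


if __name__ == "__main__":
    for target in ("192.168.1.1", "::ffff:10.0.0.5", "[::1]", "100.64.3.3", "1.1.1.1"):
        print(target, check_destination(target))
```

The filter deliberately denies the whole of 169.254.0.0/16, not just the LAN: on cloud-hosted endpoints that range carries instance metadata services, and the same proxy abuse that reaches a TV box on a home network reaches those too.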
However, the source of the Badbox 2.0 screenshot revealed that the Kimwolf botmasters possessed an "ace up their sleeve": clandestine access to the Badbox 2.0 botnet control panel. "Dort has gotten unauthorized access," the source stated. "So, what happened is normal proxy providers patched this. But Badbox doesn’t sell proxies by itself, so it’s not patched. And as long as Dort has access to Badbox, they would be able to load the Kimwolf malware directly onto TV boxes associated with Badbox 2.0." While the exact method of Dort’s infiltration into the Badbox botnet panel remains unclear, it is highly probable that their unauthorized access will be short-lived. All recipients of the screenshot, including the QQ.com email addresses listed in the control panel and the rogue "ABCD" account, were notified of the apparent breach, suggesting that the operators of Badbox 2.0 are now aware of the intrusion. This revelation significantly advances the investigation into who is truly operating the Badbox 2.0 botnet, pointing towards individuals with deep ties to both the Kimwolf and Badbox ecosystems.