The shadowy operators behind the Kimwolf botnet, a sprawling network that has ensnared over two million devices, have inadvertently shed light on the perpetrators of Badbox 2.0, a massive China-based botnet. The Kimwolf crew recently shared a screenshot, apparently taken while they were logged into Badbox 2.0’s control panel, offering a crucial glimpse into the identities of those behind this extensive network. This development is particularly significant as both the FBI and Google have been actively investigating Badbox 2.0, and the bragging of the Kimwolf botmasters may have just handed them their most promising leads yet.

The Kimwolf botnet, first detailed in a KrebsOnSecurity report in early 2026, is known for its particularly invasive spread methods. It primarily targets unofficial Android TV streaming boxes, often marketed as a one-time purchase for unlimited access to pirated content. These devices, frequently lacking robust security, become fertile ground for Kimwolf’s malicious software. The January 8th report from KrebsOnSecurity, "Who Benefitted from the Aisuru and Kimwolf Botnets?", identified the alleged administrators of Kimwolf as individuals operating under the aliases "Dort" and "Snow." The recently surfaced screenshot, provided by a former associate of Dort and Snow, depicts seven authorized users of the Badbox 2.0 control panel. Notably, one account, listed as "ABCD" and logged in at the top right of the screenshot, is attributed to Dort, who seemingly managed to add their email address as a valid user of the Badbox 2.0 infrastructure.

Badbox 2.0’s history predates Kimwolf’s emergence. In July 2025, Google initiated a "John Doe" lawsuit against 25 unidentified defendants, accusing them of operating Badbox 2.0, a botnet encompassing over ten million unauthorized Android streaming devices involved in advertising fraud. Google outlined that Badbox 2.0 not only compromises devices before purchase but can also infect them through malicious apps downloaded from unofficial marketplaces. This legal action followed a June 2025 advisory from the FBI, warning of cybercriminals gaining unauthorized access to home networks by pre-installing malware on devices or by infecting them during the download of required applications containing backdoors. The FBI’s discovery of Badbox 2.0 stemmed from the disruption of the original Badbox campaign in 2024, which had been identified in 2023 and primarily comprised Android TV boxes compromised with backdoor malware before sale.

Initially, KrebsOnSecurity was skeptical of the Kimwolf botmasters' claim to have hacked the Badbox 2.0 botnet. However, a closer look at the QQ.com email addresses visible in the screenshot revealed a compelling connection.

Who Operates the Badbox 2.0 Botnet?

CATHEAD

The email address "[email protected]," listed as "Chen" in the Badbox 2.0 control panel, appears as a contact point for several China-based technology companies, including Beijing Hong Dake Wang Science & Technology Co Ltd., Beijing Hengchuang Vision Mobile Media Technology Co. Ltd., and Moxin Beijing Science and Technology Co. Ltd. The website associated with Beijing Hong Dake Wang, asmeisvip[.]net, was flagged in a March 2025 report by HUMAN Security as a distribution and management site for the Badbox 2.0 botnet. Similarly, moyix[.]com, linked to Beijing Hengchuang Vision Mobile, is also implicated.

Further investigation through the breach tracking service Constella Intelligence revealed that "[email protected]" had previously used the password "cdh76111." This password was also associated with two other email accounts: "[email protected]" and "[email protected]." Constella found that "[email protected]" registered an account on JD.com, China’s largest online retailer, in 2021 under the name "Chen Daihai." DomainTools.com confirms that Chen Daihai is present in the original registration records (dating back to 2008) for moyix[.]com, along with the email address "cathead@astrolink[.]cn." Astrolink[.]cn is also identified as a Badbox 2.0 domain in the HUMAN Security report. DomainTools further links "cathead@astrolink[.]cn" to the registration of over a dozen domains, including "vmud[.]net," another domain flagged by HUMAN Security in connection with Badbox 2.0.

XAVIER

An archived version of astrolink[.]cn from archive.org reveals it belongs to a mobile app development company named Beijing Astrolink Wireless Digital Technology Co. Ltd. A cached "Contact Us" page from 2007 lists Chen Daihai in the company’s technology department. The other individual featured on that page is Zhu Zhiyu, whose email address is "xavier@astrolink[.]cn."


The Badbox 2.0 control panel lists a user named "Mr.Zhu" associated with the email address "[email protected]." A search of this address in Constella reveals a JD.com account registered under the name Zhu Zhiyu. A distinctive password used for this account matches the password used by "[email protected]," which DomainTools identifies as the original registrant of astrolink[.]cn.

ADMIN

The first account listed in the Badbox 2.0 panel, "admin," registered in November 2020, used the email address "[email protected]." DomainTools links this email to the 2022 registration records for the domain guilincloud[.]cn, with the registrant name "Huang Guilin." Constella associates "[email protected]" with the Chinese phone number 18681627767. The open-source intelligence platform osint.industries confirms this phone number is linked to a Microsoft profile created in 2014 under the name Guilin Huang. Spycloud reports that this phone number was used in 2017 to create a Weibo account under the username "h_guilin."

The remaining three users and their associated QQ.com email addresses in the Badbox 2.0 control panel were also connected to individuals in China. However, these individuals, including Mr. Huang, did not exhibit any apparent ties to the entities established by Chen Daihai and Zhu Zhiyu, nor to any other corporate entities. None of these individuals responded to requests for comment. A mind map illustrating search pivots on email addresses, company names, and phone numbers strongly suggests a connection between Chen Daihai, Zhu Zhiyu, and Badbox 2.0.

UNAUTHORIZED ACCESS


The possibility that the Kimwolf botmasters have direct access to the Badbox 2.0 botnet control panel is a significant development. Kimwolf’s unique propagation technique involves tricking residential proxy services into relaying malicious commands to vulnerable devices on unsuspecting users’ local networks. These vulnerable devices are primarily Internet of Things (IoT) devices, such as unofficial Android TV boxes and digital photo frames, often lacking any built-in security or authentication, making them susceptible to compromise with a single command.

A previous research report highlighted that many residential proxy providers had taken steps to prevent their services from being abused for such local network probing. However, the source of the Badbox 2.0 screenshot indicated that the Kimwolf botmasters possessed an "ace up their sleeve": clandestine access to the Badbox 2.0 botnet control panel. The source stated, "Dort has gotten unauthorized access. So, what happened is normal proxy providers patched this. But Badbox doesn’t sell proxies by itself, so it’s not patched. And as long as Dort has access to Badbox, they would be able to load the Kimwolf malware directly onto TV boxes associated with Badbox 2.0."
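The relay-side fix the source alludes to ("normal proxy providers patched this"), as an added example that is not code from the original article or from any proxy provider: a destination filter that refuses to forward a client request to local or non-routable address ranges, and that checks every resolved address so a name returning both a public and a LAN address is rejected. The blocked range list, the sample hostnames and the injectable resolver are assumptions constructed for illustration.

```python
import ipaddress
import socket

# Ranges a relay must never forward a client request to (assumption: RFC 1918,
# loopback, link-local, CGNAT, and the IPv6 unique-local/link-local equivalents).
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10",
)]


def is_blocked_address(addr: str) -> bool:
    """True if the IP literal addr falls inside a blocked range."""
    ip = ipaddress.ip_address(addr)
    # Unwrap IPv4-mapped IPv6 (::ffff:192.168.1.1) so the v4 rules still apply.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in BLOCKED_NETWORKS)


def _system_resolver(host: str) -> list:
    return sorted({ai[4][0] for ai in socket.getaddrinfo(host, None)})


def destination_allowed(host: str, resolver=_system_resolver) -> tuple:
    """Return (allowed, addresses) for a requested destination host.

    Every resolved address must be routable; a single private answer rejects
    the request. The relay must then connect to one of these addresses rather
    than resolving the name again, otherwise a rebinding name could pass the
    check and resolve to a LAN address on connect. resolver is injectable so
    the check can be exercised offline.
    """
    try:
        addrs = [str(ipaddress.ip_address(host.strip("[]")))]  # IP literal
    except ValueError:
        addrs = resolver(host)
    allowed = bool(addrs) and not any(is_blocked_address(a) for a in addrs)
    return allowed, addrs


if __name__ == "__main__":
    # Constructed sample destinations; the fake resolver stands in for DNS.
    fake_dns = lambda h: {"cdn.example": ["203.0.113.9"],
                          "rebind.example": ["203.0.113.9", "192.168.1.20"]}.get(h, [])
    for target in ("192.168.1.1", "::ffff:10.0.0.7", "cdn.example", "rebind.example"):
        print(target, destination_allowed(target, resolver=fake_dns))
```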

The exact method by which Dort gained access to the Badbox botnet panel remains unclear. However, it is unlikely that Dort's unauthorized access will persist: notifications have been sent to the QQ.com email addresses listed in the control panel screenshot, including a copy of the image and inquiries about the rogue "ABCD" account.