The shadowy figures behind the disruptive Kimwolf botnet, which has ensnared over two million devices, have inadvertently provided crucial clues to the identity of the operators of Badbox 2.0, a massive China-based botnet. The Kimwolf cybercriminals recently shared a screenshot from the Badbox 2.0 control panel, revealing their access to this extensive network powered by malicious software often pre-installed on Android TV streaming boxes. This development has drawn the attention of both the FBI and Google, who are actively investigating Badbox 2.0, and the bragging of the Kimwolf operators may have just unmasked key players.

In January 2026, KrebsOnSecurity published an in-depth report titled "The Kimwolf Botnet is Stalking Your Local Network," detailing Kimwolf’s sophisticated and intrusive propagation methods. The report highlighted that the vast majority of Kimwolf-infected systems were unofficial Android TV boxes, frequently marketed as a one-time purchase solution for unlimited pirated movie and TV streaming. These devices, often lacking robust security, represent a prime target for botnet operators.

Further investigations in January 2026, detailed in the article "Who Benefitted from the Aisuru and Kimwolf Botnets?", cited multiple sources indicating that the current administrators of the Kimwolf botnet operate under the pseudonyms "Dort" and "Snow." Earlier this month, a former associate with close ties to Dort and Snow provided what they claimed was a screenshot taken by the Kimwolf botmasters while logged into the Badbox 2.0 botnet’s control panel. This screenshot, a partial view of which is presented here, displays seven authorized users of the control panel. Notably, one account, "ABCD," stands out. According to the source, this account, which was actively logged in and displayed in the top right of the screenshot, belongs to "Dort," who apparently discovered a method to add their email address as a valid user within the Badbox 2.0 botnet infrastructure.

The Badbox botnet has a significant history that predates Kimwolf’s emergence in October 2025. In July 2025, Google initiated a "John Doe" lawsuit against 25 unidentified defendants accused of operating Badbox 2.0. Google described this botnet as encompassing over ten million unsanctioned Android streaming devices engaged in widespread advertising fraud. The company’s legal filing detailed how Badbox 2.0 compromises various devices even before purchase and can also infect devices by compelling users to download malicious applications from unofficial marketplaces.

This legal action by Google followed a June 2025 advisory from the Federal Bureau of Investigation (FBI). The FBI’s warning alerted the public to cybercriminals gaining unauthorized access to home networks. This unauthorized access was achieved either by pre-configuring devices with malware before user purchase or by infecting devices during the download of essential applications that contained backdoors, typically during the initial setup process. The FBI further noted that Badbox 2.0 was identified after the original Badbox campaign, which primarily involved Android operating system devices (TV boxes) compromised with backdoor malware prior to sale, was disrupted in 2024. The original Badbox itself was first identified in 2023.

Who Operates the Badbox 2.0 Botnet?

Initially, KrebsOnSecurity harbored skepticism regarding the claim that the Kimwolf botmasters had successfully infiltrated the Badbox 2.0 botnet. However, this skepticism waned as an investigation into the origins and associations of the QQ.com email addresses visible in the provided screenshot began to yield compelling connections.

CATHEAD

A thorough online search for the email address [email protected], identified in the screenshot as belonging to a user named "Chen," revealed its association with several China-based technology companies. These include Beijing Hong Dake Wang Science & Technology Co Ltd., Beijing Hengchuang Vision Mobile Media Technology Co. Ltd., and Moxin Beijing Science and Technology Co. Ltd. The website for Beijing Hong Dake Wang Science, asmeisvip[.]net, was flagged in a March 2025 report by HUMAN Security as one of numerous sites linked to the distribution and management of the Badbox 2.0 botnet. Similarly, moyix[.]com, a domain associated with Beijing Hengchuang Vision Mobile, also appeared in this report.

An examination of breach tracking service Constella Intelligence uncovered that [email protected] had previously used the password "cdh76111." Further investigation using this password within Constella revealed it was also employed by two other email accounts: [email protected] and [email protected]. Constella’s data indicated that [email protected] registered an account on JD.com, China’s largest online retailer, in 2021 under the name "陈代海," which translates to "Chen Daihai." DomainTools.com records show that the name Chen Daihai is present in the original registration details (dating back to 2008) for moyix[.]com, along with the email address cathead@astrolink[.]cn. It is worth noting that astrolink[.]cn is also among the Badbox 2.0 domains identified in HUMAN Security’s 2025 report. DomainTools further indicates that cathead@astrolink[.]cn was used to register over a dozen domains, including vmud[.]net, another domain linked to Badbox 2.0 by HUMAN Security.
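The paragraphs above name four domains tied to Badbox 2.0 (asmeisvip[.]net and moyix[.]com from HUMAN Security's March 2025 report, plus astrolink[.]cn and vmud[.]net, which HUMAN also lists). A network defender's first use of such a list is a retrospective sweep of resolver logs. The Python below is an added example, not code from the article or from HUMAN Security: it refangs the indicators exactly as the article prints them, parses a constructed, hypothetical resolver log format (timestamp, client IP, query type, queried name), and matches on label boundaries so that a look-alike such as notvmud.net is not flagged.

```python
"""Flag DNS queries to domains the article associates with Badbox 2.0.

Added example; the indicator list contains only domains named on the
page, and the DNS log lines and their format are constructed here.
"""
import re

# Domains the article associates with Badbox 2.0, written defanged as on the page.
BADBOX_DOMAINS_DEFANGED = [
    "asmeisvip[.]net",
    "moyix[.]com",
    "astrolink[.]cn",
    "vmud[.]net",
]

# Constructed sample resolver log (hypothetical format:
# timestamp, client IP, query type, queried name).
SAMPLE_DNS_LOG = """\
2026-01-12T20:01:03Z 192.168.1.44 A time.android.com
2026-01-12T20:01:09Z 192.168.1.44 A cdn.asmeisvip.net
2026-01-12T20:02:15Z 192.168.1.44 A api.moyix.com.
2026-01-12T20:02:40Z 192.168.1.20 AAAA www.example.org
2026-01-12T20:03:02Z 192.168.1.44 A vmud.net
2026-01-12T20:03:30Z 192.168.1.61 A notvmud.net
"""

LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def refang(domain: str) -> str:
    """Turn the article's defanged form (example[.]com) into a real name."""
    return domain.replace("[.]", ".").lower().rstrip(".")


def matches_indicator(qname: str, indicators):
    """Return the indicator that qname equals or is a subdomain of, else None.

    Suffix matching is done on label boundaries so that 'notvmud.net'
    does not match 'vmud.net'.
    """
    name = qname.lower().rstrip(".")
    for ind in indicators:
        if name == ind or name.endswith("." + ind):
            return ind
    return None


def scan_dns_log(log_text: str, defanged_indicators=BADBOX_DOMAINS_DEFANGED):
    """Parse resolver log lines; return (client_ip, qname, indicator) hits."""
    indicators = [refang(d) for d in defanged_indicators]
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the sweep
        _ts, client, _qtype, qname = m.groups()
        ind = matches_indicator(qname, indicators)
        if ind:
            hits.append((client, qname.rstrip("."), ind))
    return hits


def clients_to_review(log_text: str):
    """Distinct client IPs that resolved any indicator, sorted for reporting."""
    return sorted({client for client, _, _ in scan_dns_log(log_text)})


if __name__ == "__main__":
    for client, qname, ind in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"{client} queried {qname} (matches {ind})")
    print("clients to review:", clients_to_review(SAMPLE_DNS_LOG))
```

A hit on a resolver log is a lead, not proof of infection: the device that resolved the name should be identified (in the sample, one client appears three times) and checked for the unsanctioned Android TV box profile the article describes before any conclusion is drawn.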

XAVIER


A cached version of astrolink[.]cn, preserved on archive.org, identifies the website as belonging to a mobile app development company named Beijing Astrolink Wireless Digital Technology Co. Ltd. An archived "Contact Us" page from around 2007 reveals a Chen Daihai listed as part of the company’s technology department. The other individual featured on this contact page is Zhu Zhiyu, whose email address is listed as xavier@astrolink[.]cn.

Observant readers will note that the user "Mr.Zhu" in the Badbox 2.0 panel utilized the email address [email protected]. A search for this address within Constella revealed a JD.com account registered under the name Zhu Zhiyu. A distinct password used by this account matches the password associated with [email protected]. DomainTools identifies [email protected] as the original registrant of astrolink[.]cn.

ADMIN

The very first account listed in the Badbox 2.0 control panel, designated as "admin" and registered in November 2020, used the email address [email protected]. DomainTools records show this email address associated with the 2022 registration of the domain guilincloud[.]cn, which lists the registrant name as "Huang Guilin."

Constella’s data links [email protected] to the China-based phone number 18681627767. The open-source intelligence platform osint.industries reveals that this phone number is connected to a Microsoft profile created in 2014 under the name Guilin Huang (黄桂林). The cyber intelligence platform Spycloud reports that this phone number was used in 2017 to create an account on the Chinese social media platform Weibo under the username "h_guilin."


The remaining three users listed in the Badbox 2.0 control panel, along with their corresponding QQ.com email addresses, were all connected to individuals residing in China. However, none of these individuals, nor Mr. Huang, exhibited any apparent connections to the entities established and operated by Chen Daihai and Zhu Zhiyu, nor to any corporate entities. Attempts to solicit comments from these individuals were unsuccessful. The provided mind map visually illustrates the intricate web of connections derived from pivots on email addresses, company names, and phone numbers, strongly suggesting a link between Chen Daihai, Zhu Zhiyu, and the Badbox 2.0 botnet.

The notion that the Kimwolf botmasters possess direct access to the Badbox 2.0 botnet is a significant development. Understanding its implications requires an appreciation of Kimwolf’s propagation methods. The Kimwolf operators devised a strategy to exploit residential proxy services, tricking them into relaying malicious commands to vulnerable devices situated behind the firewall on unsuspecting users’ local networks. The primary targets for Kimwolf are Internet of Things (IoT) devices, particularly unsanctioned Android TV boxes and digital photo frames that lack any discernible security or authentication mechanisms. In essence, any device accessible over a network can be compromised with a single command.

Earlier reports detailed research from proxy-tracking firm Synthient, which alerted eleven residential proxy providers to vulnerabilities in their endpoints that were being abused for local network probing and exploitation. While most of these affected proxy providers have since implemented measures to prevent such upstream access into residential networks, effectively hindering Kimwolf’s rapid spread, the source of the Badbox 2.0 screenshot revealed a crucial advantage held by the Kimwolf operators: clandestine access to the Badbox 2.0 botnet control panel.

"Dort has gotten unauthorized access," the source stated. "So, what happened is normal proxy providers patched this. But Badbox doesn’t sell proxies by itself, so it’s not patched. And as long as Dort has access to Badbox, they would be able to load the Kimwolf malware directly onto TV boxes associated with Badbox 2.0." The exact method by which Dort gained access to the Badbox botnet panel remains unclear. However, it is highly improbable that Dort’s current access will remain undetected for long. The QQ.com email addresses listed in the control panel have been sent a copy of the incriminating screenshot along with questions about the rogue "ABCD" account, so the operators now have the image in hand and are aware of the breach.