BADBOX 2.0 and the Kimwolf Nexus: Pre-Installed Malware in Consumer Hardware as Systemic Enterprise Threat Infrastructure

Authors: Cloud Security Alliance AI Safety Initiative
Published: 2026-03-10

Categories: IoT Security, Supply Chain Security, Threat Intelligence, Enterprise Security


Key Takeaways

Two converging Android botnet campaigns—BADBOX 2.0 and Kimwolf—have established what Google has characterized as the largest known botnet of internet-connected TVs ever documented [13], collectively reaching tens of millions of Android streaming boxes, tablets, digital projectors, and connected displays across 222 countries and territories [5]. What distinguishes these campaigns from conventional malware outbreaks is their supply chain origin: BADBOX 2.0 embeds the Triada modular backdoor directly in device firmware before devices leave Chinese manufacturing facilities, making infection invisible to users and irremovable through standard means. Kimwolf, a structurally separate botnet traced to operators using the handles “Dort” and “Snow,” subsequently compromised the BADBOX 2.0 control panel to leverage the existing infected fleet for its own operations—an adversary-against-adversary dynamic this note terms the “Kimwolf Nexus.”

The enterprise implications extend well beyond ad fraud and click abuse. Researchers at Infoblox found that approximately 25 percent of their enterprise customers had queried Kimwolf-associated command-and-control domains since October 2025 [1], spanning healthcare, finance, government, and education sectors. Kimwolf’s residential proxy exploitation model allows attackers to emerge from within corporate network perimeters by tunneling through infected devices present on guest networks or connected home environments, enabling lateral movement into otherwise protected internal infrastructure. Organizations that have assumed network perimeter controls provide meaningful isolation must now contend with the possibility that consumer devices within or adjacent to their networks serve as persistent footholds for further network access.


Background

The BADBOX Lineage and the Triada Connection

The BADBOX campaign was first documented in 2023, when researchers discovered that low-cost Android TV streaming boxes sold through mainstream retail channels arrived pre-infected with firmware-level backdoors. The core malicious component was the Triada modular backdoor, a sophisticated Android malware family capable of intercepting SMS messages, installing additional payloads, and providing persistent administrative access to remote operators. The distinguishing feature of the original BADBOX operation was its supply chain insertion mechanism: Triada was embedded in the read-only firmware partition before devices were packaged and shipped, meaning that standard factory resets and user-level interventions could not remove it.

BADBOX 2.0, disclosed in March 2025 by HUMAN Security’s Satori Threat Intelligence team in coordination with Google, Trend Micro, and Shadowserver [2], expanded the original campaign to an estimated one million devices worldwide at disclosure—with some estimates subsequently reaching ten million following Google’s July 2025 lawsuit against 25 unnamed Chinese entities [3]. The upgraded campaign retained the pre-installation vector while adding two additional infection pathways: backdoor delivery orchestrated from C2 servers contacted by vulnerable devices on first boot, and installation through malicious applications distributed by unofficial app marketplaces. The result is a multi-vector infection ecosystem in which a device can be compromised at the factory, at first network contact, or at the application layer—any one of which is sufficient to achieve persistent, irremovable control.

The device categories implicated in BADBOX 2.0 span a wide range of consumer hardware: generic Android TV streaming boxes, budget AOSP tablets and smartphones, digital projectors, connected vehicle infotainment systems, and digital picture frames [2]. These are not obscure or hard-to-find devices. Many appear for sale on Amazon, Walmart, Newegg, and BestBuy under non-certified branding, marketed to cost-conscious consumers seeking inexpensive streaming alternatives [4][11]. The FBI’s June 2025 Public Service Announcement (I-060525) specifically warned consumers about this retail distribution channel [4].

BADBOX 2.0 Operational Architecture

Infection analysis by HUMAN Security and Xlab researchers identified a layered execution model. The primary bootloader component, com.hs.app, loads a native library (libanl.so) that decrypts and executes two secondary payload archives (p.jar and q.jar) responsible for establishing C2 communications. Identified C2 domains include catmore88[.]com and ipmoyu[.]com [5]. The four operational groups identified in Google’s lawsuit—an infrastructure group managing C2 systems, a backdoor group responsible for firmware-level pre-installation, an “evil twin” group creating fraudulent application replicas, and an “ad games” group deploying fake gaming applications to generate hidden ad impressions—illustrate the operational maturity of the campaign [3].

Monetization follows several parallel streams. Infected devices serve as nodes in a residential proxy network whose operators sell access to third parties, enabling customers to route traffic through what appear to be legitimate home and business IP addresses. The botnet simultaneously conducts click fraud by navigating infected devices to attacker-controlled domains and clicking ads, and ad fraud through hidden WebViews that load advertisements without user awareness. Researchers also documented payloads capable of programmatically creating accounts, collecting credentials, and executing arbitrary code on command [2].

The Kimwolf Botnet and Its Emergence

Kimwolf entered public documentation when Xlab’s threat intelligence team published their analysis following receipt of a version 4 artifact on October 24, 2025 [6]. By early December 2025, the botnet had established approximately 1.8 million active infected devices [6][10], with peak daily activity reaching 1.83 million unique IP addresses on December 4, 2025 [6]. Geographic distribution skewed toward Brazil (14.63%), India (12.71%), the United States (9.58%), and Argentina (7.19%), with representation across five continents [6]. By January 2026, independent reporting tracked the infected count above 2 million devices [7].

Kimwolf’s technical architecture draws heavily from the Mirai botnet codebase while adding considerable operational sophistication. The malware achieves persistence through a malicious Android boot receiver that ensures execution on every device startup, with root privilege acquisition via the su command providing unrestricted device control [6]. Command-and-control communication employs DNS-over-TLS to conceal C2 domain lookups from network inspection tools, XOR-encodes resolved IP addresses using hardcoded keys, and—in a notable infrastructure evolution—migrated to Ethereum Name Service (ENS) blockchain domains to store C2 addressing in a system immune to traditional takedown requests [6]. The botnet’s bidirectional authentication uses Elliptic Curve Digital Signature verification requiring a three-stage handshake before devices accept commands, reducing the risk of rival operators issuing competing instructions.

The attack capabilities documented by researchers include 13 distinct DDoS attack methods, TCP and UDP proxy forwarding (accounting for 96.5% of observed command traffic), reverse shell access, and file management operations [6]. Between November 19 and 22, 2025, Kimwolf issued approximately 1.7 billion DDoS commands over three days [6]. Cloudflare’s Q4 2025 DDoS Threat Report documented attack volumes attributed to the Aisuru-Kimwolf infrastructure reaching a peak of 31.4 Tbps on December 19, 2025—among the largest volumetric attacks recorded to date [14].


Security Analysis

The Kimwolf Nexus: Adversarial Cross-Contamination

The relationship between BADBOX 2.0 and Kimwolf introduces a threat dynamic that merits specific attention: the unauthorized co-option of one criminal infrastructure by another. Krebs on Security’s investigation of the BADBOX 2.0 operator network identified Chen Daihai and Zhu Zhiyu as key figures, with a third operator, Huang Guilin, connected to the initial administrative account creation in November 2020 [8]. The same investigation established that the Kimwolf operators—working under the handles “Dort” and “Snow”—had obtained unauthorized access to the BADBOX 2.0 control panel [8]. The specific access mechanism was not publicly confirmed; researchers inferred credential compromise from earlier breaches as the probable vector. With panel access established, Dort and Snow were positioned to push Kimwolf malware directly to the ten-million-device BADBOX 2.0 fleet [8].

This adversarial layering creates compounded risk for defenders. A device enrolled in BADBOX 2.0 represents a known threat model: ad fraud, proxy abuse, and credential collection. A device subsequently loaded with Kimwolf becomes a participant in massive volumetric DDoS attacks and a proxy pivot point for network-level intrusion. The control plane compromise also demonstrates that large-scale botnet infrastructure, once established, attracts secondary exploitation by other threat actors who recognize the value of a pre-built, pre-distributed, pre-authenticated device fleet. Organizations monitoring for known BADBOX indicators may have no visibility into Kimwolf’s subsequent loading, and vice versa.

Enterprise Infiltration Through the Residential Proxy Vector

The mechanism through which consumer IoT botnets become enterprise threats is more direct than organizations typically appreciate. Kimwolf’s residential proxy exploitation model functions as follows: infected devices join proxy networks and are made available for rent, allowing paying customers to route their traffic through those devices’ network connections. An attacker who selects a proxy endpoint located within a corporate network—which occurs when an employee brings an infected device to the office, or when an infected device is on a guest wireless network—can route intrusion activity through a source IP address that resolves to a trusted internal network range.

Riley Kilmer, co-founder of Spur Intelligence Corporation, described this precisely: if proxy infections exist within a corporate network, an attacker can select that network as a traffic exit point and then locally pivot to other internal systems [1]. By early December 2025, Kimwolf had established a near-complete overlap with IP addresses offered for rent by the IPIDEA China-based residential proxy service, which itself had routed traffic through approximately 8,000 addresses associated with U.S. and foreign government networks [1]. Spur’s analysis found that Kimwolf-associated addresses had touched 298 government networks, 318 utility companies, 166 healthcare organizations, and 141 financial institutions [1].

The Android Debug Bridge (ADB) vulnerability compounds this risk. Many unofficial Android TV boxes ship with ADB mode enabled by default. An attacker who has established a network-level presence through a residential proxy foothold can issue adb connect [IP]:5555 to any device on that network with ADB exposed, gaining unrestricted administrative access without authentication [9]. This creates a lateral movement pathway from a single infected streaming device to other consumer-grade IoT equipment on the same network segment.

Supply Chain Persistence and the Limits of Disruption

The March 2025 HUMAN Security disruption sinkholed beaconing traffic from approximately 500,000 devices—an estimated 5 percent of the total infected population—while leaving the underlying supply chain mechanism intact [2][12]. HUMAN’s own researchers acknowledged that disruption efforts “cannot dismantle the supply chain that enables these threat actors to implant the backdoor into devices destined for consumer hands” [2]. The Triada backdoor’s placement in the non-writable firmware partition means that, absent a manufacturer-issued firmware replacement, the physical device population already in circulation cannot be remediated through standard software updates. Affected devices remain compromised unless their firmware is manually reflashed—a process requiring technical expertise and specialized tools that most affected consumers are unlikely to undertake—or the device is physically replaced.

The supply chain insertion mechanism itself has not been publicly attributed to a specific point in the manufacturing process. Devices implicated in BADBOX 2.0 are manufactured in mainland China and distributed globally, but the firmware modification may occur at the component supplier level, the assembly level, or the distribution level. This ambiguity makes audit-based prevention difficult: a device purchased through an established retail channel may have transited multiple custody points at which malicious firmware could have been introduced. The FBI noted that BADBOX and BADBOX 2.0 threat actors exploit “software or hardware supply chains or distribute seemingly benign applications that contain ‘loader’ functionality” [4], but the specific factory or intermediary responsible for firmware pre-installation has not been publicly identified.

Monetization, Capability Escalation, and Future Risk

The BADBOX 2.0 and Kimwolf campaigns operate on a dual monetization model that combines relatively low-risk fraud operations with high-capability-but-higher-risk attack infrastructure. The ByteConnect SDK component identified in Kimwolf deployments generates advertising revenue across the infected fleet—researchers projected approximately $88,200 monthly from 1.8 million devices [6]—while the DDoS and proxy forwarding capabilities provide a separate revenue stream through attack-as-a-service and bandwidth resale. This financial diversification makes the operations resilient: even if one monetization channel is disrupted, others continue generating revenue.

Among the documented capabilities, arbitrary code execution presents the broadest potential for future harm, as it is not constrained to the threat actors’ current commercial priorities. The current operational focus on fraud reflects the threat actors’ present commercial objectives, but the same infrastructure that today delivers hidden ads could tomorrow deliver ransomware, network reconnaissance tools, or persistent access utilities. The scale of ten million or more pre-positioned devices across 222 countries and territories represents an attack infrastructure whose full destructive potential has not been exercised. Defenders should not assess risk based on observed behavior alone; the gap between current usage and maximum capability is substantial.


Recommendations

Immediate Actions

Organizations should audit their guest wireless networks and any consumer IoT devices—including streaming boxes, smart displays, digital signage, and connected projectors—connected to corporate infrastructure. Any Android-based device from an unrecognized or budget manufacturer, particularly those purchased through third-party marketplace listings, should be treated as potentially compromised pending verification. Where network segmentation permits, such devices should be isolated from production networks and internal systems.

Security operations teams should add BADBOX 2.0 and Kimwolf indicators of compromise to detection rulesets, including the identified C2 domains (catmore88[.]com, ipmoyu[.]com), DNS-over-TLS queries to unusual resolvers, and network traffic patterns consistent with proxy forwarding to RFC-1918 address ranges. The Shadowserver Foundation and HUMAN Security have published sinkhole data and indicator lists that can supplement commercial threat intelligence feeds.

Network administrators should audit for exposed ADB interfaces (TCP port 5555) across all network segments, including guest and IoT VLANs. ADB should be disabled or firewalled on any device where it is not operationally required, as an exposed ADB port on any device co-located with an infected proxy node creates a direct lateral movement pathway.
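The three detection items above (known C2 domains, DNS-over-TLS to unsanctioned resolvers, and guest-segment devices reaching internal RFC-1918 space) and the ADB port audit can be expressed as a single triage pass over DNS and flow logs. The script below is an added example written for this note, not code from CSA, HUMAN Security, or any of the cited researchers. The log line formats, the `10.50.0.0/16` guest/IoT segment, the `10.0.0.53` sanctioned resolver, and every sample log line are constructed for illustration; only the two C2 domains come from the note, re-fanged from the `[.]` notation.

```python
"""Triage constructed DNS and flow logs for BADBOX 2.0 / Kimwolf indicators.

Added example for the CSA note; assumptions are marked inline.
"""
import ipaddress
import re
from dataclasses import dataclass

# Indicators taken from the note (re-fanged from catmore88[.]com, ipmoyu[.]com).
C2_DOMAINS = {"catmore88.com", "ipmoyu.com"}

# ASSUMPTIONS (constructed for this example): the organisation's sanctioned
# DNS-over-TLS resolver, the guest/IoT segment, and internal services that the
# guest segment is allowed to reach (here only the resolver itself).
APPROVED_DOT_RESOLVERS = {"10.0.0.53"}
IOT_SEGMENT = ipaddress.ip_network("10.50.0.0/16")
ALLOWED_INTERNAL = {("10.0.0.53", 853), ("10.0.0.53", 53)}

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ADB_PORT = 5555   # Android Debug Bridge over TCP, as described in the note
DOT_PORT = 853    # DNS-over-TLS

# Constructed log formats (not any vendor's real format).
DNS_RE = re.compile(r"^(?P<ts>\S+) dns client=(?P<client>[^:\s]+) qname=(?P<qname>\S+)$")
FLOW_RE = re.compile(
    r"^(?P<ts>\S+) flow proto=(?P<proto>tcp|udp) "
    r"src=(?P<src>[^:\s]+):(?P<sport>\d+) dst=(?P<dst>[^:\s]+):(?P<dport>\d+)$"
)


@dataclass
class Finding:
    rule: str    # which detection fired
    host: str    # the device the finding is about (the one to isolate/inspect)
    detail: str  # supporting context


def _is_rfc1918(ip: ipaddress.IPv4Address) -> bool:
    return any(ip in net for net in RFC1918)


def _matches_c2(qname: str) -> bool:
    """True for the C2 domain itself or any subdomain of it."""
    q = qname.rstrip(".").lower()
    return q in C2_DOMAINS or any(q.endswith("." + d) for d in C2_DOMAINS)


def analyze(lines):
    """Return a list of Finding objects, in log order."""
    findings = []
    for line in lines:
        m = DNS_RE.match(line)
        if m:
            if _matches_c2(m["qname"]):
                findings.append(Finding("badbox_c2_domain", m["client"], m["qname"].rstrip(".")))
            continue
        m = FLOW_RE.match(line)
        if not m:
            continue  # unknown line shape; a real pipeline would count these
        src = ipaddress.ip_address(m["src"])
        dst = ipaddress.ip_address(m["dst"])
        dport = int(m["dport"])
        proto = m["proto"]
        # DNS-over-TLS to a resolver the organisation does not sanction.
        if proto == "tcp" and dport == DOT_PORT and str(dst) not in APPROVED_DOT_RESOLVERS:
            findings.append(Finding("dot_to_unapproved_resolver", str(src), f"{dst}:{DOT_PORT}"))
        # Any connection to TCP/5555: the *destination* is the device with ADB exposed.
        if proto == "tcp" and dport == ADB_PORT:
            findings.append(Finding("adb_port_5555", str(dst), f"connection from {src}"))
        # Guest/IoT device reaching internal RFC-1918 space outside its own segment,
        # the pattern expected from proxy forwarding into the corporate network.
        if (src in IOT_SEGMENT and _is_rfc1918(dst) and dst not in IOT_SEGMENT
                and (str(dst), dport) not in ALLOWED_INTERNAL):
            findings.append(Finding("iot_to_internal_rfc1918", str(src), f"-> {dst}:{dport}"))
    return findings


def hosts_to_isolate(findings) -> list:
    """Distinct hosts named by any finding, sorted for a ticket or ACL change."""
    return sorted({f.host for f in findings})


# Constructed sample logs: one guest-segment streaming box (10.50.3.21) showing
# all four behaviours, plus benign traffic that must not fire.
SAMPLE_LOGS = [
    "2026-01-12T08:00:01Z dns client=10.50.3.21 qname=catmore88.com.",
    "2026-01-12T08:00:02Z dns client=10.50.3.21 qname=cdn.example-streaming.net.",
    "2026-01-12T08:00:05Z flow proto=tcp src=10.50.3.21:41022 dst=203.0.113.7:853",
    "2026-01-12T08:00:06Z flow proto=tcp src=10.50.3.21:41023 dst=10.0.0.53:853",
    "2026-01-12T08:00:09Z flow proto=tcp src=10.50.3.21:41100 dst=10.20.1.15:445",
    "2026-01-12T08:00:10Z flow proto=tcp src=10.50.3.40:50200 dst=10.50.3.21:5555",
    "2026-01-12T08:00:11Z flow proto=udp src=10.50.3.21:5000 dst=10.50.3.99:5000",
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOGS):
        print(f"{f.rule:28} host={f.host:12} {f.detail}")
    print("isolate:", hosts_to_isolate(SAMPLE_LOGS and analyze(SAMPLE_LOGS)))
```

On the constructed sample, the guest-segment box fires all four rules while the sanctioned-resolver lookup and the intra-segment UDP flow stay quiet. The `adb_port_5555` rule deliberately names the destination rather than the source, since the device answering on 5555 is the one that needs ADB disabled or firewalled; in production the sanctioned-resolver and allowed-service sets would be populated from the organisation's own configuration rather than the placeholders used here.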

Short-Term Mitigations

Procurement policies should be updated to require Android device certification through Google’s Android TV certification program or equivalent vendor certification for any connected device introduced to organizational environments. Uncertified AOSP devices cannot receive security patches through standard update mechanisms and are the specific device category targeted by BADBOX 2.0 supply chain compromise.

Organizations relying on residential proxy services for legitimate purposes—network testing, geographic content verification, or similar—should evaluate whether the proxy providers they use maintain adequate controls over their device pools. Infoblox’s finding that IPIDEA proxy infrastructure was substantially co-opted by Kimwolf suggests that residential proxy services warrant specific vetting before use in corporate contexts.

Employee-owned devices that connect to corporate guest networks should be subject to posture assessment where feasible, particularly Android TV boxes and similar consumer streaming hardware. Security awareness communications should inform employees of the risk and advise against connecting unverified streaming devices to any network that touches organizational infrastructure.

Strategic Considerations

The BADBOX 2.0 campaign illustrates that supply chain security in the IoT space requires a fundamentally different posture than software supply chain security. While software packages are amenable to pre-deployment scanning for known signatures, hardware firmware is typically distributed without independent verification mechanisms—and even software supply chain controls have proven insufficient against sophisticated build-time compromise, as post-SolarWinds experience has demonstrated. Organizations with significant IoT footprints—whether managed devices or devices present in employee home environments that connect to corporate VPNs—should assess whether their current supply chain assurance processes are adequate for hardware-level threat models.

The Kimwolf Nexus dynamic—where one criminal group co-opts another’s compromised device fleet—points to a broader systemic concern: large-scale consumer IoT compromise does not remain under the control of its original operators. As botnet infrastructure becomes more valuable, it attracts secondary exploitation by actors with different capabilities and objectives. An enterprise that assesses BADBOX 2.0 risk based solely on the fraud-focused operations of its known operators may not adequately account for the DDoS and intrusion capabilities layered on by secondary actors like Kimwolf. Threat intelligence programs should track not only known botnet operators but the transfer and co-option of botnet infrastructure as an indicator of capability escalation.


CSA Resource Alignment

The threat infrastructure described in this note maps directly to several Cloud Security Alliance frameworks and guidance documents. The supply chain compromise vector—malware pre-installed in firmware before consumer delivery—is addressed within CCM (Cloud Controls Matrix) control domain STA (Supply Chain Management, Transparency, and Accountability), specifically controls STA-09 (Supply Chain Inventory) and STA-12 (Supply Chain Risk Management), which call for vendor risk assessment and contractual security requirements extending to hardware suppliers and component manufacturers. Organizations procuring connected devices for enterprise use should incorporate CCM STA controls into their IoT procurement standards.

The residential proxy lateral movement threat is relevant to CSA’s Zero Trust guidance, which emphasizes that network perimeter controls alone cannot provide adequate security assurance. The premise that internal network IP addresses are inherently trustworthy—which Kimwolf’s proxy exploitation directly invalidates—is precisely the assumption Zero Trust architecture is designed to eliminate. Organizations implementing Zero Trust should extend device identity and posture validation requirements to IoT and consumer-grade devices present on any network segment that could reach internal resources.

CCM’s Infrastructure and Virtualization Security (IVS) domain, particularly IVS-07 (Network Security), and the Threat and Vulnerability Management (TVM) domain are directly applicable to the ADB exploitation pathway. TVM controls require organizations to identify and remediate exposed services; ADB on port 5555 represents exactly the kind of unintended service exposure these controls target.

The MAESTRO framework for agentic AI threat modeling is relevant in a forward-looking sense: as AI agents gain the ability to interact with IoT endpoints for automation and management purposes, the presence of compromised proxy infrastructure on the same network segments as AI orchestration systems creates a theoretical pathway for adversarial manipulation of agent behavior. This threat vector has not yet been documented in practice, but organizations deploying AI agents in environments where consumer IoT devices are present should evaluate whether agent isolation from those network segments is warranted as a precautionary measure.

STAR (Security Trust Assurance and Risk) program submissions from IoT device manufacturers and cloud-connected device platforms should be evaluated for supply chain attestation—specifically whether manufacturers conduct firmware integrity verification prior to device distribution.


References

  1. Infoblox / Krebs on Security, “Kimwolf Botnet Lurking in Corporate, Govt. Networks,” Krebs on Security, January 2026. https://krebsonsecurity.com/2026/01/kimwolf-botnet-lurking-in-corporate-govt-networks/

  2. HUMAN Security Satori Threat Intelligence Team, “Satori Threat Intelligence Disruption: BADBOX 2.0 Targets Consumer Devices with Multiple Fraud Schemes,” HUMAN Security, March 2025. https://www.humansecurity.com/learn/blog/satori-threat-intelligence-disruption-badbox-2-0/

  3. Google / The Hacker News, “Google Sues 25 Chinese Entities Over BADBOX 2.0 Botnet Affecting 10M Android Devices,” The Hacker News, July 2025. https://thehackernews.com/2025/07/google-sues-25-chinese-entities-over.html

  4. Federal Bureau of Investigation, “Home Internet Connected Devices Facilitate Criminal Activity,” FBI Internet Crime Complaint Center Public Service Announcement I-060525, June 5, 2025. https://www.ic3.gov/PSA/2025/PSA250605

  5. Point Wild Threat Intelligence, “BADBOX 2.0: A Global IoT Botnet Threat,” Point Wild, 2025. https://www.pointwild.com/threat-intelligence/badbox-2-0-a-global-iot-botnet-threat/

  6. Xlab / QiAnXin, “Kimwolf Exposed: The Massive Android Botnet with 1.8 Million Infected Devices,” Xlab Blog, December 2025. https://blog.xlab.qianxin.com/kimwolf-botnet-en/

  7. The Hacker News, “Kimwolf Android Botnet Infects Over 2 Million Devices via Exposed ADB and Proxy Networks,” The Hacker News, January 2026. https://thehackernews.com/2026/01/kimwolf-android-botnet-infects-over-2.html

  8. Krebs on Security, “Who Operates the Badbox 2.0 Botnet?” Krebs on Security, January 2026. https://krebsonsecurity.com/2026/01/who-operates-the-badbox-2-0-botnet/

  9. Krebs on Security, “The Kimwolf Botnet is Stalking Your Local Network,” Krebs on Security, January 2026. https://krebsonsecurity.com/2026/01/the-kimwolf-botnet-is-stalking-your-local-network/

  10. SecurityWeek, “‘Kimwolf’ Android Botnet Ensnares 1.8 Million Devices,” SecurityWeek, December 2025. https://www.securityweek.com/kimwolf-android-botnet-ensnares-1-8-million-devices/

  11. Help Net Security, “Millions of Android Devices Roped into Badbox 2.0 Botnet,” Help Net Security, June 6, 2025. https://www.helpnetsecurity.com/2025/06/06/millions-of-android-devices-roped-into-badbox-2-0-botnet-is-yours-among-them/

  12. HUMAN Security, “HUMAN, FBI, and Partners Take Action Against BADBOX 2.0,” HUMAN Security, March 2025. https://www.humansecurity.com/learn/blog/badbox-2-fbi-psa/

  13. Inland Cyber Defense Clinic, “BADBOX 2.0 Case Study: Google’s July 2025 Lawsuit Against the Botnet Infecting 10 Million Residential Android Open-Source IoT Devices,” Claremont Graduate University ICDC, July 19, 2025. https://research.cgu.edu/icdc/2025/07/19/badbox-2-0-case-study/

  14. Cloudflare, “DDoS Threat Report for 2025 Q4,” Cloudflare Blog, January 2026. https://blog.cloudflare.com/ddos-threat-report-2025-q4/
