1 malware family

BadBox 2.0 Enterprise

Also known asbadbox_20_enterprise

BadBox 2.0 Enterprise is the name used by Google (in a July 2025 “John Doe” lawsuit against 25 unidentified defendants) to describe an ecosystem/botnet of over ten million Android streaming devices engaged in advertising fraud. The content describes BADBOX 2.0 as infecting/compromising devices via required downloads of malicious apps from unofficial marketplaces during device setup, and as being associated with residential proxy services used for malicious activity. The FBI (June 2025 advisory) is cited warning that cybercriminals can gain unauthorized access to home networks via IoT devices preloaded with malicious software or infected during setup through required apps containing backdoors; compromised devices can become part of the BADBOX 2.0 botnet and be leveraged as residential proxies. The content further states BADBOX 2.0 was discovered after disruption of the original BADBOX campaign (original identified in 2023 as devices compromised prior to purchase; disrupted in 2024). BadBox 2.0 is also described as being used as a distribution platform for IPidea (described as a China-based entity and a rebrand of 911S5 Proxy), with proxy traffic destinations linked to ad fraud and credential stuffing/account takeover attempts.

Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial

MITRE ATT&CK

Tradecraft

1 distinct technique observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

ARSENAL

Associated malware families

1 malware family attributed to this actor across reporting.

FamilyContextEvidenceLast seen

BADBOX 2.0"Google filed a 'John Doe' lawsuit ... against ... the 'BadBox 2.0 Enterprise,' which Google described as a botnet of over ten million unsanctioned Android streaming devices engaged in advertising fraud."1Mar 3, 2026

ACTIVITY FEED

Recent activity

2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

2 SOURCESView more in app

krebs on securityNews

Jan 2, 2026

The Kimwolf Botnet is Stalking Your Local Network - Krebs on Security

Botnet/ecosystem involving pre-compromised unsanctioned Android streaming devices and malicious app distribution via unofficial marketplaces; primarily used for advertising fraud and also associated with broader fraud/abuse (e.g., account takeovers, scraping) per investigations referenced.

krebs on securityNews

Nov 24, 2025

Is Your Android TV Streaming Box Part of a Botnet?

BadBox 2.0 Enterprise is a botnet operation leveraging compromised Android streaming devices to conduct advertising fraud and facilitate residential proxy services used for further cybercrime, including account takeovers and credential stuffing.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.

Start free trial

Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping1

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal1

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables

Domains, IPs, and hashes tied to this actor, refreshed continuously.