BadBox
BADBOX, also referred to as BADBOX 2.0, is an Android/IoT botnet and malware operation centered on off-brand, uncertified, China-made devices, especially Android TV boxes and other Android Open Source Project-based devices. The original BADBOX was identified in 2023 and primarily involved Android devices that were compromised with backdoor malware prior to purchase, indicating supply-chain preinstallation. Subsequent reporting states BADBOX 2.0 was discovered after disruption of the original campaign in 2024. The operation has been described as compromising millions of devices; Google said BADBOX 2.0 compromised more than 10 million uncertified devices, and the FBI warned that millions of smart-TV boxes and other IoT devices were affected. Devices were reportedly enrolled either before purchase or through backdoored applications during setup. Reporting also links BADBOX 2.0 to residential proxy monetization, including use of compromised residential gateways for fraud and other criminal activity. Google stated that IPIDEA SDKs played a key role in adding devices to the BADBOX 2.0 botnet, and that trojanized applications and preinstalled components were used to turn devices into residential proxy exit nodes, often without user knowledge. Google filed a lawsuit in July 2025 against the operators of the BADBOX 2.0 botnet. BADBOX 2.0 has also been referenced in adjacent fraud research: HUMAN noted that HTML5-based cashout site patterns seen in the Trapdoor Android ad-fraud operation had previously been observed in clusters tracked as SlopAds, Low5, and BADBOX 2.0. Additional reporting places BADBOX among competing criminal Android TV botnet ecosystems alongside Bigpanzi, Kimwolf/Aisuru, and Vo1d, collectively affecting more than 15 million compromised Android TV devices globally. The content includes references describing BADBOX 2.0 as a Chinese-nexus botnet/family, but does not provide high-confidence attribution to a specific state sponsor. Known aliases in the provided content are badbox and badbox_20.
Know when an actor pivots toward your sector
Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.
Tradecraft
4 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.
Recent activity
9 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Prior threat cluster associated with HTML5-based cashout sites in ad fraud and malvertising activity.
Android device botnet/malware operation relying on supply-chain compromise through pre-installed malware in factory firmware, with ad fraud as a stated focus.
Botnet operation leveraging uncertified Android Open Source Project (AOSP) devices at scale; IPIDEA residential proxy SDKs were used to help add devices and enable proxying/abuse of victim IPs.
Botnet family associated in the content with a Chinese nexus; described in the context of being managed via a control panel and used in the broader shift from DDoS-style botnets to monetized residential proxy networks; reportedly had its control infrastructure taken over by Kimwolf operators.
The version that knows your environment.
Match sector + geo + tech-stack targeting against your real footprint.
Every observed MITRE ATT&CK technique, grouped by tactic.
Families this actor is known to deploy, with IOCs and behavior.
CVEs this actor has used in known campaigns.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Domains, IPs, and hashes tied to this actor, refreshed continuously.