Article Details
Scrape Timestamp (UTC): 2025-06-11 06:34:56.258
Source: https://www.theregister.com/2025/06/11/badbox_round_three/
Original Article Text
CISO who helped unmask Badbox warns: Version 3 is coming

The botnet's still alive and evolving

Badbox 2.0, the botnet that infected millions of smart TV boxes and connected devices before private security researchers and law enforcement partially disrupted its infrastructure, is readying for a third round of fraud and digital attacks, according to one of the threat hunters who uncovered the original scheme.

"We continue to try and shut them off wherever we can — that hasn't stopped," Human Security CISO Gavin Reid told The Register, referring to his team's ongoing collaboration with the FBI, Google, and others to disrupt the botnet.

Badbox was first identified in 2022 as a malware campaign targeting Android-based devices preloaded with backdoors. Human Security's Satori researchers helped disrupt the operation by taking down its ad-fraud infrastructure and command-and-control servers in late 2022 and early 2023, before the botnet came roaring back even bigger and more sophisticated in early 2025 as Badbox 2.0.

This nastier variant infects devices both before and after sale, and is either baked into the firmware or delivered via shady app installs. It targets cheap kit like streaming boxes, projectors, and infotainment systems, mostly made in China with minimal support and short lifespans.

The German government seized and sinkholed the botnet's command-and-control servers last December, and in March, Human Security's Satori researchers disclosed details about the Badbox 2.0 operation. Since then, Shadowserver has sinkholed nearly 3 million Badbox 2.0 command-and-control domains, rerouting the malicious traffic to its own infrastructure instead of the criminals' servers.

But just last week, the FBI issued a Public Service Announcement warning consumers that cybercriminals continue to exploit these uncertified Android devices to expand the Badbox 2.0 botnet and residential-proxy infrastructure.

"Every couple of years people buy new devices, and we expect there will be a Badbox 3 - we're following up on a number of different leads," Reid said.

"I can't give you details on the specifics, but we've seen stuff that we think is linked on a newer version of a hardware platform that we're currently purchasing and getting in the lab," he continued. "Unfortunately, until there's less demand for cheap Android network devices, this is going to be something that the threat actors abuse to continue to make money."

Leaning into residential proxy services, vo1d2 backdoors

Human's VP of threat intel, Lindsay Kaye, told The Register that since Satori published its research three months ago, the botnet operators seem to have "reduced their support for the ad-fraud portions of the operation and really leaned into residential proxy."

This is especially concerning because it allows the criminals to use real IP addresses that ISPs have assigned to residential users, which makes the network traffic appear legitimate. The crims can then use this access to launch distributed denial of service (DDoS) and other attacks from the infected device, or sell access to the device's IP address to other miscreants without the user's knowledge.

In its March research, the security outfit observed account takeovers, fake account creations, credential stealing, sensitive information exfiltration, and DDoS attacks, all being perpetrated by downstream criminals who had bought residential proxy services from the Badbox operators.

"If I've got one of these Badboxes, 99.9 percent of the traffic going through it is legitimate. It's me doing legitimate stuff," Reid said. "But every now and then they can flip it for a few minutes, use my IP address to do bad stuff, and then flip it again. So 99.9 percent is good traffic, there's only a very small part that's bad, and that bad part often escapes normalized detections."

In another new facet of the operation, the Badbox operators have begun using a new variant of the vo1d malware strain, which Satori discusses in its March research, called vo1d2.

"That is a different type of backdoor related to vo1d, and the main difference is the domain generation algorithm," Kaye said. "So instead of having one hard-coded c2 that the box would speak into, now that domain regenerates" after a set period of time.

"This shows that the threat actors are reactive," Kaye added. "They're starting to pivot."

It also gives network defenders a small glimpse into what's in store with version 3 — and the criminal groups' determination to keep their money-making endeavor afloat.

"Originally with Badbox 1: you had one backdoor with some fraud modules that was put on devices one way," Kaye said. "Badbox 2 really upped the sophistication. It was like a veritable fraud ecosystem."
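Kaye's point about vo1d2 regenerating its C2 domain has a defensive flip side: a box that rotates through machine-generated domains leaves a distinctive trace in DNS logs. The following is an added example, not code from The Register or Human Security, and the log lines, IP addresses and domains in it are constructed; it scores each queried domain's registrable label for DGA-like randomness and flags a client that looks up several distinct such names inside one time window.

```python
import math
from collections import defaultdict
# Constructed sample log, not real telemetry: "<unix_ts> <client_ip> <qname> <rcode>".
# 10.0.0.21 mixes ordinary streaming lookups with a rotating set of
# machine-generated domains; 10.0.0.22 only does ordinary lookups.
SAMPLE_LOG = """\
1000 10.0.0.21 api.streamingservice.example NOERROR
1030 10.0.0.22 api.streamingservice.example NOERROR
1060 10.0.0.21 x7kq2ztb9mvw.top NXDOMAIN
1120 10.0.0.21 q9rz7lmk3vph.top NXDOMAIN
1180 10.0.0.21 cdn.streamingservice.example NOERROR
1240 10.0.0.21 w4tn8bdx6kjs.top NOERROR
1300 10.0.0.22 time.android.example NOERROR
1360 10.0.0.21 m2vg5hzc8qrt.top NXDOMAIN
"""

def entropy(s):
    """Shannon entropy of a string in bits per character."""
    if not s:
        return 0.0
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))

def is_dga_like(qname):
    """Heuristic on the registrable label: high entropy plus digits or few vowels.
    Hashed CDN labels can trip it, so find_suspects also requires repeat hits."""
    labels = qname.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return False
    label = labels[-2]
    letters = [c for c in label if c.isalpha()]
    vowel_ratio = sum(c in "aeiou" for c in letters) / len(letters) if letters else 0.0
    has_digit = any(c.isdigit() for c in label)
    return entropy(label) >= 3.0 and (has_digit or vowel_ratio < 0.3)

def parse_dns_log(text):
    """Parse the four-column format above into (ts, client, qname, rcode) tuples."""
    rows = [line.split() for line in text.splitlines()]
    return [(int(r[0]), r[1], r[2], r[3]) for r in rows if len(r) == 4]

def find_suspects(events, window=1800, min_hits=3):
    """Return {client: max distinct DGA-like domains in any one window} for
    clients reaching min_hits; a box rotating its C2 domain shows up this way."""
    seen = defaultdict(set)
    for ts, client, qname, _rcode in events:
        if is_dga_like(qname):
            seen[(client, ts // window)].add(qname)
    worst = {}
    for (client, _bucket), names in seen.items():
        worst[client] = max(worst.get(client, 0), len(names))
    return {c: n for c, n in worst.items() if n >= min_hits}
```

On a real resolver log, pair this with the NXDOMAIN rate per client, since only a few of a DGA's candidates are ever registered.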
Daily Brief Summary
Badbox, first identified in 2022 and partially disrupted, has resurged and evolved as Badbox 2.0, targeting Android-based smart devices with pre-installed backdoors.
Security collaborations, including the FBI and Google, continue efforts to curtail the botnet's impact by taking down its command-and-control infrastructure.
Despite these efforts, the botnet made a comeback in 2025, now capable of infecting devices both before and after sale via firmware integration or dubious app installations.
It predominantly affects low-cost, minimally supported Android devices manufactured in China, such as streaming boxes, projectors, and infotainment systems.
The botnet operation has shifted focus from ad fraud to leveraging infected devices for residential proxy services, allowing criminals to use legitimate IP addresses for malicious activities.
The adoption of the new malware variant vo1d2 indicates a pivot in the botnet's operational tactics, featuring a dynamic domain generation algorithm.
Security professionals expect a Badbox 3 and warn that ongoing demand for cheap Android devices will keep the threat alive.