Who Operates the Badbox 2.0 Botnet?

January 30, 2026
By ZadeNor AI Team

The Kimwolf Botnet's Secret Access to Badbox 2.0

A recent screenshot shared by the Kimwolf botmasters has revealed a shocking connection between the two botnets: Kimwolf has compromised the control panel for Badbox 2.0, a vast China-based botnet powered by malicious software that comes pre-installed on many Android TV streaming boxes. This discovery has significant implications for the cybersecurity community, as it highlights the potential for botnets to collaborate and share resources.

Who Are the Masterminds Behind Badbox 2.0?

The control panel for Badbox 2.0 lists seven authorized users, including one that doesn't quite match the others: "ABCD," which belongs to Dort, a known Kimwolf botmaster. According to our source, Dort somehow figured out how to add their email address as a valid user of the Badbox 2.0 botnet. This raises questions about how Dort gained access to the Badbox botnet panel and what this means for the security of devices associated with Badbox 2.0.

A History of Badbox 2.0

Badbox 2.0 has a storied history that predates Kimwolf's rise in October 2025. In July 2025, Google filed a "John Doe" lawsuit against 25 unidentified defendants accused of operating Badbox 2.0, which Google described as a botnet of over ten million unsanctioned Android streaming devices engaged in advertising fraud. Google said Badbox 2.0 can infect devices by requiring the download of malicious apps from unofficial marketplaces.

The FBI's Warning

The Federal Bureau of Investigation (FBI) warned in June 2025 that cybercriminals were gaining unauthorized access to home networks by either configuring the products with malware prior to the user's purchase or infecting the device as it downloads required applications that contain backdoors. The FBI said Badbox 2.0 was discovered after the original Badbox campaign was disrupted in 2024.

Chen Daihai and Zhu Zhiyu: The Faces Behind Badbox 2.0

A search for the address [email protected] shows it is listed as a point of contact for a number of China-based technology companies, including Beijing Hong Dake Wang Science & Technology Co Ltd. and Beijing Hengchuang Vision Mobile Media Technology Co. Ltd. The website for Beijing Hong Dake Wang Science is asmeisvip[.]net, a domain that was flagged in a March 2025 report by HUMAN Security as one of several dozen sites tied to the distribution and management of the Badbox 2.0 botnet.

The Mind Map

This mind map includes search pivots on the email addresses, company names, and phone numbers that suggest a connection between Chen Daihai, Zhu Zhiyu, and Badbox 2.0.

Unauthorized Access

The idea that the Kimwolf botmasters could have direct access to the Badbox 2.0 botnet is a big deal, but explaining exactly why that is requires some background on how Kimwolf spreads to new devices. The botmasters figured out they could trick residential proxy services into relaying malicious commands to vulnerable devices behind the firewall on the unsuspecting user's local network.

Implications

Beyond the open question of how Dort obtained a user account on the Badbox 2.0 panel, the finding shows that separate botnets can collaborate and share infrastructure rather than merely coexist. If the Kimwolf operators can issue commands to devices enrolled in Badbox 2.0, the combined reach of the two operations may be larger than either was assumed to have on its own, and the security of every device already associated with Badbox 2.0 depends on whoever controls that panel.

Forward-Looking Thoughts

Kimwolf's access to Badbox 2.0 underscores the need for sustained cooperation between security researchers, law enforcement, and the device makers and ad-tech firms whose products and platforms these botnets exploit. The consequences of one botnet inheriting another's control plane are likely to shape how defenders track and disrupt these operations in the months ahead.

Source: https://krebsonsecurity.com/2026/01/who-operates-the-badbox-2-0-botnet/