The Botnet Merger: Kimwolf Hijacks 10 Million Badbox 2.0 Devices
The cybercriminals orchestrating the Kimwolf botnet appear intent on flaunting a truly monumental acquisition. A screenshot has surfaced online purportedly demonstrating their infiltration of the control panel for Badbox 2.0, one of the world’s most extensive botnets, encompassing millions of infected, Chinese-manufactured Android TV set-top boxes. According to the FBI and Google, Badbox 2.0 has long been a target of pursuit; this leak now illuminates the potential architects behind this sprawling infrastructure.
Kimwolf has already compromised over two million devices, gaining notoriety for its aggressive propagation tactics. Its primary vectors are illicit Android TV boxes marketed as “set-top boxes with free access to movies and series” for a single, one-time payment. The malware is either pre-installed prior to sale or introduced during initial configuration via counterfeit applications and third-party marketplaces.
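Because the vectors above are pre-installed or sideloaded apps rather than any exploit, a first triage step on a suspect Android TV box is to list the third-party packages and their recorded installer. The following script is an added example, not code from the article or from any of the researchers it cites. It assumes the `package:<name>  installer=<installer>` line format of `adb shell pm list packages -3 -i` and treats only the Play Store (`com.android.vending`) as a trusted installer; the sample output and package names are constructed.

```python
import re

# Constructed sample in the format of `adb shell pm list packages -3 -i`
# (third-party packages with their recorded installer). Package names are made up.
SAMPLE_PM_OUTPUT = """\
package:com.netflix.ninja  installer=com.android.vending
package:com.example.streamtv  installer=null
package:com.example.freemovies  installer=com.example.thirdpartystore
package:com.example.launcher  installer=com.android.vending
"""

# Installers treated as trusted (assumption: Play Store only).
TRUSTED_INSTALLERS = {"com.android.vending"}

# Assumed line format of `pm list packages -i`.
LINE_RE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<inst>\S+)$")


def parse_pm_list(text):
    """Return (package, installer) pairs; installer is None when pm prints 'null'."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines
        inst = m.group("inst")
        entries.append((m.group("pkg"), None if inst == "null" else inst))
    return entries


def flag_untrusted(entries, trusted=TRUSTED_INSTALLERS):
    """Return (package, reason) for packages with no installer or an untrusted one.

    This is a triage heuristic, not proof of compromise: vendor-preloaded apps
    on a legitimate box can also show 'null' as their installer.
    """
    flagged = []
    for pkg, inst in entries:
        if inst is None:
            flagged.append((pkg, "no installer recorded (sideloaded or preloaded)"))
        elif inst not in trusted:
            flagged.append((pkg, f"installed by untrusted installer {inst}"))
    return flagged


def triage(text):
    """Parse pm output and return the packages worth a closer look."""
    return flag_untrusted(parse_pm_list(text))


if __name__ == "__main__":
    for pkg, reason in triage(SAMPLE_PM_OUTPUT):
        print(f"{pkg}: {reason}")
```

Run it against real output by piping `adb shell pm list packages -3 -i` into `triage`; anything flagged is a candidate for checking the APK signature and origin, and a box whose Play Store reports it is not Play Protect certified should be treated as untrusted regardless of this list.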
Researchers have previously identified the Kimwolf administrators by the aliases Dort and Snow. A former associate has now provided journalists with a screenshot allegedly captured from the Badbox 2.0 control panel. The image displays seven authorized accounts; according to the source, one bearing the name “ABCD” belongs to Dort. It is surmised that he successfully added his email as a legitimate user within the botnet’s management system.
Badbox possesses a lengthy lineage. The initial botnet bearing this name was identified in 2023, and its infrastructure was partially disrupted in 2024. However, 2025 witnessed the emergence of a new iteration, Badbox 2.0, which Google estimates comprised over 10 million uncertified Android devices, utilized for ad fraud and home network infections. At the time, the FBI warned that such devices could grant malicious actors direct access to users’ local networks.
An analysis of the email addresses from the leaked screenshot led researchers to several Chinese IT firms and specific individuals linked to mobile application development and domain infrastructure previously cited in Badbox 2.0 reports. Specifically, the names Chen Daihai and Zhu Zhiyu were connected to the registration of domains, companies, and addresses already mentioned in investigations dedicated to this botnet.
The paramount danger lies elsewhere. Kimwolf propagates through vulnerable IoT devices within home networks, utilizing residential proxy services. Following the closure of this loophole by numerous proxy providers, Kimwolf’s rate of spread began to decelerate. However, if Kimwolf’s administrators indeed possess unauthorized access to the Badbox 2.0 control panel, they acquire a direct conduit for installing malware onto the millions of Android TV boxes already ensnared within that botnet.
According to the source, this was precisely the “secret trump card” of the Kimwolf operators: the capacity to directly upload malware onto Badbox 2.0 boxes, circumventing the proxy infrastructure. The precise method by which access to the control panel was obtained remains obscure. Nevertheless, researchers have already notified all account holders listed in the screenshot, implying that Dort’s access may be revoked imminently.
Should this information be corroborated, it would signify a rare intersection of two major botnet ecosystems and a severe escalation of the threat to home networks globally, particularly for those utilizing inexpensive, unofficial Android TV boxes.