BADBOX 2.0: Global Supply Chain Botnet Targeting Off-Brand Android Devices and Home Networks

BADBOX 2.0 represents a significant escalation in global supply chain cyber threats, infecting over 1 million off-brand AOSP devices—including TVs, smartphones, tablets, and car infotainment systems—via pre-installed firmware backdoors and malicious apps.

That bargain-bin ‘Smart Box’ celebrates Flag Day by volunteering your Wi-Fi for Beijing’s botnet—thanks for the patriotic bandwidth, champ.


Get questions like this:

  1. What do you know about BADBOX 2.0?
  2. Which threat actor groups or intrusion sets are linked to the development and deployment of BADBOX 2.0, and what are their likely motivations?


This baseline report was thoughtfully researched and took 10 minutes. It's meant to be a rough draft for you to enhance with the unique insights that make you an invaluable analyst.



Suggested Pivot

What specific supply chain vulnerabilities enable pre-installation of BADBOX 2.0 backdoors in off-brand AOSP devices, and which data sources—such as import/export records, device teardown analyses, firmware reverse engineering, and interviews with supply chain security experts—can be leveraged to systematically identify and mitigate these weaknesses?


TL;DR

Key Points

    • BADBOX 2.0 is a large-scale, China-based botnet infecting over 1 million off-brand Android Open Source Project (AOSP) devices globally, leveraging pre-installed firmware backdoors and malicious apps.
    • Organizations and consumers should avoid uncertified devices, implement advanced network monitoring, and prioritize firmware integrity checks.
    • The operation is financially motivated, focusing on ad fraud, click fraud, and residential proxy services, with infected devices used for credential stuffing, account takeovers, and DDoS attacks.
    • Enterprises must segment IoT/consumer devices from critical networks and monitor for proxy-based anomalies.
    • BADBOX 2.0 is enabled by a collaborative ecosystem of Chinese cybercriminal groups (SalesTracker, MoYu, Lemon Group, LongTV), exploiting global supply chains and weak device security standards.
    • Manufacturers and distributors should enforce supply chain security controls and adopt IoT security certification frameworks.
    • The botnet’s persistence is achieved via firmware-level modifications, disabling security features (e.g., Google Play Protect), and obfuscation, mapped to multiple MITRE ATT&CK techniques (e.g., T1195.002, T1542.001, T1562).
    • Security teams should deploy EDR solutions for Android/IoT, monitor for known IoCs, and update detection signatures regularly.
    • Geopolitically, BADBOX 2.0 undermines supply chain trust and may prompt regulatory, diplomatic, and industry responses, especially in high-risk regions (Brazil, U.S., Latin America).
    • Policymakers should accelerate IoT security regulations, import controls, and international intelligence sharing.

Executive Summary

BADBOX 2.0 represents a significant escalation in global supply chain cyber threats, infecting over 1 million off-brand AOSP devices—including TVs, smartphones, tablets, and car infotainment systems—via pre-installed firmware backdoors and malicious apps. The operation is attributed to a consortium of Chinese cybercriminal groups (SalesTracker, MoYu, Lemon Group, LongTV) that share infrastructure and fraud modules, enabling a resilient and adaptive botnet ecosystem.

The primary motivation is financial, with BADBOX 2.0 facilitating programmatic ad fraud, click fraud, and the operation of residential proxy networks. These proxies are then leveraged for credential stuffing, account takeovers, and large-scale DDoS attacks, targeting sectors such as consumer electronics, telecommunications, e-commerce, and home networks. The infection is most prevalent in Brazil, the United States, Mexico, Argentina, and Colombia, driven by the popularity of low-cost, uncertified devices and high rates of app sideloading.

BADBOX 2.0 employs advanced persistence and evasion techniques, including firmware-level modifications (T1542.001), disabling of Google Play Protect (T1562), and obfuscation (T1070), making detection and remediation challenging. The operation’s scale and sophistication raise concerns about indirect state enablement and highlight the urgent need for improved supply chain security, device certification, and international regulatory frameworks.

Immediate recommendations include deploying network intrusion prevention systems (NIPS) tuned for BADBOX C2 traffic, implementing EDR solutions for Android/IoT, enforcing supply chain security controls, and educating users about the risks of uncertified devices and unofficial app stores. Strategic initiatives should focus on international intelligence sharing, regulatory harmonization, and public-private partnerships to disrupt botnet infrastructure and enhance global cybersecurity resilience.
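As an added example (constructed for this page; not code from the report or from any of the firms it cites), the script below runs the kind of detection the recommendations and key points call for over flow records from a segmented IoT VLAN: an indicator match against a placeholder C2 host list, since the report publishes no IoCs, and a fan-out heuristic that flags a TV or set-top box opening connections to many distinct external hosts within a short window, which is what a residential proxy exit node looks like from the inside of the network (T1071.001 and T1090 in the report's mapping). The log format, the IoT subnet, every host name and the thresholds are assumptions.

```python
"""
Constructed example: flag BADBOX-style behaviour from devices on an IoT segment.

Assumed flow-log format (one outbound flow per line, constructed for this page):
    <ISO-8601 timestamp> <src_ip> <dst_host> <dst_port> <bytes_out>
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Placeholder indicator list: the report publishes no IoCs, so these obviously
# fake names stand in for a real, regularly updated feed.
KNOWN_C2_HOSTS = {"c2-placeholder.example", "ads-placeholder.example"}

# Address prefix of the segmented consumer/IoT VLAN (assumption).
IOT_SUBNET_PREFIX = "10.20.30."

# Tuning assumptions: a TV or set-top box reaching this many distinct external
# hosts inside one window behaves like a proxy exit node, not like a TV.
FANOUT_WINDOW = timedelta(minutes=10)
FANOUT_THRESHOLD = 25


def parse_line(line):
    """Parse one flow record; return None for malformed lines instead of crashing."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, dst, port, nbytes = parts
    try:
        return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
                "port": int(port), "bytes": int(nbytes)}
    except ValueError:
        return None


def analyse(lines):
    """Return {src_ip: [alert, ...]} for IoT-segment devices that look infected."""
    alerts = defaultdict(list)
    flows_by_src = defaultdict(list)
    for raw in lines:
        raw = raw.strip()
        if not raw or raw.startswith("#"):
            continue
        f = parse_line(raw)
        if f is None or not f["src"].startswith(IOT_SUBNET_PREFIX):
            continue  # only the IoT segment is in scope for this check
        # Indicator match: web-protocol C2 beacon to a listed host (T1071.001).
        if f["dst"] in KNOWN_C2_HOSTS:
            tag = f"ioc-match:{f['dst']}"
            if tag not in alerts[f["src"]]:
                alerts[f["src"]].append(tag)
        flows_by_src[f["src"]].append(f)

    # Proxy-like fan-out (T1090): count distinct destinations in a sliding window.
    for src, flows in flows_by_src.items():
        flows.sort(key=lambda fl: fl["ts"])
        window = []
        for f in flows:
            window.append(f)
            while f["ts"] - window[0]["ts"] > FANOUT_WINDOW:
                window.pop(0)  # evict flows older than the window
            distinct = {w["dst"] for w in window}
            if len(distinct) >= FANOUT_THRESHOLD:
                alerts[src].append(
                    f"proxy-fanout:{len(distinct)} distinct hosts within {FANOUT_WINDOW}")
                break  # one fan-out alert per device is enough
    return dict(alerts)


def build_sample_log():
    """Constructed flow records: one suspicious TV, one normal TV, one laptop."""
    base = datetime(2025, 6, 14, 12, 0, 0)
    lines = ["# constructed sample, not real traffic"]
    # Device A beacons to a listed host, then fans out like a proxy exit node.
    lines.append(f"{base.isoformat()} 10.20.30.5 c2-placeholder.example 443 512")
    for i in range(30):
        t = base + timedelta(seconds=10 * i)
        lines.append(f"{t.isoformat()} 10.20.30.5 site{i:02d}.example 443 2048")
    # Device B: ordinary smart-TV traffic to a couple of CDN hosts.
    for i in range(6):
        t = base + timedelta(minutes=i)
        lines.append(f"{t.isoformat()} 10.20.30.7 cdn{i % 2}.example 443 4096")
    # A laptop outside the IoT segment with broad browsing: out of scope.
    for i in range(40):
        t = base + timedelta(seconds=5 * i)
        lines.append(f"{t.isoformat()} 10.0.0.12 site{i:02d}.example 443 1024")
    return lines


if __name__ == "__main__":
    for device, found in analyse(build_sample_log()).items():
        print(device, found)
```

The fan-out threshold is the part that needs local tuning: a legitimate smart TV does talk to a handful of CDN, update and ad hosts, so baseline each device class before alerting, and keep the indicator set fed from a maintained feed rather than the placeholders used here.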

The BADBOX 2.0 threat landscape is rapidly evolving, necessitating continuous source validation, signature updates, and adaptive mitigation strategies to counter emerging variants and tactics.


Research & Attribution

Historical Context

BADBOX 2.0 is a sophisticated evolution of the original BADBOX campaign first identified in 2023. This China-based cyber operation targets off-brand Android Open Source Project (AOSP) consumer devices, including connected TVs, smartphones, tablets, digital projectors, and aftermarket car infotainment systems. The original BADBOX campaign was partially disrupted in late 2024 by coordinated efforts from cybersecurity firms and government agencies, but BADBOX 2.0 emerged in early 2025 with enhanced capabilities, infecting over 1 million devices globally across 222 countries and territories. It represents the largest botnet of infected connected TV devices discovered to date.

Timeline

  • 2023: Discovery of the original BADBOX campaign targeting off-brand AOSP devices with pre-installed backdoors.
  • Late 2024: Disruption of the original BADBOX botnet by German BSI and partners, temporarily interrupting C2 communications.
  • Early 2025: Emergence of BADBOX 2.0 with new deployment mechanisms, fraud types, and obfuscation techniques.
  • June 2025: FBI and cybersecurity firms issue public warnings and advisories about BADBOX 2.0 infections and risks.

Origin

BADBOX 2.0 is attributed to multiple Chinese cybercriminal groups operating collaboratively. The infected devices are predominantly low-cost, uncertified consumer electronics manufactured in mainland China and shipped worldwide. The operation involves several cooperating groups sharing infrastructure and fraud modules, indicating a complex criminal ecosystem rather than a single entity. The supply chain compromise at manufacturing or distribution stages enables pre-installation of persistent backdoors in device firmware.
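A firmware-level implant of the kind described here is found by comparing what actually shipped against a reference, which is the "firmware integrity check" the key points recommend. The following added example (constructed for this page; not code from the report or from any cited vendor) hashes an unpacked system-partition tree and diffs it against a sha256sum-style manifest taken from a reference build, ranking changes in privileged AOSP directories highest. The directory layout, the manifest format and the sample file contents are assumptions.

```python
"""
Constructed example: diff an extracted system partition against a reference manifest.

Assumed inputs: a directory tree unpacked from a system image, and a manifest of
"<sha256>  <relative path>" lines (sha256sum style) produced from a reference
build, for example an untampered unit of the same model or the vendor's own image.
"""
import hashlib
import os
import tempfile

# Locations whose contents run with system privilege on AOSP (assumption based
# on the stock layout); an unexpected or altered file here is the most serious.
PRIVILEGED_DIRS = ("priv-app/", "framework/", "lib/", "lib64/", "bin/", "etc/init/")


def sha256_file(path):
    """Stream a file through SHA-256 so large APKs and libraries are not read whole."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root):
    """Map relative path -> sha256 for every regular file under root."""
    digests = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            digests[rel] = sha256_file(full)
    return digests


def parse_manifest(text):
    """Parse sha256sum-style lines; blank lines and '#' comments are ignored."""
    manifest = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, rel = line.split(None, 1)
        manifest[rel.strip()] = digest.lower()
    return manifest


def compare(manifest, actual):
    """Classify differences between the reference manifest and the extracted tree."""
    modified = sorted(p for p in manifest if p in actual and actual[p] != manifest[p])
    unexpected = sorted(p for p in actual if p not in manifest)
    missing = sorted(p for p in manifest if p not in actual)
    # Anything changed or added under a privileged directory is flagged high risk.
    high_risk = sorted(p for p in modified + unexpected if p.startswith(PRIVILEGED_DIRS))
    return {"modified": modified, "unexpected": unexpected,
            "missing": missing, "high_risk": high_risk}


def demo():
    """Build a constructed reference manifest and a tampered tree, then diff them."""
    reference = {  # constructed file contents standing in for a reference build
        "priv-app/Settings/Settings.apk": b"settings-apk-bytes",
        "framework/framework.jar": b"framework-jar-bytes",
        "etc/hosts": b"127.0.0.1 localhost\n",
    }
    manifest_text = "\n".join(
        f"{hashlib.sha256(data).hexdigest()}  {path}" for path, data in reference.items())
    with tempfile.TemporaryDirectory() as root:
        def write(rel, data):
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(data)
        write("priv-app/Settings/Settings.apk", reference["priv-app/Settings/Settings.apk"])
        write("framework/framework.jar", b"framework-jar-bytes-plus-extra-loader")  # altered
        write("priv-app/UpdateHelper/UpdateHelper.apk", b"not-in-reference")  # added, privileged
        write("app/Weather/Weather.apk", b"also-not-in-reference")  # added, user level
        # etc/hosts is deliberately absent from the extracted tree.
        return compare(parse_manifest(manifest_text), hash_tree(root))


if __name__ == "__main__":
    for category, paths in demo().items():
        print(f"{category}: {paths}")
```

The check only ever measures divergence from the reference. When the reference is itself the vendor's build and the backdoor was placed there at manufacture, as this report describes, a clean diff proves nothing; in that situation the useful comparison is between units from different batches or against an image built from public AOSP sources, and the "unexpected" privileged entries are the ones to pull apart first.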

Countries Targeted

  1. Brazil – Highest infection rate, driven by popularity of low-cost AOSP devices.
  2. United States – Significant infections, reflecting large consumer base.
  3. Mexico – Notable infection levels contributing to botnet scale.
  4. Argentina – Targeted for device infections and fraud operations.
  5. Colombia – Part of the broader Latin American infection footprint.

Sectors Targeted

  1. Consumer Electronics – Primary sector, focusing on off-brand Android devices.
  2. Telecommunications – Indirectly targeted via infected devices on networks.
  3. Advertising and Marketing – Targeted through programmatic ad fraud and click fraud.
  4. E-commerce and Online Services – Targeted via residential proxy services facilitating account takeovers and credential theft.
  5. Home and Smart Home Networks – Devices within home networks infected, posing risks to connected infrastructure.

Motivation

The primary motivation behind BADBOX 2.0 is financial gain through large-scale fraud operations. These include programmatic ad fraud, click fraud, and the creation of residential proxy nodes sold or rented to other cybercriminals. The botnet infrastructure also facilitates downstream attacks such as account takeovers, fake account creation, credential theft, sensitive data exfiltration, and distributed denial-of-service (DDoS) attacks.

Attack Types and MITRE ATT&CK Mapping

BADBOX 2.0 employs a range of attack types mapped to MITRE ATT&CK techniques:

  • T1071.001: Application Layer Protocol: Web Protocols – C2 communication.
  • T1195.002: Supply Chain Compromise: Compromise Software Supply Chain – Pre-installed backdoors in device firmware.
  • T1204.003: User Execution: Malicious File – Infection via malicious apps downloaded by users.
  • T1542.001: Pre-OS Boot: Modify Existing Service – Persistence via firmware modifications.
  • T1547.001: Boot or Logon Autostart Execution – Persistence mechanisms.
  • T1566: Phishing – Distribution via malicious apps and unofficial marketplaces.
  • T1090: Proxy – Use of residential proxy nodes.
  • T1110: Brute Force – Credential stuffing facilitated by proxy services.
  • T1041: Exfiltration Over C2 Channel – Data theft.
  • T1499: Endpoint Denial of Service – DDoS attacks.
  • T1562: Impair Defenses – Disabling Google Play Protect.
  • T1070: Indicator Removal on Host – Obfuscation and anti-analysis.
  • T1036: Masquerading – Use of decoy and fake twin apps.
  • T1560: Archive Collected Data – Data staging for exfiltration.
  • T1609: Container Administration Command – Firmware manipulation.

Threat Actor Groups

  1. SalesTracker Group

    • Chinese origin; responsible for the original BADBOX operation; manages C2 infrastructure for BADBOX 2.0.
    • Motivated by financial fraud including ad fraud and proxy services.
    • Shares infrastructure and operational overlap with BADBOX 2.0.
  2. MoYu Group

    • Chinese threat actor group; developed BADBOX 2.0 backdoors; operates botnets, residential proxy services, click fraud, and programmatic ad fraud campaigns.
    • Collaborates with SalesTracker and Lemon Group, sharing C2 infrastructure.
  3. Lemon Group

    • China-based; known for Triada-inspired malware; involved in residential proxy services and ad fraud via HTML5 game websites.
    • Aliases include Joy Meng, Joy More, JoyeTV.
    • Shares infrastructure and business ties with MoYu and SalesTracker Groups.
  4. LongTV

    • Malaysian internet and media company; develops apps for AOSP devices; involved in ad fraud campaigns via preinstalled apps.
    • Connected through shared targets and infrastructure in BADBOX 2.0.

These groups appear to be distinct entities but operate collaboratively within the BADBOX 2.0 ecosystem, sharing infrastructure, fraud modules, and operational roles. SalesTracker and MoYu are core operators managing C2 and botnet functions, Lemon Group focuses on malware development and proxy services, while LongTV contributes via app development and ad fraud.

Similar Threat Actor Groups

  • Triada Malware Operators – Use Triada-based backdoors targeting Android devices; Chinese financially motivated cybercriminals.
  • Konfety Operation Actors – Use "evil twin" apps and ad fraud techniques similar to LongTV.
  • Vo1d Malware Operators – Russian cybercriminals using modified Android native libraries for persistence, similar to BADBOX 2.0 backdoors.

Geopolitical Implications and Strategic Context

BADBOX 2.0 exemplifies the intersection of cybercrime and geopolitics through its exploitation of global supply chains and consumer electronics markets. The operation leverages manufacturing and distribution networks in China to implant persistent backdoors in low-cost devices shipped worldwide, undermining supply chain trust and consumer confidence. This large-scale compromise of consumer devices poses risks to national cybersecurity, privacy, and critical infrastructure, especially as infected devices serve as proxies for further cyberattacks.

The scale and sophistication of BADBOX 2.0 suggest potential indirect state enablement or at least a permissive environment within China for cybercriminal groups to operate with impunity. While direct state sponsorship is not confirmed, the operation aligns with broader trends of China-linked cyber operations exploiting global markets for financial and strategic advantage.

Affected governments and international bodies may respond with increased regulation of IoT device supply chains, enhanced import controls, and international cooperation to disrupt botnet infrastructure. BADBOX 2.0 also highlights the need for global standards on device certification and security to mitigate risks from off-brand electronics.


Recommendations, Actions, Suggested Pivots, Forecasts and Next Steps

(Subscribers Only)
