{
	"id": "72bde193-b04a-42f9-bad1-9065e46b6384",
	"created_at": "2026-04-06T00:10:21.96892Z",
	"updated_at": "2026-04-10T03:20:55.478836Z",
	"deleted_at": null,
	"sha1_hash": "14e550e656e2bef8509c63025f5db8ee10ef80c7",
	"title": "Unpacking the BADBOX Botnet with Censys",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 715382,
	"plain_text": "Unpacking the BADBOX Botnet with Censys\r\nBy Jean Pierre Ruiz Ocampo\r\nPublished: 2025-02-04 · Archived: 2026-04-05 22:47:29 UTC\r\nExecutive Summary: BADBOX is a newly discovered botnet targeting both off-brand and well-known Android devices—often with malware that potentially came pre-installed from the factory or further down in the supply chain. Over 190,000 infected devices have been observed so far, including higher-end models like Yandex 4K QLED TVs. Using Censys, I identified a suspicious SSL/TLS certificate common to BADBOX infrastructure, revealing five IPs and numerous domains, all using the same certificate and SSH host key. This strongly indicates a single actor controlling a templated environment. The sheer scale and stealthy nature of BADBOX underscore the critical need to monitor supply chain integrity and network traffic.\r\nI’ve been watching this emerging threat for a while, and on the surface, it sounds like just another Android malware campaign. The twist? BADBOX often comes baked into the firmware, so people are unboxing new devices that are already compromised before they even join a network. Researchers from BitSight recently highlighted the huge number of devices communicating with BADBOX servers, suggesting a full-blown supply chain compromise that goes well beyond a typical sideloaded malware incident. Below, I’ll walk you through how I used Censys to track the certificate in question and map out the associated IPs and domains.\r\nThis scale piqued my curiosity—particularly the part about a common certificate that’s been spotted in the wild. Armed with this bit of intel on the certificate’s issuer DN, I turned to the Censys Internet Intelligence Platform to see if I could track down any additional evidence. The issuer DN in question is: “C=65, ST=singapore, L=singapore, O=singapre, OU=sall, CN=saee”, which I converted into the following Certificate query to find the exact certificate used by BADBOX operators.\r\nThere was a single result that matched that criteria, which is a strong indicator of a single entity (or a small group) behind the widespread malware injection.\r\nhttps://censys.com/unpacking-the-badbox-botnet/\r\nPage 1 of 7\r\nThis made me curious about what hosts this certificate is presented on, so I entered the pivot menu.\r\nThis pivot produced the following query, which searches for the certificate’s SHA-256 fingerprint.\r\nThis returned five IP addresses that are presenting that certificate, all from Singapore and all from the Akamai ASN. I was curious what other attributes they share, and I noticed that they all have port 22 SSH open. Here is one of those services.\r\nTo track whether the same SSH Host Keys are used, we can do a report on the Host Key Fingerprint field “host.services.ssh.server_host_key.fingerprint_sha256”. To do a report, click the “Report Builder” tab.\r\nAs you can see, all five IPs share the same SSH Host Key, suggesting that these instances were templated. By clicking on the report’s table I can pivot into that query.\r\nWhich I would clean up to be the following query:\r\nHowever, I was also interested in the number of domains that also present this certificate.\r\nInterestingly enough, all 25 appear to be running nginx 1.20.1 on CentOS. From here I could either make a collection to track all of these indicators or simply extract the current instances. Below is the final query with all the above indicators:\r\nhost.services.tls.fingerprint_sha256 = \"61609d67762922a390bf4c5ccc2b5ed43c1980a6777a0152e9a49c5b96d0d623\"\r\nor host.services.ssh.server_host_key.fingerprint_sha256 = \"a885b892e4820b90fd05e45eda6bdd5983170cba6da23fb3610ed1a61726bd14\"\r\nor web.cert.fingerprint_sha256 = \"61609d67762922a390bf4c5ccc2b5ed43c1980a6777a0152e9a49c5b96d0d623\"\r\nIndicators\r\nIPs\r\n139.162.36[.]224\r\n139.162.40[.]221\r\n143.42.75[.]145\r\n172.104.186[.]191\r\n192.46.227[.]25\r\n172.104.178[.]158\r\nDomains\r\nbluefish[.]work\r\nwww.bluefish[.]work\r\ncool.hbmc[.]net\r\ngiddy[.]cc\r\nwww.giddy[.]cc\r\njolted[.]vip\r\njoyfulxx[.]com\r\nmsohu[.]shop\r\nwww.msohu[.]shop\r\nmtcpuouo[.]com\r\nwww.mtcpuouo[.]com\r\npasiont[.]com\r\nsg100.idcloudhost[.]com\r\nwww.yydsmb[.]com\r\nwww.yydsmd[.]com\r\nztword[.]com\r\ntvsnapp[.]com\r\npixelscast[.]com\r\nswiftcode[.]work\r\nold.1ztop[.]work\r\ncast.jutux[.]work\r\nhome.1ztop[.]work\r\nwww.jolted[.]vip\r\nAUTHOR\r\nAidan Holland\r\nSenior Security Researcher\r\nAidan Holland is a Senior Security Researcher with Censys ARC, where he specializes in threat intelligence and internet-wide security research. His work focuses on identifying and analyzing malicious infrastructure, tracking threat actors, and developing tools for security analysis at scale. Aidan is an active contributor to the open source security community, building and maintaining tools for threat hunting, data analysis, and security automation.\r\nSource: https://censys.com/unpacking-the-badbox-botnet/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://censys.com/unpacking-the-badbox-botnet/"
	],
	"report_names": [
		"unpacking-the-badbox-botnet"
	],
	"threat_actors": [],
	"ts_created_at": 1775434221,
	"ts_updated_at": 1775791255,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/14e550e656e2bef8509c63025f5db8ee10ef80c7.pdf",
		"text": "https://archive.orkl.eu/14e550e656e2bef8509c63025f5db8ee10ef80c7.txt",
		"img": "https://archive.orkl.eu/14e550e656e2bef8509c63025f5db8ee10ef80c7.jpg"
	}
}