{
	"id": "930091d7-21c9-423c-91c5-e22dec3ebd1f",
	"created_at": "2026-04-06T01:29:17.12383Z",
	"updated_at": "2026-04-10T03:22:11.679496Z",
	"deleted_at": null,
	"sha1_hash": "25422f7772cd9437d8a987f36dd93a96f6f9657d",
	"title": "BADBOX Botnet Is Back",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1144163,
	"plain_text": "BADBOX Botnet Is Back\r\nBy Pedro Falé\r\nPublished: 2024-12-17 · Archived: 2026-04-06 01:02:06 UTC\r\nImagine this: you're at home, eagerly waiting for the new device you ordered from Amazon. The package arrives,\r\nyou power it on, and start enjoying all the benefits of 21st century technology—unaware that, as soon as you\r\npowered it on, a scheme was unfolding within this device. Welcome to the world of BADBOX.\r\nBADBOX is a large-scale cybercriminal operation selling off-brand Android TV boxes, smartphones, and other\r\nAndroid electronics with preinstalled malware. What does this mean? It means the device is infected before it\r\neven reaches your hands.\r\nThese devices fall victim to a complex criminal scheme, where they are either tampered with during the supply\r\nchain or sold by the manufacturer with the ability to install APKs without the user's consent. They are then sold\r\nthrough reputable/popular retailers, such as Amazon, eBay, AliExpress, and others. This supply chain attack\r\nmakes it extremely difficult for consumers to detect the threat.\r\nAt its peak, the BADBOX botnet was thought to consist of about 74,000 compromised Android-based devices.\r\nThis botnet was presumed dead after a push to stop its spread. However, not only is it still active, but it also\r\nappears to be larger and more versatile than previously anticipated.\r\nBitsight TRACE uncovered new BADBOX infrastructure. Telemetry shows over 192,000 BADBOX-infected devices — a number that keeps increasing.\r\nOf the overall infected devices, 160,000 belong to unique models not seen before, in\r\nparticular a Yandex 4K QLED Smart TV and a T963 Hisense smartphone.\r\nThe top affected countries: Russia, China, India, Belarus, Brazil and Ukraine.\r\nThis operation came to light in April 2023, when researcher Daniel Milisic became suspicious of a 'T95' Android\r\nTV box he purchased, which was performing unusual communications with unknown websites.\r\nhttps://www.bitsight.com/blog/badbox-botnet-back\r\nPage 1 of 12\n\nAt the core of the BADBOX malware lie resemblances to a malware family known as Triada. This malware\r\nfamily emerged around 2016, and it’s known for its stealthiness as a firmware backdoor—a secret access someone\r\nhas to your device. BADBOX malware seems to be an adaptation of that.\r\nA few months after its initial discovery, in October 2023, HUMAN’s Satori Threat Intelligence and Research\r\nTeam published a comprehensive report on BADBOX and PEACHPIT botnet operations, further corroborating\r\ninitial findings on the malware and botnet size. We will be focusing on BADBOX devices, which are alarmingly\r\nsold to consumers already compromised.\r\nHow does BADBOX work?\r\nBADBOX exploits devices for activities such as residential proxying (using backdoored devices as exit points),\r\nremote code installation, account abuse, and ad fraud. One of its most dangerous features is the ability to\r\ninstall additional code/modules without the user's consent, enabling threat actors to deploy new schemes.\r\nResearchers' discovery of BADBOX infections out-of-the-box suggests either a manufacturing intention, where\r\ncustomizable system images allow remote code installation by malicious actors, or a supply chain attack where\r\nmalware is embedded sometime during the development, manufacturing, shipping, and/or sales processes. We\r\ncannot determine if these vectors are mutually exclusive in the case of BADBOX.\r\nAs explained in a previous post about OEM infection, “The peril of neglecting mobile apps”, infection at this level\r\nis exceptionally difficult to remove. These methods share similarities with past attacks like Triada and Guerrilla,\r\nwhich compromised Android libraries or system firmware. For now, we’re moving on to how the BADBOX\r\nbackdoor operates, before diving into Bitsight’s findings.\r\nBelow you can see a high-level overview of the activity flow behind the process of BADBOX deployment:\r\nThe compromised firmware on the device ensures that, upon booting, it will immediately try to connect to the\r\nmalicious infrastructure in an attempt to load its backdoor. The backdoor itself is capable of downloading\r\nsecondary payloads that allow further remote module installation without permissions.\r\nThis means that entirely new payloads could be constructed by the threat actors, downloaded and executed, to\r\nperform new schemes beyond what we have visibility of as of now.\r\nIf you wish to further understand the underlying technical aspects of the backdoor, take a look at HUMAN’s\r\nTechnical Report, as it provides a more extensive view of this process.\r\nThis was the last update on BADBOX at the time of writing. Now, let’s examine currently active BADBOX\r\noperations in 2024.\r\nIs BADBOX Dangerous in 2024?\r\nVery much so. Countries should proactively pursue efforts to disrupt the botnet, as German authorities did\r\nrecently in an operation that affected 30,000 devices. Despite such efforts, it did not affect our telemetry, as\r\nthe action was contained to Germany. The reality is that BADBOX still seems to be very much alive and\r\nspreading. This was evident when Bitsight managed to sinkhole a BADBOX domain, registering more than\r\n160,000 unique IPs in a 24 hour period, a number that has been steadily growing.\r\nUntil now, most research on the topic covers off-brand devices, on the principle that “low-cost devices come at a\r\ndifferent cost”. What if that wasn’t always the case? Bitsight saw over 100,000 unique IPs from Yandex 4K\r\nQLED Smart TVs in 24 hours, and these devices aren’t necessarily cheap. Yandex is a well-established brand in\r\nRussia—think of it as their own Google enterprise.\r\nHow and why so many of these high-end devices became infected is still unknown to us. What we do know is that\r\nthe devices are compromised, as evidenced in the findings detailed below.\r\nBADBOX Infections: Yandex\r\nAn investigation on the domain coslogdydy[.]in revealed the following:\r\nBADBOX-infected devices, upon booting, immediately POST telemetry to try to contact a C2 server,\r\nawaiting further instructions. The coslogdydy[.]in URL received several communications matching that of\r\nBADBOX:\r\nPOST /terminal/client/apiInfo\r\n(i.e., the Yandex TV model YNDX-00091 and Instawall_T963)\r\nPOST /terminal/client/register\r\nThis quickly indicated two things:\r\nFirst, the models ranging from YNDX-00091 to YNDX-000102 are 4K Smart TVs from a well-known brand, not\r\ncheap Android TV boxes. It’s the first time a major brand Smart TV is seen directly communicating at such\r\nvolume with a BADBOX command and control (C2) domain, broadening the scope of affected devices beyond\r\nAndroid TV boxes, tablets, and smartphones.\r\nThese YNDX Smart TV models weren't the only ones compromised. We saw communications from the following\r\ndevices:\r\nOS: Android\r\nOver 98% of traffic comes from both the YNDX Smart TV models and the T963 smartphone:\r\nTraffic distribution of the 85% (~160,000 IPs in 24h)\r\nLooking at the Yandex models, they are registered to a Yandex branch in Switzerland, registered in 2022. That\r\nname changed on November 21, 2023.\r\nModels are disclosed here and here via MAC address.\r\nSecond, let's talk volume. Telemetry collected indicates that more than 160,000 unique IPs communicate daily, a\r\nnumber that has been steadily growing.\r\nThe majority of communications originate from Russia with the YNDX Smart TV model, followed by China with\r\nits Hisense Instwall_T963 smartphone model. Less popular locations include India, Ukraine, and Belarus.\r\nResidual traffic (\u003c1300 daily IPs) was also seen from Saudi Arabia, Kazakhstan, Czech Republic, United States,\r\nFrance, and Netherlands.\r\nAccording to the official website of Alice Yandex, the manufacturer of the YNDX Smart TVs is actually “LLC\r\nAlice Laboratory”, with the production site of “Higher Industry Rus LLC”, and not the Swiss branch “Intertech\r\nServices AG”; this discrepancy is curious. On the same website, users can buy directly in Russia, Belarus, and\r\nKazakhstan or through market.yandex[.]ru and other official partner Russian vendor markets. This and brand\r\npopularity alone, together with Yandex's recent split, could explain the lower visibility in other countries.\r\nHunting for BADBOX Domains\r\nBefore packing our bags, we decided to see if we could uncover more BADBOX infrastructure actively\r\ncommunicating, as this would be a strong indication that the botnet is very much alive.\r\nThere were several pivot points here: previous IP assignment, URI paths, and SSL certificates. The latter produced\r\nmore results but, nonetheless, we will go through the results of each phase.\r\nIP and URI Pathing\r\nLooking into the IPs pointing to coslogdydy[.]in (e.g., 170.187.159[.]173 and 103.145.58[.]236), and\r\npivoting on the URI path of previously known BADBOX C2 domains such as yxcrl[.]com, led to the discovery\r\nof the following domains:\r\ncxlcyy[.]com\r\ncxzyr[.]com\r\ngoologer[.]com\r\nhuuww[.]com\r\nlogcer[.]com\r\npccyy[.]com\r\npcxrl[.]com\r\npcxrlback[.]com\r\nsoyatea[.]online\r\nycxad[.]com\r\nyydsmr[.]com\r\nWe can see some indicators: the domains were added around the same day, and they share naming similarities with previous\r\nBADBOX domains. Domains contain ‘log’ wording and variants of the known C2 domain ‘ycxrl[.]com’ named\r\nwith a one-letter difference.\r\nBoth mentioned IPs also show direct communications with the files “/uploads/apk/20*_en.zip”, a path known as\r\nthe C2 backdoor payload:\r\nThis further confirms its employment in the BADBOX operation.\r\nSSL Thumbprint\r\nLastly, SSL thumbprinting creates a fingerprint for an SSL certificate through a hash function. This is great\r\nbecause it enables us to easily query any domains that use this certificate, which is especially relevant when the certificate\r\nis self-signed, as is the case here.\r\nThe ssl_thumbprint generated from the certificate used by the domain coslogdydy[.]in allows us to pivot:\r\n5b3aa659cb8dece5c9a14d605c68a432b773969c (saae)\r\n36 domains share this self-signed SSL certificate: Domain list here\r\nMost of these domains seem to be missing an A record, meaning we are unable to communicate with those\r\ndomains for further confirmation. This does mean that operations could resume at any time by assigning an IP back\r\nto them.\r\nHowever, 2 domains were active: yydsmr[.]com and logcer[.]com. By making an HTTP request to the known paths\r\nof BADBOX, we confirmed their involvement. Both domains responded with an encrypted string.\r\nPerhaps the most shocking factor was the domain yydsmr[.]com having over 2 million pDNS requests resolved\r\nin less than 3 months between 12-2023 and 03-2024, with another 620,000 between 03-2024 and 10-2024. This is\r\na clear indication of the large volume of this botnet.\r\nOther interesting domains utilizing this self-signed certificate (saae) are domains such as yydsmd[.]com. Not\r\nsimilar at all to yydsmr[.]com. From this list, some shared the same IP (e.g., 172.105.119[.]17 and\r\n139.162.40[.]221). The interesting aspect is that they mostly communicate via the following type of request:\r\nyydsmd.com/ota/api/conf/v1?m=bd6cb71c8046af6d0851276af7120e50\u0026n=WIFI(1)\u0026syn=1\u0026t=1726327696455\r\nyydsmd.com/ota/api/tasks/v2?m=bd6cb71c8046af6d0851276af7120e50\u0026n=WIFI(1)\u0026syn=1\u0026t=172632771700\r\nThis definitely looks like a malware check-in, and the response to this request is an encrypted string, with\r\nsomewhat similar entropy levels between the known BADBOX domains that utilize the /terminal/client/\r\npath and the new domains with the /ota/api/ path.\r\nWe also know that BADBOX utilizes different custom encryption schemes depending on the endpoint/URI path.\r\nCurrently active domains (responding with an encrypted string to the URI request) are:\r\nswiftcode[.]work\r\nhome[.]1ztop[.]work\r\nveezy[.]sitev\r\nbluefish[.]work\r\ncast[.]jutux[.]work\r\nechojoy[.]xyz\r\ngiddy[.]cc\r\njolted[.]vip\r\njutux[.]work\r\nmsohu[.]shop\r\nmtcpmpm[.]com\r\nold[.]1ztop[.]work\r\npixelscast[.]com\r\npixlo[.]cc\r\ntvsnapp[.]com\r\nwww[.]jolted[.]vip\r\nztword[.]com\r\nThis could be a new adaptation from the BADBOX threat actors, or a new avenue for their schemes—an entirely\r\nnew investigation is required to explore this further. For now, we will classify these domains as\r\nunconfirmed to be BADBOX malware, but nonetheless malicious and somewhat related.\r\nThe BADBOX operation showcases how cyber criminals are further mastering the art of using global supply\r\nchains to spread their malware far and wide. While this blog post focused on infected devices with higher density\r\nin Russia and China, BADBOX malware is an epidemic affecting all countries and most types of Android devices.\r\nNevertheless, it's crucial to expose how threat actors are slowly creeping their scope to not only off-brand bargain\r\ndevices, but also diversifying their victim ecosystem to some well-known brands, such as Yandex and Hisense.\r\nChoosing trusted vendors becomes increasingly important for the consumer. Likewise, choosing trusted partners\r\nbecomes a priority for enterprises. Not only is your data at risk, you might also be used for profit and as cover for\r\nmalicious operations. While the crackdown on cyber crime intensifies, selling cover to other cyber criminal\r\ngroups via ‘compromised’ proxies also gains appeal.\r\nC2 Domains\r\ncoslogdydy[.]in\r\nyydsmr[.]com\r\nlogcer[.]com\r\nSSL Certificate\r\n5b3aa659cb8dece5c9a14d605c68a432b773969c\r\nAPKs\r\ncom.yandex.tv.home\r\ncom.instwall.launch\r\ncom.mk.ifpd.digitalsignage\r\ncom.mk.ifpd.setup.guide\r\ncom.android.launcher3\r\nSource: https://www.bitsight.com/blog/badbox-botnet-back",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.bitsight.com/blog/badbox-botnet-back"
	],
	"report_names": [
		"badbox-botnet-back"
	],
	"threat_actors": [],
	"ts_created_at": 1775438957,
	"ts_updated_at": 1775791331,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/25422f7772cd9437d8a987f36dd93a96f6f9657d.pdf",
		"text": "https://archive.orkl.eu/25422f7772cd9437d8a987f36dd93a96f6f9657d.txt",
		"img": "https://archive.orkl.eu/25422f7772cd9437d8a987f36dd93a96f6f9657d.jpg"
	}
}