{
	"id": "fa1cdfb7-09ca-46d9-af90-192fd40b7ec5",
	"created_at": "2026-04-06T00:17:19.147275Z",
	"updated_at": "2026-04-10T03:30:32.776429Z",
	"deleted_at": null,
	"sha1_hash": "7ae532f4cbbad727f480ef49481aea8871fc65de",
	"title": "Internet Crime Complaint Center (IC3)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 43440,
	"plain_text": "Internet Crime Complaint Center (IC3)\r\nPublished: 2025-06-05 · Archived: 2026-04-05 17:05:34 UTC\r\nThe Federal Bureau of Investigation (FBI) is issuing this Public Service Announcement to warn the public about\r\ncyber criminals exploiting Internet of Things (IoT) devices connected to home networks to conduct criminal\r\nactivity using the BADBOX 2.0 botnet. Cyber criminals gain unauthorized access to home networks through\r\ncompromised IoT devices, such as TV streaming devices, digital projectors, aftermarket vehicle infotainment\r\nsystems, digital picture frames and other products. Most of the infected devices were manufactured in China.\r\nCyber criminals gain unauthorized access to home networks by either configuring the product with malicious\r\nsoftware prior to the user's purchase or infecting the device as it downloads required applications that contain\r\nbackdoors, usually during the set-up process. Once these compromised IoT devices are connected to home\r\nnetworks, the infected devices are susceptible to becoming part of the BADBOX 2.0 botnet and residential proxy\r\nservices known to be used for malicious activity.\r\nWhat is BADBOX 2.0 Botnet\r\nBADBOX 2.0 was discovered after the original BADBOX campaign was disrupted in 2024. BADBOX was\r\nidentified in 2023, and primarily consisted of Android operating system devices that were compromised with\r\nbackdoor malware prior to purchase. BADBOX 2.0, in addition to compromising devices prior to purchase, can\r\nalso infect devices by requiring the download of malicious apps from unofficial marketplaces. 
The BADBOX 2.0\r\nbotnet consists of millions of infected devices and maintains numerous backdoors to proxy services that cyber\r\ncriminal actors exploit by either selling or providing free access to compromised home networks to be used for\r\nvarious criminal activity.\r\nIndicators\r\nThe public is urged to evaluate IoT devices in their home for any indications of compromise and consider\r\ndisconnecting suspicious devices from their networks. The FBI has identified potential indicators that may assist\r\nin detecting malicious devices. An indicator alone does not accurately determine malicious cyber activity or a\r\ncrime. The following suspicious activities/indicators do not relate to any individual, group, or business and should\r\nbe observed in context.\r\nPossible indicators of BADBOX 2.0 botnet activity include:\r\nThe presence of suspicious marketplaces where apps are downloaded.\r\nRequiring Google Play Protect settings to be disabled.\r\nGeneric TV streaming devices advertised as unlocked or capable of accessing free content.\r\nIoT devices advertised from unrecognizable brands.\r\nAndroid devices that are not Play Protect certified.\r\nUnexplained or suspicious Internet traffic.\r\nMitigations\r\nThe following mitigation strategies can be effective steps to minimize exposure to unauthorized residential proxy\r\nnetworks.\r\nMaintain awareness of and monitor Internet traffic of home networks.\r\nAssess all IoT devices connected to home networks for suspicious activity.\r\nAvoid downloading apps from unofficial marketplaces advertising free streaming content.\r\nKeep all operating systems, software, and firmware up to date. Timely patching is one of the most\r\nefficient and cost-effective steps to minimize exposure to cybersecurity threats. 
Prioritize patching\r\nfirewall vulnerabilities and known exploited vulnerabilities in internet-facing systems.\r\nAcknowledgements\r\nGoogle, Human Security, Trend Micro, and the Shadowserver Foundation contributed to this product.\r\nVictim Reporting\r\nIf you believe you have been a victim of an intrusion, please file a report with the FBI's Internet Crime Complaint\r\nCenter (IC3) at www.ic3.gov.\r\nSource: https://www.ic3.gov/PSA/2025/PSA250605#fn2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.ic3.gov/PSA/2025/PSA250605#fn2"
	],
	"report_names": [
		"PSA250605#fn2"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434639,
	"ts_updated_at": 1775791832,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7ae532f4cbbad727f480ef49481aea8871fc65de.pdf",
		"text": "https://archive.orkl.eu/7ae532f4cbbad727f480ef49481aea8871fc65de.txt",
		"img": "https://archive.orkl.eu/7ae532f4cbbad727f480ef49481aea8871fc65de.jpg"
	}
}