The FBI is warning that the Badbox 2.0 Malware Campaign has infected over 1 million home internet equipment, converting consumer electronics into a residential screen that are used for malicious activity.
Badbox botnets are usually found on Chinese Android-based smart TVs, streaming boxes, projector, tablets and other Internet of Things (IOT) devices.
“Badbox 2.0 Botnett contains millions of infected equipment and maintains several backdoor for proxy services that cyber criminal actors exploit or exploit free access to domestic networks used for various criminal activities,” Warns FBI,
These devices are preloaded with Badbox 2.0 Malware Botnet or after installing the firmware update and infected through malicious Android application that silently do Google Play and third-party app store.
“Cyber criminals have unauthorized access to the home network by configuring the product with malicious software before purchasing or infecting cyber criminals, because it downloads the required applications that contain backdoor, usually during the set-up process,” says FBI.
“Once these compromised IOT devices are connected to the home network, the infected device is susceptible to the Badbox 2.0 Botnet and residential proxy services 4, which is used for malicious activity.”
Once infected, the devices attach to the attacker’s command and control (C2) server, where they receive commands to execute on compromised equipment, such as: such: such as:
- Residential Proxy Network: Home IP addresses of malware victims root traffic from other cyber criminals, masking malicious activity.
- Advertisement Fraud: Badbox can load and click advertisements in the background, generating advertising revenue for danger actors.
- Credential Stuffing: The victims try to reach the accounts of other people using the stolen credibility, taking advantage of the IPS.
Badbox 2.0 developed from the original Badbox Malware, which was first recognized in 2023, as it was found pre-installed in the cheap, no-name Android TV box like T95.
Over the years, the malware botnet continued the expansion until 2024, when Germany’s Cyber Security Agency disrupted the botett in the country by syntheling the communication between the infected equipment and the infrastructure of the attacker, effectively rendered the malware useless.
Although it did not stop the danger actors, researchers said that they found the malware installed on 192,000 equipment a week later. More than that, malware was found on more mainstream brands, such as Yandex TV and Hisense smartphones.
Unfortunately, despite the previous disruption, the boatnet continued to grow, with the intelligence information of human beings, stating that more than 1 million consumer equipment had been infected by March 2025.
This new big botnet is now being called Badbox 2.0 to indicate a new trekking of the malware campaign.
“This plan affected More than 1 million consumer equipmentThe equipment associated with the Badbox 2.0 operation includes lower-prince, “off brand”, unirtified tablet, connected TV (CTV) box, digital projector, and more, ” Explains human,
“Infected devices are Android Open Source Project devices, not Android TV OS device or Play protect security certified android devicesAll these devices are constructed in the mainland China and sent globally; In fact, humans observed traffic related to Badbox 2.0 222 countries and regions worldwide,
Human researchers estimate that Badbox 2.0 Botnett spreads 222 countries, which contains the most compromised devices in Brazil (37.6%), United States (18.2%), Mexico (6.3%), and Argentina (5.3%).
Source: Human Satori
In a joint operation led by Human’s bookie team and Google, Trend Micro, The Shadowvers Foundation and other partners, Badbox 2.0 Botnet was re -interrupted to prevent over 500,000 infected equipment from communicating with the attacker’s server.
However, even with that disruption, the botnet keeps growing because consumers buy more compromised products and connect them to the Internet.
A list of equipment affected by Badbox malware is listed below:
| Device model | Device model | Device model | Device model |
| Tv98 | X96Q_max_p | Q96l2 | X96Q2 |
| X96mini | S168 | UMS512_1h10_natv | X96_s400 |
| X96mini_rp | Tx3mini | Hy-001 | Mx10Pro |
| X96mini_plus1 | Longtv_Gn7501e | XTV77 | Netbox_b68 |
| X96Q_Pr01 | AV-M9 | ADT-3 | OCBN |
| X96mate_plus | Km1 | X96Q_Pro | Projector_T6P |
| X96QPro-P | Sp7731e_1h10_native | M8Sprow | Tv008 |
| X96mini_5g | Q96max | Orbsmart_tr43 | Z6 |
| Tvbox | Intelligent | Km9Pro | A15 |
| Torture | Km7 | isinbox | I96 |
| Smart_tv | Fujicom-SmartTV | Mxq9Pro | M box |
| X96q | isinbox | M box | R11 |
| game | Km6 | X96max_plus2 | Tv007 |
| Q9 Stick | Sp7731e | H6 | X88 |
| X98k | Txcz |
Symptoms of Badbox 2.0 infection include suspected app marketplace, disabled Google Play Protect Settings, TV streaming devices, which are being unlocked or free content, capable of accessing devices from unknown brands or capable of using suspected internet traffic.
In addition, this malware is usually found on devices that are not certified the safety of Google Play.
The FBI strongly advises consumers to protect themselves from botnets by following these steps:
- Assess all IOT devices attached to the home network for suspicious activity.
- Never download the apps from the informal marketplace offering “freestyle” apps.
- Monitor internet traffic from home network.
- Keep all the equipment updated in your home with the latest patch and updates.
Finally, if you suspect your device has been compromised, you should separate it from the rest of the network and restrict its internet access, effectively disrupt the malware.
Patching meant complex scripts, long and endless fire drills. No more.
In this new guide, the tines break down how it is leveling with modern organ automation. Patch fast, reduce overhead, and focus on strategic tasks – no complex script is required.
