    Unmasking the Operators Behind the Badbox 2.0 Botnet

By Samuel Alejandro, January 30, 2026

    Cybercriminals managing Kimwolf, a disruptive botnet that has compromised over 2 million devices, recently shared evidence suggesting they had gained access to the control panel for Badbox 2.0. Badbox 2.0 is a vast, China-based botnet powered by malicious software often pre-installed on Android TV streaming boxes. Both the FBI and Google are actively pursuing those responsible for Badbox 2.0, and the Kimwolf botmasters’ claims may provide significant clues.

    Previous reports detailed Kimwolf’s unique and highly invasive methods of spreading, primarily infecting unofficial Android TV boxes marketed for unlimited (pirated) movie and TV streaming services. The current administrators of Kimwolf are reportedly known by the nicknames “Dort” and “Snow.” A former associate of Dort and Snow recently provided a screenshot, allegedly taken by the Kimwolf botmasters, showing their access to the Badbox 2.0 botnet control panel.

    A portion of that screenshot reveals seven authorized users of the control panel. According to the source, the account “ABCD,” shown as logged in, belongs to Dort, who seemingly managed to add their email address as a valid user of the Badbox 2.0 botnet.

    Image 1

    The Badbox botnet has a history that predates Kimwolf’s emergence in October 2025. In July 2025, Google filed a “John Doe” lawsuit (PDF) against 25 unidentified defendants accused of operating Badbox 2.0. Google described it as a botnet of over ten million unauthorized Android streaming devices engaged in advertising fraud. The company stated that Badbox 2.0 compromises various devices prior to purchase and can also infect them by requiring downloads of malicious apps from unofficial marketplaces.

    Google’s lawsuit followed a June 2025 advisory from the Federal Bureau of Investigation (FBI). The FBI warned that cybercriminals were gaining unauthorized access to home networks by either pre-configuring products with malware or infecting devices during the setup process when required applications containing backdoors were downloaded.

    The FBI indicated that Badbox 2.0 was discovered after the original Badbox campaign was disrupted in 2024. The original Badbox, identified in 2023, primarily consisted of Android operating system devices (TV boxes) compromised with backdoor malware before purchase.

    Initial skepticism regarding the Kimwolf botmasters’ claim of hacking the Badbox 2.0 botnet diminished after investigating the history of the qq.com email addresses visible in the screenshot.

    CATHEAD

An online search for the address [email protected] (listed in the screenshot as user “Chen”) shows it listed as a contact for several China-based technology companies, including:

    • Beijing Hong Dake Wang Science & Technology Co Ltd.
    • Beijing Hengchuang Vision Mobile Media Technology Co. Ltd.
    • Moxin Beijing Science and Technology Co. Ltd.

    The website for Beijing Hong Dake Wang Science, asmeisvip[.]net, was flagged in a March 2025 report by HUMAN Security as one of many sites linked to the distribution and management of the Badbox 2.0 botnet. Similarly, moyix[.]com, a domain associated with Beijing Hengchuang Vision Mobile, was also identified.

    A search using the breach tracking service Constella Intelligence found that [email protected] once used the password “cdh76111.” Pivoting on this password in Constella showed it was also used by two other email accounts: [email protected] and [email protected].

    Constella indicated that [email protected] registered an account at jd.com (China’s largest online retailer) in 2021 under the name “陈代海,” which translates to “Chen Daihai.” According to DomainTools.com, the name Chen Daihai appears in the original 2008 registration records for moyix[.]com, along with the email address cathead@astrolink[.]cn.

    Notably, astrolink[.]cn is also among the Badbox 2.0 domains identified in HUMAN Security’s 2025 report. DomainTools found that cathead@astrolink[.]cn was used to register over a dozen domains, including vmud[.]net, another Badbox 2.0 domain tagged by HUMAN Security.

    XAVIER

    An archived copy of astrolink[.]cn at archive.org shows the website belongs to a mobile app development company named Beijing Astrolink Wireless Digital Technology Co. Ltd. The archived site’s “Contact Us” page lists Chen Daihai as part of the technology department and Zhu Zhiyu, whose email address is xavier@astrolink[.]cn.

    Image 2

    The user Mr.Zhu in the Badbox 2.0 panel utilized the email address [email protected]. Searching this address in Constella reveals a jd.com account registered under the name Zhu Zhiyu. A unique password associated with this account matches the password used by [email protected], which DomainTools identified as the original registrant of astrolink[.]cn.

    ADMIN

    The first account listed in the Badbox 2.0 panel, “admin,” registered in November 2020, used the email address [email protected]. DomainTools indicates this email is found in the 2022 registration records for the domain guilincloud[.]cn, which lists the registrant name “Huang Guilin.”

    Constella found [email protected] is linked to the China phone number 18681627767. The open-source intelligence platform osint.industries shows this phone number is connected to a Microsoft profile created in 2014 under the name Guilin Huang (桂林 黄). The cyber intelligence platform Spycloud reported that this phone number was used in 2017 to create an account on the Chinese social media platform Weibo under the username “h_guilin.”

    Image 3

The remaining three users and their corresponding qq.com email addresses were all connected to individuals in China. However, none of these individuals (nor Mr. Huang) showed any clear connection to the companies run by Chen Daihai and Zhu Zhiyu, or to any other corporate entity. None of these individuals responded to requests for comment.

    The mind map below illustrates search pivots on the email addresses, company names, and phone numbers that suggest a connection between Chen Daihai, Zhu Zhiyu, and Badbox 2.0.
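The chain the mind map summarises is a sequence of pivots: an email address leads to a breached password, the password to other accounts, an account to a real name, the name to a historical domain registration, and the registrant email to domains already tagged in a threat-intelligence report. As an added example (not from the article or from any of the services it cites), the following Python models that link analysis over constructed records and returns the shortest evidence chain between two indicators. Every email, name and domain below is a constructed placeholder, not a real identifier. One assumption is built in, because it is where this kind of attribution most often goes wrong: a password seen on more than a handful of accounts (123456 and friends) is treated as too common to support a "same person" inference, so the pivot only fires on passwords shared by a small, closed group.

```python
"""Added example (not from the article): pivoting across breach dumps and
WHOIS history the way the write-up above describes, with a guard against
pivoting on passwords too common to mean anything. Every identifier here
is a constructed placeholder, not a real address, name or domain."""
from collections import defaultdict, deque

# Constructed breach-style records (email, password). Not real data.
BREACH = [
    ("cathead@qq-example.test", "cdh-unique-pw"),
    ("alt1@qq-example.test", "cdh-unique-pw"),
    ("alt2@qq-example.test", "cdh-unique-pw"),
    # A throwaway password shared with unrelated people: a false-positive trap.
    ("cathead@qq-example.test", "123456"),
    ("someone@example.test", "123456"),
    ("nobody@example.test", "123456"),
    ("user3@example.test", "123456"),
    ("user4@example.test", "123456"),
]
# Constructed account records (email, real name), e.g. a retailer sign-up.
ACCOUNTS = [("alt1@qq-example.test", "Chen Daihai")]
# Constructed historical WHOIS records (domain, registrant name, registrant email).
WHOIS = [
    ("moyix.test", "Chen Daihai", "cathead@astrolink.test"),
    ("astrolink.test", None, "cathead@astrolink.test"),
    ("vmud.test", None, "cathead@astrolink.test"),
]
# Constructed stand-in for a threat-intel report's domain list.
TAGGED_DOMAINS = {"astrolink.test", "vmud.test"}

# Assumption: a password seen on more than this many accounts is too common
# (123456, password1, ...) to support a "same person" inference.
MAX_PASSWORD_SHARERS = 3


def build_graph(breach, accounts, whois, tagged, max_sharers=MAX_PASSWORD_SHARERS):
    """Return an undirected graph {node: {(neighbour, reason), ...}}.
    Nodes are typed tuples: ("email", ...), ("name", ...), ("domain", ...), ("tag", ...)."""
    graph = defaultdict(set)

    def link(a, b, reason):
        graph[a].add((b, reason))
        graph[b].add((a, reason))

    # Password pivot: only passwords shared by a small, closed group count.
    accounts_by_password = defaultdict(set)
    for email, password in breach:
        accounts_by_password[password].add(email)
    for password, emails in accounts_by_password.items():
        if not 2 <= len(emails) <= max_sharers:
            continue
        emails = sorted(emails)
        for i, a in enumerate(emails):
            for b in emails[i + 1:]:
                link(("email", a), ("email", b), "shared password")

    for email, name in accounts:
        link(("email", email), ("name", name), "account name")
    for domain, name, email in whois:
        link(("domain", domain), ("email", email), "registrant email")
        if name:
            link(("domain", domain), ("name", name), "registrant name")
    for domain in tagged:
        link(("domain", domain), ("tag", "badbox2-report"), "threat-intel tag")
    return graph


def find_path(graph, start, goal):
    """Shortest pivot chain from start to goal as [(node, reason_for_step)], or None."""
    previous = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == goal:
            path = []
            while node is not None:
                parent = previous[node]
                path.append((node, parent[1] if parent else None))
                node = parent[0] if parent else None
            return path[::-1]
        for neighbour, reason in sorted(graph.get(node, ())):
            if neighbour not in previous:
                previous[neighbour] = (node, reason)
                queue.append(neighbour)
    return None


def pivot_reasons(path):
    """The evidence types a chain rests on; the weakest link is the strength of the claim."""
    return [reason for _, reason in path[1:]]


if __name__ == "__main__":
    g = build_graph(BREACH, ACCOUNTS, WHOIS, TAGGED_DOMAINS)
    chain = find_path(g, ("email", "cathead@qq-example.test"), ("tag", "badbox2-report"))
    for node, reason in chain:
        print(f"{'  via ' + reason + ' -> ' if reason else ''}{node[0]}:{node[1]}")
    print("unrelated:", find_path(g, ("email", "someone@example.test"), ("tag", "badbox2-report")))
```

Run stand-alone, the script prints the seven-node chain from the constructed qq.com-style address to the tagged domains, and `None` for the unrelated account whose only overlap is the throwaway password. Raising `max_sharers` above the number of accounts sharing `123456` makes that unrelated account "connect" too, which is exactly the false positive the guard exists to prevent; when you report a chain, the pivot reasons list is what a reader needs to judge how much weight the attribution can bear.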

    Image 4

    UNAUTHORIZED ACCESS

The possibility of the Kimwolf botmasters gaining direct access to the Badbox 2.0 botnet is a significant development. This is particularly important given how Kimwolf spreads: its operators discovered that residential proxy services could be abused to reach beyond the proxy exit node into the home network it sits on, relaying malicious commands to vulnerable devices that the user's firewall would otherwise shield from the internet.

    The vulnerable systems targeted by Kimwolf are primarily Internet of Things (IoT) devices, such as unauthorized Android TV boxes and digital photo frames, which often lack discernible security or authentication. Essentially, if communication can be established with these devices, they can be compromised with a single command.

    Previous reports highlighted research from the proxy-tracking firm Synthient, which notified 11 different residential proxy providers about their proxy endpoints being vulnerable to this type of local network probing and exploitation.

    Most of these vulnerable proxy providers have since implemented measures to prevent customers from accessing the local networks of residential proxy endpoints, suggesting that Kimwolf’s rapid spread to millions of devices via residential proxy exploitation might be curtailed.

    However, the source of the Badbox 2.0 screenshot indicated that the Kimwolf botmasters had a hidden advantage: secret access to the Badbox 2.0 botnet control panel.

    “Dort has gotten unauthorized access,” the source stated. “So, what happened is normal proxy providers patched this. But Badbox doesn’t sell proxies by itself, so it’s not patched. And as long as Dort has access to Badbox, they would be able to load” the Kimwolf malware directly onto TV boxes associated with Badbox 2.0.

The source did not clarify how Dort gained access to the Badbox botnet panel. However, Dort’s current access is unlikely to remain undetected for long: the inquiries sent to the qq.com email addresses listed in the control panel screenshot, asking about the apparently rogue ABCD account, included a copy of that image.
