FBI Warns of BADBOX 2.0 Botnet: Millions of Smart Devices at Risk
A new cyberattack campaign infiltrates global supply chains, targeting everyday IoT devices and home networks.

Trenton, N.J. — On June 5th, the Federal Bureau of Investigation (FBI) released a public service announcement that a new wave of cyberattacks, dubbed BADBOX 2.0, has compromised millions of Internet of Things (IoT) devices worldwide. The warning stated that this sophisticated botnet campaign has already affected a wide range of smart devices, from streaming TV boxes and projectors to digital photo frames and aftermarket vehicle infotainment systems. The alert follows a months-long investigation conducted in partnership with cybersecurity firms, which uncovered that many of the compromised devices were distributed through popular online retailers and third-party marketplaces.
BADBOX 2.0 is an evolution of the original BADBOX operation, which was disrupted in 2024. The new variant has expanded its reach, targeting a broad array of consumer electronics. The FBI reports that cybercriminals compromise these devices either by pre-installing malicious software before the devices reach consumers or by infecting them during setup, when users install apps containing hidden backdoors. Once compromised, these devices are integrated into a botnet, a network of infected devices controlled remotely by threat actors. BADBOX 2.0 enables attackers to carry out a range of criminal activities, such as creating residential proxy networks, conducting credential stuffing attacks, perpetrating ad fraud, and exfiltrating sensitive data.
Global Impact and Threat Actor Collaboration
The scale of BADBOX 2.0 is unprecedented, with confirmed infections observed in over 222 countries and territories. The Satori Threat Intelligence and Research team has identified at least four distinct but cooperating threat actor groups orchestrating the campaign, sharing infrastructure and resources to maximize the botnet's reach and capabilities.
- SalesTracker Group: the group researchers believe is responsible for the operation and managed the command-and-control (C2) infrastructure for the botnet.
- MoYu Group: threat actors that developed the backdoor for BADBOX 2.0 and operated a click fraud campaign.
- Lemon Group: a threat actor group connected to the residential proxy services created through the BADBOX operation.
- LongTV: a Malaysian internet and media company that develops and operates apps for connected TV (CTV) devices.
The operation is notable for its adaptability; after initial disruptions, the attackers quickly modified their tactics to evade detection and resume their activities.
Indicators of Compromise
The FBI and its partners, including Human Security, Google, Trend Micro, and the Shadowserver Foundation, have outlined several indicators that may signal BADBOX 2.0 infection:
- Presence of suspicious or unofficial app marketplaces on devices.
- Requests to disable Google Play Protect settings.
- Use of generic or “unlocked” streaming devices, often from unrecognized brands.
- Android devices lacking Play Protect certification.
- Infected devices being directed to fraudulent HTML5 gaming sites that offer no actual gameplay. Instead, these sites display high-value in-game advertisements to generate illicit ad revenue, all without the user's knowledge.
To minimize exposure, the FBI recommends the following measures for consumers and businesses:
- Regularly monitor and assess all IoT devices for unusual activity.
- Download apps exclusively from official app stores.
- Keep all device software and firmware up to date.
- Immediately disconnect any device exhibiting suspicious behavior from the network.
The FBI urges anyone who suspects their devices may have been compromised to file a report with the Internet Crime Complaint Center (IC3).