Pulse Detail — Threat Intelligence

PULSE NAME

BADBOX 2.0 Targets Consumer Devices with Multiple Fraud Schemes

WHITE BADBOX 2.0 AlienVault 2025-03-06 Modified: 2025-03-06

IOCs

HIGH VOLUME

HUMAN's Satori Threat Intelligence team uncovered and partially disrupted BADBOX 2.0, a complex fraud operation targeting low-cost consumer devices. This operation, an expansion of the 2023 BADBOX scheme, infected over 1 million Android Open Source Project devices worldwide with a backdoor called BB2DOOR. The infection enabled various fraud schemes, including residential proxy services, ad fraud, and click fraud. Four threat actor groups were identified: SalesTracker Group, MoYu Group, Lemon Group, and LongTV. The operation targeted devices in 222 countries, with Brazil being the most affected. HUMAN collaborated with Google and other partners to disrupt the infrastructure and protect customers from the threat.

MITRE ATT&CK & Malware Families

ATT&CK TECHNIQUES

T1071 T1608.001 T1608 T1104 T1059.004 T1001 T1571 T1573 T1071.001

MALWARE FAMILIES

BADBOX

Indicators of Compromise (59)

All domain

TYPE	INDICATOR	DESCRIPTION	CREATED
domain	99soya.shop	—	2025-03-06
domain	admoyu.com	—	2025-03-06
domain	ads-goal.com	—	2025-03-06
domain	ai-goal.com	—	2025-03-06
domain	astrolink.cn	—	2025-03-06
domain	bltproxy.com	—	2025-03-06
domain	bluefish.work	—	2025-03-06
domain	bullet-proxy.com	—	2025-03-06
domain	cpbheback.com	—	2025-03-06
domain	cxlcyy.com	—	2025-03-06
domain	cxzyr.com	—	2025-03-06
domain	dazzl.vip	—	2025-03-06
domain	easyjoy.me	—	2025-03-06
domain	firehub.link	—	2025-03-06
domain	firehub.work	—	2025-03-06
domain	fuhidd.com	—	2025-03-06
domain	giddy.cc	—	2025-03-06
domain	huulog.com	—	2025-03-06
domain	ipforyou.top	—	2025-03-06
domain	jasmine.land	—	2025-03-06
domain	joyfulxx.com	—	2025-03-06
domain	meisvip.com	—	2025-03-06
domain	moonhub.work	—	2025-03-06
domain	motiyu.net	—	2025-03-06
domain	moyix.com	—	2025-03-06
domain	msohu.online	—	2025-03-06
domain	mtcpmpm.com	—	2025-03-06
domain	mtcprogram.com	—	2025-03-06
domain	mtcpuouo.com	—	2025-03-06
domain	net-goal.com	—	2025-03-06
domain	pccyy.com	—	2025-03-06
domain	pcxrlback.com	—	2025-03-06
domain	petrel-ip.com	—	2025-03-06
domain	pixelscast.com	—	2025-03-06
domain	pixlo.cc	—	2025-03-06
domain	pm2za.cc	—	2025-03-06
domain	qulogger.com	—	2025-03-06
domain	retrofitxer.com	—	2025-03-06
domain	rzless.work	—	2025-03-06
domain	shanhulan.cn	—	2025-03-06
domain	simplekds.me	—	2025-03-06
domain	soyatea.online	—	2025-03-06
domain	supportdatainput.top	—	2025-03-06
domain	swiftcode.work	—	2025-03-06
domain	sysbinder.com	—	2025-03-06
domain	tvsnapp.com	—	2025-03-06
domain	veezy.site	—	2025-03-06
domain	vividweb.work	—	2025-03-06
domain	vmud.net	—	2025-03-06
domain	wildpettykiwi.com	—	2025-03-06
domain	wildpettykiwi.xyz	—	2025-03-06
domain	ycxad.com	—	2025-03-06
domain	ycxrldow.com	—	2025-03-06
domain	yeyeyeye.xyz	—	2025-03-06
domain	yxcrl.com	—	2025-03-06
domain	yydsmb.com	—	2025-03-06
domain	yydsmd.com	—	2025-03-06
domain	ztword.com	—	2025-03-06
domain	zxcvbnmasdfghjkl.xyz	—	2025-03-06

References (1)

↗ https://www.humansecurity.com/learn/blog/satori-threat-intelligence-disruption-badbox-2-0/