{
  "type": "Domain",
  "indicator": "bluefish.work",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/bluefish.work",
    "alexa": "http://www.alexa.com/siteinfo/bluefish.work",
    "indicator": "bluefish.work",
    "type": "domain",
    "type_title": "Domain",
    "validation": [],
    "base_indicator": {
      "id": 4013756187,
      "indicator": "bluefish.work",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 10,
      "pulses": [
        {
          "id": "68434df5a7a61c7583cdec3f",
          "name": "Threat Intelligence Disruption: BADBOX 2.0 Targets Consumer Devices with Multiple Fraud Schemes",
          "description": "HUMAN's Satori team uncovered and partially disrupted BADBOX 2.0, a complex fraud operation targeting over 1 million low-cost consumer devices worldwide. The scheme involves a backdoor pre-installed on devices or distributed through unofficial app marketplaces, allowing threat actors to conduct various fraudulent activities. These include selling residential proxy services, ad fraud through hidden ads and WebViews, and click fraud. Four main threat actor groups were identified: SalesTracker, MoYu, Lemon, and LongTV. The operation affects Android Open Source Project devices in 222 countries, with Brazil being the most impacted. Disruption efforts involved collaboration with Google and other partners to mitigate the threat's impact.",
          "modified": "2025-06-06T20:24:01.215000",
          "created": "2025-06-06T20:22:13.238000",
          "tags": [
            "consumer devices",
            "iot",
            "badbox",
            "vo1d",
            "ad fraud",
            "botnet",
            "residential proxy",
            "android",
            "ctv",
            "bb2door"
          ],
          "references": [
            "https://www.humansecurity.com/learn/blog/satori-threat-intelligence-disruption-badbox-2-0",
            "https://www.humansecurity.com/wp-content/uploads/2025/03/BADBOX-2-H5-Domain-List.csv"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "Brazil",
            "United States of America",
            "Mexico",
            "Argentina",
            "Colombia"
          ],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1608.001",
              "name": "Upload Malware",
              "display_name": "T1608.001 - Upload Malware"
            },
            {
              "id": "T1608",
              "name": "Stage Capabilities",
              "display_name": "T1608 - Stage Capabilities"
            },
            {
              "id": "T1104",
              "name": "Multi-Stage Channels",
              "display_name": "T1104 - Multi-Stage Channels"
            },
            {
              "id": "T1059.004",
              "name": "Unix Shell",
              "display_name": "T1059.004 - Unix Shell"
            },
            {
              "id": "T1001",
              "name": "Data Obfuscation",
              "display_name": "T1001 - Data Obfuscation"
            },
            {
              "id": "T1571",
              "name": "Non-Standard Port",
              "display_name": "T1571 - Non-Standard Port"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            }
          ],
          "industries": [
            "Technology",
            "Telecommunications",
            "Media"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 59,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 800,
            "hostname": 169
          },
          "indicator_count": 969,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 386577,
          "modified_text": "359 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "67a2ad6770baabe73823f6f8",
          "name": "Unpacking the BADBOX Botnet",
          "description": "The BADBOX botnet, a newly discovered threat, targets Android devices, including high-end models like Yandex 4K QLED TVs. Over 190,000 infected devices have been observed, with malware often pre-installed from the factory or further down the supply chain. Using Censys, a suspicious SSL/TLS certificate common to BADBOX infrastructure was identified, revealing five IPs and numerous domains using the same certificate and SSH host key. This indicates a single actor controlling a templated environment. The analysis uncovered shared attributes among the infected hosts, including open SSH ports and nginx 1.20.1 running on CentOS. The scale and stealthy nature of BADBOX highlight the critical need for supply chain integrity monitoring and network traffic analysis.",
          "modified": "2025-03-15T10:02:34.751000",
          "created": "2025-02-05T00:14:31.510000",
          "tags": [
            "android",
            "supply chain",
            "censys",
            "ssh host key",
            "iot",
            "botnet",
            "ssl/tls certificate",
            "badbox",
            "firmware"
          ],
          "references": [
            "https://censys.com/unpacking-the-badbox-botnet/"
          ],
          "public": 1,
          "adversary": "BADBOX",
          "targeted_countries": [
            "Singapore"
          ],
          "malware_families": [
            {
              "id": "BADBOX",
              "display_name": "BADBOX",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1588.004",
              "name": "Digital Certificates",
              "display_name": "T1588.004 - Digital Certificates"
            },
            {
              "id": "T1587.003",
              "name": "Digital Certificates",
              "display_name": "T1587.003 - Digital Certificates"
            },
            {
              "id": "T1608.001",
              "name": "Upload Malware",
              "display_name": "T1608.001 - Upload Malware"
            },
            {
              "id": "T1584",
              "name": "Compromise Infrastructure",
              "display_name": "T1584 - Compromise Infrastructure"
            },
            {
              "id": "T1102.003",
              "name": "One-Way Communication",
              "display_name": "T1102.003 - One-Way Communication"
            },
            {
              "id": "T1571",
              "name": "Non-Standard Port",
              "display_name": "T1571 - Non-Standard Port"
            },
            {
              "id": "T1608.003",
              "name": "Install Digital Certificate",
              "display_name": "T1608.003 - Install Digital Certificate"
            },
            {
              "id": "T1563.002",
              "name": "RDP Hijacking",
              "display_name": "T1563.002 - RDP Hijacking"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 49,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 9,
            "hostname": 12
          },
          "indicator_count": 21,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 386580,
          "modified_text": "442 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "67c99587958ded87f3a219f3",
          "name": "BADBOX 2.0 Targets Consumer Devices with Multiple Fraud Schemes",
          "description": "HUMAN's Satori Threat Intelligence team uncovered and partially disrupted BADBOX 2.0, a complex fraud operation targeting low-cost consumer devices. This operation, an expansion of the 2023 BADBOX scheme, infected over 1 million Android Open Source Project devices worldwide with a backdoor called BB2DOOR. The infection enabled various fraud schemes, including residential proxy services, ad fraud, and click fraud. Four threat actor groups were identified: SalesTracker Group, MoYu Group, Lemon Group, and LongTV. The operation targeted devices in 222 countries, with Brazil being the most affected. HUMAN collaborated with Google and other partners to disrupt the infrastructure and protect customers from the threat.",
          "modified": "2025-03-06T15:14:33.559000",
          "created": "2025-03-06T12:31:03.912000",
          "tags": [
            "vo1d",
            "ctv",
            "bb2door",
            "botnet",
            "backdoor",
            "iot",
            "residential proxy",
            "ad fraud",
            "click fraud",
            "badbox 2.0",
            "badbox"
          ],
          "references": [
            "https://www.humansecurity.com/learn/blog/satori-threat-intelligence-disruption-badbox-2-0/"
          ],
          "public": 1,
          "adversary": "BADBOX 2.0",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "BADBOX",
              "display_name": "BADBOX",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1608.001",
              "name": "Upload Malware",
              "display_name": "T1608.001 - Upload Malware"
            },
            {
              "id": "T1608",
              "name": "Stage Capabilities",
              "display_name": "T1608 - Stage Capabilities"
            },
            {
              "id": "T1104",
              "name": "Multi-Stage Channels",
              "display_name": "T1104 - Multi-Stage Channels"
            },
            {
              "id": "T1059.004",
              "name": "Unix Shell",
              "display_name": "T1059.004 - Unix Shell"
            },
            {
              "id": "T1001",
              "name": "Data Obfuscation",
              "display_name": "T1001 - Data Obfuscation"
            },
            {
              "id": "T1571",
              "name": "Non-Standard Port",
              "display_name": "T1571 - Non-Standard Port"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 48,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 59
          },
          "indicator_count": 59,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 386577,
          "modified_text": "451 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6761f4379704bd484a8e2402",
          "name": "BADBOX Botnet Is Back",
          "description": "The BADBOX botnet, previously thought to be contained, has resurfaced with increased scope and sophistication. Recent findings reveal over 192,000 infected devices, including high-end Yandex 4K QLED Smart TVs and Hisense smartphones, expanding beyond the initially targeted off-brand Android devices. The botnet exploits compromised firmware to install malware and secondary payloads without user consent, enabling activities such as residential proxying, remote code installation, and ad fraud. The operation affects multiple countries, with Russia, China, and India being the most impacted. The malware's ability to adapt and spread through global supply chains poses significant challenges for consumers and enterprises alike, emphasizing the importance of trusted vendors and partners in cybersecurity.",
          "modified": "2025-01-16T21:04:58.311000",
          "created": "2024-12-17T21:59:19.831000",
          "tags": [
            "firmware",
            "android",
            "proxy",
            "supply chain",
            "triada",
            "smart tv",
            "malware",
            "botnet",
            "ad fraud",
            "badbox"
          ],
          "references": [
            "https://www.bitsight.com/blog/badbox-botnet-back"
          ],
          "public": 1,
          "adversary": "BADBOX",
          "targeted_countries": [
            "United States of America",
            "Belarus",
            "Brazil",
            "British Indian Ocean Territory",
            "China",
            "Czechia",
            "France",
            "Germany",
            "India",
            "Kazakhstan",
            "Netherlands",
            "Russian Federation",
            "Saudi Arabia",
            "Ukraine"
          ],
          "malware_families": [
            {
              "id": "BADBOX",
              "display_name": "BADBOX",
              "target": null
            },
            {
              "id": "Triada",
              "display_name": "Triada",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1542.003",
              "name": "Bootkit",
              "display_name": "T1542.003 - Bootkit"
            },
            {
              "id": "T1608.004",
              "name": "Drive-by Target",
              "display_name": "T1608.004 - Drive-by Target"
            },
            {
              "id": "T1106",
              "name": "Native API",
              "display_name": "T1106 - Native API"
            },
            {
              "id": "T1608.001",
              "name": "Upload Malware",
              "display_name": "T1608.001 - Upload Malware"
            },
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            },
            {
              "id": "T1608.005",
              "name": "Link Target",
              "display_name": "T1608.005 - Link Target"
            },
            {
              "id": "T1059.004",
              "name": "Unix Shell",
              "display_name": "T1059.004 - Unix Shell"
            },
            {
              "id": "T1571",
              "name": "Non-Standard Port",
              "display_name": "T1571 - Non-Standard Port"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            }
          ],
          "industries": [
            "Technology",
            "Telecommunications"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 41,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 1,
            "FileHash-SHA1": 1,
            "URL": 2,
            "domain": 16,
            "hostname": 3
          },
          "indicator_count": 23,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 386583,
          "modified_text": "500 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "672f6ed2b564f00b7c5cb13f",
          "name": "Threatfox Recent Additions",
          "description": "",
          "modified": "2025-06-13T19:00:02.811000",
          "created": "2024-11-09T14:16:50.032000",
          "tags": [],
          "references": [
            "",
            "https://threatfox.abuse.ch/export/csv/recent/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 96,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "ameermane",
            "id": "77501",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 47587,
            "URL": 18714,
            "FileHash-SHA256": 36311,
            "FileHash-MD5": 1630,
            "FileHash-SHA1": 418,
            "hostname": 18190
          },
          "indicator_count": 122850,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 144,
          "modified_text": "352 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6842ca684b5413baf27aa136",
          "name": "Satori Threat Intelligence Disruption: BADBOX 2.0 Targets Consumer Devices with Multiple Fraud Schemes - HUMAN Security",
          "description": "Learn more about HUMAN, the artificial intelligence company designed to prevent bot attacks and fraud on ad tech platforms and digital publishers, from exploiting customers' valuable online accounts and other online services, and from partners.",
          "modified": "2025-06-06T11:00:56.776000",
          "created": "2025-06-06T11:00:56.776000",
          "tags": [],
          "references": [
            "https://humansecurity.com/learn/blog/satori-threat-intelligence-disruption-badbox-2-0/"
          ],
          "public": 1,
          "adversary": "Lemon",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 19,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunter_NL",
            "id": "171283",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 110,
            "hostname": 1
          },
          "indicator_count": 111,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 864,
          "modified_text": "359 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "67ca9b25d3c18153af18075d",
          "name": "IOC&TTP - Satori Threat Intelligence Disruption BADBOX 2.0 Targets Consumer Devices with Multiple Fraud Schemes",
          "description": "HUMAN Satori \u5a01\u80c1\u60c5\u62a5\u56e2\u961f\u6700\u8fd1\u53d1\u73b0\u5e76\u90e8\u5206\u7834\u574f\u4e86\u4e00\u4e2a\u540d\u4e3a BADBOX 2.0 \u7684\u5927\u89c4\u6a21\u7f51\u7edc\u6b3a\u8bc8\u884c\u52a8\u3002\u8be5\u884c\u52a8\u662f 2023 \u5e74 BADBOX \u64cd\u4f5c\u7684\u5347\u7ea7\u7248\uff0c\u88ab\u8ba4\u4e3a\u662f \u8fc4\u4eca\u53d1\u73b0\u7684\u6700\u5927\u8054\u7f51\u7535\u89c6\uff08CTV\uff09\u50f5\u5c38\u7f51\u7edc\uff0c\u6d89\u53ca \u8d85\u8fc7 100 \u4e07\u53f0\u6d88\u8d39\u7535\u5b50\u8bbe\u5907\u3002BADBOX 2.0 \u901a\u8fc7\u5728\u4f4e\u6210\u672c Android \u5f00\u6e90\u9879\u76ee\uff08AOSP\uff09\u8bbe\u5907\u4e0a\u690d\u5165\u540e\u95e8\uff0c\u5141\u8bb8\u653b\u51fb\u8005\u8fdc\u7a0b\u90e8\u7f72\u6b3a\u8bc8\u6a21\u5757\uff0c\u7528\u4e8e \u5e7f\u544a\u6b3a\u8bc8\u3001\u70b9\u51fb\u6b3a\u8bc8\u3001DDoS \u653b\u51fb\u3001\u6076\u610f\u8f6f\u4ef6\u5206\u53d1\uff0c\u751a\u81f3\u5c06\u8bbe\u5907\u4f5c\u4e3a\u4f4f\u5b85\u4ee3\u7406\uff08Residential Proxy\uff09\u670d\u52a1\u7684\u4e00\u90e8\u5206\u3002",
          "modified": "2025-03-10T02:49:15.961000",
          "created": "2025-03-07T07:07:17.807000",
          "tags": [
            "vo1d",
            "ctv",
            "bb2door",
            "botnet",
            "backdoor",
            "iot",
            "residential proxy",
            "ad fraud",
            "click fraud",
            "badbox 2.0",
            "badbox"
          ],
          "references": [
            "https://www.humansecurity.com/learn/blog/satori-threat-intelligence-disruption-badbox-2-0/"
          ],
          "public": 1,
          "adversary": "BADBOX 2.0",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "BADBOX",
              "display_name": "BADBOX",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1608.001",
              "name": "Upload Malware",
              "display_name": "T1608.001 - Upload Malware"
            },
            {
              "id": "T1608",
              "name": "Stage Capabilities",
              "display_name": "T1608 - Stage Capabilities"
            },
            {
              "id": "T1104",
              "name": "Multi-Stage Channels",
              "display_name": "T1104 - Multi-Stage Channels"
            },
            {
              "id": "T1059.004",
              "name": "Unix Shell",
              "display_name": "T1059.004 - Unix Shell"
            },
            {
              "id": "T1001",
              "name": "Data Obfuscation",
              "display_name": "T1001 - Data Obfuscation"
            },
            {
              "id": "T1571",
              "name": "Non-Standard Port",
              "display_name": "T1571 - Non-Standard Port"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": "67c99587958ded87f3a219f3",
          "export_count": 10,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "celestre",
            "id": "295357",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 59
          },
          "indicator_count": 59,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 139,
          "modified_text": "447 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "67a4a203ba3664a273c96f8a",
          "name": "BADBOX Botnet Infected Over 190,000 Android Devices Including LED TVs",
          "description": "A newly discovered botnet named BADBOX has been found to have infected over 190,000 Android devices, including high-end models like Yandex 4K QLED TVs.\n\nThis botnet is particularly concerning due to its ability to infect devices potentially through pre-installed malware from the factory or further down the supply chain.",
          "modified": "2025-03-08T11:04:11.741000",
          "created": "2025-02-06T11:50:27.404000",
          "tags": [
            "censys",
            "ssh host",
            "badbox",
            "source",
            "android",
            "yandex",
            "qled tvs",
            "badbox botnet",
            "censys internet",
            "stsingapore"
          ],
          "references": [
            "https://cybersecuritynews.com/badbox-botnet-infected-over-190000-android-devices/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 17,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunter_NL",
            "id": "171283",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 2,
            "domain": 9,
            "hostname": 2
          },
          "indicator_count": 13,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 867,
          "modified_text": "449 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "67a491c7f6ec4ea05054b06f",
          "name": "BADBOX Botnet Infects Android Devices through supply chain malware",
          "description": "The full list of key data released by the US Department of Defence (DoD) in the wake of the 9/11 attacks, as compiled by Microsoft, has been released:.-.",
          "modified": "2025-03-08T10:03:51.002000",
          "created": "2025-02-06T10:41:11.346000",
          "tags": [
            "domains",
            "cyber",
            "threat",
            "february",
            "time",
            "crypto cyber",
            "defence",
            "classification",
            "confidential",
            "hashes"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 13,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "cryptocti",
            "id": "110256",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 2,
            "domain": 9,
            "hostname": 1
          },
          "indicator_count": 12,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 503,
          "modified_text": "449 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6762dbde3930a74843860f4c",
          "name": "BADBOX Botnet Is Back | Bitsight",
          "description": "Find out more about Bitsight, a leading cyber risk management company, on the web, at www.bitsight.com and on our app and Facebook page, and here are the highlights.",
          "modified": "2025-01-17T11:00:16.991000",
          "created": "2024-12-18T14:27:42.647000",
          "tags": [
            "badbox",
            "android tv",
            "russia",
            "badbox malware",
            "yndx smart",
            "android",
            "china",
            "belarus",
            "bitsight",
            "amazon",
            "triada",
            "april",
            "guerrilla",
            "first",
            "ukraine",
            "peachpit",
            "c2"
          ],
          "references": [
            "https://www.bitsight.com/blog/badbox-botnet-back"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "Germany",
            "Saudi Arabia",
            "Kazakhstan",
            "Czechia",
            "United States of America",
            "France",
            "Netherlands",
            "Russian Federation",
            "China"
          ],
          "malware_families": [
            {
              "id": "PEACHPIT",
              "display_name": "PEACHPIT",
              "target": null
            },
            {
              "id": "Bitsight",
              "display_name": "Bitsight",
              "target": null
            },
            {
              "id": "C2",
              "display_name": "C2",
              "target": null
            },
            {
              "id": "BADBOX",
              "display_name": "BADBOX",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            },
            {
              "id": "T1553",
              "name": "Subvert Trust Controls",
              "display_name": "T1553 - Subvert Trust Controls"
            },
            {
              "id": "T1195",
              "name": "Supply Chain Compromise",
              "display_name": "T1195 - Supply Chain Compromise"
            },
            {
              "id": "T1495",
              "name": "Firmware Corruption",
              "display_name": "T1495 - Firmware Corruption"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 21,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunter_NL",
            "id": "171283",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 1,
            "FileHash-SHA1": 1,
            "URL": 2,
            "domain": 27,
            "hostname": 4
          },
          "indicator_count": 35,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 863,
          "modified_text": "499 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "",
        "https://www.bitsight.com/blog/badbox-botnet-back",
        "https://www.humansecurity.com/learn/blog/satori-threat-intelligence-disruption-badbox-2-0/",
        "https://cybersecuritynews.com/badbox-botnet-infected-over-190000-android-devices/",
        "https://threatfox.abuse.ch/export/csv/recent/",
        "https://censys.com/unpacking-the-badbox-botnet/",
        "https://humansecurity.com/learn/blog/satori-threat-intelligence-disruption-badbox-2-0/",
        "https://www.humansecurity.com/wp-content/uploads/2025/03/BADBOX-2-H5-Domain-List.csv",
        "https://www.humansecurity.com/learn/blog/satori-threat-intelligence-disruption-badbox-2-0"
      ],
      "related": {
        "alienvault": {
          "adversary": [
            "BADBOX",
            "BADBOX 2.0"
          ],
          "malware_families": [
            "Badbox",
            "Triada"
          ],
          "industries": [
            "Telecommunications",
            "Media",
            "Technology"
          ]
        },
        "other": {
          "adversary": [
            "Lemon",
            "BADBOX 2.0"
          ],
          "malware_families": [
            "Peachpit",
            "Badbox",
            "C2",
            "Bitsight"
          ],
          "industries": []
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 10,
  "pulses": [
    {
      "id": "68434df5a7a61c7583cdec3f",
      "name": "Threat Intelligence Disruption: BADBOX 2.0 Targets Consumer Devices with Multiple Fraud Schemes",
      "description": "HUMAN's Satori team uncovered and partially disrupted BADBOX 2.0, a complex fraud operation targeting over 1 million low-cost consumer devices worldwide. The scheme involves a backdoor pre-installed on devices or distributed through unofficial app marketplaces, allowing threat actors to conduct various fraudulent activities. These include selling residential proxy services, ad fraud through hidden ads and WebViews, and click fraud. Four main threat actor groups were identified: SalesTracker, MoYu, Lemon, and LongTV. The operation affects Android Open Source Project devices in 222 countries, with Brazil being the most impacted. Disruption efforts involved collaboration with Google and other partners to mitigate the threat's impact.",
      "modified": "2025-06-06T20:24:01.215000",
      "created": "2025-06-06T20:22:13.238000",
      "tags": [
        "consumer devices",
        "iot",
        "badbox",
        "vo1d",
        "ad fraud",
        "botnet",
        "residential proxy",
        "android",
        "ctv",
        "bb2door"
      ],
      "references": [
        "https://www.humansecurity.com/learn/blog/satori-threat-intelligence-disruption-badbox-2-0",
        "https://www.humansecurity.com/wp-content/uploads/2025/03/BADBOX-2-H5-Domain-List.csv"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "Brazil",
        "United States of America",
        "Mexico",
        "Argentina",
        "Colombia"
      ],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1608.001",
          "name": "Upload Malware",
          "display_name": "T1608.001 - Upload Malware"
        },
        {
          "id": "T1608",
          "name": "Stage Capabilities",
          "display_name": "T1608 - Stage Capabilities"
        },
        {
          "id": "T1104",
          "name": "Multi-Stage Channels",
          "display_name": "T1104 - Multi-Stage Channels"
        },
        {
          "id": "T1059.004",
          "name": "Unix Shell",
          "display_name": "T1059.004 - Unix Shell"
        },
        {
          "id": "T1001",
          "name": "Data Obfuscation",
          "display_name": "T1001 - Data Obfuscation"
        },
        {
          "id": "T1571",
          "name": "Non-Standard Port",
          "display_name": "T1571 - Non-Standard Port"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        },
        {
          "id": "T1071.001",
          "name": "Web Protocols",
          "display_name": "T1071.001 - Web Protocols"
        }
      ],
      "industries": [
        "Technology",
        "Telecommunications",
        "Media"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 59,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 800,
        "hostname": 169
      },
      "indicator_count": 969,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 386577,
      "modified_text": "359 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "67a2ad6770baabe73823f6f8",
      "name": "Unpacking the BADBOX Botnet",
      "description": "The BADBOX botnet, a newly discovered threat, targets Android devices, including high-end models like Yandex 4K QLED TVs. Over 190,000 infected devices have been observed, with malware often pre-installed from the factory or further down the supply chain. Using Censys, a suspicious SSL/TLS certificate common to BADBOX infrastructure was identified, revealing five IPs and numerous domains using the same certificate and SSH host key. This indicates a single actor controlling a templated environment. The analysis uncovered shared attributes among the infected hosts, including open SSH ports and nginx 1.20.1 running on CentOS. The scale and stealthy nature of BADBOX highlight the critical need for supply chain integrity monitoring and network traffic analysis.",
      "modified": "2025-03-15T10:02:34.751000",
      "created": "2025-02-05T00:14:31.510000",
      "tags": [
        "android",
        "supply chain",
        "censys",
        "ssh host key",
        "iot",
        "botnet",
        "ssl/tls certificate",
        "badbox",
        "firmware"
      ],
      "references": [
        "https://censys.com/unpacking-the-badbox-botnet/"
      ],
      "public": 1,
      "adversary": "BADBOX",
      "targeted_countries": [
        "Singapore"
      ],
      "malware_families": [
        {
          "id": "BADBOX",
          "display_name": "BADBOX",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1588.004",
          "name": "Digital Certificates",
          "display_name": "T1588.004 - Digital Certificates"
        },
        {
          "id": "T1587.003",
          "name": "Digital Certificates",
          "display_name": "T1587.003 - Digital Certificates"
        },
        {
          "id": "T1608.001",
          "name": "Upload Malware",
          "display_name": "T1608.001 - Upload Malware"
        },
        {
          "id": "T1584",
          "name": "Compromise Infrastructure",
          "display_name": "T1584 - Compromise Infrastructure"
        },
        {
          "id": "T1102.003",
          "name": "One-Way Communication",
          "display_name": "T1102.003 - One-Way Communication"
        },
        {
          "id": "T1571",
          "name": "Non-Standard Port",
          "display_name": "T1571 - Non-Standard Port"
        },
        {
          "id": "T1608.003",
          "name": "Install Digital Certificate",
          "display_name": "T1608.003 - Install Digital Certificate"
        },
        {
          "id": "T1563.002",
          "name": "RDP Hijacking",
          "display_name": "T1563.002 - RDP Hijacking"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 49,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 9,
        "hostname": 12
      },
      "indicator_count": 21,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 386580,
      "modified_text": "442 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "67c99587958ded87f3a219f3",
      "name": "BADBOX 2.0 Targets Consumer Devices with Multiple Fraud Schemes",
      "description": "HUMAN's Satori Threat Intelligence team uncovered and partially disrupted BADBOX 2.0, a complex fraud operation targeting low-cost consumer devices. This operation, an expansion of the 2023 BADBOX scheme, infected over 1 million Android Open Source Project devices worldwide with a backdoor called BB2DOOR. The infection enabled various fraud schemes, including residential proxy services, ad fraud, and click fraud. Four threat actor groups were identified: SalesTracker Group, MoYu Group, Lemon Group, and LongTV. The operation targeted devices in 222 countries, with Brazil being the most affected. HUMAN collaborated with Google and other partners to disrupt the infrastructure and protect customers from the threat.",
      "modified": "2025-03-06T15:14:33.559000",
      "created": "2025-03-06T12:31:03.912000",
      "tags": [
        "vo1d",
        "ctv",
        "bb2door",
        "botnet",
        "backdoor",
        "iot",
        "residential proxy",
        "ad fraud",
        "click fraud",
        "badbox 2.0",
        "badbox"
      ],
      "references": [
        "https://www.humansecurity.com/learn/blog/satori-threat-intelligence-disruption-badbox-2-0/"
      ],
      "public": 1,
      "adversary": "BADBOX 2.0",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "BADBOX",
          "display_name": "BADBOX",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1608.001",
          "name": "Upload Malware",
          "display_name": "T1608.001 - Upload Malware"
        },
        {
          "id": "T1608",
          "name": "Stage Capabilities",
          "display_name": "T1608 - Stage Capabilities"
        },
        {
          "id": "T1104",
          "name": "Multi-Stage Channels",
          "display_name": "T1104 - Multi-Stage Channels"
        },
        {
          "id": "T1059.004",
          "name": "Unix Shell",
          "display_name": "T1059.004 - Unix Shell"
        },
        {
          "id": "T1001",
          "name": "Data Obfuscation",
          "display_name": "T1001 - Data Obfuscation"
        },
        {
          "id": "T1571",
          "name": "Non-Standard Port",
          "display_name": "T1571 - Non-Standard Port"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        },
        {
          "id": "T1071.001",
          "name": "Web Protocols",
          "display_name": "T1071.001 - Web Protocols"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 48,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 59
      },
      "indicator_count": 59,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 386577,
      "modified_text": "451 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6761f4379704bd484a8e2402",
      "name": "BADBOX Botnet Is Back",
      "description": "The BADBOX botnet, previously thought to be contained, has resurfaced with increased scope and sophistication. Recent findings reveal over 192,000 infected devices, including high-end Yandex 4K QLED Smart TVs and Hisense smartphones, expanding beyond the initially targeted off-brand Android devices. The botnet exploits compromised firmware to install malware and secondary payloads without user consent, enabling activities such as residential proxying, remote code installation, and ad fraud. The operation affects multiple countries, with Russia, China, and India being the most impacted. The malware's ability to adapt and spread through global supply chains poses significant challenges for consumers and enterprises alike, emphasizing the importance of trusted vendors and partners in cybersecurity.",
      "modified": "2025-01-16T21:04:58.311000",
      "created": "2024-12-17T21:59:19.831000",
      "tags": [
        "firmware",
        "android",
        "proxy",
        "supply chain",
        "triada",
        "smart tv",
        "malware",
        "botnet",
        "ad fraud",
        "badbox"
      ],
      "references": [
        "https://www.bitsight.com/blog/badbox-botnet-back"
      ],
      "public": 1,
      "adversary": "BADBOX",
      "targeted_countries": [
        "United States of America",
        "Belarus",
        "Brazil",
        "British Indian Ocean Territory",
        "China",
        "Czechia",
        "France",
        "Germany",
        "India",
        "Kazakhstan",
        "Netherlands",
        "Russian Federation",
        "Saudi Arabia",
        "Ukraine"
      ],
      "malware_families": [
        {
          "id": "BADBOX",
          "display_name": "BADBOX",
          "target": null
        },
        {
          "id": "Triada",
          "display_name": "Triada",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1542.003",
          "name": "Bootkit",
          "display_name": "T1542.003 - Bootkit"
        },
        {
          "id": "T1608.004",
          "name": "Drive-by Target",
          "display_name": "T1608.004 - Drive-by Target"
        },
        {
          "id": "T1106",
          "name": "Native API",
          "display_name": "T1106 - Native API"
        },
        {
          "id": "T1608.001",
          "name": "Upload Malware",
          "display_name": "T1608.001 - Upload Malware"
        },
        {
          "id": "T1102",
          "name": "Web Service",
          "display_name": "T1102 - Web Service"
        },
        {
          "id": "T1608.005",
          "name": "Link Target",
          "display_name": "T1608.005 - Link Target"
        },
        {
          "id": "T1059.004",
          "name": "Unix Shell",
          "display_name": "T1059.004 - Unix Shell"
        },
        {
          "id": "T1571",
          "name": "Non-Standard Port",
          "display_name": "T1571 - Non-Standard Port"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        },
        {
          "id": "T1071.001",
          "name": "Web Protocols",
          "display_name": "T1071.001 - Web Protocols"
        }
      ],
      "industries": [
        "Technology",
        "Telecommunications"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 41,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 1,
        "FileHash-SHA1": 1,
        "URL": 2,
        "domain": 16,
        "hostname": 3
      },
      "indicator_count": 23,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 386583,
      "modified_text": "500 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "672f6ed2b564f00b7c5cb13f",
      "name": "Threatfox Recent Additions",
      "description": "",
      "modified": "2025-06-13T19:00:02.811000",
      "created": "2024-11-09T14:16:50.032000",
      "tags": [],
      "references": [
        "",
        "https://threatfox.abuse.ch/export/csv/recent/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 96,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "ameermane",
        "id": "77501",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 47587,
        "URL": 18714,
        "FileHash-SHA256": 36311,
        "FileHash-MD5": 1630,
        "FileHash-SHA1": 418,
        "hostname": 18190
      },
      "indicator_count": 122850,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 144,
      "modified_text": "352 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6842ca684b5413baf27aa136",
      "name": "Satori Threat Intelligence Disruption: BADBOX 2.0 Targets Consumer Devices with Multiple Fraud Schemes - HUMAN Security",
      "description": "Learn more about HUMAN, the artificial intelligence company designed to prevent bot attacks and fraud on ad tech platforms and digital publishers, from exploiting customers' valuable online accounts and other online services, and from partners.",
      "modified": "2025-06-06T11:00:56.776000",
      "created": "2025-06-06T11:00:56.776000",
      "tags": [],
      "references": [
        "https://humansecurity.com/learn/blog/satori-threat-intelligence-disruption-badbox-2-0/"
      ],
      "public": 1,
      "adversary": "Lemon",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 19,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "CyberHunter_NL",
        "id": "171283",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 110,
        "hostname": 1
      },
      "indicator_count": 111,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 864,
      "modified_text": "359 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "67ca9b25d3c18153af18075d",
      "name": "IOC&TTP - Satori Threat Intelligence Disruption BADBOX 2.0 Targets Consumer Devices with Multiple Fraud Schemes",
      "description": "HUMAN Satori \u5a01\u80c1\u60c5\u62a5\u56e2\u961f\u6700\u8fd1\u53d1\u73b0\u5e76\u90e8\u5206\u7834\u574f\u4e86\u4e00\u4e2a\u540d\u4e3a BADBOX 2.0 \u7684\u5927\u89c4\u6a21\u7f51\u7edc\u6b3a\u8bc8\u884c\u52a8\u3002\u8be5\u884c\u52a8\u662f 2023 \u5e74 BADBOX \u64cd\u4f5c\u7684\u5347\u7ea7\u7248\uff0c\u88ab\u8ba4\u4e3a\u662f \u8fc4\u4eca\u53d1\u73b0\u7684\u6700\u5927\u8054\u7f51\u7535\u89c6\uff08CTV\uff09\u50f5\u5c38\u7f51\u7edc\uff0c\u6d89\u53ca \u8d85\u8fc7 100 \u4e07\u53f0\u6d88\u8d39\u7535\u5b50\u8bbe\u5907\u3002BADBOX 2.0 \u901a\u8fc7\u5728\u4f4e\u6210\u672c Android \u5f00\u6e90\u9879\u76ee\uff08AOSP\uff09\u8bbe\u5907\u4e0a\u690d\u5165\u540e\u95e8\uff0c\u5141\u8bb8\u653b\u51fb\u8005\u8fdc\u7a0b\u90e8\u7f72\u6b3a\u8bc8\u6a21\u5757\uff0c\u7528\u4e8e \u5e7f\u544a\u6b3a\u8bc8\u3001\u70b9\u51fb\u6b3a\u8bc8\u3001DDoS \u653b\u51fb\u3001\u6076\u610f\u8f6f\u4ef6\u5206\u53d1\uff0c\u751a\u81f3\u5c06\u8bbe\u5907\u4f5c\u4e3a\u4f4f\u5b85\u4ee3\u7406\uff08Residential Proxy\uff09\u670d\u52a1\u7684\u4e00\u90e8\u5206\u3002",
      "modified": "2025-03-10T02:49:15.961000",
      "created": "2025-03-07T07:07:17.807000",
      "tags": [
        "vo1d",
        "ctv",
        "bb2door",
        "botnet",
        "backdoor",
        "iot",
        "residential proxy",
        "ad fraud",
        "click fraud",
        "badbox 2.0",
        "badbox"
      ],
      "references": [
        "https://www.humansecurity.com/learn/blog/satori-threat-intelligence-disruption-badbox-2-0/"
      ],
      "public": 1,
      "adversary": "BADBOX 2.0",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "BADBOX",
          "display_name": "BADBOX",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1608.001",
          "name": "Upload Malware",
          "display_name": "T1608.001 - Upload Malware"
        },
        {
          "id": "T1608",
          "name": "Stage Capabilities",
          "display_name": "T1608 - Stage Capabilities"
        },
        {
          "id": "T1104",
          "name": "Multi-Stage Channels",
          "display_name": "T1104 - Multi-Stage Channels"
        },
        {
          "id": "T1059.004",
          "name": "Unix Shell",
          "display_name": "T1059.004 - Unix Shell"
        },
        {
          "id": "T1001",
          "name": "Data Obfuscation",
          "display_name": "T1001 - Data Obfuscation"
        },
        {
          "id": "T1571",
          "name": "Non-Standard Port",
          "display_name": "T1571 - Non-Standard Port"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        },
        {
          "id": "T1071.001",
          "name": "Web Protocols",
          "display_name": "T1071.001 - Web Protocols"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": "67c99587958ded87f3a219f3",
      "export_count": 10,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "celestre",
        "id": "295357",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 59
      },
      "indicator_count": 59,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 139,
      "modified_text": "447 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "67a4a203ba3664a273c96f8a",
      "name": "BADBOX Botnet Infected Over 190,000 Android Devices Including LED TVs",
      "description": "A newly discovered botnet named BADBOX has been found to have infected over 190,000 Android devices, including high-end models like Yandex 4K QLED TVs.\n\nThis botnet is particularly concerning due to its ability to infect devices potentially through pre-installed malware from the factory or further down the supply chain.",
      "modified": "2025-03-08T11:04:11.741000",
      "created": "2025-02-06T11:50:27.404000",
      "tags": [
        "censys",
        "ssh host",
        "badbox",
        "source",
        "android",
        "yandex",
        "qled tvs",
        "badbox botnet",
        "censys internet",
        "stsingapore"
      ],
      "references": [
        "https://cybersecuritynews.com/badbox-botnet-infected-over-190000-android-devices/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 17,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "CyberHunter_NL",
        "id": "171283",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA256": 2,
        "domain": 9,
        "hostname": 2
      },
      "indicator_count": 13,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 867,
      "modified_text": "449 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "67a491c7f6ec4ea05054b06f",
      "name": "BADBOX Botnet Infects Android Devices through supply chain malware",
      "description": "The full list of key data released by the US Department of Defence (DoD) in the wake of the 9/11 attacks, as compiled by Microsoft, has been released:.-.",
      "modified": "2025-03-08T10:03:51.002000",
      "created": "2025-02-06T10:41:11.346000",
      "tags": [
        "domains",
        "cyber",
        "threat",
        "february",
        "time",
        "crypto cyber",
        "defence",
        "classification",
        "confidential",
        "hashes"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 13,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "cryptocti",
        "id": "110256",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA256": 2,
        "domain": 9,
        "hostname": 1
      },
      "indicator_count": 12,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 503,
      "modified_text": "449 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6762dbde3930a74843860f4c",
      "name": "BADBOX Botnet Is Back | Bitsight",
      "description": "Find out more about Bitsight, a leading cyber risk management company, on the web, at www.bitsight.com and on our app and Facebook page, and here are the highlights.",
      "modified": "2025-01-17T11:00:16.991000",
      "created": "2024-12-18T14:27:42.647000",
      "tags": [
        "badbox",
        "android tv",
        "russia",
        "badbox malware",
        "yndx smart",
        "android",
        "china",
        "belarus",
        "bitsight",
        "amazon",
        "triada",
        "april",
        "guerrilla",
        "first",
        "ukraine",
        "peachpit",
        "c2"
      ],
      "references": [
        "https://www.bitsight.com/blog/badbox-botnet-back"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "Germany",
        "Saudi Arabia",
        "Kazakhstan",
        "Czechia",
        "United States of America",
        "France",
        "Netherlands",
        "Russian Federation",
        "China"
      ],
      "malware_families": [
        {
          "id": "PEACHPIT",
          "display_name": "PEACHPIT",
          "target": null
        },
        {
          "id": "Bitsight",
          "display_name": "Bitsight",
          "target": null
        },
        {
          "id": "C2",
          "display_name": "C2",
          "target": null
        },
        {
          "id": "BADBOX",
          "display_name": "BADBOX",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1102",
          "name": "Web Service",
          "display_name": "T1102 - Web Service"
        },
        {
          "id": "T1553",
          "name": "Subvert Trust Controls",
          "display_name": "T1553 - Subvert Trust Controls"
        },
        {
          "id": "T1195",
          "name": "Supply Chain Compromise",
          "display_name": "T1195 - Supply Chain Compromise"
        },
        {
          "id": "T1495",
          "name": "Firmware Corruption",
          "display_name": "T1495 - Firmware Corruption"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 21,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "CyberHunter_NL",
        "id": "171283",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 1,
        "FileHash-SHA1": 1,
        "URL": 2,
        "domain": 27,
        "hostname": 4
      },
      "indicator_count": 35,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 863,
      "modified_text": "499 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "bluefish.work",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "bluefish.work",
    "found": false,
    "verdict": "clean",
    "urls": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780263691.652291
}