{ "type": "Domain", "indicator": "pcxrlback.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/pcxrlback.com", "alexa": "http://www.alexa.com/siteinfo/pcxrlback.com", "indicator": "pcxrlback.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 4013756191, "indicator": "pcxrlback.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 7, "pulses": [ { "id": "68434df5a7a61c7583cdec3f", "name": "Threat Intelligence Disruption: BADBOX 2.0 Targets Consumer Devices with Multiple Fraud Schemes", "description": "HUMAN's Satori team uncovered and partially disrupted BADBOX 2.0, a complex fraud operation targeting over 1 million low-cost consumer devices worldwide. The scheme involves a backdoor pre-installed on devices or distributed through unofficial app marketplaces, allowing threat actors to conduct various fraudulent activities. These include selling residential proxy services, ad fraud through hidden ads and WebViews, and click fraud. Four main threat actor groups were identified: SalesTracker, MoYu, Lemon, and LongTV. The operation affects Android Open Source Project devices in 222 countries, with Brazil being the most impacted. Disruption efforts involved collaboration with Google and other partners to mitigate the threat's impact.", "modified": "2025-06-06T20:24:01.215000", "created": "2025-06-06T20:22:13.238000", "tags": [ "consumer devices", "iot", "badbox", "vo1d", "ad fraud", "botnet", "residential proxy", "android", "ctv", "bb2door" ], "references": [ "https://www.humansecurity.com/learn/blog/satori-threat-intelligence-disruption-badbox-2-0", "https://www.humansecurity.com/wp-content/uploads/2025/03/BADBOX-2-H5-Domain-List.csv" ], "public": 1, "adversary": "", "targeted_countries": [ "Brazil", "United States of America", "Mexico", "Argentina", "Colombia" ], "malware_families": [], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1608.001", "name": "Upload Malware", "display_name": "T1608.001 - Upload Malware" }, { "id": "T1608", "name": "Stage Capabilities", "display_name": "T1608 - Stage Capabilities" }, { "id": "T1104", "name": "Multi-Stage Channels", "display_name": "T1104 - Multi-Stage Channels" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" } ], "industries": [ "Technology", "Telecommunications", "Media" ], "TLP": "white", "cloned_from": null, "export_count": 59, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "domain": 800, "hostname": 169 }, "indicator_count": 969, "is_author": false, "is_subscribing": null, "subscriber_count": 386583, "modified_text": "359 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67c99587958ded87f3a219f3", "name": "BADBOX 2.0 Targets Consumer Devices with Multiple Fraud Schemes", "description": "HUMAN's Satori Threat Intelligence team uncovered and partially disrupted BADBOX 2.0, a complex fraud operation targeting low-cost consumer devices. This operation, an expansion of the 2023 BADBOX scheme, infected over 1 million Android Open Source Project devices worldwide with a backdoor called BB2DOOR. The infection enabled various fraud schemes, including residential proxy services, ad fraud, and click fraud. Four threat actor groups were identified: SalesTracker Group, MoYu Group, Lemon Group, and LongTV. The operation targeted devices in 222 countries, with Brazil being the most affected. HUMAN collaborated with Google and other partners to disrupt the infrastructure and protect customers from the threat.", "modified": "2025-03-06T15:14:33.559000", "created": "2025-03-06T12:31:03.912000", "tags": [ "vo1d", "ctv", "bb2door", "botnet", "backdoor", "iot", "residential proxy", "ad fraud", "click fraud", "badbox 2.0", "badbox" ], "references": [ "https://www.humansecurity.com/learn/blog/satori-threat-intelligence-disruption-badbox-2-0/" ], "public": 1, "adversary": "BADBOX 2.0", "targeted_countries": [], "malware_families": [ { "id": "BADBOX", "display_name": "BADBOX", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1608.001", "name": "Upload Malware", "display_name": "T1608.001 - Upload Malware" }, { "id": "T1608", "name": "Stage Capabilities", "display_name": "T1608 - Stage Capabilities" }, { "id": "T1104", "name": "Multi-Stage Channels", "display_name": "T1104 - Multi-Stage Channels" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 48, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "domain": 59 }, "indicator_count": 59, "is_author": false, "is_subscribing": null, "subscriber_count": 386583, "modified_text": "451 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6761f4379704bd484a8e2402", "name": "BADBOX Botnet Is Back", "description": "The BADBOX botnet, previously thought to be contained, has resurfaced with increased scope and sophistication. Recent findings reveal over 192,000 infected devices, including high-end Yandex 4K QLED Smart TVs and Hisense smartphones, expanding beyond the initially targeted off-brand Android devices. The botnet exploits compromised firmware to install malware and secondary payloads without user consent, enabling activities such as residential proxying, remote code installation, and ad fraud. The operation affects multiple countries, with Russia, China, and India being the most impacted. The malware's ability to adapt and spread through global supply chains poses significant challenges for consumers and enterprises alike, emphasizing the importance of trusted vendors and partners in cybersecurity.", "modified": "2025-01-16T21:04:58.311000", "created": "2024-12-17T21:59:19.831000", "tags": [ "firmware", "android", "proxy", "supply chain", "triada", "smart tv", "malware", "botnet", "ad fraud", "badbox" ], "references": [ "https://www.bitsight.com/blog/badbox-botnet-back" ], "public": 1, "adversary": "BADBOX", "targeted_countries": [ "United States of America", "Belarus", "Brazil", "British Indian Ocean Territory", "China", "Czechia", "France", "Germany", "India", "Kazakhstan", "Netherlands", "Russian Federation", "Saudi Arabia", "Ukraine" ], "malware_families": [ { "id": "BADBOX", "display_name": "BADBOX", "target": null }, { "id": "Triada", "display_name": "Triada", "target": null } ], "attack_ids": [ { "id": "T1542.003", "name": "Bootkit", "display_name": "T1542.003 - Bootkit" }, { "id": "T1608.004", "name": "Drive-by Target", "display_name": "T1608.004 - Drive-by Target" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1608.001", "name": "Upload Malware", "display_name": "T1608.001 - Upload Malware" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1608.005", "name": "Link Target", "display_name": "T1608.005 - Link Target" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" } ], "industries": [ "Technology", "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 41, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "FileHash-SHA1": 1, "URL": 2, "domain": 16, "hostname": 3 }, "indicator_count": 23, "is_author": false, "is_subscribing": null, "subscriber_count": 386589, "modified_text": "500 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "672f6ed2b564f00b7c5cb13f", "name": "Threatfox Recent Additions", "description": "", "modified": "2025-06-13T19:00:02.811000", "created": "2024-11-09T14:16:50.032000", "tags": [], "references": [ "", "https://threatfox.abuse.ch/export/csv/recent/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 96, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ameermane", "id": "77501", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 47587, "URL": 18714, "FileHash-SHA256": 36311, "FileHash-MD5": 1630, "FileHash-SHA1": 418, "hostname": 18190 }, "indicator_count": 122850, "is_author": false, "is_subscribing": null, "subscriber_count": 144, "modified_text": "352 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6842ca684b5413baf27aa136", "name": "Satori Threat Intelligence Disruption: BADBOX 2.0 Targets Consumer Devices with Multiple Fraud Schemes - HUMAN Security", "description": "Learn more about HUMAN, the artificial intelligence company designed to prevent bot attacks and fraud on ad tech platforms and digital publishers, from exploiting customers' valuable online accounts and other online services, and from partners.", "modified": "2025-06-06T11:00:56.776000", "created": "2025-06-06T11:00:56.776000", "tags": [], "references": [ "https://humansecurity.com/learn/blog/satori-threat-intelligence-disruption-badbox-2-0/" ], "public": 1, "adversary": "Lemon", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 110, "hostname": 1 }, "indicator_count": 111, "is_author": false, "is_subscribing": null, "subscriber_count": 864, "modified_text": "359 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67ca9b25d3c18153af18075d", "name": "IOC&TTP - Satori Threat Intelligence Disruption BADBOX 2.0 Targets Consumer Devices with Multiple Fraud Schemes", "description": "HUMAN Satori \u5a01\u80c1\u60c5\u62a5\u56e2\u961f\u6700\u8fd1\u53d1\u73b0\u5e76\u90e8\u5206\u7834\u574f\u4e86\u4e00\u4e2a\u540d\u4e3a BADBOX 2.0 \u7684\u5927\u89c4\u6a21\u7f51\u7edc\u6b3a\u8bc8\u884c\u52a8\u3002\u8be5\u884c\u52a8\u662f 2023 \u5e74 BADBOX \u64cd\u4f5c\u7684\u5347\u7ea7\u7248\uff0c\u88ab\u8ba4\u4e3a\u662f \u8fc4\u4eca\u53d1\u73b0\u7684\u6700\u5927\u8054\u7f51\u7535\u89c6\uff08CTV\uff09\u50f5\u5c38\u7f51\u7edc\uff0c\u6d89\u53ca \u8d85\u8fc7 100 \u4e07\u53f0\u6d88\u8d39\u7535\u5b50\u8bbe\u5907\u3002BADBOX 2.0 \u901a\u8fc7\u5728\u4f4e\u6210\u672c Android \u5f00\u6e90\u9879\u76ee\uff08AOSP\uff09\u8bbe\u5907\u4e0a\u690d\u5165\u540e\u95e8\uff0c\u5141\u8bb8\u653b\u51fb\u8005\u8fdc\u7a0b\u90e8\u7f72\u6b3a\u8bc8\u6a21\u5757\uff0c\u7528\u4e8e \u5e7f\u544a\u6b3a\u8bc8\u3001\u70b9\u51fb\u6b3a\u8bc8\u3001DDoS \u653b\u51fb\u3001\u6076\u610f\u8f6f\u4ef6\u5206\u53d1\uff0c\u751a\u81f3\u5c06\u8bbe\u5907\u4f5c\u4e3a\u4f4f\u5b85\u4ee3\u7406\uff08Residential Proxy\uff09\u670d\u52a1\u7684\u4e00\u90e8\u5206\u3002", "modified": "2025-03-10T02:49:15.961000", "created": "2025-03-07T07:07:17.807000", "tags": [ "vo1d", "ctv", "bb2door", "botnet", "backdoor", "iot", "residential proxy", "ad fraud", "click fraud", "badbox 2.0", "badbox" ], "references": [ "https://www.humansecurity.com/learn/blog/satori-threat-intelligence-disruption-badbox-2-0/" ], "public": 1, "adversary": "BADBOX 2.0", "targeted_countries": [], "malware_families": [ { "id": "BADBOX", "display_name": "BADBOX", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1608.001", "name": "Upload Malware", "display_name": "T1608.001 - Upload Malware" }, { "id": "T1608", "name": "Stage Capabilities", "display_name": "T1608 - Stage Capabilities" }, { "id": "T1104", "name": "Multi-Stage Channels", "display_name": "T1104 - Multi-Stage Channels" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" } ], "industries": [], "TLP": "white", "cloned_from": "67c99587958ded87f3a219f3", "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 59 }, "indicator_count": 59, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "447 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6762dbde3930a74843860f4c", "name": "BADBOX Botnet Is Back | Bitsight", "description": "Find out more about Bitsight, a leading cyber risk management company, on the web, at www.btsight.com and on our app and Facebook page, and here are the highlights.", "modified": "2025-01-17T11:00:16.991000", "created": "2024-12-18T14:27:42.647000", "tags": [ "badbox", "android tv", "russia", "badbox malware", "yndx smart", "android", "china", "belarus", "bitsight", "amazon", "triada", "april", "guerrilla", "first", "ukraine", "peachpit", "c2" ], "references": [ "https://www.bitsight.com/blog/badbox-botnet-back" ], "public": 1, "adversary": "", "targeted_countries": [ "Germany", "Saudi Arabia", "Kazakhstan", "Czechia", "United States of America", "France", "Netherlands", "Russian Federation", "China" ], "malware_families": [ { "id": "PEACHPIT", "display_name": "PEACHPIT", "target": null }, { "id": "Bitsight", "display_name": "Bitsight", "target": null }, { "id": "C2", "display_name": "C2", "target": null }, { "id": "BADBOX", "display_name": "BADBOX", "target": null } ], "attack_ids": [ { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1195", "name": "Supply Chain Compromise", "display_name": "T1195 - Supply Chain Compromise" }, { "id": "T1495", "name": "Firmware Corruption", "display_name": "T1495 - Firmware Corruption" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "FileHash-SHA1": 1, "URL": 2, "domain": 27, "hostname": 4 }, "indicator_count": 35, "is_author": false, "is_subscribing": null, "subscriber_count": 863, "modified_text": "499 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "", "https://www.bitsight.com/blog/badbox-botnet-back", "https://www.humansecurity.com/learn/blog/satori-threat-intelligence-disruption-badbox-2-0/", "https://threatfox.abuse.ch/export/csv/recent/", "https://humansecurity.com/learn/blog/satori-threat-intelligence-disruption-badbox-2-0/", "https://www.humansecurity.com/wp-content/uploads/2025/03/BADBOX-2-H5-Domain-List.csv", "https://www.humansecurity.com/learn/blog/satori-threat-intelligence-disruption-badbox-2-0" ], "related": { "alienvault": { "adversary": [ "BADBOX", "BADBOX 2.0" ], "malware_families": [ "Badbox", "Triada" ], "industries": [ "Telecommunications", "Media", "Technology" ] }, "other": { "adversary": [ "Lemon", "BADBOX 2.0" ], "malware_families": [ "Peachpit", "Badbox", "C2", "Bitsight" ], "industries": [] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 7, "pulses": [ { "id": "68434df5a7a61c7583cdec3f", "name": "Threat Intelligence Disruption: BADBOX 2.0 Targets Consumer Devices with Multiple Fraud Schemes", "description": "HUMAN's Satori team uncovered and partially disrupted BADBOX 2.0, a complex fraud operation targeting over 1 million low-cost consumer devices worldwide. The scheme involves a backdoor pre-installed on devices or distributed through unofficial app marketplaces, allowing threat actors to conduct various fraudulent activities. These include selling residential proxy services, ad fraud through hidden ads and WebViews, and click fraud. Four main threat actor groups were identified: SalesTracker, MoYu, Lemon, and LongTV. The operation affects Android Open Source Project devices in 222 countries, with Brazil being the most impacted. Disruption efforts involved collaboration with Google and other partners to mitigate the threat's impact.", "modified": "2025-06-06T20:24:01.215000", "created": "2025-06-06T20:22:13.238000", "tags": [ "consumer devices", "iot", "badbox", "vo1d", "ad fraud", "botnet", "residential proxy", "android", "ctv", "bb2door" ], "references": [ "https://www.humansecurity.com/learn/blog/satori-threat-intelligence-disruption-badbox-2-0", "https://www.humansecurity.com/wp-content/uploads/2025/03/BADBOX-2-H5-Domain-List.csv" ], "public": 1, "adversary": "", "targeted_countries": [ "Brazil", "United States of America", "Mexico", "Argentina", "Colombia" ], "malware_families": [], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1608.001", "name": "Upload Malware", "display_name": "T1608.001 - Upload Malware" }, { "id": "T1608", "name": "Stage Capabilities", "display_name": "T1608 - Stage Capabilities" }, { "id": "T1104", "name": "Multi-Stage Channels", "display_name": "T1104 - Multi-Stage Channels" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" } ], "industries": [ "Technology", "Telecommunications", "Media" ], "TLP": "white", "cloned_from": null, "export_count": 59, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "domain": 800, "hostname": 169 }, "indicator_count": 969, "is_author": false, "is_subscribing": null, "subscriber_count": 386583, "modified_text": "359 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67c99587958ded87f3a219f3", "name": "BADBOX 2.0 Targets Consumer Devices with Multiple Fraud Schemes", "description": "HUMAN's Satori Threat Intelligence team uncovered and partially disrupted BADBOX 2.0, a complex fraud operation targeting low-cost consumer devices. This operation, an expansion of the 2023 BADBOX scheme, infected over 1 million Android Open Source Project devices worldwide with a backdoor called BB2DOOR. The infection enabled various fraud schemes, including residential proxy services, ad fraud, and click fraud. Four threat actor groups were identified: SalesTracker Group, MoYu Group, Lemon Group, and LongTV. The operation targeted devices in 222 countries, with Brazil being the most affected. HUMAN collaborated with Google and other partners to disrupt the infrastructure and protect customers from the threat.", "modified": "2025-03-06T15:14:33.559000", "created": "2025-03-06T12:31:03.912000", "tags": [ "vo1d", "ctv", "bb2door", "botnet", "backdoor", "iot", "residential proxy", "ad fraud", "click fraud", "badbox 2.0", "badbox" ], "references": [ "https://www.humansecurity.com/learn/blog/satori-threat-intelligence-disruption-badbox-2-0/" ], "public": 1, "adversary": "BADBOX 2.0", "targeted_countries": [], "malware_families": [ { "id": "BADBOX", "display_name": "BADBOX", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1608.001", "name": "Upload Malware", "display_name": "T1608.001 - Upload Malware" }, { "id": "T1608", "name": "Stage Capabilities", "display_name": "T1608 - Stage Capabilities" }, { "id": "T1104", "name": "Multi-Stage Channels", "display_name": "T1104 - Multi-Stage Channels" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 48, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "domain": 59 }, "indicator_count": 59, "is_author": false, "is_subscribing": null, "subscriber_count": 386583, "modified_text": "451 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6761f4379704bd484a8e2402", "name": "BADBOX Botnet Is Back", "description": "The BADBOX botnet, previously thought to be contained, has resurfaced with increased scope and sophistication. Recent findings reveal over 192,000 infected devices, including high-end Yandex 4K QLED Smart TVs and Hisense smartphones, expanding beyond the initially targeted off-brand Android devices. The botnet exploits compromised firmware to install malware and secondary payloads without user consent, enabling activities such as residential proxying, remote code installation, and ad fraud. The operation affects multiple countries, with Russia, China, and India being the most impacted. The malware's ability to adapt and spread through global supply chains poses significant challenges for consumers and enterprises alike, emphasizing the importance of trusted vendors and partners in cybersecurity.", "modified": "2025-01-16T21:04:58.311000", "created": "2024-12-17T21:59:19.831000", "tags": [ "firmware", "android", "proxy", "supply chain", "triada", "smart tv", "malware", "botnet", "ad fraud", "badbox" ], "references": [ "https://www.bitsight.com/blog/badbox-botnet-back" ], "public": 1, "adversary": "BADBOX", "targeted_countries": [ "United States of America", "Belarus", "Brazil", "British Indian Ocean Territory", "China", "Czechia", "France", "Germany", "India", "Kazakhstan", "Netherlands", "Russian Federation", "Saudi Arabia", "Ukraine" ], "malware_families": [ { "id": "BADBOX", "display_name": "BADBOX", "target": null }, { "id": "Triada", "display_name": "Triada", "target": null } ], "attack_ids": [ { "id": "T1542.003", "name": "Bootkit", "display_name": "T1542.003 - Bootkit" }, { "id": "T1608.004", "name": "Drive-by Target", "display_name": "T1608.004 - Drive-by Target" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1608.001", "name": "Upload Malware", "display_name": "T1608.001 - Upload Malware" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1608.005", "name": "Link Target", "display_name": "T1608.005 - Link Target" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" } ], "industries": [ "Technology", "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 41, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "FileHash-SHA1": 1, "URL": 2, "domain": 16, "hostname": 3 }, "indicator_count": 23, "is_author": false, "is_subscribing": null, "subscriber_count": 386589, "modified_text": "500 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "672f6ed2b564f00b7c5cb13f", "name": "Threatfox Recent Additions", "description": "", "modified": "2025-06-13T19:00:02.811000", "created": "2024-11-09T14:16:50.032000", "tags": [], "references": [ "", "https://threatfox.abuse.ch/export/csv/recent/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 96, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ameermane", "id": "77501", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 47587, "URL": 18714, "FileHash-SHA256": 36311, "FileHash-MD5": 1630, "FileHash-SHA1": 418, "hostname": 18190 }, "indicator_count": 122850, "is_author": false, "is_subscribing": null, "subscriber_count": 144, "modified_text": "352 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6842ca684b5413baf27aa136", "name": "Satori Threat Intelligence Disruption: BADBOX 2.0 Targets Consumer Devices with Multiple Fraud Schemes - HUMAN Security", "description": "Learn more about HUMAN, the artificial intelligence company designed to prevent bot attacks and fraud on ad tech platforms and digital publishers, from exploiting customers' valuable online accounts and other online services, and from partners.", "modified": "2025-06-06T11:00:56.776000", "created": "2025-06-06T11:00:56.776000", "tags": [], "references": [ "https://humansecurity.com/learn/blog/satori-threat-intelligence-disruption-badbox-2-0/" ], "public": 1, "adversary": "Lemon", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 110, "hostname": 1 }, "indicator_count": 111, "is_author": false, "is_subscribing": null, "subscriber_count": 864, "modified_text": "359 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67ca9b25d3c18153af18075d", "name": "IOC&TTP - Satori Threat Intelligence Disruption BADBOX 2.0 Targets Consumer Devices with Multiple Fraud Schemes", "description": "HUMAN Satori \u5a01\u80c1\u60c5\u62a5\u56e2\u961f\u6700\u8fd1\u53d1\u73b0\u5e76\u90e8\u5206\u7834\u574f\u4e86\u4e00\u4e2a\u540d\u4e3a BADBOX 2.0 \u7684\u5927\u89c4\u6a21\u7f51\u7edc\u6b3a\u8bc8\u884c\u52a8\u3002\u8be5\u884c\u52a8\u662f 2023 \u5e74 BADBOX \u64cd\u4f5c\u7684\u5347\u7ea7\u7248\uff0c\u88ab\u8ba4\u4e3a\u662f \u8fc4\u4eca\u53d1\u73b0\u7684\u6700\u5927\u8054\u7f51\u7535\u89c6\uff08CTV\uff09\u50f5\u5c38\u7f51\u7edc\uff0c\u6d89\u53ca \u8d85\u8fc7 100 \u4e07\u53f0\u6d88\u8d39\u7535\u5b50\u8bbe\u5907\u3002BADBOX 2.0 \u901a\u8fc7\u5728\u4f4e\u6210\u672c Android \u5f00\u6e90\u9879\u76ee\uff08AOSP\uff09\u8bbe\u5907\u4e0a\u690d\u5165\u540e\u95e8\uff0c\u5141\u8bb8\u653b\u51fb\u8005\u8fdc\u7a0b\u90e8\u7f72\u6b3a\u8bc8\u6a21\u5757\uff0c\u7528\u4e8e \u5e7f\u544a\u6b3a\u8bc8\u3001\u70b9\u51fb\u6b3a\u8bc8\u3001DDoS \u653b\u51fb\u3001\u6076\u610f\u8f6f\u4ef6\u5206\u53d1\uff0c\u751a\u81f3\u5c06\u8bbe\u5907\u4f5c\u4e3a\u4f4f\u5b85\u4ee3\u7406\uff08Residential Proxy\uff09\u670d\u52a1\u7684\u4e00\u90e8\u5206\u3002", "modified": "2025-03-10T02:49:15.961000", "created": "2025-03-07T07:07:17.807000", "tags": [ "vo1d", "ctv", "bb2door", "botnet", "backdoor", "iot", "residential proxy", "ad fraud", "click fraud", "badbox 2.0", "badbox" ], "references": [ "https://www.humansecurity.com/learn/blog/satori-threat-intelligence-disruption-badbox-2-0/" ], "public": 1, "adversary": "BADBOX 2.0", "targeted_countries": [], "malware_families": [ { "id": "BADBOX", "display_name": "BADBOX", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1608.001", "name": "Upload Malware", "display_name": "T1608.001 - Upload Malware" }, { "id": "T1608", "name": "Stage Capabilities", "display_name": "T1608 - Stage Capabilities" }, { "id": "T1104", "name": "Multi-Stage Channels", "display_name": "T1104 - Multi-Stage Channels" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" } ], "industries": [], "TLP": "white", "cloned_from": "67c99587958ded87f3a219f3", "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 59 }, "indicator_count": 59, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "447 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6762dbde3930a74843860f4c", "name": "BADBOX Botnet Is Back | Bitsight", "description": "Find out more about Bitsight, a leading cyber risk management company, on the web, at www.btsight.com and on our app and Facebook page, and here are the highlights.", "modified": "2025-01-17T11:00:16.991000", "created": "2024-12-18T14:27:42.647000", "tags": [ "badbox", "android tv", "russia", "badbox malware", "yndx smart", "android", "china", "belarus", "bitsight", "amazon", "triada", "april", "guerrilla", "first", "ukraine", "peachpit", "c2" ], "references": [ "https://www.bitsight.com/blog/badbox-botnet-back" ], "public": 1, "adversary": "", "targeted_countries": [ "Germany", "Saudi Arabia", "Kazakhstan", "Czechia", "United States of America", "France", "Netherlands", "Russian Federation", "China" ], "malware_families": [ { "id": "PEACHPIT", "display_name": "PEACHPIT", "target": null }, { "id": "Bitsight", "display_name": "Bitsight", "target": null }, { "id": "C2", "display_name": "C2", "target": null }, { "id": "BADBOX", "display_name": "BADBOX", "target": null } ], "attack_ids": [ { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1195", "name": "Supply Chain Compromise", "display_name": "T1195 - Supply Chain Compromise" }, { "id": "T1495", "name": "Firmware Corruption", "display_name": "T1495 - Firmware Corruption" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "FileHash-SHA1": 1, "URL": 2, "domain": 27, "hostname": 4 }, "indicator_count": 35, "is_author": false, "is_subscribing": null, "subscriber_count": 863, "modified_text": "499 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "pcxrlback.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "pcxrlback.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780268366.9724185 }