Shadowserver Foundation: FBI: BADBOX 2.0 malware victimization widespread

FBI Warns of Widespread BADBOX 2.0 Malware Infections Targeting Home IoT Devices

The FBI has issued an alert regarding BADBOX 2.0, a sophisticated malware campaign compromising over 1 million internet-exposed home devices, primarily manufactured in China. The malware, downloaded during device setup, enables attackers to establish residential proxy networks, conduct credential stuffing attacks, and execute ad fraud.

Compromised devices may exhibit deactivated Google Play Protect settings or unusual internet traffic, prompting the FBI to recommend immediate isolation and restricted network access. Users are advised to monitor network activity, download apps exclusively from official stores, and keep devices updated to mitigate risks.

The advisory follows recent disclosures of other cyber threats, including the New Cosmali Loader, which infects Windows systems via typosquatted Microsoft Activation Scripts domains using malicious PowerShell scripts. Additionally, the Shai Hulud malware campaign has impacted over 25,000 repositories and hundreds of npm packages, automating developer environment compromises.

Efforts to disrupt BADBOX 2.0 involved collaboration between the FBI, Google, Trend Micro, and the Shadowserver Foundation, while tools like Nezha—a post-exploitation remote access trojan—help attackers evade detection by blending with legitimate activity.

Source: https://www.scworld.com/brief/fbi-badbox-2-0-malware-victimization-widespread

The Shadowserver Foundation cybersecurity rating report: https://www.rankiteo.com/company/the-shadowserver-foundation

{
  "id": "THE1766992985",
  "linkid": "the-shadowserver-foundation",
  "type": "Cyber Attack",
  "date": "6/2025",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization's existence"
}
{'affected_entities': [{'location': 'Global (primarily China-manufactured '
                                    'devices)',
                        'type': 'IoT devices'}],
 'attack_vector': ['malicious software downloaded during setup',
                   'illicit PowerShell scripts via typosquatted domains'],
 'data_breach': {'data_exfiltration': 'Yes'},
 'description': 'Malicious software downloaded by vulnerable devices during '
                'the setup process facilitates infection with BADBOX 2.0, '
                'which then executes commands enabling residential proxy '
                'networks, credential stuffing intrusions, and ad fraud. Over '
                '1 million internet-exposed home devices, mostly manufactured '
                'in China, were compromised. The FBI issued an alert urging '
                'users to mitigate the threat by evaluating network activity, '
                'downloading apps only from official stores, and regularly '
                'updating devices. Potential compromise indicators include '
                'deactivated Google Play Protect settings and atypical '
                'internet traffic.',
 'impact': {'systems_affected': 'Over 1 million internet-exposed home devices'},
 'motivation': ['residential proxy networks',
                'credential stuffing',
                'ad fraud',
                'data exfiltration'],
 'recommendations': ['Evaluate network activity',
                     'Download apps only from official stores',
                     'Regularly update devices',
                     'Isolate compromised devices',
                     'Restrict internet access for suspicious devices'],
 'references': [{'source': 'FBI Alert'},
                {'source': "HUMAN's Satori Threat Intelligence team"},
                {'source': 'BleepingComputer'},
                {'source': 'SiliconANGLE'},
                {'source': 'SC Media'}],
 'response': {'communication_strategy': 'FBI advisory',
              'containment_measures': ['device isolation',
                                       'restricted internet access'],
              'law_enforcement_notified': 'FBI',
              'remediation_measures': ['evaluating network activity',
                                       'downloading apps only from official '
                                       'stores',
                                       'regularly updating devices'],
              'third_party_assistance': ['Google',
                                         'Trend Micro',
                                         'Shadowserver Foundation']},
 'stakeholder_advisories': 'FBI advisory on mitigation and compromise '
                           'indicators',
 'title': 'BADBOX 2.0 Malware Campaign',
 'type': ['malware', 'botnet']}