
Unlocking the DNS Strongbox of BADBOX 2.0

HUMAN’s Satori Threat Intelligence and Research Team recently uncovered and partially disrupted BADBOX 2.0 in collaboration with Google, Trend Micro, Shadowserver, and other partners. The threat has been dubbed “the largest botnet of infected connected TV (CTV) devices” uncovered to date.

BADBOX 2.0-infected devices become part of a huge botnet involved in programmatic ad and click fraud; residential proxy service, account takeover (ATO), and distributed denial-of-service (DDoS) attacks; fake account creation; malware distribution; and one-time password (OTP) theft. As of the report’s publishing, the threat has affected more than 1 million consumer devices.

The researchers identified 109 command-and-control (C&C) domains as indicators of compromise (IoCs), which WhoisXML API analyzed and expanded. Our DNS investigation led to the discovery of:

  • 915 email-connected domains, eight of which turned out to be malicious
  • 50 IP addresses, 34 of which have already been weaponized for attacks
  • 211 IP-connected domains
  • 2,078 string-connected domains, two of which have already been associated with threats

A sample of the additional artifacts obtained from our analysis is available for download from our website.

A Closer Look at the BADBOX 2.0 IoCs

We kicked off our DNS deep dive by looking into the WHOIS records of the 109 domains tagged as IoCs and found that they all had current WHOIS information based on the results of our Bulk WHOIS API query. We also discovered that:

  • The 109 domains were created between 2003 and 2025. Specifically, 30 were created in 2023; 25 in 2024; 14 in 2019; nine in 2025; eight in 2022; seven in 2021; six in 2017; three in 2020; two in 2018; and one each in 2003, 2008, 2011, 2014, and 2016.
  • The 109 domains were administered by 11 registrars led by GoDaddy, which accounted for 70 of them. Alibaba came in second place with 15 domains. Stichting Registrar of Last Resort Foundation took the third spot with seven domains. NameSilo placed fourth with five domains, followed by Dynadot with four. Cloudflare and Name.com accounted for two domains each. Finally, one domain each was administered by 1API, DNSPod, Gname, and Internet Domain Service.
  • Only 85 of the 109 domains had registrant countries on record. They were registered in three countries topped by the U.S., which accounted for 68 domains. China took the second spot with 16 domains. One domain was registered in Germany. Finally, 24 domains did not have registrant countries in their current WHOIS records.

We also queried the 109 domains identified as IoCs on DNS Chronicle API and discovered that 105 had historical domain-to-IP address resolutions. Four of them (i.e., duoduodev[.]com, flyermobi[.]com, motiyu[.]net, and qazwsxedc[.]xyz) posted the oldest resolution date—4 October 2019.

Inside BADBOX 2.0’s DNS Strongbox

Our search for more artifacts began with a WHOIS History API query for the 109 domains tagged as IoCs. We found that 61 of them had 101 email addresses in their historical WHOIS records after duplicates were filtered out. Upon closer examination, 45 of the email addresses were public.

Next, we queried the 45 public email addresses on Reverse WHOIS API and discovered that 44 of them appeared in the historical WHOIS records of several domains. A total of 19 public email addresses, however, could belong to domainers (given the large number of connected domains), so they were excluded from further analysis. That said, the 25 email addresses left on our list appeared in the current WHOIS records of 915 domains after those already identified as IoCs and duplicates were filtered out.

We then performed a Threat Intelligence API query for the 915 email-connected domains and found that eight have already been associated with various threats.
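The pivot described above (current WHOIS profiling of the IoCs, historical WHOIS emails, reverse WHOIS on the public ones, exclusion of domainer-scale addresses and of domains already tagged as IoCs, then a threat-intelligence check) is mechanical enough to script. The following is an added illustration written for this post, not WhoisXML API's tooling and not code from the HUMAN report: every WHOIS record, reverse-WHOIS result and threat verdict is a constructed in-memory sample so it runs offline, and the privacy-address markers and the domainer threshold are assumptions chosen for the example.

```python
"""Added example: WHOIS/DNS pivot over constructed sample data (not the vendor's own code)."""
import re
from collections import Counter

DEFANG_RE = re.compile(r"\[\.\]|\(\.\)|\[dot\]", re.IGNORECASE)


def refang(domain: str) -> str:
    """Turn a report-style defanged name such as 'a[.]example' back into a plain domain."""
    return DEFANG_RE.sub(".", domain.strip().lower())


# Constructed IoC list, given in the defanged form threat reports use.
IOC_DOMAINS = [refang(d) for d in ("ioc-alpha[.]example", "ioc-beta[.]example", "ioc-gamma[.]example")]

# Constructed current WHOIS records (stand-ins for a Bulk WHOIS lookup).
CURRENT_WHOIS = {
    "ioc-alpha.example": {"created": 2023, "registrar": "GoDaddy", "country": "US"},
    "ioc-beta.example": {"created": 2024, "registrar": "Alibaba", "country": "CN"},
    "ioc-gamma.example": {"created": 2019, "registrar": "GoDaddy", "country": None},
}

# Constructed historical WHOIS emails per IoC (stand-ins for a WHOIS History lookup).
WHOIS_HISTORY_EMAILS = {
    "ioc-alpha.example": ["ops@mail.example", "redacted-for-privacy@whoisguard.example"],
    "ioc-beta.example": ["ops@mail.example", "bulk@domainer.example"],
    "ioc-gamma.example": ["abuse@proxy-registrar.example"],
}

# Constructed reverse-WHOIS results: email -> domains whose current WHOIS carries it.
REVERSE_WHOIS = {
    "ops@mail.example": ["ioc-alpha.example", "ioc-beta.example", "pivot-one.example", "pivot-two.example"],
    "bulk@domainer.example": [f"parked-{i}.example" for i in range(500)],
    "abuse@proxy-registrar.example": ["pivot-two.example", "pivot-three.example"],
}

# Constructed threat-intelligence verdicts.
THREAT_FLAGGED = {"pivot-two.example"}

# Assumption: addresses carrying these markers are registrar privacy/proxy placeholders, not public.
PRIVACY_MARKERS = ("redacted", "whoisguard", "privacy", "proxy")
# Assumption: an email tied to more domains than this is treated as a domainer's and dropped.
DOMAINER_THRESHOLD = 100


def public_emails(history: dict) -> set:
    """Deduplicate historical WHOIS emails and keep only the non-privacy ones."""
    emails = {e.lower() for addrs in history.values() for e in addrs}
    return {e for e in emails if not any(m in e for m in PRIVACY_MARKERS)}


def email_connected_domains(emails, reverse_whois, iocs, threshold=DOMAINER_THRESHOLD):
    """Pivot from emails to connected domains, dropping domainer-scale emails and known IoCs."""
    kept = {e for e in emails if e in reverse_whois and len(reverse_whois[e]) <= threshold}
    connected = {d for e in kept for d in reverse_whois[e]}
    return sorted(connected - set(iocs)), sorted(kept)


def threat_hits(domains, flagged) -> list:
    """Return the connected domains that a threat-intelligence source already flags."""
    return sorted(d for d in domains if d in flagged)


def whois_summary(whois: dict) -> dict:
    """Creation-year, registrar and registrant-country tallies, as in the IoC profiling step."""
    return {
        "years": Counter(r["created"] for r in whois.values()),
        "registrars": Counter(r["registrar"] for r in whois.values()),
        "countries": Counter(r["country"] for r in whois.values() if r["country"]),
        "no_country": sum(1 for r in whois.values() if not r["country"]),
    }


def run() -> dict:
    """Run the whole pivot over the constructed sample and return every intermediate result."""
    emails = public_emails(WHOIS_HISTORY_EMAILS)
    connected, used = email_connected_domains(emails, REVERSE_WHOIS, IOC_DOMAINS)
    return {
        "public_emails": sorted(emails),
        "emails_used": used,
        "connected": connected,
        "flagged": threat_hits(connected, THREAT_FLAGGED),
        "summary": whois_summary(CURRENT_WHOIS),
    }


if __name__ == "__main__":
    for key, value in run().items():
        print(f"{key}: {value}")
```

The domainer cut-off is the judgement call in this workflow: an address tied to hundreds of parked domains adds noise rather than infrastructure, so the example drops it before pivoting, while the threat-intelligence check on what remains is what separates "connected" from "already malicious".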

This post only contains a snapshot of the full research. Download the complete findings and a sample of the additional artifacts on our website or contact us to discuss your intelligence needs for threat detection and response or other cybersecurity use cases.

Disclaimer: We take a cautionary stance toward threat detection and aim to provide relevant information to help protect against potential dangers. Consequently, it is possible that some entities identified as “threats” or “malicious” may eventually be deemed harmless upon further investigation or changes in context. We strongly recommend conducting supplementary investigations to corroborate the information provided herein.

By WhoisXML API, A Domain Research, Whois, DNS, and Threat Intelligence API and Data Provider

Whois API, Inc. (WhoisXML API) is a big data and API company that provides domain research & monitoring, Whois, DNS, IP, and threat intelligence API, data and tools to a variety of industries.
