TRENDING TOPICS JUNE 06, 2025

Update: BADBOX 2.0 Botnet Expansion and Ongoing Threats 

BADBOX 2.0 is a sophisticated and large-scale cybercrime operation that infects over 1 million consumer devices worldwide, primarily targeting Android-based devices, including smart TVs, tablets, digital projectors, and low-cost connected TV boxes. This botnet leverages pre-installed malware or backdoors on devices, often delivered via compromised supply chains, malicious firmware updates, or trojanized apps from third-party stores. Once infected, these devices become part of a botnet exploited for multiple illicit activities, including ad fraud (click fraud), residential proxy networks, and credential stuffing attacks. These devices, often cheap, uncertified, or "off-brand" IoT devices manufactured in China, are highly vulnerable to attack, especially those not certified by Google Play Protect. The attackers can control the devices remotely, using them to route traffic for other cybercriminals, generate fraudulent ad revenue, and execute various other malicious operations. Despite efforts to mitigate the botnet, including sinkholing domains and removing malicious apps from the Google Play Store, the botnet has continued to evolve, with persistent changes made to evade detection.

Hunter’s March 18, 2025 report initially identified the growing threat of BADBOX botnets, focusing on the dangers posed by compromised consumer electronics. In this new article, researchers expand on the complexity of the operation, revealing the involvement of four interconnected threat groups—SalesTracker, MoYu, Lemon, and LongTV. These groups work together within the BADBOX 2.0 framework, using specialized techniques to enhance their malicious activities. MoYu Group has been found to control the residential proxy services, Lemon Group is engaged in HTML5 game-based ad fraud, and LongTV operates media-driven ad fraud tactics. The botnet continues to evolve, utilizing modified Android libraries and exploiting device vulnerabilities to maintain persistence.
These malware operations have expanded in scope and incorporated new capabilities, including the potential for DDoS attacks and further data exfiltration. The persistence of BADBOX 2.0 in the face of attempted disruptions highlights the growing risks posed by large-scale botnets and the need for proactive measures to secure consumer devices and the global supply chain. 

BladedFeline Targets Iraqi and Kurdish Entities with Sophisticated Malware Campaign 

An Iran-linked hacking group, BladedFeline, has been actively targeting Kurdish and Iraqi government officials with custom malware, including Whisper and Spearal, to maintain persistent access and steal sensitive information. First detected in 2017, BladedFeline has a long history of cyber espionage in the region, focusing on gathering diplomatic and financial data. The group exploits vulnerabilities in web-facing applications to infiltrate networks, deploying tools like Flog and using backdoors like Whisper, a .NET-based malware that communicates via email attachments, and Spearal, which uses DNS tunneling for command-and-control. These attacks are highly targeted, with specific interest in the Kurdistan Regional Government (KRG) due to its diplomatic ties and oil resources, as well as Iraq's government. BladedFeline has continuously improved its malware arsenal, incorporating new backdoors and tools to expand its reach, with evidence suggesting its connections to the Iranian government’s broader cyber strategies.

BladedFeline’s cyber espionage campaign also involves using specialized tools for exfiltration and persistent access, including the Laret and Pinar tunneling tools and the PrimeCache backdoor, which uses HTTP requests to maintain communication with compromised networks. Despite using sophisticated techniques, BladedFeline’s use of familiar malware structures, similar to those of OilRig, raises the possibility that it is a subgroup within the larger OilRig APT group. Recent incidents show that the group has expanded its scope, targeting not only Kurdish and Iraqi officials but also regional telecom providers, with a clear intent to monitor and manipulate the region’s political and economic landscape. The most recent reports also reveal the deployment of Python-based implants and other evolving tools, further emphasizing the growing complexity of BladedFeline’s tactics.
Given the group’s ties to Iran and its focus on sensitive political and economic data, the attacks represent a serious threat to stability in the Middle East, with global implications if such techniques were to be used against other regions. Organizations in Iraq, the KRG, and similar regions must prioritize robust cybersecurity measures to defend against this persistent and evolving threat. 
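The summary above notes that Spearal relies on DNS tunneling for command-and-control. A defender's first triage step for that class of channel is to look for query names whose labels are unusually long or random-looking, then count how often one host repeats such queries to one domain. The script below is an added example written for this newsletter, not code from Hunter Strategy or from the underlying BladedFeline research; it assumes a hypothetical "timestamp client qname" log format, the log lines are constructed, the `c2-placeholder.example` domain is a placeholder, and the length and entropy thresholds are tuning assumptions rather than values taken from any report.

```python
"""Heuristic DNS-tunneling triage over DNS query logs (added example, not from the report)."""
import math
import re
from collections import Counter

# Constructed log lines in a hypothetical "<timestamp> <client> <qname>" format.
# The long hex labels stand in for encoded payload chunks; the domain is a placeholder.
SAMPLE_LOG = """\
2025-06-06T08:00:01Z 10.0.0.12 www.example.com
2025-06-06T08:00:02Z 10.0.0.12 mail.example.com
2025-06-06T08:00:03Z 10.0.0.31 4a6f686e2e446f652e73656372657473.a1b2c3d4e5f6a7b8c9d0e1f2.c2-placeholder.example
2025-06-06T08:00:04Z 10.0.0.31 5a6f686e2e446f652e70617373776f72.f1e2d3c4b5a6978877665544.c2-placeholder.example
2025-06-06T08:00:05Z 10.0.0.12 cdn.example.net
2025-06-06T08:00:06Z 10.0.0.31 7061796c6f61642d6368756e6b2d3033.0123456789abcdef01234567.c2-placeholder.example
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def shannon_entropy(text):
    """Bits of entropy per character; encoded or encrypted data scores high."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def is_suspicious_qname(qname, max_label_len=30, min_entropy=3.5):
    """Flag a query name whose longest label is unusually long or random-looking.

    Both thresholds are assumptions for illustration; tune them against
    a baseline of your own resolver logs before alerting on them.
    """
    labels = [label for label in qname.rstrip(".").split(".") if label]
    if not labels:
        return False
    longest = max(labels, key=len)
    return len(longest) >= max_label_len or shannon_entropy(longest) >= min_entropy


def registered_domain(qname):
    """Crude 'last two labels' approximation of the registered domain."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def find_tunneling_candidates(log_text):
    """Parse log lines and return [(client, qname)] for suspicious queries."""
    hits = []
    for line in log_text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue  # skip malformed lines rather than abort the whole pass
        _timestamp, client, qname = match.groups()
        if is_suspicious_qname(qname):
            hits.append((client, qname))
    return hits


def summarize_by_client_domain(hits):
    """Count suspicious queries per (client, registered domain).

    Repeated hits from one host to one domain are the pattern worth
    escalating; a single odd-looking name on its own is usually noise.
    """
    return dict(Counter((client, registered_domain(qname)) for client, qname in hits))


if __name__ == "__main__":
    candidates = find_tunneling_candidates(SAMPLE_LOG)
    for (client, domain), count in summarize_by_client_domain(candidates).items():
        print(f"{client} -> {domain}: {count} suspicious queries")
```

On the constructed sample this reports three suspicious queries from 10.0.0.31 to the placeholder domain and nothing from the host making ordinary lookups. In production the same two signals (label length and per-client repetition to one domain) are what passive DNS and resolver logging platforms expose, and allow-listing known CDN and telemetry domains is the usual next step to keep the false-positive rate workable.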

PathWiper Malware Targets Ukrainian Infrastructure in Sophisticated Cyberattack 

Cisco Talos recently uncovered a sophisticated cyberattack targeting critical infrastructure in Ukraine, which involved a new wiper malware named “PathWiper.” The attack is attributed to a Russian-aligned advanced persistent threat (APT) group and is part of ongoing cyberwarfare tactics aimed at destabilizing Ukraine’s infrastructure. The attackers exploited a legitimate administrative framework, likely gaining access to the system’s console to deploy the malware across various connected endpoints. This malware was delivered using a series of commands and scripts, blending seamlessly with normal operations and evading detection. Using common system tools to execute the attack shows the attackers’ understanding of the system and ability to operate covertly. This precise and calculated attack underlines the growing threat of cyberattacks on critical infrastructure, especially in conflict zones like Ukraine.

PathWiper has been used in active cyberattacks and was first discovered in early 2025 by Cisco Talos. The malware's capabilities are particularly concerning due to its highly targeted approach to system destruction. Upon activation, PathWiper collects and verifies connected drives before launching an attack that corrupts essential file system structures, including the Master Boot Record (MBR) and NTFS log files. The malware makes the affected systems completely inoperable by overwriting these critical components. Unlike previous wipers like HermeticWiper, which indiscriminately attacked Ukrainian systems, PathWiper uses more refined techniques to verify connected drives, ensuring precise and targeted destruction. This level of sophistication makes it a significant evolution in wiper malware technology. While this campaign has primarily targeted Ukrainian entities in the Energy, Telecommunications, and Government sectors, the broader implications are significant, as the malware could be adapted for other critical infrastructure sectors globally.
The attack underlines the growing importance of robust endpoint security, access control, and threat monitoring systems to mitigate the risk of future wiper malware campaigns. Organizations worldwide, particularly those in critical infrastructure sectors, must recognize the evolving tactics of APT groups and implement enhanced defense mechanisms to prevent such highly destructive attacks. 

💡
Hunter Strategy encourages our readers to look for updates in our daily Trending Topics and on Twitter.