@briankrebs note that you can run Armbian on some of these. Be sure to look at the Armbian forums for unofficial builds if there's no official build.
Discussion
Page won't load for me. archive.org to the rescue : https://web.archive.org/web/20251221132941/https://blog.xlab.qianxin.com/kimwolf-botnet-en/
"Investigations found that the author of Kimwolf shows an almost "obsessive" fixation on the well-known cybersecurity investigative journalist Brian Krebs, leaving easter eggs related to him in multiple samples.
For example, in sample 2078af54891b32ea0b1d1bf08b552fe8, the domain fuckbriankrebs[.]com is embedded in both its udp_dns and mc_enc attack methods, used to generate DNS request payloads."
😂🤣
@briankrebs I looked through the article, but I don't see how China-produced products are related to this botnet. Doesn't the malware focus on Android streaming boxes regardless of where they were produced? As far as I can see, the article didn't link the botnet to China either. (There are genuine questions btw.)
telling people to waste perfectly good TV boxes that can run Linux is absolutely the wrong takeaway
@burnoutqueen OK, that's fine. I recognize there are some people who think piracy is a right and anyone saying otherwise is ill-informed, a tech noob, or a fear monger.
You should stick to something safe, like an Amazon Firestick.
They're made in...
China!
https://www.accio.com/supplier/amazon-fire-stick-manufacturer
@briankrebs Krebs is on mastodon! Awesome! Following.
@briankrebs How do those devices (along with all the fridges and IoT cameras that make up most botnets) get infected? Aren't most of them behind NAT? I understand "default passwords", but for that to be a problem, there has to be a way for the attacker to connect to a device in the first place, and that is the part I don't get.
@miki this is the subject of my reporting in the New Year. Stay tuned.
@briankrebs I don't think China is a country. I think it's a stateless territory infested by a criminal communist terrorist organization whose kingpin is Xi Jin Ping.
@briankrebs I don’t own one but my understanding is that these Android TV boxes are typically used for watching pirated content. I can’t see any company putting heavy efforts into the security of their product when it’s used for this purpose. Whether they’re intended to be a Trojan horse or not, the risk their use brings is too high in my humble opinion and I agree with Brian, they should be binned.
@briankrebs Evidence that "these things are responsible for building out a botnet that currently has ~2M devices and is growing rapidly"?
@clock are you asking for evidence? Read the story I linked from XLAB.
@briankrebs You seem to be implying this violates some Chinese security regulations and isn't approved for domestic sale, but the much more likely explanation is that these boxes are banned in China due to state media control concerns: https://www.ibtimes.com/china-cracks-down-set-top-box-market-bans-popular-streaming-apps-2189776
@jschwart AFAIK, there's no way to use these devices securely.
@briankrebs it's not clear to me why replacing the entire software wouldn't make them secure.
It might possibly even work to simply kill the offending applications. I have a very cheap box (around $25) which became quiet with regards to traffic after I stopped various applications (mainly a torrent one that came preinstalled with a preconfigured torrent and was establishing a lot of connections).
When I insert an SD card with Armbian, it just boots that instead of Android.
@briankrebs the XLAB article mentions the X96Q which matches the model on my box (there are different boxes with that model though).
It also mentions that the culprit is in some .so files from a particular APK. This means running Armbian should be fine if you have an affected box:
Working images can be found on the forums: https://forum.armbian.com/search/?q=X96Q
I'll check if my box has those APK/.so files when I get an opportunity.
Generally the hardware itself should be fine though, wasteful to just bin it.
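A small triage script for the "check whether my box has those APK/.so files" step. This is an added example, not code from this thread, from XLAB's write-up, or from Armbian: it assumes you have already enabled debugging on the box and pulled the third-party APKs with the standard adb commands shown in the docstring, then lists every native library packed under `lib/` in each APK and hashes it so the digests can be compared against a published IOC list. The IOC set `KNOWN_BAD_MD5` below is a constructed placeholder (the MD5 of the string "abc"), not a real indicator; `build_sample_apk()` is likewise a constructed stand-in for a pulled APK so the script runs offline.

```python
"""Hash the native libraries bundled in APKs pulled from an Android TV box.

Assumed workflow (standard adb commands; the box must have debugging enabled):
    adb shell pm list packages -f -3     # paths of third-party APKs
    adb pull /data/app/<pkg>-<id>/base.apk ./apks/
Then: python3 apk_lib_triage.py ./apks
"""
import hashlib
import io
import sys
import zipfile
from pathlib import Path

# Constructed placeholder IOC set for demonstration only: md5("abc").
# Replace with the digests of the .so files named in a real report.
KNOWN_BAD_MD5 = {"900150983cd24fb0d6963f7d28e17f72"}


def native_libs(apk):
    """Return [(entry_name, md5, sha256, size)] for every lib/**/*.so entry.

    `apk` is a filesystem path or the raw bytes of the APK. The zip central
    directory is used only for names; each entry is read and hashed itself.
    """
    src = io.BytesIO(apk) if isinstance(apk, (bytes, bytearray)) else apk
    found = []
    with zipfile.ZipFile(src) as zf:
        for info in zf.infolist():
            name = info.filename
            if not name.startswith("lib/") or not name.endswith(".so"):
                continue
            data = zf.read(info)
            found.append((name,
                          hashlib.md5(data).hexdigest(),
                          hashlib.sha256(data).hexdigest(),
                          len(data)))
    return found


def flag_matches(libs, bad_md5=KNOWN_BAD_MD5):
    """Subset of native_libs() output whose MD5 appears in the IOC set."""
    return [lib for lib in libs if lib[1] in bad_md5]


def scan_dir(directory):
    """Scan every *.apk under `directory`; return {apk_path: flagged_libs}."""
    report = {}
    for apk in sorted(Path(directory).glob("*.apk")):
        hits = flag_matches(native_libs(str(apk)))
        if hits:
            report[str(apk)] = hits
    return report


def build_sample_apk():
    """Constructed stand-in for a pulled APK: a zip with one native lib."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", b"dex\n035\0")
        zf.writestr("lib/arm64-v8a/libnative.so", b"abc")  # matches the placeholder IOC
        zf.writestr("assets/readme.txt", b"not a library")
    return buf.getvalue()


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path, hits in scan_dir(sys.argv[1]).items():
            for name, md5, sha256, size in hits:
                print(f"{path}: {name} md5={md5} sha256={sha256} size={size}")
    else:
        # No directory given: run against the constructed sample APK.
        libs = native_libs(build_sample_apk())
        print(libs)
        print("flagged:", flag_matches(libs))
```

Hash matching only catches the exact samples a report lists; a repacked build of the same loader will have a different digest, so treat a clean result as "no known sample present", not as a clean box.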
@briankrebs @jschwart How about not hooking it to the Internet and just using it at a display device? (Honest question.)
@machinaecrire @jschwart If I told you a certain brand of Christmas tree lights could burn your house down, would you then pull out all the lights from the strand and use it as an extension cord?
It could be the other way around: less spying for foreigners? After all, China spies on its own citizens more than anyone else.
Meant to link to my previous reporting on this topic, which briefly touches on some of the challenges w/ the ubiquity and sheer insecurity-by-design of most of these Android TV/movie streaming devices
https://krebsonsecurity.com/2025/11/is-your-android-tv-streaming-box-part-of-a-botnet/
@briankrebs I switched to Roku... I hope that's good. I haven't heard anything about Roku yet.
@briankrebs I think you're reading too much into this one, Brian. This is most likely because of the different voltage: the US uses 120V, China uses 240V like Europe.
@briankrebs Feels weird that they write "overseas use only" in English...seems like Mandarin might be a better choice perhaps? 🤣🤷🏼♂️