The danger of Botnets: How 400,000 compromised devices in Brazil are being used in attacks

The growth of botnets in Brazil puts companies and users at risk, with devices being used in attacks without the owners realizing it. Recently, a critical alert drew attention to Brazil: of the 1.6 million devices infected globally, around 400,000 are in national territory, placing the country among the epicenters of this new threat.

These devices, mostly pirated TV Boxes, are already being used for denial-of-service (DDoS) attacks, malware distribution and digital fraud, compromising not only home users but also corporate networks.

More than ever, understanding how botnets work, their impact and defense strategies has become essential for companies wishing to protect their operations and maintain business continuity.

Throughout this article, we'll reveal how these silent threats form, what the real impact is on organizations of all sizes and, above all, how it's possible to strengthen digital security to resist this new scenario of risks. Get ready for a strategic immersion into the world of botnets, and discover how to turn threats into an opportunity to shield your digital future.

What is a botnet and why is it so dangerous?

Botnets: when your device becomes a threat without you realizing it

A botnet is a network of devices "hijacked" by cybercriminals. Each infected device, be it a computer, router, TV Box, smartphone or any other IoT device, becomes a remotely controlled "zombie" without the user's knowledge.

These devices are used in a coordinated way to carry out a variety of malicious activities, often operating silently, without raising immediate suspicions.

How botnets turn isolated risks into global threats

Botnets have various purposes, including:

DDoS (Distributed Denial of Service) attacks, in which the overloading of servers, websites and applications with malicious traffic can take services offline, causing financial losses and reputational damage.

They are also used to distribute malware on a large scale, quickly spreading infections across entire networks. Another common use is data theft: credentials, financial information, sensitive corporate and personal data are captured silently.

Finally, botnets drive phishing campaigns, sending fraudulent emails and messages to trick users and gain privileged access to systems and information.

IoT's weak link: how connectivity amplifies the threat

With the explosion of the Internet of Things (IoT), there has been an exponential increase in the number of devices connected to the internet, many of them without any adequate protection.

Devices such as IP cameras, smart TVs, home routers and TV Boxes have become easy targets for cybercriminals, considerably expanding the attack surface available for the formation of increasingly massive botnets that are difficult to contain.

Today, a single compromised IoT device can be the silent gateway to devastating attacks within corporate and home networks.

The BadBox 2.0 case: A wake-up call for Brazil

Inside the machine: How BadBox 2.0 works

After activation, devices compromised by the BadBox 2.0 botnet automatically connect to command and control (C2) servers, allowing malicious agents to take remote control of these machines.

From there, the devices can be used for different criminal purposes, such as:

  • Advertising fraud, simulating clicks on ads to generate illicit revenue.
  • Residential proxy services, which hide the real origin of malicious traffic.
  • Creation of fake accounts and credential stuffing attacks, automating login attempts with leaked passwords.
  • Distribution of malware and execution of DDoS attacks targeting companies and online services.
  • Password theft and interception of authentication codes (OTP), compromising sensitive accounts even when two-factor authentication is enabled.

This versatility turns each device into a dynamic attack vector that is invisible at first glance.

Indicators of Compromise (IOCs)

To help identify suspicious behavior associated with the BadBox 2.0 botnet, it is essential to monitor certain malicious domains, IP addresses and hostnames. Below, we list some of the main IOCs identified:

Suspicious domains:
bluefish[.]work, giddy[.]cc, joyfulxx[.]com, mtcpuouo[.]com, pasiont[.]com, ztword[.]com, pixelscast[.]com, swiftcode[.]work, tvsnapp[.]com.

IP addresses monitored:
92.63.197[.]14, 139.162.36[.]224, 172.104.186[.]191, 139.162.40[.]221, 143.42.75[.]145, 192.46.227[.]25.

Compromised hostnames:
cool[.]hbmc[.]net, sg100[.]idcloudhost[.]com, www[.]bluefish[.]work, www[.]giddy[.]cc, www[.]msohu[.]shop, cast[.]jutux[.]work, home[.]1ztop[.]work, old[.]1ztop[.]work.

These IOCs can be used to create blocking rules in firewalls, detection via SIEM or threat hunting actions.
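The following script is an added example, not code from the original post or from Asper: it takes the defanged IOC lists above, refangs them, and checks constructed DNS and proxy log lines for matches, treating any subdomain of a listed domain as a hit. The log lines and the internal 192.168.x.x addresses are constructed for the demonstration; the only real indicators are the ones quoted from the article.

```python
"""Match the BadBox 2.0 IOCs from the post against DNS / proxy log lines.

Added example (not part of the original post). The IOC lists are copied from
the article in defanged form; the log lines are constructed for demonstration.
"""
import ipaddress
import re
from typing import List, Optional, Tuple

# Defanged IOCs as listed in the article.
DOMAINS_DEFANGED = [
    "bluefish[.]work", "giddy[.]cc", "joyfulxx[.]com", "mtcpuouo[.]com",
    "pasiont[.]com", "ztword[.]com", "pixelscast[.]com", "swiftcode[.]work",
    "tvsnapp[.]com",
]
IPS_DEFANGED = [
    "92.63.197[.]14", "139.162.36[.]224", "172.104.186[.]191",
    "139.162.40[.]221", "143.42.75[.]145", "192.46.227[.]25",
]
HOSTNAMES_DEFANGED = [
    "cool[.]hbmc[.]net", "sg100[.]idcloudhost[.]com", "www[.]bluefish[.]work",
    "www[.]giddy[.]cc", "www[.]msohu[.]shop", "cast[.]jutux[.]work",
    "home[.]1ztop[.]work", "old[.]1ztop[.]work",
]


def refang(ioc: str) -> str:
    """Turn 'example[.]com' back into 'example.com' (lower-cased)."""
    return ioc.replace("[.]", ".").strip().lower()


DOMAINS = {refang(d) for d in DOMAINS_DEFANGED}
HOSTNAMES = {refang(h) for h in HOSTNAMES_DEFANGED}
IPS = {ipaddress.ip_address(refang(i)) for i in IPS_DEFANGED}


def is_bad_name(name: str) -> Optional[str]:
    """Classify a DNS name: exact hostname hit, domain/subdomain hit, or None."""
    name = name.rstrip(".").lower()
    if name in HOSTNAMES:
        return "hostname"
    for d in DOMAINS:
        # Match the apex domain itself and any label under it (cdn.pixelscast.com).
        if name == d or name.endswith("." + d):
            return "domain"
    return None


# Dotted names (hostnames) and dotted quads (IPv4) inside free-form log text.
HOST_RE = re.compile(r"\b([a-z0-9-]+(?:\.[a-z0-9-]+)+)\b", re.I)
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def scan_line(line: str) -> List[Tuple[str, str]]:
    """Return (kind, indicator) pairs for every IOC found in one log line."""
    hits = []
    for name in HOST_RE.findall(line):
        kind = is_bad_name(name)
        if kind:
            hits.append((kind, name.lower()))
    for ip in IP_RE.findall(line):
        try:
            if ipaddress.ip_address(ip) in IPS:
                hits.append(("ip", ip))
        except ValueError:
            pass  # not a valid IPv4 address (e.g. a version string)
    return hits


def scan_logs(lines) -> List[Tuple[int, List[Tuple[str, str]]]]:
    """Return (1-based line number, hits) for every line with at least one IOC."""
    return [(n, scan_line(l)) for n, l in enumerate(lines, 1) if scan_line(l)]


# Constructed sample log lines (dnsmasq-style queries and a proxy CONNECT).
SAMPLE_LOGS = [
    "2025-03-20T10:01:02 dns query[A] api.example.com from 192.168.1.20",
    "2025-03-20T10:01:05 dns query[A] cast.jutux.work from 192.168.1.44",
    "2025-03-20T10:01:09 proxy 192.168.1.44 CONNECT 139.162.36.224:443",
    "2025-03-20T10:01:15 dns query[A] cdn.pixelscast.com from 192.168.1.44",
    "2025-03-20T10:02:00 dns query[A] update.vendor.example from 192.168.1.20",
]

if __name__ == "__main__":
    for line_no, hits in scan_logs(SAMPLE_LOGS):
        print(f"line {line_no}: {hits}")
```

The same refanged sets can be exported to a firewall deny list or a SIEM lookup table; keeping the article's bracketed form in the source file avoids accidental clicks or resolutions while the list is being handled.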

Tactics and techniques used: MITRE ATT&CK mapping

The behaviour of the BadBox 2.0 operation can be described with the internationally recognized MITRE ATT&CK framework. Among the tactics and techniques observed:

  • Initial Access: T1200 - Hardware Addition
  • Execution: T1129 - Shared Modules
  • Persistence: T1053.005 - Scheduled Task
  • Command and Control (C2): T1071.001 - Web Protocols
  • Defense Evasion: T1027 - Obfuscated Files
  • Discovery: T1082 - System Info Discovery
  • Impact: T1499 - Endpoint Denial of Service

Mapping these tactics makes it possible to develop responses in line with international frameworks and improve existing controls.

Understanding the threat behind BadBox 2.0

BadBox 2.0 is a massive botnet that emerged from the infection of pirate TV Boxes, many of which had already been contaminated directly at the factory. The operation was uncovered by international investigations published in March 2025, involving cybersecurity experts and intelligence agencies.

The way it works is alarming: once these apparently harmless devices are connected to the network, they silently operate as staging points for digital crimes, carrying out malicious tasks without the users' knowledge.

In total, 1.6 million devices were compromised, of which 400,000 were active in Brazil, highlighting the country's prominent position on the global botnet scene.

These devices are used to launch DDoS attacks against critical infrastructures, spread ransomware and banking malware, and create proxy networks to hide illicit activities.

What sets BadBox 2.0 apart is its sophistication. It uses advanced evasion techniques, making it difficult for traditional security solutions to detect it, and it updates itself remotely, adapting to evade security blocks and patches.

How BadBox 2.0 impacts companies and consumers

Although the initial focus seems to be on end consumers, the real impact of BadBox 2.0 is on companies of all sizes.

The massive spread of infected devices increases the attack surface for infiltration of corporate networks through employees working from home. In addition, these devices allow corporate infrastructure to be used to carry out external attacks, compromising reputations and operations. The masked traffic generated by botnets also facilitates the theft of strategic data and intellectual property, exposing companies to severe risks.

Companies that don't control access from external devices run the risk of becoming unwitting victims or vectors in even more far-reaching attacks.

What we learned from the BadBox 2.0 case

The main thing to learn from BadBox 2.0 is that invisible threats are much closer than you might think. It's not just a question of protecting servers and data centers: the challenge now is to control what connects to these environments.

To face this new scenario, organizations need to invest in constant network monitoring, using behavioral analysis solutions to identify connected devices that show suspicious activity. In addition, strict access control policies for corporate environments are essential to limit exposure to risks.

In a world where even a TV box can be used as a digital weapon, continuous vigilance and proactive prevention have become indispensable pillars for building a truly resilient infrastructure against cyber threats.

Risks for companies: When the attack is not direct, but affects you

In a scenario where the proliferation of compromised devices is growing, many companies can be affected without even being the main target of the attacks. Botnets, such as BadBox 2.0, are often used to generate massive malicious traffic that overloads servers, compromises operations and creates loopholes for future invasions.

According to IBM's "Cost of a Data Breach 2024" report, the average cost of a data breach has exceeded US$4.45 million, and corporate networks exposed via compromised devices have an incident response time up to 40% longer than properly monitored environments.

Even without being the direct target, a company can have its infrastructure used to orchestrate attacks against third parties, be held legally responsible for illegal activities originating from its network or even suffer severe reputational losses, especially in regulated sectors such as finance, health and telecommunications.

Another critical point is lateral movement. Recent research indicates that 60% of modern attacks use lateral movement to escalate privileges and target sensitive data. Poorly monitored corporate networks become extremely vulnerable to this type of action, as attackers can reach critical systems from a single compromised device.

Protecting the "perimeter" alone is no longer enough. Strategies such as network segmentation, Zero Trust Architecture and continuous monitoring with anomalous behavior detection tools (UEBA) are indispensable for mitigating indirect risks and preserving business continuity in an increasingly hostile digital landscape.

Reputational risk: The brand in check

Companies involved, even indirectly, in cyber incidents face severe reputational impacts. According to a study by Deloitte, 87% of consumers say they would change supplier if they suspected a data security breach. A damaged reputation can take years to rebuild, affecting customer retention, entry into new markets and brand value.

Regulatory fines and sanctions: The burden of non-compliance

With legislation such as the LGPD (General Data Protection Act) in Brazil and the GDPR in Europe, responsibility for information security has become even more critical. Even without being directly targeted, if an organization allows its infrastructure to be used for illicit activities, it can face severe sanctions. Fines can reach 2% of annual turnover, limited to R$50 million per infraction in Brazil, not to mention possible lawsuits and moral damages resulting from the exposure of personal data.

How to protect your company against botnets

Continuous network monitoring

Implementing constant monitoring solutions is essential for identifying anomalous traffic. Using behavior analysis tools and deep packet inspection helps detect suspicious communications coming from compromised devices.

Protecting endpoints and connected devices

Tools such as NGAV (Next Generation Antivirus) and EDR (Endpoint Detection and Response), like those offered by Falcon Complete, guarantee visibility, prevention and response to threats in real time.

Threat Hunting and behavior analysis

Just identifying abnormal behavior is not enough. Active Threat Hunting is key to finding silent threats that are already operating internally.

Security policy and training

Educating employees about the risks of non-approved devices, good remote access practices and device maintenance is essential to prevent initial infections.

Layered action plan: Proactive shielding against botnets

To mitigate risks related to botnets like BadBox 2.0, the recommendation is to adopt a layered approach, also known as Defense in Depth. This strategy allows you to act on different fronts at the same time:

Layer 1 - Network Perimeter

  • Blocking malicious IPs and domains via firewall.
  • Detection of anomalous traffic with IDS/IPS, especially from IoT devices.

Layer 2 - Endpoint and Connected Devices

  • Active monitoring with NGAV and EDR.
  • Restriction on the installation of non-approved devices on the corporate network.

Layer 3 - Monitoring and Response

  • Use of UEBA to identify suspicious movements.
  • Continuous threat hunting with a focus on C2 communication and lateral movement.
  • Real-time action by the Threat Intelligence team.

Layer 4 - Education and Governance

  • Training employees on the risks of insecure IoT devices.
  • Strict application of asset management and access control policies.

This structure strengthens cyber resilience and reduces the time between detection and response to incidents.
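Layer 3 above singles out hunting for C2 communication. One practical check a SOC can run over flow or proxy records is periodicity: a compromised device that polls its C2 server (T1071.001, web protocols) tends to connect at a near-constant interval, while human browsing does not. The script below is an added example, not code from the post or from Asper or CrowdStrike; the flow records are constructed, and the destination addresses are RFC 5737 documentation addresses used as placeholders, not indicators from the article.

```python
"""Flag periodic ("beaconing") connections in flow records.

Added example, not from the article. Flow records are constructed; the
destination addresses (203.0.113.10, 198.51.100.7) are documentation
placeholders, not IOCs from the post.
"""
from collections import defaultdict
from statistics import mean, pstdev
from typing import Dict, List, Tuple

# Constructed flow records: (timestamp in seconds, src_ip, dst_ip, dst_port).
FLOWS: List[Tuple[int, str, str, int]] = []
BASE = 1_700_000_000

# Device A polls one host every ~300 s with one or two seconds of jitter (C2-like).
for i in range(12):
    FLOWS.append((BASE + 300 * i + (i % 3) - 1, "192.168.1.44", "203.0.113.10", 443))

# Device B reaches a web site at irregular, human-like intervals.
for offset in (5, 17, 18, 95, 96, 240, 600, 601, 603, 1400, 1450, 3000):
    FLOWS.append((BASE + offset, "192.168.1.20", "198.51.100.7", 443))


def find_beacons(flows, min_conns: int = 8, max_cv: float = 0.1) -> List[Dict]:
    """Return (src, dst, port) pairs whose inter-connection gaps are nearly constant.

    The coefficient of variation (std dev / mean) of the gaps is the periodicity
    score: a value near 0 means a fixed interval. Pairs with fewer than
    min_conns connections are ignored to limit noise from one-off traffic.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, port in flows:
        by_pair[(src, dst, port)].append(ts)

    results = []
    for (src, dst, port), times in by_pair.items():
        if len(times) < min_conns:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg == 0:
            continue  # burst of identical timestamps, not a beacon
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            results.append({
                "src": src, "dst": dst, "port": port,
                "connections": len(times),
                "period_s": round(avg, 1),
                "cv": round(cv, 3),
            })
    # Most regular pairs first.
    return sorted(results, key=lambda r: r["cv"])


if __name__ == "__main__":
    for hit in find_beacons(FLOWS):
        print(f"{hit['src']} -> {hit['dst']}:{hit['port']} "
              f"every ~{hit['period_s']} s over {hit['connections']} flows (cv={hit['cv']})")
```

Periodicity alone also flags legitimate clients such as update checkers and NTP, so in practice the output is triaged against the IOC lists, destination reputation and the device type (a TV box talking to an unknown hosting provider every five minutes deserves a closer look than a workstation polling a vendor's update service).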

The role of Asper and CrowdStrike in defending against botnets

In the fight against modern threats such as botnets, the combination of cutting-edge technology and human intelligence is crucial. It is in this scenario that the partnership between Asper and CrowdStrike stands out, offering an extra layer of protection, visibility and rapid response.

Proactive detection and neutralization with CrowdStrike

The CrowdStrike Falcon Complete platform, adopted by Asper, integrates next-generation antivirus (NGAV), endpoint detection and response (EDR), threat hunting and identity protection, enabling rapid identification of anomalous behavior and suspicious activity typical of zombie devices.

With the continuous action of Falcon OverWatch, hidden threats are hunted down and neutralized before they can cause damage. This is especially relevant for containing botnets, whose main strategy is to operate in a silent and distributed manner.

Monitoring and remediation with Asper's Cyber Fusion Center

Asper's Cyber Fusion Center acts as an extension of CrowdStrike's platform, translating technical detections into strategic actions for clients. When it identifies the presence of activities compatible with botnets, such as anomalous traffic or suspicious connections, Asper intervenes with containment and surgical remediation protocols.

This operating model makes it possible not only to remove threats, but also to correct vulnerabilities, tighten access policies and strengthen organizations' security posture.

Education, strategy and resilience

In addition to technical protection, Asper goes further, raising awareness and educating clients about good security practices, risk management and building cyber resilience. Training programs, attack simulation workshops and Zero Trust architecture consultancies are part of the value package delivered.

By combining real-time detection, coordinated response and strategic support, Asper and CrowdStrike not only defend digital infrastructures, they strengthen companies' ability to withstand and thrive in an increasingly challenging digital environment.

Want to shield your operation from invisible threats like botnets? Learn in detail how Asper's Cyber Fusion Center can protect your critical infrastructure 24/7, with cutting-edge technology and local intelligence.

Click here to access our solutions page and strengthen your digital security with those who understand the subject.

Practical recommendations for avoiding compromised devices

In addition to technical and tactical strategies, prevention begins with good, accessible practices. A few simple actions can prevent insecure devices from entering the network:

  • Avoid buying TV Boxes or Android devices from unknown brands or that are not certified by Google.
  • Check certification at: https://www.android.com/intl/pt_br/certified/
  • Activate Google Play Protect and avoid installing apps outside the official store.
  • Monitor the network traffic of all connected devices, looking for anomalous behavior.

These measures increase visibility, reduce risks and contribute to a more efficient and accessible security policy.

From prevention to digital resilience

The exponential increase in botnets, as evidenced by the BadBox 2.0 case, makes it clear that the threat is not just to individual users, but to the entire digital ecosystem, including companies of all sizes and sectors.

In this scenario, simply implementing one-off solutions is no longer enough. We need to integrate continuous monitoring, behavioral analysis, proactive response and strategic intelligence, which is exactly how Asper and CrowdStrike work in a complementary way.

Preventing attacks today depends as much on technology as on human preparation. The ability to anticipate attackers' movements, detect anomalous behavior and react with agility is what separates resilient companies from vulnerable ones.

With the right strategies, it is possible not only to mitigate risks, but to build a robust security posture, capable of adapting and evolving in the face of the new threats that emerge every day.

Protecting the present is fundamental. But strengthening resilience for the future is what guarantees continuity, competitiveness and trust in the digital environment.

In times of invisible threats and attacks on a global scale, those who anticipate, protect. Those who protect, lead.
