
The €30 attack box: inside the Android TV botnet ecosystem

Speaker: Jérôme Meyer, Nokia
Room: Side Room
Session: Security
Duration: 15 min
Type: Talk
Abstract

In October 2025, Nokia Deepfield observed a 33 Tbps DDoS attack against a gaming provider. Terabit-scale attacks are now daily. The botnets behind them no longer scan for exposed IoT devices; they recruit from residential proxy networks with over 100 million consumer endpoints.

Your subscribers bought a €30 streaming box to cut the cord; what they got was a proxy node. Budget Android TV devices ship with proxy software pre-installed, and botnet operators exploit it. They route a request to 0.0.0.0 through the proxy SDK, which resolves to the device's own loopback, where an unauthenticated ADB shell is listening. No scanning, no CVE. The proxy SDK delivers the victim.
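An added example, not code from the talk or from Nokia Deepfield: a destination filter of the kind a proxy SDK would need before forwarding any request, written in Python. It rejects the 0.0.0.0 case the abstract describes (the unspecified address connects to the device's own loopback) together with loopback, link-local, private and CGNAT destinations, and it checks every address a hostname resolves to rather than only IP literals. `check_destination`, `local_or_reserved` and the injectable `resolve` callback are assumed names, not part of any real SDK.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def default_resolve(host):
    """Resolve a hostname to every address it maps to (A and AAAA)."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return {info[4][0] for info in infos}


def local_or_reserved(ip):
    """Return why an address must not be forwarded, or "" if it is public."""
    # Unwrap IPv4-mapped IPv6 (::ffff:127.0.0.1) so the IPv4 rules apply.
    mapped = getattr(ip, "ipv4_mapped", None)
    if mapped is not None:
        ip = mapped
    if ip.is_unspecified:   # 0.0.0.0 / :: connect to the device's own loopback
        return "unspecified address (reaches the device itself)"
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local or ip.is_multicast:
        return "link-local or multicast"
    if not ip.is_global:    # RFC 1918, CGNAT 100.64.0.0/10, reserved ranges
        return "private, CGNAT or reserved"
    return ""


def check_destination(url, resolve=default_resolve):
    """Return (allowed, reason) for a URL a proxy node is asked to fetch."""
    parts = urlsplit(url)
    host = parts.hostname
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not host:
        return False, "unsupported scheme or missing host"
    try:
        addresses = [ipaddress.ip_address(host)]       # IP literal
    except ValueError:                                 # hostname: resolve it
        try:
            addresses = [ipaddress.ip_address(a) for a in resolve(host)]
        except (socket.gaierror, ValueError) as exc:
            return False, f"cannot resolve {host!r}: {exc}"
        if not addresses:                              # fail closed, not open
            return False, f"no addresses for {host!r}"
    for ip in addresses:                               # all of them must pass
        reason = local_or_reserved(ip)
        if reason:
            return False, f"{host} -> {ip} is {reason}"
    return True, "public destination"
```

A name that resolves to 0.0.0.0 or 127.0.0.1 is rejected the same way as the literal address, which is the case a literal-only denylist misses.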

Starting from Kimwolf (three million active bots, ENS-based C2), we traced shared code, cryptographic fingerprints, and co-located infrastructure across six botnet families. What looked like independent campaigns turned out to be DDoS-for-hire and residential proxy monetisation running on the same plumbing. CECbot weaponises HDMI-CEC to survive factory resets. Katana ships a C compiler and compiles its own rootkit on-device. The outbound attack traffic from infected subscribers causes CGNAT device failures and congests peering links. Your subscribers are the attack infrastructure, and your network takes the collateral damage.

The presentation walks through how we linked these families, how they turn proxy SDKs into an infection vector, and what C2 signals operators can look for before attacks start.

Based on original lab analysis, reverse engineering of six malware families, and NetFlow telemetry from Nokia Deepfield ERT.

Speaker

Jérôme Meyer

Jérôme Meyer is a security researcher at Nokia Deepfield, where he tracks DDoS botnets and proxy networks that threaten telecom and cloud providers. He recently co-authored research on the Jackskid botnet and contributed to a coordinated takedown of several major DDoS-for-hire operations. Jérôme joined Nokia over twenty years ago in Malaysia, spent nearly two decades in commercial roles across Asia-Pacific, and is now based in Paris.
