Abstract
In October 2025, Nokia Deepfield observed a 33 Tbps DDoS attack against a gaming provider — more traffic than many national backbones can carry. Terabit-scale attacks are now a daily occurrence, and 78% of campaigns wrap up in under five minutes. Scanning for exposed IoT devices looks quaint now: the new model is residential proxy networks with over 100 million consumer endpoints ready to fire on demand.
Your subscribers bought a €30 streaming box to cut the cord; what they got was a proxy node. Budget Android TV devices ship with residential proxy software already installed at the factory, and botnet operators know it. They find these devices through the existing backdoor, layer their own proxy on top, and add DDoS. Three layers of someone else's business model, running on your subscriber's broadband.
This presentation starts with Kimwolf, a botnet we studied in a controlled malware lab and through real-world Netflow telemetry. By tracing shared code, overlapping infrastructure, and reused credentials across samples, we mapped eight botnet families. Five of them form a connected ecosystem, four sharing code, cryptographic material, and infrastructure. What looked like independent campaigns turned out to be DDoS-for-hire and residential proxy monetisation running on the same plumbing, with over five million devices observed.
Both the infrastructure and the targets are close to home. C2 servers are hosted mostly across Europe, from the Netherlands to Eastern Europe, often in networks where abuse reports go unanswered. Targets rotate from telcos to gaming providers to individual gamers, and the traffic never stops. All of it lives in your address space, abuses your transit, and hides behind your subscribers' NAT.
CECbot is the first known malware to weaponise HDMI-CEC, the protocol that lets your TV remote control other devices. Your subscribers' TV box can scan the home network and turn itself back on after a power cycle. The standard remediation advice is "factory reset and update the firmware." CECbot survives both. Katana ships a C compiler inside the malware package and compiles its own rootkit on the infected device. When Jackskid had its C2 domains seized, it fell back to blockchain-based domain resolution within hours. Web3 evangelists promised unstoppable applications; a DDoS botnet qualifying was presumably not the pitch deck.
The competition for devices is fierce. One family's first action on a compromised box is to kill rival malware and change the root password; others lock out remote access ports or deploy rootkits to hold their foothold. The reach tends to exceed the grasp: four families share a cipher key that opens with DEADBEEF CAFEBABE, and one shipped an unstripped debug build to production alongside the release payloads. Our analysis benefited from the generosity.
What the research uncovered:
- How we linked four families through shared code, reused infrastructure, and operational fingerprints, and why treating them as separate threats misses the picture
- Bulletproof hosting in the RIPE NCC region: the networks involved and what the abuse response (or lack of it) says about current takedown limitations
- CECbot and its 9 persistence mechanisms, built to survive factory resets and vendor-specific defences
- How one campaign stripped all DDoS code from its downloader to deploy proxy software exclusively: residential bandwidth is the product now, and DDoS is a side hustle
- How Kimwolf and Jackskid use blockchain-based domain records to survive takedowns, and what that means for filtering at the edge
- How the ecosystem responds to infrastructure disruption, and what that means for sustained defence
- Netflow signatures and traffic patterns for spotting compromised devices on subscriber networks
The presentation is based on original lab analysis, reverse engineering of eight malware families, and Netflow telemetry analysis from Nokia Deepfield.
Recording
Video will be added soon.
Speaker
Jérôme Meyer
Jérôme Meyer is a security researcher at Nokia Deepfield, where he tracks DDoS botnets and proxy networks that threaten telecom and cloud providers. He recently co-authored research on the Jackskid botnet and contributed to a coordinated takedown of several major DDoS-for-hire operations. Jérôme joined Nokia over twenty years ago in Malaysia, spent nearly two decades in commercial roles across Asia-Pacific, and is now based in Paris.
Rate this talk
Rating will open: Monday, 18 May 2026 09:00 (+0100).