The invisible warzone: competing botnets fighting over your smart TV

Wednesday 14 October 14:00 - 14:30, Red room     

Asher Davila, Chris Navarrete & Doel Santos (Palo Alto Networks)

Smart TVs and set-top boxes have become a silent battleground. Over the past months we have been tracking what can only be described as a war between at least three different botnet operations, all competing to infect the same pool of Android TV and STB devices through a single shared vector: exposed ADB debugging ports. This talk presents original research into three interconnected pieces of this ongoing conflict.

We start by dissecting the Tuxbot framework, a previously undocumented botnet framework that serves as the initial access and propagation component for the AISURU/Kimwolf botnet ecosystem. It is a self-propagating worm targeting 12 device families through known vulnerabilities and brute-forcing telnet with over 80 credential pairs. We obtained a build of it, giving us unusual visibility into how the whole operation is structured.

Then we get into Kimwolf version 7, a major update to the botnet that has been linked to record-breaking DDoS attacks reaching 30 Tbps. This version introduces HTTP/2 floods that construct full Chrome browser fingerprints so the attack traffic blends in with real users, a Tor hidden service for backup C2, and five Ethereum RPC endpoints for decentralized C2 resolution through ENS. These upgrades came as a direct answer to the takedown efforts documented in late 2025 and early 2026, showing that whoever is behind this is paying close attention.

Finally, we introduce Lorikazz, a previously unreported Android botnet we discovered and named based on our telemetry. Lorikazz goes after the exact same devices but with a different end goal: instead of DDoS it turns infected set-top boxes into residential proxies for monetization. It uses Tor-based C2 and ENS resolution, and ships in multiple APK variants that disguise themselves as Android system components. There is notable code overlap between Lorikazz and Kimwolf, which raises some interesting questions about whether this is the same operator branching into new revenue streams or a separate group that got hold of the codebase.

What really ties all of this together is that these botnets are actively at war with each other. Their dropper scripts contain explicit uninstall routines that target each other's packages. Jackskid removes Lorikazz, Lorikazz removes Jackskid and the Snow botnet, and so on. They clearly know about each other and are all fighting over the same device population. Several of the samples we analysed came exclusively from our own telemetry and were not on VirusTotal at the time, which means we had a front row seat to a conflict that largely goes unnoticed by the broader security community.

We will walk through the technical details of each operation, demonstrate how the competition between them plays out on actual devices, and trace the evolution from basic ADB scanning to sophisticated infrastructure using blockchain-based C2 and onion routing. Attendees will walk away with concrete indicators and detection strategies for spotting these infections in environments where Android TV and STB devices are present.

 

Asher-Davila.jpg

Asher Davila

Asher Davila is a principal security researcher at Palo Alto Networks. Originally from Mexico and now based in Silicon Valley, he specializes in binary analysis, exploitation, reverse engineering, and hardware hacking with a focus on IoT and OT vulnerabilities and malware research. When he is not tearing apart botnet infrastructure or hunting for new threats, you can probably find him messing around with retro hardware, emulators, or building exploits for fun. He has presented his research at multiple security conferences and actively contributes to the global cybersecurity community.

 
Chris-Navarrete.jpg

Chris Navarrete

Chris Navarrete is currently a senior principal security researcher at Palo Alto Networks. He previously worked as an adjunct professor of computer science at San Jose State University. Chris holds an M.S. degree in software engineering with a specialization in cybersecurity from San Jose State University. He has presented at the Threat Intelligence Practitioners' Summit (TIPS), DEF CON (IoT Village), Black Hat Asia (Briefings), and Black Hat USA (Arsenal), where he released the BLACKPHENIX Malware Analysis and Automation Framework.

 
Doel-Santos.jpg

Doel Santos

Doel Santos is a principal threat researcher with Palo Alto Networks' Unit 42, originally from Puerto Rico. He focuses on both cybercrime and nation-state threats, with a particular emphasis on ransomware operations. His work involves hunting, detecting, and tracking threat actors across the global threat landscape, and he has authored investigations on groups such as Prometheus, Medusa, Cl0p, Avos, LockBit, and Stately Taurus. Doel has also contributed to the security community beyond research, previously serving as a organizer for BSidesCharm and participating as a threat hunter in the Black Hat Network Operations Center (NOC).

Back to VB2026 Programme page

Back to VB2026 conference page

Register your interest for VB2026

Other VB2026 papers

Threat intelligence-driven clustering: identifying a new cyber-mercenary intrusion set

VB2026 presentation: Threat intelligence-driven clustering: identifying a new cyber-mercenary intrusion set, Maher Yamout and Fatih Şensoy

From hotel account compromise to guest payment fraud: the reservation hijack attack chain

VB2026 presentation: From hotel account compromise to guest payment fraud: the reservation hijack attack chain, Martin Chlumecký and Luis Corrons

Hunting LANDFALL: from overlooked images to state-linked mobile spyware

VB2026 presentation: Hunting LANDFALL: from overlooked images to state-linked mobile spyware, Itay Cohen

Gorbag: Orcs at the border

VB2026 presentation: Gorbag: Orcs at the border, Damien Schaeffer

Defeating indirect branching obfuscations in malware with Hex-Rays Decompiler

VB2026 presentation: Defeating indirect branching obfuscations in malware with Hex-Rays Decompiler, Georgy Kucherin

Discerning the invisible: a heuristic engine for behavioural inference in nation-state covert networks

VB2026 presentation: Discerning the invisible: a heuristic engine for behavioural inference in nation-state covert networks, Madeline Sedgwick

Kimwolf’s claws loom over 1.8 million firewalled Android devices worldwide

VB2026 presentation: Kimwolf’s claws loom over 1.8 million firewalled Android devices worldwide, Alex Turing

Paying the TOLL: how REF3927 turned 571 IIS servers into an SEO fraud network

VB2026 presentation: Paying the TOLL: how REF3927 turned 571 IIS servers into an SEO fraud network, Salim Bitam and Jia Yu Chan

Leveraging Landlock telemetry for Linux detection engineering

VB2026 presentation: Leveraging Landlock telemetry for Linux detection engineering, Guillaume Couchard and Erwan Chevalier

Targeting the elderly: from spoofing to persistence

VB2026 presentation: Targeting the elderly: from spoofing to persistence, Axelle Apvrille

The invisible warzone: competing botnets fighting over your smart TV

VB2026 presentation: The invisible warzone: competing botnets fighting over your smart TV, Asher Davila, Chris Navarrete & Doel Santos

Mac&Cheese: cooking up the Digit Stealer recipe

VB2026 presentation: Mac&Cheese: cooking up the Digit Stealer recipe, Kseniia Yamburh & Joan Garcia

How real-world malware disables EDR systems

VB2026 presentation: How real-world malware disables EDR systems, Holger Unterbrink

Newsjacking the world: tracking three months of uncovered APT operations disguised as global headlines

VB2026 presentation: Newsjacking the world: tracking three months of uncovered APT operations disguised as global headlines, Darrel Virtusio & Subhajeet Singha

Polling is the vulnerability: a case for event-driven cloud detection

VB2026 paper: Polling is the vulnerability: a case for event-driven cloud detection, Santiago Abastante

The edge is the enemy: hunting Chinese router relay networks

VB2025 presentation: The edge is the enemy: hunting Chinese router relay networks, Ryan Sherstobitoff

Unravelling Lumma Stealer’s protection stack: pushing static deobfuscation to its practical limit

VB2026 presentation: Unraveling Lumma Stealer’s protection stack: pushing static deobfuscation to its practical limit, Yuki Umemura

AI in malware: evolution and predicting the future of AI-driven attacks

VB2026 presentation: AI in malware: evolution and predicting the future of AI-driven attacks, Eli Smadja

The cyber saga: deconstructing the DPRK’s global synthetic IT workforce ecosystem

VB2026 presentation: The cyber saga: deconstructing the DPRK’s global synthetic IT workforce ecosystem, Anastasia Tikhonova

Tracing the bloodline of LLM-driven polymorphic malware: do GHOSTs leave footprints?

VB2026 presentation: Tracing the bloodline of LLM-driven polymorphic malware: do GHOSTs leave footprints? Chanbin Jeon, SeungBeom Lim & SuhMahn Hur

How LOLRMM, LOLDrivers and CertGraveyard map the attacker's favourite kill chain

VB2026 presentation: How LOLRMM, LOLDrivers and CertGraveyard map the attacker's favourite kill chain, Jose Enrique Hernandez & Nasreddine Bencherchali

Agent detection and response: safety on a token budget

VB2026 presentation: Agent detection and response: safety on a token budget, Václav Belák, Jakub Křoustek & Tomáš Ďuriš

Malwaremorphosis - breaking down a global multi-layer malvertising operation

VB2026 presentation: Malwaremorphosis - breaking down a global multi-layer malvertising operation, Ionuț Baltariu

I will find you and I will flag you: hunting malicious packages at scale

VB2026 presentation: I will find you and I will flag you: hunting malicious packages at scale, Christophe Tafani-Dereeper

Otter encyclopaedia: deep analysis of Otter family

VB2026 presentation: Otter encyclopaedia: deep analysis of Otter family, Rintaro Koike, Yuta Sawabe & Masaya Motoda

Break the silence: tracking Silent Lynx through exposed infrastructure

VB2026 presentation: Break the silence: tracking Silent Lynx through exposed infrastructure, Julian Ferdinand Vögele & Chi-en (Ashley) Shen

Operation FalseProof: PoC that bites back

VB2026 presentation: Operation FalseProof: PoC that bites back, Jiho Kim & Minyeop Choi

Transparency wars: exposing hidden biases in testing

VB2026 presentation: Transparency wars: exposing hidden biases in testing, Righard Zwienenberg & Luis Corrons

Snap, trigger, steal: SnappyClient and the art of trigger-based intrusions

VB2026 presentation: Snap, trigger, steal: SnappyClient and the art of trigger-based intrusions, Muhammed Irfan V A, Avinash Kumar & Nirmal Singh

Reverse engineering a multi-stage implant targeted Vietnamese organizations

VB2026 presentation: Reverse engineering a multi-stage implant targeted Vietnamese organizations, Minh Anh Luong

When malware talks back: real-time interaction with a threat actor during the analysis of Kiss Loader

VB2026 presentation: When malware talks back: real-time interaction with a threat actor during the analysis of Kiss Loader, Marvin Castillo & Arvin Jay Bandong

Free games, costly consequences: unravelling PiviGames’ hidden treasure malware

VB2026 presentation: Free games, costly consequences: unravelling PiviGames’ hidden treasure malware, John Rey Dador

Khmer Shadow: uncovering a targeted cyber espionage campaign against Cambodian military intelligence

VB2026 presentation: Khmer Shadow: uncovering a targeted cyber espionage campaign against Cambodian military intelligence, Subhajeet Singha

Practical ransomware detection on macOS (via math, not AI)

VB2026 presentation: Practical ransomware detection on macOS (via math, not AI), Patrick Wardle

From exclusive to widespread: the shifting exploitation dynamics of (zero-day) vulnerabilities before and after their (public) disclosure

VB2026 presentation: From exclusive to widespread: the shifting exploitation dynamics of (zero-day) vulnerabilities before and after their (public) disclosure, Kerstin Zettl-Schabath & Kritika Roy

The other side of the front: hunting Paper Werewolf's operations against Russia

VB2026 presentation: The other side of the front: hunting Paper Werewolf's operations against Russia, Nicole Fishbein

Meet ARES - an agentic reverse engineer that decrypts sophisticated ransomware encrypted files

VB2026 presentation: Meet ARES - an agentic reverse engineer that decrypts sophisticated ransomware encrypted files, Raviv Rachmiel

Disrupting the threat actor mythos: data-based insights into targeting, tooling, and the limits of AI in cybercrime

VB2026 presentation: Disrupting the threat actor mythos: data-based insights into targeting, tooling, and the limits of AI in cybercrime, Selena Larson & Daniel Blackford

Deadline as bait: a comparative analysis of tax-themed smishing campaigns targeting Spain and Portugal

VB2026 presentation: Deadline as bait: a comparative analysis of tax-themed smishing campaigns targeting Spain and Portugal, Natasha Márquez & Ghyorka Kpee

When wipers leave backups: an analysis of ArgonWiper’s encryption workflow

VB2026 presentation: When wipers leave backups: an analysis of ArgonWiper’s encryption workflow, Hyuna Lee & Hyoje Jo

Notoriously reluctant: continuing conversations with FBI and private sector defenders about disrupting cybercriminals through collaboration

VB2026 presentation: Notoriously reluctant: continuing conversations with FBI and private sector defenders about disrupting cybercriminals through collaboration, Sara Eberle & DeLynn Bettencourt Hammell

From dead malware to living adversaries: AI-powered digital twins for adaptive APT modelling

VB2026 presentation: From dead malware to living adversaries: AI-powered digital twins for adaptive APT modelling, Alexander Adamov & Anders Carlsson

The silent threat in your enterprise: SAP security

VB2026 presentation: The silent threat in your enterprise: SAP security, Anita Cwynar

BEAST: binary emulation and analysis simulation technology for advanced malware analysis and anti-forensic countermeasures

VB2026 presentation: BEAST: binary emulation and analysis simulation technology for advanced malware analysis and anti-forensic countermeasures, Bramwell Brizendine, Alexander Wood, Jared Sheldon & William Lochte

Spec-driven malware: turning markdown into threats

VB2026 presentation: Spec-driven malware: turning markdown into threats, Sven Rath

The invisible candidate: tracking the evolution of 'Un-tracked' GRITCASPIAN

VB2026 presentation: The invisible candidate: tracking the evolution of 'Un-tracked' GRITCASPIAN, Asli Koksal

DPRK-aligned threat operations: tradecraft, tooling, and detection patterns

VB2026 presentation: DPRK-aligned threat operations: tradecraft, tooling, and detection patterns, Wonkyeom Kim

Workshop: Collaborative attack modelling across CTI, Red Team, and SOC (MITRE)

VB2026 workshop: Collaborative attack modelling across CTI, Red Team, and SOC (MITRE)

TIPS: The next chapter

VB2026 TIPS presentation: The next chapter, Jiri Sejtko

TIPS: Collaboration in action: turning shared threat intelligence into coordinated defence

VB2026 TIPS presentation: Collaboration in action: turning shared threat intelligence into coordinated defence, Tuna Dabak

TIPS: From signal to shield: rapid collaboration to defend critical infrastructure during crisis

VB2026 TIPS presentation: From signal to shield: rapid collaboration to defend critical infrastructure during crisis, Madeline Sedgwick

TIPS: Harmonizing AI agents and human analysts in CTI - are CTI agents friends or rivals to junior analysts?

VB2026 TIPS presentation: Harmonizing AI agents and human analysts in CTI - are CTI agents friends or rivals to junior analysts? Takahiro Kakumaru

TIPS: Stairway to resilience: cybersecurity in good times, bad times, and everything between

VB2026 TIPS presentation: Stairway to resilience: cybersecurity in good times, bad times, and everything between Selena Larson, Jeannette Jarvis, Kathi Whitbey, Jeanette Miller Osborne

TIPS: Defending (against) the human layer: IoB in the real world

VB2026 TIPS presentation: Defending (against) the human layer: IoB in the real world Righard Zwienenberg, Kathi Whitbey, Samir Mody & Mienke

TIPS: STIX in action: proposed industry collaboration on sharing DigSig metadata

VB2026 TIPS presentation: STIX in action: proposed industry collaboration on sharing DigSig metadata, Samir Mody

TIPS: Ghosts in the chat: tracking GhostPairing from trusted message to linked-device takeover 

VB2026 TIPS presentation: Ghosts in the chat: tracking GhostPairing from trusted message to linked-device takeover, Michal Salat

TIPS: The art of fighting back

VB2026 TIPS presentation: The art of fighting back, Gabor Szappanos

TIPS: Wartime intelligence collection and collaboration

VB2026 TIPS presentation: Wartime intelligence collection and collaboration, Sergey Shykevich

We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.