Wednesday 14 October 14:00 - 14:30, Red room
Asher Davila, Chris Navarrete & Doel Santos (Palo Alto Networks)
Smart TVs and set-top boxes have emerged as contested ground for botnet operators. Over recent months, we have tracked an ongoing conflict involving multiple botnet operations, each competing to compromise a similar pool of Android TV and set-top box (STB) devices through a shared vector, exposed Android Debug Bridge (ADB) ports.
The investigation began with recovered source code of the complete framework for TuxBot, a previously undocumented modular IoT botnet framework that compiles for 17 architectures. Its source code contains direct evidence of LLM-assisted development, such as raw chain-of-thought reasoning left in comments, a hallucinated Argon2id cryptographic implementation, and bugs that trace to LLM-generated code.
Following TuxBot's infrastructure to the AISURU/Kimwolf operation revealed how the ecosystem responded to takedown pressure. Kimwolf v7, a major update linked to DDoS attacks, introduces HTTP/2 floods that construct full browser fingerprints, a Tor hidden service as a backup C2, and five Ethereum RPC endpoints for decentralized C2 resolution via ENS. Each upgrade was a direct response to the previous takedown.
Monitoring Kimwolf's target devices led us to Lorikazz, a previously unreported Android botnet we discovered and named from our own telemetry. Lorikazz targets the same devices through the same vector, but instead of DDoS it turns compromised set-top boxes into residential proxies. It reuses Kimwolf's C2 architecture, though we cannot determine whether this is the same operator diversifying revenue or a separate group that obtained the codebase.
These botnets, among others, are actively competing with each other, their dropper scripts include explicit uninstall routines that target rival packages. Several samples were observed exclusively in our telemetry and were not present on VirusTotal at the time of analysis. This presentation will detail the technical capabilities of each operation, examine how the competition plays out on actual devices, and trace the evolution from basic ADB scanning to blockchain-based command and control (C2) and onion routing.
![]() |
Asher Davila Asher Davila is a principal security researcher at Palo Alto Networks. Originally from Mexico and now based in Silicon Valley, he specializes in binary analysis, exploitation, reverse engineering, and hardware hacking with a focus on IoT and OT vulnerabilities and malware research. When he is not tearing apart botnet infrastructure or hunting for new threats, you can probably find him messing around with retro hardware, emulators, or building exploits for fun. He has presented his research at multiple security conferences and actively contributes to the global cybersecurity community.
|
![]() |
Chris Navarrete Chris Navarrete is currently a senior principal security researcher at Palo Alto Networks. He previously worked as an adjunct professor of computer science at San Jose State University. Chris holds an M.S. degree in software engineering with a specialization in cybersecurity from San Jose State University. He has presented at the Threat Intelligence Practitioners' Summit (TIPS), DEF CON (IoT Village), Black Hat Asia (Briefings), and Black Hat USA (Arsenal), where he released the BLACKPHENIX Malware Analysis and Automation Framework.
|
![]() |
Doel Santos Doel Santos is a principal threat researcher with Palo Alto Networks' Unit 42, originally from Puerto Rico. He focuses on both cybercrime and nation-state threats, with a particular emphasis on ransomware operations. His work involves hunting, detecting, and tracking threat actors across the global threat landscape, and he has authored investigations on groups such as Prometheus, Medusa, Cl0p, Avos, LockBit, and Stately Taurus. Doel has also contributed to the security community beyond research, previously serving as a organizer for BSidesCharm and participating as a threat hunter in the Black Hat Network Operations Center (NOC). |
Back to VB2026 conference page
Register your interest for VB2026