New, from me: Who Operates the Badbox 2.0 Botnet?

The cybercriminals in control of Kimwolf -- a disruptive botnet that has infected more than 2 million devices -- recently shared a screenshot indicating they'd compromised the control panel for Badbox 2.0, a vast China-based botnet powered by malicious software that comes pre-installed on many Android TV streaming boxes. Both the FBI and Google say they are hunting for the people behind Badbox 2.0, and thanks to bragging by the Kimwolf botmasters we may now have a much clearer idea about that.

https://krebsonsecurity.com/2026/01/who-operates-the-badbox-2-0-botnet/

#infosec #botnet #IoT #Android #Google #threatresearch

The latest evidence that broadcasting people’s movements and intimate data in the Real-Time Bidding online advertising system is truly dangerous.

https://www.wired.com/story/ice-asks-companies-about-ad-tech-and-big-data-tools/

NEW, by me: A hacking campaign targeted high-profile Gmail and WhatsApp users across the Middle East this week, sent as a phishing lure over WhatsApp.

I obtained a copy of the phishing page and analyzed it with the help of experts. The attack aimed to steal passwords, hijack WhatsApp accounts, and grab victims' location data.

But a bug in the code also *exposed* victims' data, allowing us to see dozens of people who had fallen victim.

More: https://techcrunch.com/2026/01/16/how-a-hacking-campaign-targeted-high-profile-gmail-and-whatsapp-users-across-the-middle-east/

🚨 Last call for our survey! 🚨 Are you a security researcher or journalist? We want to hear from you — please take this survey!

Dissent Doe at DataBreaches, and I, are running this survey to better understand the state of legal demands and criminal threats in cybersecurity.

Please help us by filling out this survey (and please share!)

https://forms.gle/yAiNNq2gTqE6ctWU8

A nice post breaking junk hardware 🙂

https://blog.quarkslab.com/modern-tale-blinkenlights.html

As a person who has followed Iranian cyberespionage operations for more than a decade, this story is crazypants and you should read it:

https://www.theatlantic.com/magazine/2026/01/mohammad-tajik-iran-cyber-intelligence/684954/?gift=kPTlqn0J1iP9IBZcsdI5IUTLJcsVKq12m0EyVlSYJBQ&utm_source=copy-link&utm_medium=social&utm_campaign=share

I've seen a number of people (including some well-respected people in the infosec sphere) promoting a particular blog post/writeup recently about the macOS secure boot chain. As someone who has done a fair bit of research and reverse engineering of iBoot and Apple's secure boot chain over the years, this naturally piqued my interest so I decided to take a look, at minimum to see how much it lined up with my RE of iBoot over the years.

Unfortunately after reading the blog post thoroughly, I can pretty confidently say this: the writeup is almost certainly a pile of AI slop. Let's dive into it and discover some major red flags that I found.

Let's talk about something that I think a lot of the people reposting this post haven't realized yet: this post was very factually wrong when it was first posted. (Here is a link to the earliest version on the Wayback Machine, very good resource btw ) Shoutouts to @nicolas17 btw for making archives once he noticed the article rapidly changing, he puts in a lot of work in the archival side of things that imo goes very unnoticed, but his work helps Apple security research in the long run.

This original version of the post has several factual errors (there are too many to list but some of the VERY obvious ones include Apple silicon chips starting at EL3 when no M-series Mac chip has implemented EL3 (which is optional per ARM spec) In addition there is contradictory info about the ECID, incorrect info on security fuses, etc, there's a LOT of slop to digest here along with tons and tons of jargon that makes no sense.)

The fact the post gets stuff wrong in and of itself is not the issue (a mistake here and there is completely understandable and in fact quite human), the issue is with the magnitude of how many factual errors were posted publicly, seemingly without any fact checking or sourcing, it really is quite egregious just how wrong this post is (even the current version of the post still has many of these errors), especially to any person who has even took a cursory glance at iBoot or the secure boot chain.

The syntax, per people I discussed this with, screams that it was based on prompting Claude (an LLM that seems to have more natural writing style than some of the others.)

However, what really is super insidious is the history behind this post. This is a link to diffs of the post over time, and it's pretty damning. The post had very very large chunks changed in very short amounts of time across multiple parts of the very long post, and with how long the post is, this is probably outright infeasible for a human to do in that short time frame (especially when incorporating time to fact-check the updated parts, which any writeup worth their salt imo should be doing.)

Per these two comments on HackerNews, along with the drastic changes mentioned before (especially considering that the post changed quite drastically between revisions, saved versions of which you can find here), it's pretty clear that what's been happening here is the person used AI to churn out this "writeup", then used the fact it was blatantly wrong to get people who knew how these systems actually worked to correct the post, and then told the AI to incorporate said corrections into the original post.

Let's be clear what's happening: the person is outright baiting people using this AI slop into correcting the post, incorporating said corrections without attribution to the people who corrected the post and then took the credit for said corrections silently. This isn't okay, this is a blatant abuse of community goodwill and the benefit of the doubt to fraudulently boost your own credibility and platform, without even a legitimate effort or attempt at doing proper research or fact-checking. (Not even diving into how LLMs are plagiarism laundering machines that yoink real human work and mash it together without any attribution.)

This "writeup" is nothing but of AI slop, and I strongly advise avoiding giving it attention. I'm very disappointed that people, even people I respect quite a bit, are promoting this like it's legitimate without reading it deeper and realizing this is AI slop.

Here are some writeups I strongly recommend reading, that have real, human, legitimate research placed into them:

• This fantastic writeup/thesis by Mortiz Steffin and Dr. Jiska Classen on the GXF-protected portions of iOS (SPTM, TXM, Exclaves/SecureKernel) and how it all makes XNU closer to a true microkernel architecture.
• JJTech's writeup on iMessage and how it worked as of 2023 (yes, 2023 was two years ago, but this writeup is still worth reading regardless)
• Snoolie's writeup on an Apple Archive vulnerability, this is a great writeup that goes further in depth on CVE-2024-27876.

I just published the slides of my #OBTS v8.0 talk about Apple's #C1 baseband. Our C1 #binja loader is now available on GitHub, and you can find a recording on YouTube.

https://lukasarnold.de/posts/obtsv8-talk/