
Issue: SuperBox / BadBox 2.0 | Source: Darknet Diaries Episode 172
The most dangerous device in your house might not be your phone or your laptop. It might be a $300 streaming box sitting next to your TV.
And if you work in oil and gas, utilities, or any critical infrastructure sector, that box might already be looking for your industrial network.
The Story: SuperBox and the BadBox 2.0 Botnet
It started with a researcher's father. D3ada55 is a security researcher at CENSUS, with previous stints at Palo Alto Networks, Google, and Apple. Her father, an oil and gas executive, bought several SuperBox streaming devices for his home TVs. They were cheap, well-reviewed, and easy to find on Amazon, Walmart, and Best Buy. Then her sister noticed the home network slowing to a crawl.
That slowdown was not a coincidence. When D3ada55 put the device on her analysis network, the picture got ugly fast.
What the Device Actually Does
Immediately beacons to China. The box called out to qq.com (Tencent) within seconds of connecting to a network.
ARP floods the network. It scanned aggressively, knocked other devices offline, and impersonated them on the network.
Actively probes for SCADA systems. Her firewall flagged a known industrial control system (SCADA) vulnerability exploit attempt originating from the box. The device was not just spying. It was hunting for industrial infrastructure.
Runs deliberately outdated Android (2021 security patches), leaving it riddled with known, exploitable vulnerabilities.
Ships with TeamViewer pre-installed for persistent remote access, and Android Debug Bridge (ADB) left open with zero authentication. She got root access immediately.
Has 27 partitions, only 15 visible. The rest are hidden from the user.
How It Spreads
The supply chain is deliberate and sophisticated. The manufacturer, "GBS Labs," is a shell company with fake LinkedIn profiles and stock photo executives. The FCC certification printed on the box is counterfeit.
Sold openly on Amazon, Walmart, and Best Buy.
Influencers paid 50% commission to promote the devices, creating a wave of trusted recommendations.
SEO manipulation ensures negative reviews don't surface in search. Reddit accounts were created years in advance just to post a single glowing review when needed.
Unsolicited shipments to oil and gas workers. People in the industry were receiving these boxes at their homes without ordering them. That is not a marketing strategy. That is targeting.
The FBI Knows. The Devices Are Still for Sale.
The FBI issued a Public Service Announcement titled "Home Internet Connected Devices Facilitate Criminal Activity" specifically warning about these devices. The Department of Defense became interested in the investigation. And yet, as of this writing, variants of these boxes remain available on major retail platforms.
D3ada55 also found additional variants: the vSeeBox (which also beacons to China via Tencent) and something called the MagaBox. When placed on the same network, these devices start communicating with each other. They recognize each other. They coordinate.
People who bought these boxes reported bank accounts being compromised and ISPs flagging malicious outbound connections from their home networks. The damage is real and ongoing.
Why This Matters for OT/ICS Security
Here is what should stop every OT security professional cold: the attack vector is the employee's home network.
Think about the model. An oil and gas executive buys a cheap streaming box. It beacons to China, floods the local network, and actively scans for SCADA vulnerabilities. It does not need to breach the corporate perimeter to start gathering intelligence. It is already inside the perimeter where the executive's work laptop, VPN client, and personal devices all live.
This is a bottom-up intelligence operation. Compromise the homes of workers who have access to critical infrastructure. Map what they connect to. Wait. Then use that access when the moment is right.
The convergence of consumer IoT and industrial networks is not a future problem. It is already here, and the home network is the seam nobody is watching.
OT security has always focused on the plant floor, the control room, the historian. We have hardened those environments significantly over the past decade. But the remote access era created a direct tunnel from the corporate network to the employee's home, and nobody is auditing what else is on that home network.
3 Things You Should Do Right Now
Check your home network for unknown devices. Especially cheap streaming boxes. Log into your router, pull the device list, and look at everything connected. If you see a device you don't recognize, especially one with a Chinese manufacturer address, disconnect it immediately.
Segment your home network. Put IoT devices, smart TVs, and streaming boxes on a separate VLAN or guest network, isolated from your work laptop, VPN, and anything else that touches your employer's systems. Most modern routers support this. It takes 20 minutes to set up and it matters.
Talk to your family about what they're plugging in. Your kids, your spouse, your parents. Cheap streaming devices are an easy gift and an appealing purchase. They need to know that "cheap and well-reviewed" is not the same as "safe." Before any new device goes on your home network, someone with security awareness should look at it first.
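The behaviours described earlier (the first-boot beacon to qq.com, the ARP flood, the SCADA probing) are what the device-list check in step 1 can be extended to catch if your router exports logs. This is an added example, not code from the episode, the researcher or this newsletter: it triages a constructed router log export against a constructed allowlist, and the log format, MAC addresses, ICS port list and thresholds are all assumptions.

```python
# Added example, not code from the episode or this newsletter. Triage a home router's
# log export for the behaviours the story describes. Log format and values are constructed.
from collections import Counter, defaultdict
from datetime import datetime

# Assumptions: the ICS port list and thresholds are the author's choices, not from the episode.
ICS_PORTS = {502: "Modbus", 20000: "DNP3", 44818: "EtherNet/IP", 102: "S7comm"}
ARP_FLOOD_PER_MINUTE = 200        # one device asking for 200+ hosts a minute is a sweep, not normal use
BEACON_WINDOW_SECONDS = 60        # resolving qq.com this soon after the DHCP lease is a first-boot beacon
KNOWN_DEVICES = {"aa:bb:cc:00:00:01": "work-laptop", "aa:bb:cc:00:00:02": "phone"}  # constructed allowlist

# Constructed log lines: "<ISO time> <kind> <client MAC> <fields...>".
SAMPLE_LOG = """\
2025-01-10T19:58:00 DHCP aa:bb:cc:00:00:01 lease 192.168.1.20 hostname=work-laptop
2025-01-10T19:59:10 DNS aa:bb:cc:00:00:01 query example.com
2025-01-10T20:00:00 DHCP aa:bb:cc:00:00:03 lease 192.168.1.50 hostname=SuperBox
2025-01-10T20:00:04 DNS aa:bb:cc:00:00:03 query qq.com
2025-01-10T20:01:30 CONN aa:bb:cc:00:00:03 to 192.168.1.40:502
"""
# The box then sweeps the /24 with ARP requests: 250 requests inside minute 20:02 (constructed).
SAMPLE_LOG += "".join(
    f"2025-01-10T20:02:{i % 60:02d} ARP aa:bb:cc:00:00:03 who-has 192.168.1.{2 + i}\n" for i in range(250))

def triage(log_text, known=KNOWN_DEVICES):
    """Return {mac: [findings]} for every device that trips at least one check."""
    findings = defaultdict(set)
    joined = {}                  # mac -> time of its DHCP lease
    arp_per_minute = Counter()   # (mac, minute) -> ARP request count
    for line in log_text.splitlines():
        ts_text, kind, mac, *rest = line.split()
        ts = datetime.fromisoformat(ts_text)
        if mac not in known:
            findings[mac].add("unknown device: not in the allowlist")
        if kind == "DHCP":
            joined[mac] = ts
        elif kind == "DNS" and rest[1].endswith("qq.com"):
            if mac in joined and (ts - joined[mac]).total_seconds() <= BEACON_WINDOW_SECONDS:
                findings[mac].add("beacon: resolved qq.com within 60s of joining the network")
        elif kind == "ARP":
            key = (mac, ts.strftime("%Y-%m-%dT%H:%M"))
            arp_per_minute[key] += 1
            if arp_per_minute[key] == ARP_FLOOD_PER_MINUTE:
                findings[mac].add("ARP flood: 200+ requests in one minute")
        elif kind == "CONN":
            port = int(rest[1].rsplit(":", 1)[1])
            if port in ICS_PORTS:
                findings[mac].add(f"ICS probe: connection to port {port} ({ICS_PORTS[port]})")
    return {mac: sorted(f) for mac, f in findings.items()}

if __name__ == "__main__":
    for mac, hits in triage(SAMPLE_LOG).items():
        print(mac, *hits, sep="\n  ")
```

Running it on the constructed log flags only the SuperBox MAC, with all four findings, while the allowlisted work laptop produces nothing.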
If this story connects to things you've been thinking about, these episodes go deeper on the underlying issues:
Ep 91: OT Remote Access After COVID - The remote access explosion that opened the home network as an attack surface.
Ep 96: Poland's Power Grid Cyberattack - What a real attack on critical infrastructure looks like from the inside.
Ep 92: Pen Testing Reality Check - Why the weakest link is almost never where you expect it.
Aaron's Take
I've spent years in OT security watching the same pattern play out: attackers don't break through the hardened front door. They find the door nobody knew existed. The home network of the OT professional is that door right now, and most organizations have zero visibility into it.
This story from Darknet Diaries is not a hypothetical threat model. It is documented, active, and ongoing. Devices are still for sale. Targeting of oil and gas workers is confirmed. The SCADA probing is confirmed. The FBI has issued a warning. None of that has stopped the boxes from shipping.
Every OT security professional who reads this should forward it to their HR team, their IT team, and their workforce. The plant floor is not where this attack starts. It starts in the living room.
Has This Happened to You?
Have you found a suspicious device on your network? Or does someone in your family use one of these streaming boxes? Hit reply and tell me about it. I read every response, and your story might help protect someone else in this community.
Aaron Crow
Source
Darknet Diaries Episode 172: SuperBox, https://darknetdiaries.com/episode/172/
PrOTect It All Ep 91: OT Remote Access After COVID, https://protectitallpod.com/ep091/
PrOTect It All Ep 96: Poland's Power Grid Cyberattack, https://protectitallpod.com/ep096/
PrOTect It All Ep 92: Pen Testing Reality Check, https://protectitallpod.com/ep092/
