Bigpanzi Cybercrime Group’s Global Impact: Infecting Millions of Devices Since 2015

Smart TV


An unidentified cybercrime group, going by the name ‘Bigpanzi,’ has been quietly making a substantial income by infecting Android TV and eCos set-top boxes worldwide since at least 2015. According to researchers at Qianxin Xlabs in Beijing, this threat group manages a large botnet with around 170,000 active bots every day. However, they’ve identified a staggering 1.3 million unique IP addresses associated with the botnet since August, with the majority located in Brazil.

Methods of Infiltration

Bigpanzi gains access to these devices by exploiting firmware updates or convincing users to install compromised apps unknowingly. A report from September 2023 by Dr. Web shed light on this method.  These cybercriminals profit from these infections by utilizing the devices for various illegal activities, including hosting illegal media streaming platforms, acting as traffic proxy networks, participating in distributed denial of service (DDoS) attacks, and delivering over-the-top (OTT) content. Xlabs’ report zooms in on two malware tools used by Bigpanzi, namely ‘pandoraspear’ and ‘pcdn.’

Bigpanzi infiltration diagram
Source: Xlabs

Analysis of Malware Tools: Pandoraspear and Pcdn

Pandoraspear functions as a backdoor trojan, taking control of DNS settings, establishing communication with a command and control (C2) server, and executing commands received from it. This malware is versatile, capable of manipulating DNS settings, launching DDoS attacks, self-updating, creating reverse shells, managing its C2 communication, and executing various OS commands. Pandoraspear employs advanced techniques like modified UPX shell, dynamic linking, OLLVM compilation, and anti-debugging mechanisms to remain undetected.

Pcdn is another tool used by Bigpanzi, primarily designed to build a peer-to-peer (P2P) Content Distribution Network (CDN) on infected devices, and it possesses DDoS capabilities to weaponize these devices.

Pandoraspear and Pcdn tools
Source: Xlabs

Investigative Insights by Xlabs

Xlabs gained insights into the botnet’s scale by taking control of two C2 domains used by the attackers and observing them for seven days. They found that at peak times, the Bigpanzi botnet consists of 170,000 daily bots, and they’ve identified over 1.3 million distinct IPs since August. However, due to the fact that the compromised TV boxes are not active simultaneously all the time and limitations in the visibility of cybersecurity analysts, it is highly likely that the botnet is even larger.

The Xlabs report reflects on Bigpanzi’s covert operation over the past eight years, accumulating wealth discreetly. They’ve seen a significant increase in samples, domain names, and IP addresses associated with this operation.

While examining the pcdn sample, the Chinese researchers discovered artifacts leading to a suspicious YouTube channel controlled by a company. However, the Xlabs report has not yet revealed any details about attribution, presumably leaving that information for law enforcement authorities to handle.


In conclusion, the case of Bigpanzi is not just a story of technological exploitation but a wake-up call. It highlights the urgent need for stronger cybersecurity defenses, collaboration, and continuous monitoring to safeguard our increasingly connected world. As we await further developments and law enforcement actions, one thing remains certain: the fight against cybercrime is far from over, and we must all play a part in fortifying our digital bastions.

About Purple Shield Security

Purple Shield Security is not your typical cybersecurity consulting firm. We are the guardians of your digital realm, committed to protecting your business from the constantly evolving landscape of cyber threats. With a dedicated team of passionate security professionals by your side, we go above and beyond mere data and system protection – we provide you with peace of mind. Our comprehensive range of services includes Managed Cybersecurity Services, Security Assessments, Penetration Testing, Incident Response, and more. By harnessing cutting-edge solutions and leveraging our expertise, we empower you to fortify your web applications and minimize vulnerability to attacks.

Don’t wait to secure your business. Get in touch with us today and discover how Purple Shield Security can revolutionize your cybersecurity defenses.

#cybersecuritynews #securitynews #hacking #datasecurity #cyberprotection #malware # Malwareprotection