Kimwolf Botnet Hacks Badbox 2.0 Control Panel: Who’s Behind the Botnet
A breakdown of the key individuals and connections identified in the KrebsOnSecurity article excerpt on the Badbox 2.0 control panel:
Key Individuals:
* Chen Daihai: Linked to the astrolink[.]cn domain and possibly involved with Badbox 2.0. His email address is chendaihai@astrolink[.]cn.
* Zhu Zhiyu: Also linked to astrolink[.]cn and Badbox 2.0. He’s identified through multiple email addresses:
* xavier@astrolink[.]cn (listed on the Astrolink contact page)
* [email protected] (used in the Badbox 2.0 panel, linked to a jd.com account)
* [email protected] (original registrant of astrolink[.]cn)
* Huang Guilin: The “admin” user in the Badbox 2.0 panel. Linked to:
* [email protected] (email used for the “admin” account)
* 18681627767 (Chinese mobile phone number)
* Guilin Huang (桂林 黄) (name associated with a Microsoft profile and Weibo account “h_guilin”)
Key Connections & Findings:
* Astrolink & Badbox 2.0: Chen Daihai and Zhu Zhiyu are both connected to the astrolink[.]cn domain and were users within the Badbox 2.0 panel. This suggests a strong link between Astrolink and the Badbox 2.0 operation.
* Email Address Reuse/Linking: The use of the same password across multiple email accounts ([email protected] and [email protected]) strengthens the connection to Zhu Zhiyu.
* Domain Registrations: The email address [email protected] is linked to the registration of guilincloud[.]cn, and to Huang Guilin.
* Phone Number & Social Media: The phone number associated with Huang Guilin is also tied to a Microsoft profile and a Weibo account, providing further corroborating data.
* Other Badbox 2.0 panel users: Three other panel users were identified, but they don’t appear to have any direct connection to Chen Daihai, Zhu Zhiyu, or any corporate entity.
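The pivots listed above (an identical email address, a password reused across accounts, a shared phone number, a domain registered by the same person) all amount to walking a graph whose nodes are people or accounts on one side and selectors on the other. The following is an added example of that link analysis, not code from the KrebsOnSecurity article or from any of the tools it names; the entity labels, selectors, sources and the password hash are constructed placeholders that mirror the shape of the chain in the text, not the real identifiers.

```python
"""Added example (not from the article or the OSINT tools it names):
link analysis over account selectors, the kind of pivoting described
in the findings above. All entity labels, selectors and sources below
are constructed placeholders, not the real identifiers in the article."""
import re
from collections import defaultdict, deque


def refang(value: str) -> str:
    """Normalise a defanged indicator so equal selectors become one node:
    'Astrolink[.]cn' -> 'astrolink.cn', 'hxxp://' -> 'http://'."""
    v = value.strip().lower()
    for defanged, real in (("[.]", "."), ("(.)", "."), ("{.}", "."), ("hxxp", "http")):
        v = v.replace(defanged, real)
    return v


# Selector classes, tested in order. A credential is represented as a
# password hash so that reuse of the same password across accounts becomes
# a shared node, as in the "same password across multiple email accounts" pivot.
_SELECTOR_TYPES = (
    ("email", re.compile(r"^[^@\s]+@[^@\s]+\.[a-z]{2,}$")),
    ("phone", re.compile(r"^\+?\d{7,15}$")),
    ("domain", re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$")),
    ("credential", re.compile(r"^pwhash:[0-9a-f]{8,}$")),
)


def classify(selector: str) -> str:
    """Return the selector class ('email', 'phone', ...) or 'unknown'."""
    s = refang(selector)
    for kind, pattern in _SELECTOR_TYPES:
        if pattern.match(s):
            return kind
    return "unknown"


class PivotGraph:
    """Bipartite graph: entities (people, accounts) <-> selectors."""

    def __init__(self, pivotable=("email", "phone", "domain", "credential"), max_fanout=10):
        self.pivotable = set(pivotable)    # 'unknown' selectors never link anyone
        self.max_fanout = max_fanout       # a selector shared by many entities is noise
        self.entity_to_sel = defaultdict(set)
        self.sel_to_entity = defaultdict(set)
        self.evidence = {}                 # (entity, selector node) -> where it was seen

    def observe(self, entity: str, selector: str, source: str) -> None:
        node = f"{classify(selector)}:{refang(selector)}"
        self.entity_to_sel[entity].add(node)
        self.sel_to_entity[node].add(entity)
        self.evidence[(entity, node)] = source

    def pivot(self, start: str, max_hops: int = 3) -> dict:
        """Breadth-first walk from `start`. Returns {entity: chain}, where the
        chain is the list of (from_entity, shared_selector, to_entity) hops
        that justify the link, so every conclusion carries its evidence."""
        chains = {start: []}
        queue = deque([(start, 0)])
        while queue:
            entity, hops = queue.popleft()
            if hops >= max_hops:
                continue
            for node in self.entity_to_sel.get(entity, ()):
                kind = node.split(":", 1)[0]
                neighbours = self.sel_to_entity[node]
                if kind not in self.pivotable or len(neighbours) > self.max_fanout:
                    continue
                for other in neighbours:
                    if other not in chains:
                        chains[other] = chains[entity] + [(entity, node, other)]
                        queue.append((other, hops + 1))
        del chains[start]
        return chains


def build_sample_graph() -> PivotGraph:
    """Constructed observations mirroring the shape of the chain in the text."""
    g = PivotGraph()
    g.observe("registrant-A", "xavier@astrolink[.]cn", "company contact page")
    g.observe("registrant-A", "astrolink[.]cn", "historical WHOIS record")
    g.observe("registrant-A", "pwhash:5f4dcc3b5aa765d61d8327deb882cf99", "breach corpus 1")
    g.observe("panel-user-B", "shopper@mail.example", "panel user table")
    g.observe("panel-user-B", "pwhash:5f4dcc3b5aa765d61d8327deb882cf99", "breach corpus 2")
    g.observe("registrant-C", "astrolink[.]cn", "current WHOIS record")
    g.observe("panel-admin-D", "admin@mail.example", "panel admin account")
    g.observe("panel-admin-D", "5550000000", "panel admin profile")
    g.observe("social-profile-E", "5550000000", "phone-to-profile lookup")
    g.observe("panel-user-F", "lonely@mail.example", "panel user table")  # shares nothing
    return g


def linked_entities(g: PivotGraph, start: str) -> set:
    """Entities reachable from `start` through shared selectors."""
    return set(g.pivot(start))


if __name__ == "__main__":
    graph = build_sample_graph()
    for target, chain in graph.pivot("registrant-A").items():
        print(target, "<-", " / ".join(f"{a} ~{sel}~ {b}" for a, sel, b in chain))
```

Two design choices matter in practice. First, only an identical selector links two entities: two addresses at the same mail domain (as with the two astrolink[.]cn contacts) are not treated as one identity, which is why `registrant-A` and `registrant-C` are joined through the domain registration record rather than through their email addresses. Second, `max_fanout` drops selectors shared by many entities (a default password hash, a placeholder phone number), since those produce exactly the spurious links that make attribution reports wrong; the unconnected `panel-user-F` mirrors the three panel users in the article with no link to anyone else.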
Domains Mentioned:
* astrolink[.]cn
* guilincloud[.]cn
Tools Used in the Investigation (as mentioned in the text):
* Constella: Used to find jd.com accounts associated with email addresses.
* DomainTools: Used to find domain registration information.
* osint.industries: Used for breach tracking and connecting phone numbers to profiles.
* Spycloud: Used to find social media accounts associated with phone numbers.
* archive.org: Used to view historical versions of websites.
In essence, the article is building a case linking Chen Daihai and Zhu Zhiyu to the operation of Astrolink and their involvement with the Badbox 2.0 panel, while also identifying a third individual, Huang Guilin, as the initial administrator of the panel.
