Cybersecurity researchers have uncovered a large-scale distributed denial-of-service (DDoS) botnet named Kimwolf that has compromised approximately 1.8 million Android-based devices, including smart TVs, set-top boxes, and tablets. The findings were published by researchers at QiAnXin XLab, who noted possible links between Kimwolf and another notorious botnet known as AISURU.
According to the researchers, Kimwolf is developed using the Android NDK (Native Development Kit). Beyond conventional DDoS functionality, the malware also supports proxy forwarding, reverse shell access, and remote file management, making it a highly versatile threat platform.
The scale of the operation is significant. Between November 19 and November 22, 2025, the botnet is estimated to have issued nearly 1.7 billion DDoS commands. During the same period, one of its command-and-control (C2) domains unexpectedly appeared among the top 100 most queried domains listed by Cloudflare, temporarily even surpassing Google in traffic rankings.
Kimwolf primarily targets Android TV boxes operating within residential networks. Affected device models include TV BOX, SuperBOX, HiDPTAndroid, P200, X96Q, XBOX, SmartTV, and MX10. Infections have been observed worldwide, with higher concentrations reported in Brazil, India, the United States, Argentina, South Africa, and the Philippines. At present, the exact infection vector used to compromise these devices remains unclear.
XLab stated that its investigation began after receiving a version 4 sample of the malware from a trusted partner on October 24, 2025. Subsequent analysis led to the discovery of eight additional samples in the following month.
Researchers also observed that Kimwolf's command-and-control infrastructure has been disrupted multiple times by unknown entities. In response, the operators adapted by shifting to decentralized technologies, including the use of the Ethereum Name Service (ENS), to strengthen resilience against takedown efforts. Earlier this month, XLab was able to temporarily seize control of one C2 domain, allowing analysts to directly assess the botnet's size and behavior.
An important finding links Kimwolf to the AISURU botnet, which has been associated with some of the largest DDoS attacks recorded in recent years. Evidence suggests that the attackers initially reused AISURU code before transitioning to a standalone Kimwolf framework to evade detection. Analysis revealed that both botnets spread using the same infection scripts and, in some cases, coexisted on the same compromised devices, pointing to a shared threat actor.

This assessment is supported by similarities found in Android application packages uploaded to VirusTotal, including the reuse of an identical code signing certificate. Further confirmation emerged on December 8, 2025, when an active downloader server was identified hosting scripts that referenced payloads for both Kimwolf and AISURU.
From a technical perspective, the malware first ensures that only a single instance runs on an infected device. It then decrypts its embedded C2 domain, resolves the address using DNS over TLS, and connects to receive instructions. Newer variants detected in mid-December 2025 introduced a technique referred to as EtherHiding. This approach leverages ENS domains and blockchain smart contracts to dynamically retrieve C2 addresses, significantly complicating disruption efforts.
Kimwolf encrypts sensitive configuration data and uses TLS for network communications. It supports 13 distinct DDoS attack methods across UDP, TCP, and ICMP protocols. Observed targets include systems located in the United States, China, France, Germany, and Canada.
Further analysis showed that more than 96 percent of issued commands were related to proxy services rather than direct DDoS activity. This indicates a monetization strategy focused on abusing the bandwidth of infected devices. To support this, the attackers deploy a Rust-based command client to establish a large proxy network, along with the ByteConnect software development kit, which enables traffic monetization on compromised IoT hardware.
Researchers concluded that while early large botnets such as Mirai primarily targeted routers and cameras, modern campaigns increasingly focus on smart TVs and TV boxes. The emergence of multi-million-node botnets like Kimwolf highlights a growing and evolving threat to consumer connected devices.
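The two behaviours described above, DNS-over-TLS resolution of the C2 address and heavy proxy forwarding from residential Android TV boxes, can be turned into a simple network-side triage heuristic. The following is an added example written for this page, not code or indicators from XLab: the flow records, the approved-resolver list and the fan-out threshold are all constructed assumptions.

```python
"""Triage of per-device flow records for the pattern the article describes:
a LAN device that speaks DNS-over-TLS (TCP/853) to a resolver the network
does not normally use, then fans out to many remote hosts (proxy forwarding).
All sample data, resolver lists and thresholds here are constructed."""
from collections import defaultdict
from dataclasses import dataclass

# Resolvers the home network is expected to use for DoT (assumption).
APPROVED_DOT_RESOLVERS = {"1.1.1.1", "9.9.9.9"}
FANOUT_THRESHOLD = 50  # distinct remote hosts per device; tunable assumption


@dataclass(frozen=True)
class Flow:
    src: str    # device IP on the LAN
    dst: str    # remote IP
    dport: int  # destination port
    proto: str  # "tcp", "udp" or "icmp"


def triage(flows):
    """Return {device_ip: [reasons]} for devices matching either heuristic."""
    dot_targets = defaultdict(set)
    remote_hosts = defaultdict(set)
    for f in flows:
        if f.proto == "tcp" and f.dport == 853:
            dot_targets[f.src].add(f.dst)
        remote_hosts[f.src].add(f.dst)
    findings = defaultdict(list)
    for dev, resolvers in dot_targets.items():
        unapproved = resolvers - APPROVED_DOT_RESOLVERS
        if unapproved:
            findings[dev].append(f"DoT to unapproved resolver(s): {sorted(unapproved)}")
    for dev, hosts in remote_hosts.items():
        if len(hosts) >= FANOUT_THRESHOLD:
            findings[dev].append(f"fan-out to {len(hosts)} remote hosts (possible proxy forwarding)")
    return dict(findings)


# Constructed sample: a laptop (192.168.1.20) with normal behaviour and a
# TV box (192.168.1.50) showing both suspicious behaviours.
SAMPLE_FLOWS = (
    [Flow("192.168.1.20", "1.1.1.1", 853, "tcp")]
    + [Flow("192.168.1.20", f"203.0.113.{i}", 443, "tcp") for i in range(1, 6)]
    + [Flow("192.168.1.50", "198.51.100.7", 853, "tcp")]
    + [Flow("192.168.1.50", f"192.0.2.{i}", 443, "tcp") for i in range(1, 81)]
)

if __name__ == "__main__":
    for dev, reasons in triage(SAMPLE_FLOWS).items():
        print(dev, "->", "; ".join(reasons))
```

In a real deployment the flow records would come from the router or a flow exporter, and the approved-resolver set from the network's own DNS configuration.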