Kimwolf Botnet Infects 1.8 Million Android TVs for Massive DDoS Assaults

Kimwolf is a new, large-scale DDoS botnet that has infected more than 1.8 million Android-based TVs, TV boxes, and tablets worldwide. It is linked to the AISURU botnet, hardens its infrastructure with evasion tactics such as resolving its command-and-control (C2) address through the Ethereum Name Service (ENS), and uses the compromised devices mainly for proxy services and DDoS attacks.

Dec 18, 2025 - 12:15

QiAnXin XLab has found that a new distributed denial-of-service (DDoS) botnet called Kimwolf has amassed at least 1.8 million infected devices, including Android-based TVs, set-top boxes, and tablets. It may also be linked to another botnet called AISURU.

In a report released today, the company said: "Kimwolf is a botnet made with the NDK [Native Development Kit]. It has proxy forwarding, reverse shell, and file management functions in addition to the usual DDoS attack features."

The hyper-scale botnet is thought to have issued 1.7 billion DDoS attack commands in just three days, from November 19 to 22, 2025. Around the same time, one of its command-and-control (C2) domains, 14emeliaterracewestroxburyma02132[.]su, reached the top of Cloudflare's ranking of the 100 most popular domains, briefly outranking Google.

Kimwolf's main infection targets are TV boxes used in home networks. Affected device models include the TV BOX, SuperBOX, HiDPTAndroid, P200, X96Q, XBOX, SmartTV, and MX10. Infections are distributed worldwide, with the highest counts in Brazil, India, the U.S., Argentina, South Africa, and the Philippines. The initial infection vector, that is, how the malware reaches these devices, is not yet known.

The cybersecurity firm said it began investigating the botnet after receiving a "version 4" Kimwolf artifact from a trusted community partner on October 24, 2025. Eight more samples were found last month.

"We observed that Kimwolf's C2 domains have been successfully taken down by unknown parties at least three times [in December], forcing it to upgrade its tactics and turn to using ENS (Ethereum Name Service) to harden its infrastructure, demonstrating its powerful evolutionary capability," XLab researchers said.

Earlier this month, XLab also managed to take over one of the C2 domains itself, which gave it visibility into the botnet's true size.

One notable aspect of Kimwolf is its link to the well-known AISURU botnet, which has been responsible for some of the largest DDoS attacks of the past year. It is believed that the attackers initially borrowed code from AISURU, but later built Kimwolf as a separate botnet to avoid detection.

XLab said that Kimwolf may have participated in, or even been the main source of, some of those attacks, meaning they may not all have originated from AISURU.

The company said: "These two big botnets spread through the same infection scripts from September to November, living on the same group of devices. These people are part of the same group of hackers."

This assessment is based on similarities between APK packages uploaded to VirusTotal, some of which were signed with the same code signing certificate ("John Dinglebert Dinglenut VIII VanSack Smith"). More conclusive evidence came on December 8, 2025, in the form of an active downloader server ("93.95.112[.]59") hosting a script that referenced APKs for both Kimwolf and AISURU.

The malware itself is relatively straightforward. On startup it ensures that only one instance of the process runs on the infected device. It then decrypts the embedded C2 domain, resolves the C2 IP address over DNS-over-TLS (so the lookup is not visible to plain-DNS monitoring on the local network), and connects to the server to receive and execute commands.

Recent versions of the malware, observed as recently as December 12, 2025, add a technique known as EtherHiding: an ENS domain ("pawsatyou[.]eth") points to a smart contract (0xde569B825877c47fE637913eCE5216C644dE081F) from which the bot retrieves the real C2 IP address. Because the pointer lives on the Ethereum blockchain rather than in DNS, there is no registrar or hosting provider to seize it, which makes the infrastructure considerably harder to take down.

The real IP address is recovered by taking the last four bytes of the IPv6 address stored in the "lol" field of the contract transaction and XORing them with the key 0x93141715.
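As an added illustration of the decoding step above (this is the editor's code, not XLab's or the malware's), the following Python function applies the described transformation to an IPv6 address. The report does not state the byte order in which the key is applied, so treating the last four bytes of the address as a big-endian 32-bit value and XORing with 0x93141715 is an assumption; the sample IPv6 address is constructed for the example and is not a real on-chain value.

```python
import ipaddress
import struct

# Key quoted in the XLab report for the Kimwolf EtherHiding scheme.
XOR_KEY = 0x93141715


def decode_c2_ipv4(ipv6_text: str, key: int = XOR_KEY) -> str:
    """Recover the C2 IPv4 from the IPv6 value found in the transaction's "lol" field.

    Takes the last four bytes of the IPv6 address and XORs them with the key.
    Byte order (big-endian, address order) is an assumption of this example.
    """
    addr = ipaddress.IPv6Address(ipv6_text)
    last4 = addr.packed[-4:]
    (encoded,) = struct.unpack(">I", last4)
    return str(ipaddress.IPv4Address(encoded ^ key))


def encode_c2_ipv4(ipv4_text: str, prefix_ipv6: str = "2001:db8::", key: int = XOR_KEY) -> str:
    """Inverse of decode_c2_ipv4; used here to build a constructed sample and to
    show that the scheme is a symmetric XOR, so the same key decodes and encodes.
    The 2001:db8::/32 prefix is the documentation range, chosen for the example."""
    v4 = int(ipaddress.IPv4Address(ipv4_text))
    prefix = ipaddress.IPv6Address(prefix_ipv6).packed[:12]
    return str(ipaddress.IPv6Address(prefix + struct.pack(">I", v4 ^ key)))


if __name__ == "__main__":
    # Constructed sample: hide the TEST-NET address 203.0.113.7 the way the bot would read it back.
    hidden = encode_c2_ipv4("203.0.113.7")   # 2001:db8::5814:6612
    print(hidden, "->", decode_c2_ipv4(hidden))
```

For hunting, the useful part is that the decoder is cheap to run over any IPv6-looking values pulled from transactions against the named contract; a decoded value that is a routable public IPv4 address is a candidate C2 to block or sinkhole.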

Kimwolf encrypts its network communications with TLS when receiving DDoS commands, and it also encrypts sensitive configuration such as the C2 servers and DNS resolvers. The malware supports 13 DDoS attack methods over UDP, TCP, and ICMP. According to XLab, the attack targets are primarily located in the U.S., China, France, Germany, and Canada.

Further analysis showed that more than 96% of the commands relate to using the bot nodes to provide proxy services, indicating that the attackers are mainly monetizing the bandwidth of the compromised devices. A Rust-based Command Client module is used to build the proxy network as part of this effort.

The nodes are also delivered a ByteConnect software development kit (SDK), which is presented as a way for app developers and IoT device owners to monetize their traffic.

XLab said: "Giant botnets started with Mirai in 2016, and their main targets were IoT devices like home broadband routers and cameras. However, in the last few years, information about giant botnets with millions of members, like Badbox, Bigpanzi, Vo1d, and Kimwolf, has been made public. This shows that some attackers have begun to focus on different smart TVs and TV boxes."