A newly identified distributed denial-of-service (DDoS) botnet known as Kimwolf has assembled a massive army of at least 1.8 million compromised devices, including Android-based TVs, set-top boxes, and tablets. Researchers from QiAnXin XLab report that the operation may also connect to another botnet called AISURU.
“Kimwolf is a botnet compiled using the NDK [Native Development Kit],” the company said in a report. “In addition to typical DDoS attack capabilities, it integrates proxy forwarding, reverse shell, and file management functions.”
Unprecedented DDoS Activity and Domain Abuse
Notably, the hyper-scale botnet issued an estimated 1.7 billion DDoS attack commands over just three days, from November 19 to 22, 2025. During the same period, one of Kimwolf’s command-and-control (C2) domains — 14emeliaterracewestroxburyma02132[.]su — surged to the top of Cloudflare’s list of the 100 most-accessed domains, briefly surpassing Google.
Kimwolf primarily targets Android TV boxes operating within residential networks. Affected models include TV BOX, SuperBOX, HiDPTAndroid, P200, X96Q, XBOX, SmartTV, and MX10.
Infections span the globe, with the highest concentrations in Brazil, India, the United States, Argentina, South Africa, and the Philippines. Researchers have yet to identify the precise infection vector responsible for compromising these devices.
XLab began investigating Kimwolf after receiving a “version 4” malware artifact from a trusted community partner on October 24, 2025, and has since uncovered eight additional samples during November.
“We observed that Kimwolf’s C2 domains have been successfully taken down by unknown parties at least three times [in December], forcing it to upgrade its tactics and turn to using ENS (Ethereum Name Service) to harden its infrastructure, demonstrating its powerful evolutionary capability,” XLab researchers said.
Moreover, earlier this month, XLab successfully seized control of one of Kimwolf’s C2 domains. This access allowed researchers to directly evaluate the botnet’s size and operational scope.
Links to the AISURU Botnet
One of Kimwolf’s most notable characteristics involves its connection to the notorious AISURU botnet, which has driven several record-breaking DDoS attacks over the past year. Researchers suspect that attackers initially reused AISURU code before transitioning to Kimwolf to avoid detection.
XLab noted that some attacks previously attributed solely to AISURU may actually involve Kimwolf, either as a participant or as the primary operator.
“These two major botnets propagated through the same infection scripts between September and November, coexisting in the same batch of devices,” the company said. “They actually belong to the same hacker group.”
Researchers based this assessment on similarities among APK packages uploaded to the VirusTotal platform. In several cases, the attackers even reused the same code-signing certificate, labeled “John Dinglebert Dinglenut VIII VanSack Smith.”
Further confirmation emerged on December 8, 2025, when investigators discovered an active downloader server at 93.95.112[.]59. The server hosted a script referencing APK files associated with both Kimwolf and AISURU.
From a technical standpoint, the malware follows a relatively straightforward execution flow. Once launched, it ensures that only a single instance runs on the infected device. It then decrypts an embedded C2 domain, retrieves the C2 IP address via DNS-over-TLS, and establishes a connection to receive and execute commands.
EtherHiding and ENS-Based Resilience
More recent Kimwolf samples, detected as late as December 12, 2025, incorporate a technique known as EtherHiding. This method relies on an ENS domain, pawsatyou[.]eth, to obtain the real C2 IP address from an associated Ethereum smart contract (0xde569B825877c47fE637913eCE5216C644dE081F), significantly increasing resistance to takedown efforts.
Specifically, the malware reads an IPv6 address from the “lol” field of a transaction, takes its final four bytes, and XORs them with the key 0x93141715 to recover the IPv4 address of the live C2 server. Because the on-chain record is only a pointer, the operators can repoint the botnet by issuing a new transaction without touching any DNS infrastructure.
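The following decoder reproduces the address-recovery step described above. It is an added example written for this page, not code from XLab or from the malware itself. The field name “lol” and the key 0x93141715 come from the report; the JSON shape of the transaction record, the byte order (big-endian, i.e. network order, for both the address bytes and the key), and the sample IPv6/IPv4 values are assumptions constructed for the demonstration.

```python
import ipaddress
import json

# XOR key quoted in the XLab analysis of Kimwolf's EtherHiding samples.
KIMWOLF_XOR_KEY = 0x93141715

# Constructed stand-in for the transaction data the malware reads. Only the
# field name "lol" is from the report; the surrounding JSON shape and the
# IPv6 value are made up for this example.
SAMPLE_TX = json.dumps({"lol": "2001:db8::5814:661f"})


def decode_c2(ipv6_text: str, key: int = KIMWOLF_XOR_KEY) -> str:
    """Return the IPv4 C2 address hidden in the last four bytes of an IPv6 value.

    The report says: take the final four bytes and XOR them with the key.
    Byte order is not stated; treating both the bytes and the key as
    big-endian (network order) is an assumption of this example.
    """
    packed = ipaddress.IPv6Address(ipv6_text).packed  # 16 raw bytes
    tail = int.from_bytes(packed[-4:], "big")
    return str(ipaddress.IPv4Address(tail ^ key))


def encode_c2(ipv4_text: str, prefix: str = "2001:db8::",
              key: int = KIMWOLF_XOR_KEY) -> str:
    """Inverse of decode_c2: embed XOR(ipv4, key) in the low four bytes.

    Useful for building test vectors or for checking hunting rules. The
    documentation prefix 2001:db8:: is an assumption, not from the report.
    """
    v4 = int(ipaddress.IPv4Address(ipv4_text))
    masked = (v4 ^ key) & 0xFFFFFFFF
    head = ipaddress.IPv6Address(prefix).packed[:12]
    return str(ipaddress.IPv6Address(head + masked.to_bytes(4, "big")))


def c2_from_transaction(tx_json: str, key: int = KIMWOLF_XOR_KEY) -> str:
    """Parse a transaction record and recover the C2 address from its "lol" field."""
    record = json.loads(tx_json)
    return decode_c2(record["lol"], key)


if __name__ == "__main__":
    print(c2_from_transaction(SAMPLE_TX))  # 203.0.113.10 (constructed sample)
```

A defender who already has the contract address can pull the transaction history offline and run every “lol” value through `decode_c2` to enumerate the C2 addresses the botnet has been pointed at over time; if a decoded value is not a plausible public IPv4 address, the byte-order assumption is the first thing to revisit.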
In addition to encrypting sensitive C2 and DNS data, Kimwolf secures its network traffic with TLS. The malware supports 13 distinct DDoS attack techniques across UDP, TCP, and ICMP protocols. According to XLab, the attackers primarily target systems located in the United States, China, France, Germany, and Canada.
However, further analysis shows that more than 96% of issued commands concern proxy services rather than direct DDoS activity. This lets the operators monetize the residential bandwidth of compromised devices, which is far more lucrative than attack traffic alone. To support this effort, the operators deploy a Rust-based Command Client module that forms a large-scale proxy network.
Additionally, attackers deliver the ByteConnect software development kit (SDK) to infected nodes. This monetization tool enables app developers and IoT device owners to profit from network traffic.
“Giant botnets originated with Mirai in 2016, with infection targets mainly concentrated on IoT devices like home broadband routers and cameras,” XLab said. “However, in recent years, information on multiple million-level giant botnets like Badbox, Bigpanzi, Vo1d, and Kimwolf has been disclosed, indicating that some attackers have started to turn their attention to various smart TVs and TV boxes.”
Source: TheHackerNews
Read more at Impreza News