Cyber Web Spider Blog – News
Kimwolf Botnet Hijacks 1.8 Million Android TVs, Launches Large-Scale DDoS Attacks

Posted on December 17, 2025 By CWS

A new distributed denial-of-service (DDoS) botnet known as Kimwolf has enlisted a large army of at least 1.8 million infected devices comprising Android-based TVs, set-top boxes, and tablets, and may be related to another botnet known as AISURU, according to findings from QiAnXin XLab.
“Kimwolf is a botnet compiled using the NDK [Native Development Kit],” the company said in a report published today. “In addition to typical DDoS attack capabilities, it integrates proxy forwarding, reverse shell, and file management functions.”
The hyper-scale botnet is estimated to have issued 1.7 billion DDoS attack commands within a three-day period between November 19 and 22, 2025, around the same time one of its command-and-control (C2) domains – 14emeliaterracewestroxburyma02132[.]su – came first in Cloudflare’s list of top 100 domains, briefly even surpassing Google.
Kimwolf’s primary infection targets are TV boxes deployed in residential network environments. Some of the affected device models include TV BOX, SuperBOX, HiDPTAndroid, P200, X96Q, XBOX, SmartTV, and MX10. Infections are scattered globally, with Brazil, India, the U.S., Argentina, South Africa, and the Philippines registering higher concentrations. That said, the exact means by which the malware is propagated to these devices is currently unclear.

XLab said its investigation into the botnet commenced after it obtained a “version 4” artifact of Kimwolf from a trusted community partner on October 24, 2025. Since then, an additional eight samples were discovered last month.
“We observed that Kimwolf’s C2 domains were successfully taken down by unknown parties at least three times [in December], forcing it to upgrade its tactics and switch to using ENS (Ethereum Name Service) to harden its infrastructure, demonstrating its powerful evolutionary capability,” XLab researchers said.

That’s not all. Earlier this month, XLab managed to seize control of one of the C2 domains, enabling it to assess the scale of the botnet.
An interesting aspect of Kimwolf is that it is tied to the infamous AISURU botnet, which has been behind some of the record-breaking DDoS attacks over the past year. It is suspected that the attackers reused code from AISURU in the early stages, before opting to develop the Kimwolf botnet to evade detection.
XLab said it is possible some of these attacks may not have come from AISURU alone, and that Kimwolf may be either collaborating or even leading the efforts.
“These two major botnets propagated through the same infection scripts between September and November, coexisting in the same batch of devices,” the company said. “They actually belong to the same hacker group.”

This assessment is based on similarities in APK packages uploaded to the VirusTotal platform, in some cases even using the same code signing certificate (“John Dinglebert Dinglenut VIII VanSack Smith”). Further definitive proof arrived on December 8, 2025, with the discovery of an active downloader server (“93.95.112[.]59”) that hosted a script referencing APKs for both Kimwolf and AISURU.
The malware itself is fairly straightforward. Once launched, it ensures that only one instance of the process runs on the infected device, then decrypts the embedded C2 domain, uses DNS-over-TLS to obtain the C2 IP address, and connects to it in order to receive and execute commands.
Recent versions of the botnet malware, detected as recently as December 12, 2025, have introduced a technique known as EtherHiding that uses an ENS domain (“pawsatyou[.]eth”) to fetch the actual C2 IP from the associated smart contract (0xde569B825877c47fE637913eCE5216C644dE081F), in an effort to render its infrastructure more resilient to takedown efforts.

Specifically, this involves extracting an IPv6 address from the “lol” field of the transaction, then taking the last 4 bytes of the address and XORing them with the key “0x93141715” to obtain the actual C2 IP address.
Besides encrypting sensitive data related to C2 servers and DNS resolvers, Kimwolf uses TLS encryption for the network communications over which it receives DDoS commands. In all, the malware supports 13 DDoS attack methods over UDP, TCP, and ICMP. The attack targets, per XLab, are located in the U.S., China, France, Germany, and Canada.
Further analysis has determined that over 96% of the commands relate to using the bot nodes to provide proxy services. This points to the attackers’ attempts to exploit the bandwidth of compromised devices and maximize profit. As part of that effort, a Rust-based Command Client module is deployed to form a proxy network.
Also delivered to the nodes is a ByteConnect software development kit (SDK), a monetization solution that allows app developers and IoT device owners to monetize their traffic.
“Giant botnets originated with Mirai in 2016, with infection targets primarily focused on IoT devices like home broadband routers and cameras,” XLab said. “However, in recent years, information on several million-level giant botnets like Badbox, Bigpanzi, Vo1d, and Kimwolf has been disclosed, indicating that some attackers have started to turn their attention to various smart TVs and TV boxes.”
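To make that decoding step concrete for analysts who need to recover the C2 endpoint from a captured on-chain value, here is an added example; it is not code from the XLab report or from the malware. It applies the transformation described above (last four bytes of the IPv6 address XORed with 0x93141715) to a constructed IPv6 value and then sanity-checks the result. The byte order of the four-byte tail, the function names, and the sample address are assumptions; the page only gives the key and the “last 4 bytes” rule.

```python
import ipaddress

# XOR key quoted in the XLab report, as given on the page.
KIMWOLF_XOR_KEY = 0x93141715


def decode_c2_ipv4(ipv6_text: str, key: int = KIMWOLF_XOR_KEY,
                   byteorder: str = "big") -> str:
    """Recover the IPv4 C2 address hidden in an IPv6 value.

    Follows the scheme the report describes: take the last four bytes of the
    IPv6 address and XOR them with the 32-bit key. The byte order of those
    four bytes is not stated on the page; big-endian is assumed by default,
    and the parameter lets an analyst try the other interpretation.
    """
    addr = ipaddress.IPv6Address(ipv6_text)            # raises ValueError on malformed input
    tail = int.from_bytes(addr.packed[-4:], byteorder)  # low 32 bits of the 128-bit address
    return str(ipaddress.IPv4Address(tail ^ key))


def triage(ipv4_text: str) -> str:
    """Classify a decoded candidate so a wrong key or byte order stands out.

    A live C2 endpoint has to be globally routable. A result in multicast,
    private, loopback or documentation space is a strong hint that the
    decoding parameters are wrong, not that the C2 lives there.
    """
    ip = ipaddress.IPv4Address(ipv4_text)
    if ip.is_multicast:
        return "multicast"
    if ip.is_private:  # RFC 1918, loopback, link-local and documentation ranges
        return "private-or-reserved"
    return "global" if ip.is_global else "non-global"


if __name__ == "__main__":
    # Constructed sample: a documentation-prefix IPv6 address whose low 32 bits
    # (0x58146612) decode to 203.0.113.7, itself from the TEST-NET-3
    # documentation range. It is not a value from any real transaction.
    sample = "2001:db8::5814:6612"
    decoded = decode_c2_ipv4(sample)
    print(f"{sample} -> {decoded} ({triage(decoded)})")
    # The constructed sample lands in reserved space, which is exactly the
    # signal triage() is meant to surface when parameters are off.
```

Feed the IPv6 value pulled from the transaction into `decode_c2_ipv4`; if `triage` does not report `global`, re-check the extraction, the key and the byte order before treating the result as an indicator.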

Source: The Hacker News. Tags: Android, Attacks, Botnet, DDoS, Hijacks, Kimwolf, LargeScale, Launches, Million, TVs

Copyright © 2025 Cyber Web Spider Blog – News.