Kimwolf Botnet
Cybersecurity experts have uncovered a massive distributed denial-of-service (DDoS) botnet known as Kimwolf, which has already enlisted over 1.8 million infected devices. These include Android-based TVs, set-top boxes, and tablets. Early investigations suggest a potential connection to the notorious AISURU botnet. The discovery highlights the increasing sophistication of IoT-targeted malware and underscores the critical need for vigilance in protecting connected devices.
Anatomy of Kimwolf
Kimwolf is built with the Android Native Development Kit (NDK) and combines several capabilities beyond traditional DDoS attacks. Key features include:
- Proxy forwarding
- Reverse shell access
- File management functions
The botnet's malware is designed to run as a single process per device, decrypt its embedded Command-and-Control (C2) domains, resolve the C2 IP address using DNS-over-TLS, and execute commands received from its operators.
Record-Breaking Scale and Activity
In just three days, from November 19–22, 2025, Kimwolf reportedly issued 1.7 billion DDoS attack commands. One of its C2 domains, 14emeliaterracewestroxburyma02132[.]su, even briefly appeared among Cloudflare's top 100 domains, surpassing Google temporarily.
Primary infection targets include residential TV boxes such as:
- TV BOX, SuperBOX, HiDPTAndroid
- P200, X96Q, XBOX, SmartTV, MX10
Geographically, infections are concentrated in Brazil, India, the U.S., Argentina, South Africa, and the Philippines, though the exact propagation method remains unclear.
Evolution and Resilience
Kimwolf demonstrates advanced adaptability. Its C2 domains were taken down at least three times in December 2025, prompting the operators to adopt Ethereum Name Service (ENS) domains to make their infrastructure harder to disrupt. Recent versions of the malware incorporate EtherHiding, a technique that fetches the actual C2 IP address via smart contracts and transforms it through XOR operations, making takedowns far more difficult.
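The XOR step matters to analysts because a plain string scan of the contract data will not find an IP address: the value has to be unmasked first. The following is an added example, not Kimwolf's code and not taken from the report, of how an analyst would recover a C2 IPv4 address from a 32-byte contract word. It assumes a hypothetical layout in which the address is stored as a 32-bit big-endian integer XOR-masked with a 32-bit key and placed in the low four bytes of the word; the key and sample values are constructed.

```python
# Added example (not Kimwolf's actual code): recovering a C2 IPv4 address
# from a smart-contract word, assuming a hypothetical layout in which the
# address is a 32-bit integer XOR-masked with a 32-bit key in the low 4 bytes.
# The key, the sample contract word and the address below are constructed.
import ipaddress

ASSUMED_KEY = 0xDEADBEEF          # constructed; a real sample's key comes from reversing it


def unmask_ipv4(masked: int, key: int) -> str:
    """Undo a 32-bit XOR mask and render the result as a dotted quad."""
    raw = (masked ^ key) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(raw))


def mask_ipv4(ip: str, key: int) -> int:
    """Inverse of unmask_ipv4; used here only to build the constructed sample."""
    return (int(ipaddress.IPv4Address(ip)) ^ key) & 0xFFFFFFFF


def decode_contract_word(word_hex: str, key: int) -> str:
    """Take a 32-byte contract return value / storage word as hex and decode
    the masked address assumed to sit in its low 4 bytes."""
    word = int(word_hex, 16)
    return unmask_ipv4(word & 0xFFFFFFFF, key)


def plain_ip_visible(word_hex: str, ip: str) -> bool:
    """Show why string scanning fails: the dotted-quad bytes never appear
    in the masked word, so a grep for the address finds nothing."""
    packed = ipaddress.IPv4Address(ip).packed.hex()
    return packed in word_hex.lower().removeprefix("0x")


# Constructed sample: TEST-NET-3 address, masked and zero-padded to 32 bytes.
SAMPLE_IP = "203.0.113.5"
SAMPLE_WORD = "0x" + "00" * 28 + format(mask_ipv4(SAMPLE_IP, ASSUMED_KEY), "08x")

if __name__ == "__main__":
    print("masked word :", SAMPLE_WORD)
    print("plain visible:", plain_ip_visible(SAMPLE_WORD, SAMPLE_IP))
    print("decoded C2  :", decode_contract_word(SAMPLE_WORD, ASSUMED_KEY))
```

The decoded address is what goes into block lists and detection rules; the masked word is what an on-chain monitor actually sees, which is why monitoring contract reads alone, without the unmasking step, yields no usable indicator.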
Connection to AISURU and Shared Infrastructure
Evidence links Kimwolf to the AISURU botnet, known for record-breaking DDoS attacks:
- Both botnets coexisted on the same infected devices between September and November 2025.
- Similarities in APK packages and code signing certificates ('John Dinglebert Dinglenut VIII VanSack Smith') suggest a shared development origin.
- A downloader server (93.95.112[.]59) confirmed the presence of scripts referencing both Kimwolf and AISURU APKs.
This relationship hints at a single hacker group potentially operating both botnets to maximize reach and evade detection.
Attack Capabilities and Monetization
Kimwolf supports 13 distinct DDoS methods over UDP, TCP, and ICMP, targeting countries including the U.S., China, France, Germany, and Canada. Interestingly, over 96% of issued commands are directed at using infected nodes as proxy services, indicating a strong profit motive.
Additional components deployed to compromised devices include:
- Rust-based Command Client – builds a proxy network
- ByteConnect SDK – monetizes IoT traffic for developers and device owners
TLS encryption secures all communications, while sensitive data about C2 servers and DNS resolvers is also stored encrypted, increasing operational stealth.
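Three of the behaviours described on this page (the anatomy section's DNS-over-TLS resolution, the indicators in the shared-infrastructure section, and the proxy-service use of infected nodes) can be checked from ordinary flow logs on a home or ISP network. The script below is an added example, not the report's or the malware's code: it re-fangs the two indicators quoted on this page, flags TV-box class devices opening DNS-over-TLS sessions (which bypass the local resolver's query logs), and flags IoT devices whose outbound peer fan-out looks like a proxy exit rather than a streaming client. The log format, device names, class labels, fan-out threshold and all flow lines are constructed.

```python
# Added example, not from the original report: triage of home/ISP flow logs
# for behaviours this article attributes to Kimwolf. The log format, device
# names, classes, threshold and every flow line are constructed. The domain
# and IP indicators are the two quoted in the article, kept defanged at rest.
from collections import defaultdict

IOC_DOMAINS = {"14emeliaterracewestroxburyma02132[.]su"}   # C2 domain named in the article
IOC_IPS = {"93.95.112[.]59"}                                # downloader server named in the article
DOT_PORT = 853                 # DNS-over-TLS; queries never reach the home resolver's logs
FANOUT_THRESHOLD = 50          # distinct external peers per IoT device in the window (tuning assumption)
IOT_CLASSES = {"tvbox", "settopbox", "tablet"}   # constructed device-class labels


def refang(ioc: str) -> str:
    """Turn a defanged indicator back into a matchable string."""
    return ioc.replace("[.]", ".")


def parse_flow(line: str) -> dict:
    """Constructed format: '<ts> <device> <class> <dst_host_or_ip> <dst_port> <proto>'."""
    ts, device, cls, dst, port, proto = line.split()
    return {"ts": ts, "device": device, "class": cls, "dst": dst,
            "port": int(port), "proto": proto}


def triage(lines):
    """Return (device, finding_kind, detail) tuples for suspicious flows."""
    findings = []
    peers = defaultdict(set)
    iocs = {refang(d) for d in IOC_DOMAINS} | {refang(i) for i in IOC_IPS}
    for line in lines:
        f = parse_flow(line)
        if f["dst"] in iocs:
            findings.append((f["device"], "ioc_match", f["dst"]))
        is_iot = f["class"] in IOT_CLASSES
        # DoT is normal for laptops and phones (browsers use it); on a TV box it is unusual
        if is_iot and f["proto"] == "tcp" and f["port"] == DOT_PORT:
            findings.append((f["device"], "iot_dns_over_tls", f["dst"]))
        if is_iot:
            peers[f["device"]].add(f["dst"])
    for device, dsts in peers.items():
        if len(dsts) >= FANOUT_THRESHOLD:
            findings.append((device, "proxy_like_fanout", str(len(dsts))))
    return findings


# Constructed sample flows: one box contacting the C2 domain and a public
# resolver over DoT, a laptop doing the same DoT (benign), one set-top box
# hitting the downloader IP, and one tablet fanning out to 60 TEST-NET-2 peers.
SAMPLE_FLOWS = [
    "2025-12-01T10:00:01 tvbox-1 tvbox 14emeliaterracewestroxburyma02132.su 443 tcp",
    "2025-12-01T10:00:02 tvbox-1 tvbox 1.1.1.1 853 tcp",
    "2025-12-01T10:00:03 laptop-3 laptop 1.1.1.1 853 tcp",
    "2025-12-01T10:00:04 settop-4 settopbox 93.95.112.59 80 tcp",
] + [f"2025-12-01T10:01:{i:02d} tablet-2 tablet 198.51.100.{i} 443 tcp" for i in range(60)]


def run_sample():
    return triage(SAMPLE_FLOWS)


if __name__ == "__main__":
    for device, kind, detail in run_sample():
        print(f"{device:10} {kind:20} {detail}")
```

Indicator matches are the highest-confidence signal but go stale as the operators rotate domains; the DoT and fan-out checks are behavioural and survive rotation, at the cost of needing a threshold tuned to what streaming devices on that network normally do.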
The Broader Context of Giant Botnets
Since Mirai's emergence in 2016, giant IoT botnets have evolved significantly. Early versions primarily targeted broadband routers and cameras, but modern botnets such as Badbox, Bigpanzi, Vo1d, and Kimwolf are increasingly focusing on smart TVs and TV boxes, reflecting attackers' shifting interests toward high-bandwidth consumer devices.