A new distributed denial-of-service (DDoS) botnet known as Kimwolf has enlisted a large army of at least 1.8 million infected devices comprising Android-based TVs, set-top boxes, and tablets, and may also be related to another botnet known as AISURU, according to findings from QiAnXin XLab.
“Kimwolf is a botnet compiled using the NDK [Native Development Kit],” the company said in a report published today. “In addition to typical DDoS attack capabilities, it integrates proxy forwarding, reverse shell, and file management capabilities.”
The hyper-scale botnet is estimated to have issued 1.7 billion DDoS attack commands within a three-day period between November 19 and 22, 2025, around the same time one of its command-and-control (C2) domains – 14emeliaterracewestroxburyma02132[.]su – came first in Cloudflare’s list of the top 100 domains, briefly even surpassing Google.
Kimwolf’s main infection targets are TV boxes deployed in residential network environments. Some of the affected device models include TV BOX, SuperBOX, HiDPTAndroid, P200, X96Q, XBOX, SmartTV, and MX10. Infections are scattered globally, with Brazil, India, the U.S., Argentina, South Africa, and the Philippines registering higher concentrations. That said, the exact means by which the malware is propagated to these devices is currently unclear.
XLab said its investigation into the botnet commenced after it obtained a “version 4” artifact of Kimwolf from a trusted community partner on October 24, 2025. Since then, a further eight samples were discovered last month.
“We observed that Kimwolf’s C2 domains were successfully taken down by unknown parties at least three times [in December], forcing it to upgrade its tactics and switch to using ENS (Ethereum Name Service) to harden its infrastructure, demonstrating its powerful evolutionary capability,” XLab researchers said.
That's not all. Earlier this month, XLab managed to successfully seize control of one of the C2 domains, enabling it to assess the size of the botnet.
An interesting aspect of Kimwolf is that it is tied to the notorious AISURU botnet, which has been behind some of the record-breaking DDoS attacks over the past year. It is suspected that the attackers reused code from AISURU in the early stages, before opting to develop the Kimwolf botnet to evade detection.
XLab said it is possible some of these attacks may not have come from AISURU alone, and that Kimwolf may be either participating in or even leading the efforts.
“These two major botnets propagated through the same infection scripts between September and November, coexisting in the same batch of devices,” the company said. “They actually belong to the same hacker group.”
This assessment is based on similarities in APK packages uploaded to the VirusTotal platform, in some cases even using the same code signing certificate (“John Dinglebert Dinglenut VIII VanSack Smith”). Further definitive proof arrived on December 8, 2025, with the discovery of an active downloader server (“93.95.112[.]59”) that contained a script referencing APKs for both Kimwolf and AISURU.
The malware itself is fairly simple. Once launched, it ensures that only one instance of the process runs on the infected device, after which it proceeds to decrypt the embedded C2 domain, uses DNS-over-TLS to obtain the C2 IP address, and connects to it in order to receive and execute commands.
Recent versions of the botnet malware, detected as recently as December 12, 2025, have introduced a technique known as EtherHiding that uses an ENS domain (“pawsatyou[.]eth”) to fetch the actual C2 IP from the associated smart contract (0xde569B825877c47fE637913eCE5216C644dE081F) in an effort to render its infrastructure more resilient to takedown efforts.
Specifically, this involves extracting an IPv6 address from the “lol” field of the transaction, then taking the last four bytes of the address and performing an XOR operation with the key “0x93141715” to obtain the actual IP address.
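The decoding step described above is what an analyst needs to reproduce in order to turn the on-chain value into a blockable C2 indicator. The following is an added example, not XLab's code or anything taken from the malware: it assumes the IPv6 value has already been pulled out of the transaction's “lol” field (the ENS and smart-contract lookup itself is out of scope), that the last four bytes are read in network byte order, and the sample field values are constructed so that the decoded addresses fall in documentation and loopback space rather than at any real host.

```python
"""Decode Kimwolf-style EtherHiding C2 addresses for threat-intel/blocklist work.

Added example; not XLab's or the botnet's code. Assumes the IPv6 value was
already extracted from the smart-contract transaction's "lol" field and that
its trailing four bytes are in network (big-endian) byte order.
"""
import ipaddress
from typing import Dict, Iterable

# XOR key XLab reported for current Kimwolf samples.
KIMWOLF_XOR_KEY = 0x93141715

# Constructed sample values shaped like the "lol" field. The prefix is the
# IPv6 documentation range; the low four bytes were chosen so the first decodes
# to TEST-NET-3 (203.0.113.10) and the second to loopback (127.0.0.1).
SAMPLE_LOL_FIELD = "2001:db8::5814:661f"
SAMPLE_BAD_FIELD = "2001:db8::ec14:1714"


def decode_c2_ipv4(ipv6_text: str, key: int = KIMWOLF_XOR_KEY) -> ipaddress.IPv4Address:
    """Recover the IPv4 C2 address hidden in the last four bytes of an IPv6 address.

    Raises ValueError if the field is not a syntactically valid IPv6 address.
    """
    addr = ipaddress.IPv6Address(ipv6_text)            # validates the field
    tail = int.from_bytes(addr.packed[-4:], "big")     # last 4 bytes, assumed network order
    return ipaddress.IPv4Address(tail ^ key)


def looks_routable(ip: ipaddress.IPv4Address) -> bool:
    """Analyst sanity check: a decode that yields an address no server could
    listen on (0.0.0.0, loopback, multicast, link-local, 240/4) usually means
    the key or byte order changed in a newer sample."""
    return not (ip.is_unspecified or ip.is_loopback or ip.is_multicast
                or ip.is_link_local or ip.is_reserved)


def decode_candidates(values: Iterable[str]) -> Dict[str, str]:
    """Decode a batch of candidate field values (e.g. from several transactions)
    into a map of raw field -> decoded IPv4, or an error/warning string."""
    out: Dict[str, str] = {}
    for raw in values:
        try:
            ip = decode_c2_ipv4(raw)
        except ValueError as exc:
            out[raw] = f"invalid: {exc}"
            continue
        out[raw] = str(ip) if looks_routable(ip) else f"{ip} (implausible; re-check key/byte order)"
    return out


if __name__ == "__main__":
    results = decode_candidates([SAMPLE_LOL_FIELD, SAMPLE_BAD_FIELD, "not-an-address"])
    for raw, result in results.items():
        print(f"{raw:<24} -> {result}")
```

The `looks_routable` check matters in practice: when a new sample rotates the XOR key or flips byte order, the decode still "succeeds" but produces garbage, and flagging loopback or multicast results is a cheap way to notice that before an address ends up on a blocklist.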
Besides encrypting sensitive data related to C2 servers and DNS resolvers, Kimwolf uses TLS encryption for network communications to receive DDoS commands. In all, the malware supports 13 DDoS attack methods over UDP, TCP, and ICMP. The attack targets, per XLab, are located in the U.S., China, France, Germany, and Canada.
Further analysis has determined that over 96% of the commands relate to using the bot nodes for providing proxy services. This indicates the attackers’ attempts to exploit the bandwidth of compromised devices and maximize profit. As part of the effort, a Rust-based Command Client module is deployed to form a proxy network.
Also delivered to the nodes is a ByteConnect software development kit (SDK), a monetization solution that allows app developers and IoT device owners to monetize their traffic.
“Large botnets originated with Mirai in 2016, with infection targets primarily focused on IoT devices like home broadband routers and cameras,” XLab said. “However, in recent years, information on several million-level giant botnets like Badbox, Bigpanzi, Vo1d, and Kimwolf has been disclosed, indicating that some attackers have started to turn their attention to various smart TVs and TV boxes.”