Kimwolf Botnet Hijacks 1.8 Million Android TVs, Launches Large-Scale DDoS Attacks

News Room, published 17 December 2025 (last updated 2025/12/17 at 2:43 PM)

A new distributed denial-of-service (DDoS) botnet known as Kimwolf has enlisted a massive army of no less than 1.8 million infected devices comprising Android-based TVs, set-top boxes, and tablets, and may be associated with another botnet known as AISURU, according to findings from QiAnXin XLab.

“Kimwolf is a botnet compiled using the NDK [Native Development Kit],” the company said in a report published today. “In addition to typical DDoS attack capabilities, it integrates proxy forwarding, reverse shell, and file management functions.”

The hyper-scale botnet is estimated to have issued 1.7 billion DDoS attack commands within a three-day period between November 19 and 22, 2025, around the same time one of its command-and-control (C2) domains – 14emeliaterracewestroxburyma02132[.]su – came first in Cloudflare’s list of top 100 domains, briefly even surpassing Google.

Kimwolf’s primary infection targets are TV boxes deployed in residential network environments. Some of the affected device models include TV BOX, SuperBOX, HiDPTAndroid, P200, X96Q, XBOX, SmartTV, and MX10. Infections are scattered globally, with Brazil, India, the U.S., Argentina, South Africa, and the Philippines registering higher concentrations. That said, the exact means by which the malware is propagated to these devices is presently unclear.

XLab said its investigation into the botnet commenced after it received a “version 4” artifact of Kimwolf from a trusted community partner on October 24, 2025. Since then, an additional eight samples were discovered last month.

“We observed that Kimwolf’s C2 domains have been successfully taken down by unknown parties at least three times [in December], forcing it to upgrade its tactics and turn to using ENS (Ethereum Name Service) to harden its infrastructure, demonstrating its powerful evolutionary capability,” XLab researchers said.

That’s not all. Earlier this month, XLab seized control of one of the C2 domains, which allowed it to measure the size of the botnet.

An interesting aspect of Kimwolf is that it’s tied to the infamous AISURU botnet, which has been behind some of the record-breaking DDoS attacks over the past year. It’s suspected that the attackers reused code from AISURU in the early stages, before opting to develop the Kimwolf botnet to evade detection.

XLab said it’s possible that some of these attacks did not come from AISURU alone, and that Kimwolf may have been participating in, or even leading, those efforts.

“These two major botnets propagated through the same infection scripts between September and November, coexisting in the same batch of devices,” the company said. “They actually belong to the same hacker group.”

This assessment is based on similarities in APK packages uploaded to the VirusTotal platform, in some cases even using the same code signing certificate (“John Dinglebert Dinglenut VIII VanSack Smith”). Further definitive evidence arrived on December 8, 2025, with the discovery of an active downloader server (“93.95.112[.]59”) that contained a script referencing APKs for both Kimwolf and AISURU.

The malware itself is fairly straightforward. Once launched, it ensures that only one instance of the process runs on the infected device, decrypts the embedded C2 domain, resolves it over DNS-over-TLS to obtain the C2 IP address, and connects to that address to receive and execute commands.

Recent versions of the botnet malware detected as recently as December 12, 2025, have introduced a technique known as EtherHiding that makes use of an ENS domain (“pawsatyou[.]eth”) to fetch the actual C2 IP from the associated smart contract (0xde569B825877c47fE637913eCE5216C644dE081F) in an effort to render its infrastructure more resilient to takedown efforts.

Specifically, this involves extracting an IPv6 address from the “lol” field of the transaction, then taking the last four bytes of the address and performing an XOR operation with the key “0x93141715” to get the actual IP address.
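The decoding step described above, written out as an added Python example for analysts who want to recover a C2 address from a recovered contract record. This is not XLab's code, nor anything from the malware; it only implements the transformation the report describes. Two things are assumed here because the report does not state them: the "lol" field holds the IPv6 address as a text string, and the four-byte key 0x93141715 is applied in big-endian (network) byte order against the last four bytes of the address. The sample record and the resulting 203.0.113.10 address are constructed test values from the TEST-NET-3 documentation range, not real indicators.

```python
import ipaddress
import json

# Key as given in the XLab report; byte order is an assumption (big-endian).
KIMWOLF_XOR_KEY = 0x93141715


def decode_c2_ipv4(ipv6_text: str, key: int = KIMWOLF_XOR_KEY) -> str:
    """Recover the IPv4 C2 address hidden in the tail of an IPv6 address.

    Steps, as described in the report:
      1. parse the IPv6 address into its 16 raw bytes,
      2. keep the last four bytes,
      3. XOR them with the four-byte key,
      4. render the result as dotted-quad IPv4.
    Raises ValueError if the input is not a valid IPv6 address.
    """
    packed = ipaddress.IPv6Address(ipv6_text).packed  # 16 bytes
    tail = packed[-4:]
    key_bytes = key.to_bytes(4, "big")  # assumption: network byte order
    plain = bytes(a ^ b for a, b in zip(tail, key_bytes))
    return str(ipaddress.IPv4Address(plain))


def decode_from_record(record_json: str, field: str = "lol") -> str:
    """Pull the IPv6 string out of a JSON record (assumed shape) and decode it.

    The contract payload format is not described beyond the field name, so a
    flat JSON object with a "lol" key is assumed here.
    """
    record = json.loads(record_json)
    if field not in record:
        raise KeyError(f"record has no '{field}' field")
    return decode_c2_ipv4(record[field])


# Constructed sample: 2001:db8::5814:661f is a documentation-range IPv6 whose
# last four bytes (58 14 66 1f) XOR 93 14 17 15 give cb 00 71 0a = 203.0.113.10.
SAMPLE_RECORD = json.dumps({"lol": "2001:db8::5814:661f"})

if __name__ == "__main__":
    print(decode_from_record(SAMPLE_RECORD))  # 203.0.113.10
```

Because XOR is its own inverse, the same function run against a known C2 address yields the IPv6 tail an analyst should expect to see in the contract data, which is useful when writing a detection rule for future contract updates: a changed "lol" value decodes directly to the new C2 without any further reverse engineering.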

Besides encrypting sensitive data related to C2 servers and DNS resolvers, Kimwolf uses TLS encryption for network communications to receive DDoS commands. In all, the malware supports 13 DDoS attack methods over UDP, TCP, and ICMP. The attack targets, per XLab, are located in the U.S., China, France, Germany, and Canada.

Further analysis has determined that over 96% of the commands instruct the bot nodes to provide proxy services, indicating that the attackers are primarily trying to monetize the bandwidth of compromised devices. As part of that effort, a Rust-based Command Client module is deployed to the nodes to form a proxy network.

Also delivered to the nodes is a ByteConnect software development kit (SDK), a monetization solution that allows app developers and IoT device owners to monetize their traffic.

“Giant botnets originated with Mirai in 2016, with infection targets mainly concentrated on IoT devices like home broadband routers and cameras,” XLab said. “However, in recent years, information on multiple million-level giant botnets like Badbox, Bigpanzi, Vo1d, and Kimwolf has been disclosed, indicating that some attackers have started to turn their attention to various smart TVs and TV boxes.”
