Kimwolf Botnet Infects 1.8 Million Smart Devices With DDoS Capabilities

QiAnXin XLab has identified a large-scale distributed denial-of-service botnet named Kimwolf, which has compromised over 1.8 million Android-based devices including smart TVs, set-top boxes, and tablets. The malware, which may be linked to the AISURU botnet, was observed executing 1.7 billion DDoS attack commands within a three-day period from November 19 to 22, 2025. During this period, one of its command-and-control domains, 14emeliaterracewestroxburyma02132[.]su, briefly topped Cloudflare’s list of top 100 domains, surpassing even Google. The botnet primarily targets residential TV boxes, with models such as TV BOX, SuperBOX, HiDPTAndroid, P200, X96Q, XBOX, SmartTV, and MX10 among those infected. While infections are distributed worldwide, higher concentrations have been recorded in Brazil, India, the U.S., Argentina, South Africa, and the Philippines, though the exact propagation method remains unclear.

Kimwolf is built using the Native Development Kit and offers a combination of DDoS attack capabilities along with proxy forwarding, reverse shell, and file management functions. XLab began investigating the botnet after receiving a version 4 sample on October 24, 2025, and has since discovered eight additional variants. The botnet has shown the ability to adapt its infrastructure, using ENS domains to harden its command-and-control operations following repeated takedowns of its C2 domains. Researchers were able to temporarily seize control of one domain, revealing a peak of approximately 1.83 million active bot IPs on a single day. Evidence suggests that Kimwolf shares a connection with AISURU, including the use of the same infection scripts, overlapping device targets, and APK similarities detected on VirusTotal, in some cases signed with the same code certificate, “John Dinglebert Dinglenut VIII VanSack Smith.”

The malware operates by ensuring that only a single process instance runs on an infected device, decrypting the embedded C2 domain, and resolving it over DNS-over-TLS to obtain the IP address from which it receives commands. Recent versions of Kimwolf, identified as of December 12, 2025, introduced a technique called EtherHiding, which leverages an ENS domain, pawsatyou[.]eth, and a smart contract to dynamically fetch the C2 IP address. This mechanism extracts an IPv6 address and applies an XOR operation to derive the actual C2 IP, strengthening resilience against takedowns. All network communications are TLS encrypted, and the malware supports 13 types of DDoS attacks over UDP, TCP, and ICMP targeting regions including the U.S., China, France, Germany, and Canada.
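The two network indicators the article names, the C2 domain in the opening paragraph and the ENS name above, are the kind of thing a defender would sweep resolver logs for. The following is an added example, not code from the article or from XLab: it refangs report-style indicators and matches them against constructed DNS query log lines (the log format and all addresses are made up for the example), treating subdomains of an indicator as hits.

```python
"""Sweep DNS query logs for the Kimwolf indicators named in the article.

Added example, not part of the original article or of XLab's report.
The log lines are constructed for illustration; the indicator domains are
the two named in the text, written defanged the way threat reports print them.
"""
import re

# Defanged indicators exactly as the article prints them.
DEFANGED_IOCS = [
    "14emeliaterracewestroxburyma02132[.]su",  # C2 domain from the article
    "pawsatyou[.]eth",                         # ENS name used by EtherHiding
]

# Constructed sample of resolver logs (hypothetical format: ts src query type name).
SAMPLE_LOG = """\
2025-11-20T10:01:02Z 192.0.2.10 query A www.example.com
2025-11-20T10:01:05Z 192.0.2.44 query A 14emeliaterracewestroxburyma02132.su
2025-11-20T10:01:09Z 192.0.2.44 query AAAA cdn.14emeliaterracewestroxburyma02132.su
2025-11-20T10:02:30Z 192.0.2.10 query A notpawsatyou.eth
"""

# Hypothetical log layout; adjust the pattern for a real resolver's format.
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+query\s+(?P<qtype>\S+)\s+(?P<name>\S+)$"
)


def refang(indicator: str) -> str:
    """Turn a defanged domain ('[.]' or '(.)' for '.') back into a real one."""
    return indicator.replace("[.]", ".").replace("(.)", ".").lower().rstrip(".")


def domain_matches(queried: str, ioc: str) -> bool:
    """True if the queried name is the indicator itself or a subdomain of it.

    Requiring the '.' boundary avoids false positives such as
    'notpawsatyou.eth' matching 'pawsatyou.eth'.
    """
    q = queried.lower().rstrip(".")
    return q == ioc or q.endswith("." + ioc)


def scan_dns_log(text: str, defanged_iocs=DEFANGED_IOCS) -> list:
    """Return one hit dict per log line whose queried name matches an indicator."""
    iocs = [refang(i) for i in defanged_iocs]
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the expected layout
        for ioc in iocs:
            if domain_matches(m["name"], ioc):
                hits.append({"ts": m["ts"], "src": m["src"],
                             "name": m["name"], "ioc": ioc})
                break
    return hits


def sources_by_ioc(hits: list) -> dict:
    """Group the source addresses that queried each indicator, for triage."""
    out = {}
    for h in hits:
        out.setdefault(h["ioc"], set()).add(h["src"])
    return out


if __name__ == "__main__":
    found = scan_dns_log(SAMPLE_LOG)
    for h in found:
        print(f"{h['ts']} {h['src']} -> {h['name']} (matches {h['ioc']})")
    for ioc, srcs in sources_by_ioc(found).items():
        print(f"{ioc}: {len(srcs)} source(s) to investigate")
```

An ENS name such as pawsatyou[.]eth is resolved through Ethereum rather than the DNS, so it is unlikely to appear in resolver logs; it is kept in the indicator list because the same matcher can be pointed at web-proxy or gateway logs once the name field is extracted.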

Analysis by XLab indicates that more than 96 percent of commands relate to using compromised devices as proxy nodes, likely to exploit bandwidth for profit. The malware also delivers a Rust-based Command Client module to establish a proxy network, alongside a ByteConnect software development kit to monetize traffic from infected devices. Kimwolf’s emergence highlights a trend in which cybercriminals have shifted focus from traditional IoT devices like routers and cameras to smart TVs and TV boxes, building hyper-scale botnets capable of generating extensive network traffic and supporting multifaceted operations. Previous large-scale botnets like Mirai, Badbox, Bigpanzi, and Vo1d laid the groundwork for this evolution, with Kimwolf representing a modern iteration in this class of malware.
