Imagine nearly 2 million Android TVs, set-top boxes, and tablets secretly hijacked to launch devastating cyberattacks. That’s the chilling reality of the Kimwolf botnet, a new and powerful threat that’s sending shockwaves through the cybersecurity world. But here’s where it gets even more alarming: Kimwolf isn’t just another botnet; it’s potentially linked to the notorious AISURU botnet, responsible for some of the most massive DDoS attacks in recent history. According to QiAnXin XLab, Kimwolf has amassed a staggering 1.8 million infected devices, transforming them into a formidable army capable of launching 1.7 billion DDoS attack commands in just three days!
And this is the part most people miss: Kimwolf isn’t your average botnet. It’s a sophisticated piece of malware, built using the Android Native Development Kit (NDK), boasting features like proxy forwarding, reverse shell capabilities, and file management. This versatility allows it to go beyond simple DDoS attacks, potentially enabling data theft or other malicious activities.
Think of it like a digital Swiss Army knife for cybercriminals.
Kimwolf primarily targets TV boxes in homes, with popular models like TV BOX, SuperBOX, and X96Q falling victim. The infection is global, with hotspots in Brazil, India, the US, Argentina, South Africa, and the Philippines. But how exactly does it spread? That’s still a mystery, leaving security experts scrambling to uncover its propagation methods.
XLab’s investigation began in October 2025, when they received a sample of Kimwolf from a trusted partner. Since then, they’ve discovered eight more variants, highlighting its rapid evolution. Interestingly, Kimwolf’s command-and-control (C2) domains have been taken down multiple times, forcing the attackers to adapt. They’ve even turned to the Ethereum Name Service (ENS) to make their infrastructure more resilient, showcasing their determination and technical prowess.
This raises a crucial question: Are we witnessing the rise of a new breed of botnet, one that’s constantly evolving and becoming increasingly difficult to combat?
The connection to AISURU is particularly concerning. XLab believes the attackers may have reused code from AISURU initially, before developing Kimwolf to evade detection. This suggests a level of sophistication and organization that’s truly alarming. Could Kimwolf be the next big player in the world of DDoS attacks, potentially surpassing even AISURU’s destructive capabilities?
The malware itself is relatively straightforward. Once installed, it ensures only one instance runs on the infected device, decrypts the C2 domain, and uses DNS-over-TLS to connect to the command server. Recent versions have adopted a technique called EtherHiding, leveraging ENS domains and smart contracts to obfuscate their C2 infrastructure, making takedowns even more challenging.
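A defender-side triage check for the DNS-over-TLS behaviour described above, added here as an illustration and not taken from XLab's report: it scans flow records for devices in a TV-box/IoT network segment that open DoT sessions (TCP 853) to resolvers the network owner has not approved. The log format, subnet, and resolver allowlist are assumptions, and the sample records are constructed; because Android's Private DNS feature also uses DoT, a hit is a lead to investigate rather than proof of infection.

```python
import ipaddress
from collections import defaultdict

# Assumptions (not from the article): the log format, the IoT subnet and the
# approved-resolver list are hypothetical; replace them with local values.
IOT_SUBNET = ipaddress.ip_network("10.20.0.0/24")
APPROVED_DOT_RESOLVERS = {"192.0.2.53"}
DOT_PORT = 853  # DNS-over-TLS (RFC 7858)

# Constructed flow records: "timestamp src_ip dst_ip dst_port proto"
SAMPLE_FLOWS = """\
2025-01-01T10:00:01Z 10.20.0.15 192.0.2.53 853 tcp
2025-01-01T10:00:02Z 10.20.0.15 198.51.100.7 853 tcp
2025-01-01T10:00:03Z 10.20.0.22 203.0.113.9 443 tcp
2025-01-01T10:00:04Z 10.30.0.8 198.51.100.7 853 tcp
2025-01-01T10:00:05Z 10.20.0.15 198.51.100.7 853 tcp
malformed line
2025-01-01T10:00:06Z 10.20.0.40 203.0.113.200 853 tcp
"""

def parse_flow(line):
    """Parse one record; return None for anything malformed."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, dst, port, proto = parts
    try:
        return ts, ipaddress.ip_address(src), dst, int(port), proto.lower()
    except ValueError:
        return None

def find_unapproved_dot(log_text):
    """Return {iot_device_ip: {resolver_ip: count}} for DoT to unapproved resolvers."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        rec = parse_flow(line)
        if rec is None:
            continue
        _, src, dst, port, proto = rec
        if proto != "tcp" or port != DOT_PORT:
            continue  # not a DoT session
        if src not in IOT_SUBNET or dst in APPROVED_DOT_RESOLVERS:
            continue  # outside the watched segment, or a sanctioned resolver
        hits[str(src)][dst] += 1
    return {dev: dict(resolvers) for dev, resolvers in hits.items()}

if __name__ == "__main__":
    for device, resolvers in find_unapproved_dot(SAMPLE_FLOWS).items():
        print(device, resolvers)
```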
This constant innovation highlights the cat-and-mouse game between cybercriminals and security researchers. As defenses improve, attackers adapt, creating a never-ending cycle of escalation.
Kimwolf’s capabilities extend beyond DDoS attacks. Over 96% of its commands are related to providing proxy services, indicating the attackers are also exploiting compromised devices for profit. They even deploy a Rust-based Command Client module to create a proxy network, along with a monetization SDK called ByteConnect, allowing them to generate revenue from the hijacked devices.
The rise of Kimwolf signals a disturbing trend: botnets are increasingly targeting smart TVs and TV boxes, devices often overlooked in terms of security. From Mirai in 2016 to Badbox, Bigpanzi, and now Kimwolf, it’s clear that attackers are shifting their focus to these vulnerable devices. So, what can we do? Strengthening security on our smart devices is crucial. Regular updates, strong passwords, and vigilance against suspicious activity are essential.
But ultimately, the fight against botnets like Kimwolf requires a collective effort from security researchers, device manufacturers, and internet service providers. Only by working together can we hope to stay one step ahead of these ever-evolving threats.

