Massive Kimwolf Botnet Hijacks 1.8M Android TVs for DDoS Attack

Kimwolf: A Powerful Android Botnet Infecting 1.8 Million Devices with Advanced DDoS, Proxy, and Blockchain Techniques

  • A new Android-based botnet called Kimwolf has compromised 1.8 million devices such as smart TVs, set-top boxes, and tablets worldwide.
  • Between November 19 and 22, 2025, Kimwolf issued 1.7 billion distributed denial-of-service (DDoS) commands targeting countries including the U.S., China, France, Germany, and Canada.
  • The botnet uses advanced methods like proxy forwarding, reverse shell access, and encrypted communications, integrating Ethereum Name Service (ENS) for resilience.
  • Kimwolf appears linked to the AISURU botnet, sharing infection scripts and code, indicating they are operated by the same hacker group.
  • Most commands focus on creating proxy services to monetize bandwidth, deploying a Rust-based Command Client and ByteConnect software development kit on infected devices.

A large-scale DDoS botnet named Kimwolf has infected approximately 1.8 million Android-based devices, including TVs, set-top boxes, and tablets, according to investigations conducted between October and December 2025. The botnet issued 1.7 billion attack instructions over three days, from November 19 to 22, 2025. Infected devices are primarily found in Brazil, India, the U.S., Argentina, South Africa, and the Philippines.

Kimwolf was built with the Android Native Development Kit (NDK), which gives it capabilities beyond typical DDoS attacks. It supports proxy forwarding, reverse shell execution (a method allowing remote control), and file management. The malware connects to command-and-control (C2) servers, whose addresses it obtains using DNS-over-TLS for encrypted DNS requests. Researchers managed to seize control of one of these domains and found that it briefly topped Cloudflare’s top 100 domains list, even surpassing Google during the attack period.
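
One way a defender might surface the DNS-over-TLS lookups described above in network flow logs, as an added example that is not part of the original report. It assumes DoT on its standard TCP port 853 (RFC 7858), a hypothetical media-device subnet and resolver allowlist, and constructed sample flow records.

```python
import csv
import io
from collections import defaultdict
from ipaddress import ip_address, ip_network

DOT_PORT = 853  # DNS-over-TLS standard port (RFC 7858)

# Assumptions: the subnet holding TVs/set-top boxes and the site's approved resolvers.
MEDIA_DEVICE_NET = ip_network("10.20.0.0/24")
APPROVED_RESOLVERS = {ip_address("10.0.0.53")}

# Constructed flow records (documentation-range destinations), not real traffic.
SAMPLE_FLOWS = """ts,src,dst,proto,dport,bytes
2025-11-20T10:00:01Z,10.20.0.15,10.0.0.53,udp,53,120
2025-11-20T10:00:05Z,10.20.0.15,203.0.113.8,tcp,853,2400
2025-11-20T10:02:05Z,10.20.0.15,203.0.113.8,tcp,853,2380
2025-11-20T10:03:00Z,10.20.0.22,10.0.0.53,tcp,853,900
2025-11-20T10:04:00Z,10.30.0.7,198.51.100.9,tcp,853,1500
2025-11-20T10:05:00Z,10.20.0.31,198.51.100.9,tcp,443,88000
2025-11-20T10:06:00Z,10.20.0.31,bad-address,tcp,853,10
"""

def unapproved_dot_flows(flow_csv):
    """Return {device_ip: {resolver_ip: flow_count}} for media devices that
    open DNS-over-TLS sessions to resolvers outside the approved set."""
    hits = defaultdict(lambda: defaultdict(int))
    for row in csv.DictReader(io.StringIO(flow_csv)):
        try:
            src, dst = ip_address(row["src"]), ip_address(row["dst"])
            dport = int(row["dport"])
        except (ValueError, KeyError, TypeError):
            continue  # skip malformed records instead of aborting the run
        if (row.get("proto") or "").lower() != "tcp" or dport != DOT_PORT:
            continue  # not a DoT session
        if src not in MEDIA_DEVICE_NET or dst in APPROVED_RESOLVERS:
            continue  # out of scope, or using the sanctioned resolver
        hits[str(src)][str(dst)] += 1
    return {dev: dict(res) for dev, res in hits.items()}

if __name__ == "__main__":
    for device, resolvers in unapproved_dot_flows(SAMPLE_FLOWS).items():
        for resolver, count in resolvers.items():
            print(f"{device} -> {resolver}:{DOT_PORT} ({count} flows)")
```

Android's Private DNS feature also uses port 853, so a hit here is a lead for triage against the device inventory rather than a verdict.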

The infected devices mostly include models such as TV BOX, SuperBOX, HiDPTAndroid, P200, X96Q, XBOX, SmartTV, and MX10. While the exact infection method is unclear, the botnet’s infrastructure has adapted to disruptions by using Ethereum Name Service (ENS), leveraging smart contracts to obtain C2 IP addresses. This technique, called EtherHiding, adds resilience against takedown efforts by encrypting C2 details within Ethereum blockchain transactions.

Kimwolf is strongly associated with the AISURU botnet, which has launched major DDoS attacks over the past year. Both botnets share infection scripts and code, sometimes even the same digital signature certificate (“John Dinglebert Dinglenut VIII VanSack Smith”), confirming they belong to the same threat actor. A downloader server identified on December 8, 2025, contained scripts referencing both botnets.

The malware ensures only one active process runs per device and supports 13 different types of DDoS attacks over UDP, TCP, and ICMP protocols. Over 96% of issued commands are proxy-related, indicating the attackers’ focus on exploiting bandwidth for profit. To build and manage the proxy network, the botnet deploys a Rust-based Command Client and distributes ByteConnect SDK, a tool that helps monetize app and IoT traffic.

The rise of Kimwolf marks a shift from earlier malware mainly targeting IoT devices like routers and cameras, with attackers increasingly focusing on smart TVs and related devices globally.

For further details, see the original research report and related VirusTotal samples. The Ethereum smart contract involved is accessible here.
