Kimwolf Botnet Unleashes 1.8 Million Android TVs in Massive DDoS Assault
- John Jordan
- 6 hours ago
A formidable new botnet, dubbed Kimwolf, has compromised an estimated 1.8 million Android-based devices, primarily smart TVs and set-top boxes, to launch large-scale distributed denial-of-service (DDoS) attacks. The botnet's immense scale and sophisticated capabilities have raised significant cybersecurity concerns.
Key Takeaways
Massive Scale: Kimwolf has infected approximately 1.8 million Android devices globally.
Targeted Devices: Primarily targets Android-based TVs, set-top boxes, and tablets, often those lacking robust security.
DDoS Capabilities: Capable of launching significant DDoS attacks, with evidence of issuing billions of commands.
Advanced Features: Integrates proxy forwarding, reverse shell, and file management functions.
Evasion Tactics: Employs techniques like DNS-over-TLS (DoT) and ENS domains to evade detection and takedown efforts.
AISURU Connection: Shows strong links to the AISURU botnet, suggesting a shared developer or code reuse.
The Kimwolf Threat Emerges
The Kimwolf botnet, compiled using the Android Native Development Kit (NDK), has rapidly emerged as a significant threat. Security researchers from QiAnXin XLab first identified the botnet after receiving an early sample in October 2025. Its command-and-control (C2) domains have even briefly surpassed Google in global domain popularity rankings on Cloudflare, highlighting its extensive reach.
Devastating DDoS Attacks
Between November 19 and 22, 2025, Kimwolf issued an astonishing 1.7 billion DDoS attack commands. The botnet supports 13 different DDoS attack methods over UDP, TCP, and ICMP, targeting infrastructure in countries including the U.S., China, France, Germany, and Canada. Beyond direct attacks, over 96% of its commands are used for proxy services, exploiting the bandwidth of compromised devices for malicious purposes.
Sophisticated Evasion and Resilience
Kimwolf employs advanced techniques to maintain its operations and evade security measures. It utilizes DNS-over-TLS (DoT) to conceal its communication patterns and has recently adopted Ethereum Name Service (ENS) domains, such as "pawsatyou[.]eth," to dynamically retrieve C2 IP addresses from smart contracts. This makes its infrastructure more resilient to takedown attempts. The botnet also uses TLS encryption for network communications and implements the Elliptic Curve Digital Signature Algorithm (ECDSA) for command verification.
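As an added illustration (not from the article or from XLab's research) of how a network defender might surface the behaviours described above: a small Python rule set over constructed Zeek-style connection and HTTP records that flags devices on a TV/set-top segment for using DoT, for reading a smart contract through Ethereum JSON-RPC, or for pushing unusually large outbound volumes. The segment address, the byte threshold, the sample records and the use of eth_call as the contract-read path are all assumptions.

```python
import json
from ipaddress import ip_address, ip_network

# Assumptions (not from the article): TVs/set-top boxes live in this segment, and the
# sample records mimic Zeek conn.log / http.log fields. All addresses are constructed.
IOT_SEGMENT = ip_network("192.168.50.0/24")
DOT_PORT = 853                         # DNS-over-TLS, named in the article as an evasion tactic
EGRESS_BYTES_THRESHOLD = 50_000_000    # a TV sending 50 MB+ in one flow suggests proxy/DDoS use

SAMPLE_CONN = [  # constructed: a TV using DoT, the same TV sending 120 MB outbound, a laptop using DoT
    {"orig_h": "192.168.50.21", "resp_h": "198.51.100.53", "resp_p": 853, "proto": "tcp", "orig_bytes": 3_100},
    {"orig_h": "192.168.50.21", "resp_h": "203.0.113.9", "resp_p": 80, "proto": "tcp", "orig_bytes": 120_000_000},
    {"orig_h": "192.168.10.5", "resp_h": "198.51.100.53", "resp_p": 853, "proto": "tcp", "orig_bytes": 900},
]
SAMPLE_HTTP = [  # constructed: the TV reading a smart contract via Ethereum JSON-RPC, plus a benign GET
    {"orig_h": "192.168.50.21", "method": "POST",
     "post_body": '{"jsonrpc":"2.0","id":1,"method":"eth_call","params":[{"to":"0x<contract>","data":"0x"},"latest"]}'},
    {"orig_h": "192.168.50.33", "method": "GET", "post_body": ""},
]

def in_iot_segment(host: str) -> bool:
    return ip_address(host) in IOT_SEGMENT

def is_eth_rpc_read(body: str) -> bool:
    """True if an HTTP body is an Ethereum JSON-RPC contract read (eth_call).
    Assumption: fetching a C2 address from an ENS/smart-contract record goes through eth_call."""
    try:
        msg = json.loads(body)
    except ValueError:
        return False
    return isinstance(msg, dict) and msg.get("jsonrpc") == "2.0" and msg.get("method") == "eth_call"

def find_suspect_devices(conn_records, http_records):
    """Return {host: sorted rule names} for IoT-segment hosts that trip at least one rule."""
    findings = {}
    def flag(host, rule):
        findings.setdefault(host, set()).add(rule)
    for r in conn_records:
        if not in_iot_segment(r["orig_h"]):
            continue  # DoT from a laptop or phone is normal; only the TV segment is scored
        if r["proto"] == "tcp" and r["resp_p"] == DOT_PORT:
            flag(r["orig_h"], "dot_from_tv")
        if r["orig_bytes"] >= EGRESS_BYTES_THRESHOLD:
            flag(r["orig_h"], "heavy_egress")
    for r in http_records:
        if in_iot_segment(r["orig_h"]) and r["method"] == "POST" and is_eth_rpc_read(r["post_body"]):
            flag(r["orig_h"], "eth_rpc_contract_read")
    return {h: sorted(rules) for h, rules in findings.items()}
```

Running find_suspect_devices(SAMPLE_CONN, SAMPLE_HTTP) flags only the TV at 192.168.50.21 on all three rules; the laptop's DoT use is ignored because it sits outside the TV segment.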
Links to AISURU and Shared Infrastructure
Investigations reveal a strong association between Kimwolf and the AISURU botnet, known for record-breaking DDoS attacks. Researchers believe the attackers may have reused code from AISURU in Kimwolf's early stages to improve stealth and detection evasion. Evidence suggests both botnets propagated through similar infection scripts and coexisted on the same devices, pointing to a shared developer group.
Targeting and Recommendations
Kimwolf primarily targets Android TV boxes and similar devices, often those that are uncertified by Google and may lack Google Play protection. This makes them more vulnerable to infection. Researchers urge manufacturers to enhance security on Android TV devices throughout the supply chain. Consumers are advised to avoid uncertified, low-cost Android devices, use strong passwords, keep firmware updated, and refrain from downloading applications from unknown sources.
Sources
Kimwolf Botnet Hijacks 1.8 Million Android TVs, Launches Large-Scale DDoS Attacks, The Hacker News.
Kimwolf Android Botnet Hijacked 1.8 Million Android Devices Worldwide, CybersecurityNews.
Kimwolf botnet briefly surpasses Google traffic, Cybernews.