A new distributed denial-of-service (DDoS) botnet known as Kimwolf has enlisted a massive army of no less than 1.8 million infected devices comprising Android-based TVs, set-top boxes, and tablets, and may be associated with another botnet known as AISURU, according to findings from QiAnXin XLab.
“Kimwolf is a botnet compiled using the NDK [Native Development Kit],” the company said in a report published today. “In addition to typical DDoS attack capabilities, it integrates proxy forwarding, reverse shell, and file management functions.”
The hyper-scale botnet is estimated to have issued 1.7 billion DDoS attack commands within a three-day period between November 19 and 22, 2025, around the same time one of its command-and-control (C2) domains – 14emeliaterracewestroxburyma02132[.]su – came first in Cloudflare’s list of top 100 domains, briefly even surpassing Google.
Kimwolf’s primary infection targets are TV boxes deployed in residential network environments. Some of the affected device models include TV BOX, SuperBOX, HiDPTAndroid, P200, X96Q, XBOX, SmartTV, and MX10. Infections are scattered globally, with Brazil, India, the U.S., Argentina, South Africa, and the Philippines registering higher concentrations. That said, the exact means by which the malware is propagated to these devices is presently unclear.
XLab said its investigation into the botnet commenced after it received a “version 4” artifact of Kimwolf from a trusted community partner on October 24, 2025. Since then, an additional eight samples were discovered last month.
“We observed that Kimwolf’s C2 domains have been successfully taken down by unknown parties at least three times [in December], forcing it to upgrade its tactics and turn to using ENS (Ethereum Name Service) to harden its infrastructure, demonstrating its powerful evolutionary capability,” XLab researchers said.
That’s not all. Earlier this month, XLab managed to successfully seize control of one of the C2 domains, enabling it to assess the scale of the botnet.
An interesting aspect of Kimwolf is that it’s tied to the infamous AISURU botnet, which has been behind some of the record-breaking DDoS attacks over the past year. It’s suspected that the attackers reused code from AISURU in the early stages, before opting to develop the Kimwolf botnet to evade detection.
XLab said it’s possible some of these attacks may not have come from AISURU alone, and that Kimwolf may be either participating or even leading the efforts.
“These two major botnets propagated through the same infection scripts between September and November, coexisting in the same batch of devices,” the company said. “They actually belong to the same hacker group.”
This assessment is based on similarities in APK packages uploaded to the VirusTotal platform, in some cases even using the same code signing certificate (“John Dinglebert Dinglenut VIII VanSack Smith”). Further definitive evidence arrived on December 8, 2025, with the discovery of…
Source link
Disclaimer
We strive to uphold the highest ethical standards in all of our reporting and coverage. We blogs.grocliq.com want to be transparent with our readers about any potential conflicts of interest that may arise in our work. It’s possible that some of the investors we feature may have connections to other businesses, including competitors or companies we write about. However, we want to assure our readers that this will not have any impact on the integrity or impartiality of our reporting. We are committed to delivering accurate, unbiased news and information to our audience, and we will continue to uphold our ethics and principles in all of our work. Thank you for your trust and support.
Website Upgradation is going on for any glitch kindly connect at [email protected]
