
The Kimwolf botnet, a new distributed denial of service (DDoS) threat, has recruited a massive army of at least 1.8 million infected devices, primarily Android-based TVs, set-top boxes, and tablets. According to research by QiAnXin XLab, the botnet is associated with the infamous AISURU botnet.
Kimwolf Threat Summary
- Massive reach: Kimwolf has infected 1.8 million devices, primarily Android TV boxes, set-top boxes, and tablets.
- Advanced Capabilities: In addition to typical DDoS attack capabilities, Kimwolf integrates proxy forwarding, reverse shell, and file management features. It is compiled using the Android NDK (Native Development Kit).
- Attack Activity: The botnet issued an estimated 1.7 billion DDoS attack commands over a three-day period (November 19-22, 2025).
- Primary Targets: The most affected devices include popular models such as TV BOX, SuperBOX, HiDPTAndroid, P200, X96Q, XBOX, SmartTV and MX10. The global spread is notable, with high concentrations in Brazil, India, the USA, Argentina, South Africa and the Philippines.
Ties with the AISURU Botnet and TTPs
XLab research has uncovered significant links between Kimwolf and the AISURU botnet, known for record-breaking DDoS attacks over the past year. Researchers suspect that the same hacking group reused code from AISURU in the early stages of Kimwolf.
- Evidence of a link: Both botnets used the same infection scripts between September and November, coexisting on the same devices. Analysis of APK packages uploaded to VirusTotal revealed similarities and even the use of the same code signing certificate (“John Dinglebert Dinglenut VIII VanSack Smith”).
- Shared Infrastructure: An active download server (93.95.112[.]59) discovered on December 8, 2025 contained scripts referencing the Kimwolf and AISURU APKs, confirming that they belong to the same group.
Evasion Technique “EtherHiding”
To thwart removal efforts, Kimwolf has evolved its tactics. Following at least three successful takedowns of its C2 domains, the botnet adopted an advanced evasion technique known as EtherHiding.
- Using ENS: Kimwolf uses an Ethereum Name Service (ENS) domain such as pawsatyou[.]eth to retrieve the real IP address of its C2 server from an associated smart contract.
- Obtaining IP: The actual IP is extracted from the ’lol’ field of the transaction, where an XOR operation with a specific key (0x93141715) decodes the IPv6 address of the C2 server.
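The following is an added analyst's decoder, not XLab's or the article's code, for recovering the C2 indicator from the on-chain ’lol’ field so it can be blocked or sinkholed. It assumes the field is a hex-encoded 16-byte value and that the 32-bit key is XORed against each 4-byte big-endian word (the article gives the key but not the word layout); the sample field below is constructed, not taken from the blockchain.

```python
import ipaddress
import struct

# XOR key reported for Kimwolf's EtherHiding config (from the article).
KIMWOLF_XOR_KEY = 0x93141715

# Constructed sample: the 'lol' field that would encode 2001:db8::1
# under the assumed layout. Not a real on-chain value.
SAMPLE_LOL_FIELD = "0xb3151aad93141715931417159314171" + "4"


def _xor_words(payload: bytes, key: int) -> bytes:
    # Assumption: key applied per 4-byte big-endian word of the 128-bit
    # payload. A different word order would need a different unpack format.
    if len(payload) != 16:
        raise ValueError("expected a 16-byte (128-bit) payload")
    words = struct.unpack(">4I", payload)
    return struct.pack(">4I", *(w ^ key for w in words))


def decode_c2_address(lol_field: str, key: int = KIMWOLF_XOR_KEY) -> str:
    """Decode the hex 'lol' field into a textual C2 address.

    Returns the IPv6 address, or the embedded IPv4 address when the decoded
    value is IPv4-mapped (::ffff:a.b.c.d), which is the form an analyst
    would feed to a blocklist.
    """
    hex_str = lol_field.strip().lower()
    if hex_str.startswith("0x"):
        hex_str = hex_str[2:]
    payload = bytes.fromhex(hex_str)
    addr = ipaddress.IPv6Address(_xor_words(payload, key))
    return str(addr.ipv4_mapped or addr)


if __name__ == "__main__":
    print(decode_c2_address(SAMPLE_LOL_FIELD))  # 2001:db8::1
```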
Monetization and Evolution
XLab’s analysis revealed that more than 96% of the botnet’s commands are related to providing proxy services. Attackers seek to monetize the bandwidth of compromised devices.
- Proxy Services: Kimwolf deploys a Rust-based command client module to form a proxy network.
- SDK Monetization: The botnet also deploys a ByteConnect software development kit (SDK), a monetization solution that allows IoT device owners to sell traffic from their devices.
This evolution of Kimwolf aligns with a trend seen in other giant botnets (such as Badbox, Bigpanzi and Vo1d) that have shifted their focus from traditional IoT devices (routers, cameras) to smart TVs and set-top boxes.
Conclusion
The emergence of Kimwolf and its rapid spread through Android TV devices underscores the growing threat that botnets pose to smart consumer devices. The sophistication of its evasion methods, such as EtherHiding, shows how constantly cybercriminals innovate to evade detection and keep their infrastructure from being dismantled. The direct connection to the group behind AISURU indicates a large-scale, coordinated operation that seeks to take advantage of the growing base of Android devices in the home.
References
- QiAnXin XLab Report (Research source)
- DomainTools Blog Post (External reference)
- Cloudflare Radar (List of main domains)