Kimwolf botnet infects 1.8 million Android TV devices, uses ENS to evade detection

The Kimwolf botnet, a new distributed denial of service (DDoS) threat, has recruited a massive army of at least 1.8 million infected devices, primarily Android-based TVs, set-top boxes, and tablets. According to research by QiAnXin XLab, the botnet is associated with the infamous AISURU botnet.

Kimwolf Threat Summary

Massive reach: Kimwolf has infected 1.8 million devices, primarily Android TV boxes, set-top boxes, and tablets.

Advanced Capabilities: In addition to typical DDoS attack capabilities, Kimwolf integrates proxy forwarding, reverse shell, and file management features. It is compiled using the Android NDK (Native Development Kit).

Attack Activity: The botnet issued an estimated 1.7 billion DDoS attack commands over a three-day period (November 19-22, 2025).

Primary Targets: The most affected devices include popular models such as TV BOX, SuperBOX, HiDPTAndroid, P200, X96Q, XBOX, SmartTV and MX10. The global spread is notable, with high concentrations in Brazil, India, the USA, Argentina, South Africa and the Philippines.

Ties with the AISURU Botnet and TTPs

XLab research has uncovered significant links between Kimwolf and the AISURU botnet, known for record-breaking DDoS attacks over the past year. Researchers suspect that the same hacking group reused code from AISURU in the early stages of Kimwolf. ...

December 17, 2025 · Comfidentia