The world of cybercrime has witnessed a shocking revelation: a botnet named Kimwolf has hijacked an astonishing 1.8 million Android TVs, set-top boxes, and tablets, unleashing a massive DDoS attack. But wait, there's more to this story than meets the eye.
QiAnXin XLab, a cybersecurity research team, has uncovered a sophisticated botnet operation, Kimwolf, which has infected an unprecedented number of Android-based devices. This botnet is believed to be linked to another notorious botnet, AISURU, known for its record-breaking DDoS attacks. The connection between the two is a fascinating twist, but the real controversy lies in the potential collaboration or leadership role of Kimwolf in these attacks.
Kimwolf, a botnet compiled with the Android NDK, offers more than just DDoS capabilities. It includes proxy forwarding, reverse shell, and file management features, making it a versatile threat. In a three-day period in November 2025, it unleashed an estimated 1.7 billion DDoS attack commands, a staggering number that caught the attention of security experts worldwide.
The primary targets of this malware are TV boxes in residential networks, with specific models like TV BOX, SuperBOX, and HiDPTAndroid among the affected devices. The infection has spread globally, with higher concentrations in countries like Brazil, India, and the U.S., but the exact propagation method remains a mystery.
XLab's investigation began with a 'version 4' sample of Kimwolf, leading to the discovery of eight more samples in the following month. The botnet's resilience was evident as unknown parties attempted to take down its C2 domains, prompting it to adopt ENS (Ethereum Name Service) for enhanced infrastructure protection.
In a surprising turn of events, XLab managed to seize control of one C2 domain, revealing the botnet's massive scale. The connection to AISURU became clearer when researchers found similarities in APK packages uploaded to VirusTotal, even sharing the same code signing certificate in some cases.
Kimwolf's malware is designed for efficiency. It ensures single-instance execution, decrypts embedded C2 domains, and uses DNS-over-TLS to connect and receive commands. Recent versions have implemented EtherHiding, an innovative technique using an ENS domain to fetch the C2 IP from a smart contract, making it harder to dismantle its infrastructure.
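The C2 behaviour described above gives a home or small-office network two concrete things to look for: a TV box opening DNS-over-TLS (TCP/853) to a resolver the network never configured, and a TV box talking to Ethereum JSON-RPC endpoints, which is what resolving an ENS name or reading a C2 address out of a smart contract requires. The following is an added example, not code from XLab or from the article, that runs such checks over constructed flow records; the resolver allow-list, the placeholder RPC hostnames and the device classes are all assumptions chosen for the example.

```python
"""Flag residential-network TV boxes whose egress matches the C2 pattern
described above: DNS-over-TLS to an unconfigured resolver, and traffic to
Ethereum JSON-RPC endpoints (needed for ENS / EtherHiding lookups).
Sample flows, resolver allow-list and RPC host list are constructed."""
from dataclasses import dataclass

# Constructed: the only DoT resolver this network hands out to clients.
CONFIGURED_DOT_RESOLVERS = {"192.0.2.53"}

# Constructed placeholder hostnames standing in for public Ethereum RPC endpoints.
ETH_RPC_HOSTS = {"rpc.eth-provider.example", "mainnet.eth-gateway.example"}

# Device classes for which DoT and blockchain RPC are not expected behaviour.
IOT_DEVICE_CLASSES = {"android_tv_box", "set_top_box", "tablet"}


@dataclass(frozen=True)
class Flow:
    src_ip: str
    device_class: str   # assumed to come from DHCP fingerprinting / inventory
    dst: str            # destination IP, or hostname from passive DNS / TLS SNI
    dst_port: int
    proto: str


@dataclass(frozen=True)
class Finding:
    src_ip: str
    rule: str
    detail: str


def check_flow(flow: Flow) -> list[Finding]:
    """Apply both rules to one flow; non-IoT devices are out of scope."""
    findings: list[Finding] = []
    if flow.device_class not in IOT_DEVICE_CLASSES:
        return findings
    # Rule 1: DoT to a resolver the network did not configure.
    if flow.proto == "tcp" and flow.dst_port == 853 \
            and flow.dst not in CONFIGURED_DOT_RESOLVERS:
        findings.append(Finding(flow.src_ip, "unexpected_dot_resolver",
                                f"DNS-over-TLS to {flow.dst}"))
    # Rule 2: a TV box has no business querying the Ethereum chain.
    if flow.dst in ETH_RPC_HOSTS:
        findings.append(Finding(flow.src_ip, "eth_rpc_from_iot",
                                f"Ethereum RPC to {flow.dst}:{flow.dst_port}"))
    return findings


def scan(flows: list[Flow]) -> list[Finding]:
    out: list[Finding] = []
    for f in flows:
        out.extend(check_flow(f))
    return out


def devices_to_isolate(flows: list[Flow], min_rules: int = 2) -> list[str]:
    """Devices that hit at least `min_rules` distinct rules: candidates for
    moving to a quarantine VLAN pending a factory reset."""
    rules_by_dev: dict[str, set[str]] = {}
    for fd in scan(flows):
        rules_by_dev.setdefault(fd.src_ip, set()).add(fd.rule)
    return sorted(ip for ip, rules in rules_by_dev.items()
                  if len(rules) >= min_rules)


# Constructed sample flows (RFC 5737 documentation addresses for destinations).
SAMPLE_FLOWS = [
    Flow("10.0.0.20", "android_tv_box", "192.0.2.53", 853, "tcp"),   # configured resolver: fine
    Flow("10.0.0.21", "android_tv_box", "198.51.100.7", 853, "tcp"), # DoT to unknown resolver
    Flow("10.0.0.21", "android_tv_box", "rpc.eth-provider.example", 443, "tcp"),  # ENS lookup
    Flow("10.0.0.30", "laptop", "rpc.eth-provider.example", 443, "tcp"),          # laptop: ignored
    Flow("10.0.0.22", "set_top_box", "203.0.113.9", 853, "tcp"),     # DoT to unknown resolver
]

if __name__ == "__main__":
    for fd in scan(SAMPLE_FLOWS):
        print(fd)
    print("isolate:", devices_to_isolate(SAMPLE_FLOWS))
```

Either rule alone produces noise (some vendors ship DoT by default, and a phone on the same VLAN may legitimately hit an RPC provider), so the quarantine decision keys on a device class where neither behaviour is expected and on both rules firing for the same host; run with `min_rules=1` to get the wider triage list instead.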
This advanced malware encrypts sensitive data and employs TLS encryption for network communications. It supports 13 DDoS attack methods and primarily targets devices in the U.S., China, France, Germany, and Canada. Interestingly, over 96% of commands are for proxy services, suggesting a profit-driven motive.
The attackers' monetization strategy is further evident in the deployment of a Rust-based Command Client module and a ByteConnect SDK, which enables monetization of traffic for app developers and IoT device owners. This evolution in cybercrime highlights a shift in focus from IoT devices to smart TVs and TV boxes, as seen with other giant botnets like Badbox and Vo1d.
As the story unfolds, one question lingers: Is Kimwolf a mere participant or a key player in these attacks? The evidence suggests a complex relationship with AISURU, leaving room for debate. What do you think? Share your thoughts on this intriguing cybercrime saga!