Cybersecurity researchers have uncovered a hyper-scale DDoS botnet named Kimwolf, which has silently compromised more than 1.8 million Android-powered smart TVs, TV boxes, and tablets, turning them into a massive weapon for distributed denial-of-service (DDoS) attacks and illegal proxy services.
According to an in-depth investigation by QiAnXin XLab, Kimwolf represents a new generation of IoT-focused malware that demonstrates advanced persistence, infrastructure resilience, and monetization capabilities.
Kimwolf Botnet: Key Technical Capabilities
XLab researchers report that Kimwolf is compiled using Android’s Native Development Kit (NDK) and goes far beyond basic DDoS functionality. In addition to launching large-scale attacks, the malware supports:
- High-volume UDP, TCP, and ICMP flood attacks
- Proxy forwarding services
- Reverse shell access
- Remote file management
- Encrypted command-and-control (C2) communications
During a three-day window between November 19 and November 22, 2025, Kimwolf issued an estimated 1.7 billion DDoS attack commands, underscoring the unprecedented scale of the operation.
At the same time, one of its C2 domains—14emeliaterracewestroxburyma02132[.]su—briefly ranked among Cloudflare’s top 100 most queried domains, even momentarily surpassing Google.
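The query volume described above is what a resolver sees when a fleet of infected devices converges on a single C2 name. The following Python detector is an added example, not code from XLab's report: it runs over a constructed resolver log, counts the clients that resolved the defanged indicator quoted in this article, and flags any domain that a burst of distinct clients resolves within one short window. The log format, client addresses, window size and thresholds are all constructed assumptions.

```python
"""Flag domains that a fleet of home/IoT devices suddenly resolves together,
and match queries against a defanged indicator list.

Added example, not XLab tooling. Log format, client IPs and thresholds
are constructed for illustration.
"""
from collections import Counter, defaultdict

# Indicator from the report, kept defanged so this file never contains a live hostname.
KNOWN_C2_DOMAINS = {"14emeliaterracewestroxburyma02132[.]su"}

# Constructed resolver log lines: "<epoch> <client_ip> <qname> <qtype>"
SAMPLE_DNS_LOG = """\
1763510400 10.0.20.11 time.android.com A
1763510401 10.0.20.11 14emeliaterracewestroxburyma02132.su A
1763510402 10.0.20.12 14emeliaterracewestroxburyma02132.su A
1763510402 10.0.20.13 14emeliaterracewestroxburyma02132.su A
1763510403 10.0.20.11 14emeliaterracewestroxburyma02132.su AAAA
1763510404 10.0.20.14 connectivitycheck.gstatic.com A
1763510405 10.0.20.12 14emeliaterracewestroxburyma02132.su A
1763510406 10.0.20.13 14emeliaterracewestroxburyma02132.su A
1763510407 10.0.20.15 www.google.com A
1763510408 10.0.20.11 14emeliaterracewestroxburyma02132.su A
"""


def refang(domain: str) -> str:
    """Turn 'example[.]su' into 'example.su' for comparison only."""
    return domain.replace("[.]", ".").lower().rstrip(".")


def parse_dns_log(text: str):
    """Yield (timestamp, client, qname) from the constructed log format."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        yield int(parts[0]), parts[1], parts[2].lower().rstrip(".")


def find_known_c2_queries(text: str) -> dict:
    """Return {client: query_count} for clients that resolved a known C2 domain."""
    bad = {refang(d) for d in KNOWN_C2_DOMAINS}
    hits = Counter()
    for _, client, qname in parse_dns_log(text):
        if qname in bad:
            hits[client] += 1
    return dict(hits)


def find_query_bursts(text: str, window_s: int = 10,
                      min_clients: int = 3, min_queries: int = 5) -> dict:
    """Return domains that, inside one window, were resolved at least
    min_queries times by at least min_clients distinct clients.

    Fleet-wide convergence on one new name is the pattern a botnet C2
    produces; popular legitimate names should be removed by an allow-list
    maintained by the caller, which this function does not apply.
    """
    buckets = defaultdict(lambda: defaultdict(list))  # window -> qname -> [clients]
    for ts, client, qname in parse_dns_log(text):
        buckets[ts // window_s][qname].append(client)
    flagged = {}
    for window, domains in buckets.items():
        for qname, clients in domains.items():
            distinct = len(set(clients))
            if len(clients) >= min_queries and distinct >= min_clients:
                flagged[qname] = {"window": window, "queries": len(clients),
                                  "clients": distinct}
    return flagged


if __name__ == "__main__":
    print("clients resolving known C2:", find_known_c2_queries(SAMPLE_DNS_LOG))
    print("burst domains:", find_query_bursts(SAMPLE_DNS_LOG))
```

On the constructed log, three TV boxes resolve the indicator seven times within a ten-second window, which trips both checks; the two ordinary Android connectivity hosts are resolved once each and stay below the burst threshold.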
Primary Targets: Android TV Boxes in Home Networks
The botnet primarily infects Android-based TV boxes deployed in residential environments, including popular models such as:
- TV BOX
- SuperBOX
- HiDPTAndroid
- P200
- X96Q
- XBOX
- SmartTV
- MX10
Infections have been detected globally, with Brazil, India, the United States, Argentina, South Africa, and the Philippines showing the highest concentration of compromised devices. The exact infection vector remains unknown, although supply-chain abuse or preloaded malware are considered possible entry points.
Connection to the AISURU Botnet
XLab’s analysis links Kimwolf to the notorious AISURU botnet, which has been responsible for several record-breaking DDoS attacks in recent years. Evidence suggests:
- Early versions of Kimwolf reused AISURU source code
- Both botnets propagated using identical infection scripts between September and November
- Shared APK signing certificates were found on VirusTotal
- A downloader server (93.95.112[.]59) hosted payloads for both botnets
Researchers concluded that Kimwolf and AISURU are operated by the same threat actor group, with Kimwolf likely created to evade detection and improve operational resilience.
ENS and EtherHiding: Hardening Against Takedowns
After multiple takedown attempts in December 2025, Kimwolf operators evolved their infrastructure by adopting Ethereum Name Service (ENS) domains—a tactic known as EtherHiding.
Recent Kimwolf variants retrieve their real C2 IP addresses from Ethereum smart contracts, specifically extracting encrypted IPv6 data from on-chain transactions. This approach makes traditional domain seizures significantly less effective and highlights the botnet’s rapid evolutionary capability.
Monetization Through Proxy Abuse
While Kimwolf supports 13 different DDoS attack methods, over 96% of observed commands were related to proxy services, indicating a clear profit-driven motive.
To monetize compromised devices, the operators deploy:
- A Rust-based proxy command client
- The ByteConnect SDK, which allows attackers to resell bandwidth from infected IoT devices
Attack targets identified by XLab are primarily located in the United States, China, France, Germany, and Canada.
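The flood capabilities listed earlier (UDP, TCP and ICMP) and the proxy resale described in this section look different from inside a home or ISP network: a flood concentrates a device's outbound traffic on one victim, while proxy resale scatters it across many unrelated destinations and ports that a TV box would never contact on its own. The following Python example is added here and is not XLab's tooling; it runs both checks over constructed flow records from an IoT VLAN, with the record format, addresses and thresholds all assumed for illustration.

```python
"""Per-device behavioural checks over flow records from a TV-box/IoT VLAN:
flood-like concentration on one destination, and proxy-like fan-out to
many destinations and ports.

Added example, not XLab tooling. The flow tuple layout, addresses and
thresholds are constructed assumptions.
"""
from collections import defaultdict

# Constructed flow records: (src_ip, dst_ip, dst_port, proto, packets, bytes)
SAMPLE_FLOWS = [
    # 10.0.20.11: ordinary TV box, a couple of CDN hosts over HTTPS
    ("10.0.20.11", "203.0.113.10", 443, "tcp", 120, 60000),
    ("10.0.20.11", "203.0.113.11", 443, "tcp", 80, 40000),
    # 10.0.20.12: UDP flood, almost every packet toward one victim
    ("10.0.20.12", "198.51.100.7", 53, "udp", 250000, 32000000),
    ("10.0.20.12", "198.51.100.7", 80, "udp", 240000, 30000000),
    ("10.0.20.12", "203.0.113.10", 443, "tcp", 50, 20000),
    # 10.0.20.13: proxy-like fan-out, small flows to many hosts and ports
    *[("10.0.20.13", f"192.0.2.{i}", port, "tcp", 30, 12000)
      for i, port in enumerate(
          [80, 443, 8080, 25, 993, 8443, 22, 3389, 5222, 1194, 443, 80], start=1)],
]


def summarize_by_device(flows):
    """Aggregate per source: packets per destination, distinct destinations and ports."""
    summary = defaultdict(lambda: {"pkts_to_dst": defaultdict(int),
                                   "dsts": set(), "ports": set(), "pkts": 0})
    for src, dst, dport, _proto, pkts, _nbytes in flows:
        s = summary[src]
        s["pkts_to_dst"][dst] += pkts
        s["dsts"].add(dst)
        s["ports"].add(dport)
        s["pkts"] += pkts
    return summary


def detect_flood(flows, min_pkts=100_000, min_share=0.9) -> dict:
    """Devices that sent at least min_pkts with min_share of them to one destination."""
    out = {}
    for src, s in summarize_by_device(flows).items():
        if s["pkts"] < min_pkts:
            continue
        victim, top = max(s["pkts_to_dst"].items(), key=lambda kv: kv[1])
        if top / s["pkts"] >= min_share:
            out[src] = {"victim": victim, "packets": top}
    return out


def detect_proxy_fanout(flows, min_dsts=10, min_ports=6) -> dict:
    """Devices talking to many distinct destinations on many distinct ports.

    A TV box normally reaches a handful of CDN and update hosts on 443, so
    wide fan-out across ports such as 25, 3389 or 1194 is the residential
    proxy signature rather than media streaming.
    """
    return {src: {"destinations": len(s["dsts"]), "ports": len(s["ports"])}
            for src, s in summarize_by_device(flows).items()
            if len(s["dsts"]) >= min_dsts and len(s["ports"]) >= min_ports}


if __name__ == "__main__":
    print("flood sources:", detect_flood(SAMPLE_FLOWS))
    print("proxy-like sources:", detect_proxy_fanout(SAMPLE_FLOWS))
```

The two checks are deliberately independent: the flooding device has only two destinations and never trips the fan-out rule, and the proxy-like device sends a few hundred packets in total and never trips the volume rule, so each alert points at one of the two behaviours the report describes.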
The Growing Threat of Smart TV Botnets
Security experts warn that Kimwolf represents a broader trend. Since the emergence of Mirai in 2016, attackers have increasingly shifted focus from routers and cameras to smart TVs and Android TV boxes, which often ship with outdated firmware and weak security controls.
XLab notes that multi-million-node botnets such as Badbox, Bigpanzi, Vo1d, and now Kimwolf confirm that smart entertainment devices are becoming prime targets for cybercriminals.