Malware · December 19, 2025 · 5 min read

Kimwolf Botnet Hijacks 1.8 Million Android TV Boxes for DDoS Attacks

A massive Android botnet targeting set-top boxes and tablets issued 1.7 billion attack commands in three days, and one of its C2 domains briefly outranked Google in Cloudflare's DNS rankings.

James Rivera

Security researchers have uncovered one of the largest Android botnets ever documented—a sprawling network of 1.8 million compromised devices capable of launching devastating distributed denial-of-service attacks. The botnet, dubbed Kimwolf, briefly became so active that one of its command-and-control domains ranked among the most queried on Cloudflare's global DNS infrastructure.

TL;DR

  • What happened: Kimwolf botnet has infected 1.8 million Android TV boxes, set-top boxes, and tablets worldwide
  • Who's affected: Owners of Android-based streaming devices including SuperBOX, X96Q, MX10, and similar models
  • Severity: High - took part in a DDoS attack approaching 30 Tbps and monetizes compromised bandwidth as residential proxies
  • Action required: Replace unbranded Android TV boxes with reputable devices; isolate IoT devices on separate network segments

What is Kimwolf?

Kimwolf is a distributed denial-of-service botnet compiled using Android's Native Development Kit (NDK) that specifically targets Android-based entertainment devices. First identified by QiAnXin XLab researchers in late October 2025, the botnet rapidly expanded to encompass approximately 2.7 million distinct source IP addresses, with a conservative estimate of 1.8 million actively infected devices.

The botnet is a notable step forward in IoT-based threats: it pairs high-volume DDoS with encrypted C2 channels and blockchain-based domain resolution, techniques more often seen in better-resourced operations than in commodity IoT malware.

How Kimwolf Operates

The campaign explicitly targets Android-based set-top boxes and streaming devices, including SuperBOX, X96Q, MX10, TV BOX, HiDPTAndroid, and SmartTV models. Infections are concentrated in Brazil, India, the United States, Argentina, South Africa, and the Philippines.

Attack Capabilities

Between November 19 and 22, 2025, Kimwolf operators initiated what researchers described as a "crazy" attack surge: in just three days, the botnet issued 1.7 billion DDoS attack commands targeting IP addresses globally. The botnet supports 13 distinct attack methods across UDP, TCP, and ICMP protocols.

A major cloud service provider observed an attack nearing 30 Tbps and 2.9 billion packets per second on December 9, 2025. After comparing their data, the provider and XLab researchers confirmed that Kimwolf participated in the assault.

Advanced Infrastructure

Kimwolf's command-and-control infrastructure employs several evasion techniques:

  1. DNS-over-TLS to resolve C2 domains, so a resolver-side blocklist or DNS log on the victim's network never sees the query in plaintext
  2. TLS for the command channel itself, hiding the commands the bots receive
  3. Ethereum Name Service (ENS) names whose records are read from smart contracts to obtain the current C2 IP address, leaving no registrar or DNS authority to serve a takedown request to

The use of blockchain-based domain resolution represents a significant advancement in botnet resilience. "We observed that Kimwolf's C2 domains have been successfully taken down by unknown parties at least three times in December, forcing it to upgrade its tactics and turn to using ENS to harden its infrastructure," XLab researchers noted.

Why This Matters

Kimwolf demonstrates the growing threat posed by consumer IoT devices to internet infrastructure. At its peak activity, one of Kimwolf's C2 domains—14emeliaterracewestroxburyma02132[.]su—briefly ranked among Cloudflare's top 100 most-queried domains globally, surpassing even Google.

Beyond DDoS capabilities, Kimwolf integrates proxy forwarding, reverse shell access, and file management functions. Analysis reveals that 96% of commands relate to proxy services, indicating attackers monetize compromised bandwidth through residential proxy networks—a growing revenue stream for botnet operators.

Connection to AISURU Botnet

Investigation suggests Kimwolf and the AISURU botnet share the same operator. Evidence includes:

  • Identical code signing certificates (comically signed as "John Dinglebert Dinglenut VIII VanSack Smith")
  • Shared downloader infrastructure discovered December 8, 2025
  • Both botnets propagated through identical infection scripts between September and November 2025
  • Coexistence on the same batch of compromised devices

"Kimwolf relies on an APK file to load and start it during runtime. We speculate that in the early stages of this campaign, the attackers directly reused Aisuru's code," researchers explained.

Recommended Mitigations

  1. Replace unbranded devices - Consider replacing cheap, unbranded Android TV boxes with devices from reputable manufacturers
  2. Network segmentation - Isolate IoT devices on a separate VLAN that can reach only the local resolver and the destinations the devices actually need
  3. Disable ADB - Ensure Android Debug Bridge is disabled on all devices
  4. Monitor traffic - Watch for unusual outbound traffic patterns from entertainment devices
  5. Update firmware - Apply any available firmware updates from device manufacturers
  6. Block C2 domains - Add known Kimwolf C2 indicators to DNS blocklists, and remember that a resolver-side blocklist cannot see DNS-over-TLS the device sends directly; block TCP/853 egress from the IoT segment as well
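The evasion techniques listed under "Advanced Infrastructure" and the monitoring and blocklist items above point to the same defensive question: what can still be seen from the IoT segment once the malware encrypts its DNS? The script below is an added example, not XLab's tooling or anything from the article. It runs three checks over a constructed, simplified flow log (timestamp, source, destination, protocol, destination port, and any DNS query name): DNS that bypasses the local resolver or uses DNS-over-TLS, queries for the C2 domain named in the article (or any subdomain of it), and hosts fanning out to an unusual number of distinct destinations, a coarse signal of DDoS or proxy traffic from a device that should only talk to a few streaming CDNs. The VLAN prefix, resolver address, log format, threshold and all sample addresses are assumptions.

```python
"""Detect Kimwolf-style network behaviour from an IoT / TV-box VLAN.

Added example, not code from XLab or the article. Flow lines use a
constructed format: "<ts> <src> <dst> <proto> <dport> <query|->".
"""
from collections import defaultdict

LOCAL_RESOLVER = "192.168.50.1"   # assumed: the only DNS server the IoT VLAN may use
IOT_PREFIX = "192.168.50."        # assumed IoT / entertainment VLAN
FANOUT_THRESHOLD = 50             # assumed: distinct destinations per host per window
C2_DOMAINS = {"14emeliaterracewestroxburyma02132.su"}  # C2 domain named in the article


def matches_c2(name: str) -> bool:
    """True if name is a blocked C2 domain or a subdomain of one (case-insensitive)."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in C2_DOMAINS)


def parse_flow(line: str) -> dict:
    ts, src, dst, proto, dport, query = line.split()
    return {"ts": int(ts), "src": src, "dst": dst, "proto": proto,
            "dport": int(dport), "query": None if query == "-" else query}


def check_dns_paths(flows):
    """Flag DNS that skips the local resolver, and any DNS-over-TLS (TCP/853) egress.

    Both let a device sidestep a resolver-side blocklist, so they should be
    blocked at the VLAN boundary and alerted on if they still appear.
    """
    findings = []
    for f in flows:
        if not f["src"].startswith(IOT_PREFIX):
            continue
        if f["dport"] == 53 and f["dst"] != LOCAL_RESOLVER:
            findings.append((f["src"], "dns-bypasses-local-resolver", f["dst"]))
        elif f["dport"] == 853 and f["proto"] == "tcp":
            findings.append((f["src"], "dns-over-tls-egress", f["dst"]))
    return findings


def check_c2_queries(flows):
    """Queries for a known C2 name that did pass through a visible resolver."""
    return [(f["src"], f["query"]) for f in flows if f["query"] and matches_c2(f["query"])]


def check_fanout(flows, threshold: int = FANOUT_THRESHOLD):
    """Hosts contacting >= threshold distinct destinations (DDoS / proxy heuristic)."""
    dests = defaultdict(set)
    for f in flows:
        if f["src"].startswith(IOT_PREFIX):
            dests[f["src"]].add(f["dst"])
    return {src: len(d) for src, d in dests.items() if len(d) >= threshold}


def analyze(lines):
    flows = [parse_flow(line) for line in lines]
    return {"dns_paths": check_dns_paths(flows),
            "c2_queries": check_c2_queries(flows),
            "fanout": check_fanout(flows)}


# Constructed sample: one well-behaved box (.12), one that uses an external
# resolver, DoT, and looks up the C2 name (.23), and one spraying traffic (.31).
SAMPLE_FLOWS = [
    "1702990001 192.168.50.12 192.168.50.1 udp 53 cdn.example-streaming.test",
    "1702990002 192.168.50.12 203.0.113.10 tcp 443 -",
    "1702990003 192.168.50.23 203.0.113.53 udp 53 updates.example.test",
    "1702990004 192.168.50.23 203.0.113.85 tcp 853 -",
    "1702990005 192.168.50.23 192.168.50.1 udp 53 c2.14emeliaterracewestroxburyma02132.su",
] + [f"{1702990100 + i} 192.168.50.31 198.51.100.{i} udp 50000 -" for i in range(60)]

if __name__ == "__main__":
    for check, result in analyze(SAMPLE_FLOWS).items():
        print(f"{check}: {result}")
```

In a real deployment the flow source would be a firewall or Zeek conn/dns export rather than the constructed list, and the fan-out threshold should be tuned per device class; a streaming box legitimately reaches only a handful of CDN endpoints, which is what makes the heuristic usable here.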

Frequently Asked Questions

How do I know if my Android TV box is infected? Signs include unusual device slowdowns, unexpected network activity, or increased data usage. However, many infections are difficult to detect without specialized tools. If you own a budget Android TV box from an unknown manufacturer, assume it may be vulnerable.

Can I clean an infected device? Factory reset may temporarily remove the infection, but reinfection often occurs rapidly. The most reliable solution is replacing suspect devices with products from established brands that receive regular security updates.

Why are Android TV boxes targeted? These devices typically run outdated Android versions, rarely receive security updates, operate continuously with internet connectivity, and users seldom monitor their activity—making them ideal botnet candidates.


Sources: QiAnXin XLab, The Hacker News, SecurityWeek
