Kimwolf Botnet Seizes 1.8M Android TVs for Massive DDoS

December 17, 2025 at 12:00 AM

Kimwolf, a fast-evolving Android botnet, has hijacked about 1.8 million smart TVs, TV boxes, and tablets to power massive DDoS activity and proxy abuse, according to QiAnXin XLab.

At a glance

  • Scale: Roughly 1.83 million daily active bot IPs observed after XLab briefly controlled a C2
  • Command volume: 1.7 billion DDoS commands in three days (Nov 19–22, 2025)
  • Targeted devices: Android TV boxes and similar hardware, including TV BOX, SuperBOX, HiDPTAndroid, P200, X96Q, XBOX, SmartTV, MX10
  • Hotspots: Brazil, India, the U.S., Argentina, South Africa, and the Philippines
  • Build and features: Compiled with Android NDK; supports DDoS, proxy forwarding, reverse shell, and file management

How it operates and adapts

  • Execution flow: Ensures a single running instance, decrypts embedded C2 data, resolves via DNS-over-TLS, and uses TLS for command-and-control
  • DDoS capability: 13 DDoS methods across UDP, TCP, and ICMP; observed targets include the U.S., China, France, Germany, and Canada
  • Rapid evolution: After multiple C2 takedowns in December, operators shifted to ENS (Ethereum Name Service) and EtherHiding to harden infrastructure, using an ENS domain and a smart contract to conceal the real C2 IP
  • Visibility spike: A C2 domain briefly topped Cloudflare’s top 100 list, even surpassing Google during the surge

Linked to AISURU

  • Shared playbook: The same infection scripts circulated between September and November 2025, with both botnets coexisting on the same devices
  • Overlapping indicators: APK similarities on VirusTotal and a shared code signing certificate named John Dinglebert Dinglenut VIII VanSack Smith
  • Infrastructure clue: A downloader server at 93.95.112[.]59 referenced APKs for both Kimwolf and AISURU
  • Assessment: XLab believes both botnets are operated by the same group; some attacks attributed to AISURU may be driven or co-led by Kimwolf
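The following Python script is an added example, not XLab's or The Hacker News's tooling, that turns the "How it operates" bullets and the indicators above into a defender-side triage pass. It refangs the downloader IP quoted on the page, reads constructed flow records for a home or branch network, and flags TV-class devices (the models named on the page) that contacted the downloader, resolved names over DNS-over-TLS (TCP 853, RFC 7858, the transport named in the execution-flow bullet), or fanned out to many distinct destinations in a short window, which is what both DDoS and proxy forwarding look like from the LAN side. The record format, the host IPs and models, and the fan-out threshold are assumptions. DNS-over-TLS on its own is not evidence of anything (Android Private DNS uses the same port), so the score only rises when several behaviours coincide on one device.

```python
"""Flow-record triage against the Kimwolf indicators quoted on this page.
Added example; the log format, hosts and threshold below are constructed."""
import csv
import io
from collections import Counter, defaultdict

# Indicators quoted from the page. The IP is defanged there and refanged before use.
DEFANGED_DOWNLOADER_IP = "93.95.112[.]59"
TARGETED_MODELS = {"TV BOX", "SuperBOX", "HiDPTAndroid", "P200", "X96Q",
                   "XBOX", "SmartTV", "MX10"}
DOT_PORT = 853          # DNS-over-TLS listens on TCP 853 (RFC 7858)
FANOUT_THRESHOLD = 5    # assumed: distinct destinations per TV device treated as suspicious

# Constructed flow export: ts,src_ip,model,dst_ip,dst_port,proto,bytes
SAMPLE_FLOWS = """\
ts,src_ip,model,dst_ip,dst_port,proto,bytes
2025-12-12T10:00:01Z,10.0.0.21,X96Q,1.1.1.1,853,tcp,1450
2025-12-12T10:00:02Z,10.0.0.21,X96Q,93.95.112.59,80,tcp,2048000
2025-12-12T10:00:03Z,10.0.0.21,X96Q,203.0.113.7,443,tcp,320
2025-12-12T10:00:03Z,10.0.0.21,X96Q,203.0.113.8,443,tcp,320
2025-12-12T10:00:03Z,10.0.0.21,X96Q,203.0.113.9,443,udp,320
2025-12-12T10:00:04Z,10.0.0.21,X96Q,203.0.113.10,443,udp,320
2025-12-12T10:00:04Z,10.0.0.21,X96Q,203.0.113.11,443,tcp,320
2025-12-12T10:00:05Z,10.0.0.33,laptop,1.1.1.1,853,tcp,900
2025-12-12T10:00:06Z,10.0.0.40,TV BOX,192.0.2.50,443,tcp,5000
2025-12-12T10:00:07Z,10.0.0.40,TV BOX,192.0.2.51,443,tcp,5000
"""


def refang(ioc: str) -> str:
    """Reverse common defanging so a published indicator can be matched in logs."""
    return ioc.replace("[.]", ".").replace("[:]", ":").replace("hxxp", "http")


def parse_flows(text: str) -> list:
    """Parse the constructed CSV export into a list of dicts, one per flow."""
    return list(csv.DictReader(io.StringIO(text)))


def triage(flows: list) -> dict:
    """Return {behaviour: sorted source IPs} for the three behaviours described on the page."""
    downloader_ip = refang(DEFANGED_DOWNLOADER_IP)
    findings = {"downloader_contact": set(), "dot_from_tv_device": set(), "fanout": set()}
    dests = defaultdict(set)
    for f in flows:
        src, model, dst = f["src_ip"], f["model"], f["dst_ip"]
        dport, proto = int(f["dst_port"]), f["proto"]
        is_tv = model in TARGETED_MODELS
        # Any host reaching the downloader server is worth a look, TV or not.
        if dst == downloader_ip:
            findings["downloader_contact"].add(src)
        # DoT is benign on its own (Android Private DNS); record it only for TV-class devices.
        if is_tv and dport == DOT_PORT and proto == "tcp":
            findings["dot_from_tv_device"].add(src)
        if is_tv:
            dests[src].add(dst)
    # A set-top box talking to many distinct peers is the LAN-side view of DDoS or proxy traffic.
    for src, peers in dests.items():
        if len(peers) >= FANOUT_THRESHOLD:
            findings["fanout"].add(src)
    return {k: sorted(v) for k, v in findings.items()}


def score(findings: dict) -> dict:
    """Count how many distinct behaviours each source shows; several together raise confidence."""
    counts = Counter()
    for hits in findings.values():
        for src in hits:
            counts[src] += 1
    return dict(counts)


if __name__ == "__main__":
    result = triage(parse_flows(SAMPLE_FLOWS))
    for behaviour, hosts in result.items():
        print(f"{behaviour}: {hosts}")
    print("score:", score(result))
```

The script reports 10.0.0.21 under all three behaviours, while the laptop's DoT session and the second TV box's two ordinary connections stay below the bar. In practice the same three checks map onto firewall or NetFlow exports, and a device that trips more than one of them is the one to pull off the network and inspect for the APK.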

Monetization at scale

  • Proxy-first: More than 96% of observed commands instructed bots to provide proxy services, signaling a strong revenue motive
  • Tooling: A Rust-based command client helps build the proxy network, and nodes receive the ByteConnect SDK to monetize bandwidth

Timeline highlights

  • Oct 24, 2025: XLab receives a Version 4 Kimwolf artifact; eight more samples surface in subsequent weeks
  • Dec 2025: Repeated C2 takedowns push a migration to ENS-based infrastructure
  • Dec 8, 2025: Downloader server discovered with references to both botnets
  • Dec 12, 2025: Latest variants detected using EtherHiding via an ENS domain and smart contract

Why it matters

  • Kimwolf underscores a shift from classic IoT botnets like Mirai to smart TVs and TV boxes, joining the ranks of million-scale botnets such as Badbox, Bigpanzi, and Vo1d.

Source: The Hacker News
